A new report from UK-based security firm Sophos has revealed that 24 percent of organizations in the Philippines had been breached in the last 12 months.
The most serious attack vectors in the Philippines — receiving a seriousness rating of 9 or 10 out of 10 — were phishing, malware, and ransomware.
Across the Philippines, the majority (64 percent) of business decision makers believe lack of security expertise is a challenge for their organization, with 62 percent observing recruitment of skills to be a struggle.
“This comes down to the set-up of cybersecurity within organizations, which commonly sees IT staff tasked with security in addition to their other responsibilities,” the report revealed.
There is also a wider corporate cultural issue, relating to attitude and behavior, impacting corporate cybersecurity. In fact, 78 percent of organizations in the Philippines believe the biggest challenge to their security in the next 24 months will be improving cybersecurity awareness and education among employees and leadership.
In the Philippines, 44 percent of organizations have a dedicated cybersecurity budget – in most cases budgets are included as part of other broader IT or other departmental spend.
Organizational IT security structures are diverse — one third of those surveyed have a dedicated CISO (chief information security officer), another third sees cybersecurity led by an IT leader, and the remainder give responsibility to another executive, such as the CTO.
The majority of organizations continue to keep most capabilities in-house and only in a few areas, like penetration testing and training, does outsourcing become a more common approach.
Only 34 percent of organizations in the Philippines are regularly making significant changes to their cybersecurity approach, with 30 percent intending to make changes to their security approach in the next six to 24 months.
As part of this, three in four (77 percent) organizations anticipate their use of external security partners to rise over the next 12 months. The main triggers for security updates — beyond changes to overall security posture — are technology and product developments, compliance and regulation requirements, and growing awareness of new attacks.