Asia Pacific Cybersecurity Trends Report

Hi, everyone. Welcome to this Cloudflare TV special all around some cybersecurity survey findings from the region. My name is Ben Munroe. I'm in Singapore. And joining me today, I've got Amanda Spencer all the way from Australia. Hi, Amanda. Do you want to introduce yourself? Tell us what was your first job and how did you get into cybersecurity? You see, you want me to cast my mind back that far. Thank you, Ben. I will do. It was the late 90s, a bit confronting for me to own that. But it is true. I started at IBM Global Services and I was doing their system support for their Microsoft outsourcing customers. And after two years at that job, I figured out I just had a passion for networking and connectivity, where I moved on to my next job, which was super awesome. And cybersecurity just naturally followed that path for me. So it's always been very exciting. A lot of fun. There you go. Great to see you. Sze Rong, welcome to you. You're in Singapore. Sze Rong Tham, tell us what was your first job and how did you get into cybersecurity? Hi, everyone. I'm Sze Rong. So I'm based in Singapore. I'm actually a solutions engineer with ASEAN today. In fact, my first job was not too long ago. I started in Microsoft as a product marketing manager for essentially the low-code, no -code platform. And eventually, it led me to the world of cybersecurity and specifically the world of cybersecurity with Cloudflare. That's super cool. And you're right. The world of cybersecurity now is very different than when I started, certainly. And when Amanda started, I think that it was very much a world of devices and appliances and stacking and racking boxes inside of, well, sometimes inside of cupboards in buildings. And now, of course, using the cloud, using SaaS, using connectivity cloud, we're able to do things in a very, very different, more efficient way. Because as we'll see as we go through the report, it's always amazing to find what defenders are thinking. There's always new news, but there's always oldies and goldies in there. And the cybersecurity talent gap just never seems to go away. There's not enough hours in the day for the smart people. So, I got my start in cybersecurity at IBM, as I mentioned, ISS, and I've worked at Sourcefire, worked at Tipping Point, a number of different companies before, Cisco, before joining Cloudflare. And I realized it was a career for me when my younger daughter said to me one evening around the dinner table, Daddy, I know you save the Internet. Mummy, what do you do for a living? And I'm like, yeah, I'll be Internet saving man. That sounds fantastic. That is super cool, Ben. Super cool. All right, so we're here to talk about the cybersecurity report. We just launched the new version this year, the 2024 version. We speak to about 4,000 security decision makers around the region. And we asked them a whole bunch of questions. They're from different industries. They're from 14 different countries around the region. And we asked them questions about what threat landscape issues are they facing? What are they doing? What architectural decisions are they making? What outcomes are they seeing? So, it's really like what's on your mind as a security decision maker? And it turns out that data breaches are top of mind. So, we talked to all these different security decision makers and kind of incidents and breaches are top of mind. So, this, you know, 76%, for example, of the organizations that we spoke to in Singapore reported an increase in the number of incidents. And so, this is sort of, you know, an incident is anything from someone incorrectly trying to log in to something really serious that results in a breach. So, I realize it's a very broad term. But the fact they're experiencing an increase in all of this is sort of is concerning. And especially because, of course, financial losses from these breaches is actually on the rise. So, we've got two different people on the call. We've got Amanda leading our systems engineering team down in Australia. We've got Zerong here in our systems engineering team in ASEAN. The two of you have got very different markets around you, very different perspectives on this topic. So, I thought it might be interesting just to see what we feel about this and what experiences you've had with, you know, with customers in your market. So, on the broad topic of customers and companies who are trying to do really good work for their customers and for their citizens, etc. Like, you know, we start with you, Amanda. Like, what are you seeing in Australia around this thought about the rising of breaches and our customers in the market having to deal with it? Yeah, look, Ben, it's not a surprise to see that it's on the increase. It's on the rise. I mean, over here in Australia, like over the last couple of years, almost like every day on the news, there's another big, massive, huge breach. We had a whole bunch in succession most recently, but big ones, you know, and it just didn't seem to stop at one point. So, it certainly doesn't surprise me. I think as a result of that, folks are taking things a bit more seriously as well. You know, they want to hold these organisations accountable with the data that they have got from us. It's also interesting because we do hear back a few months later about what's happened and the result and, you know, people wanting sort of, you know, accountability and ownership, and then that dies away again. So, it seems to be like a cycle of that kind of thing happening, but certainly no bit surprised to see these kind of numbers. I mean, you know, 41% that experienced those data breaches, obviously 76% indicated that the frequency had increased, and it's the same here in us. You know, the threat landscape is extremely volatile here. So, yeah, it's not a surprise to me. What about you, Serong? Yeah, so similarly as well, we do see the stories coming in very often, especially in the Singapore and Malaysia patch that I cover. And interestingly, we do see a lot more media coverage in these aspects of cybersecurity attacks as well. And I think one thing that I realised is that while we see a trend that is growing in terms of cyber attacks, there are certain businesses that are often targeted, and we actually see it in a trend in our report, right? We saw an 80% of respondents indicating that the frequency has increased over the past year, and attackers are essentially targeting businesses that are large and small. And we see pretty much everyday brands, even supermarket brands, or even restaurant loyalty brands that are common to my market here in Singapore, is in fact businesses that are also facing these kinds of data breaches. One thing I do find very interesting and pretty fascinating as well is that attackers are getting smarter in doing so. And they're really looking at what is the way to get the highest effort to returns ratio. And one of the very often data breaches cases that I see is the ability to actually target shadow zombie APIs that customers don't actually have a specific pointer on, or they could miss it out in an inventory, right? So what exactly are shadow zombie APIs? Just simply things that you and me, maybe part of the security team, doesn't have visibility over, and it does cause a specific data breach that we do see in these companies today. Super, super insightful, Taron. Before I go on, I think your thing about the threat vector is very important. Before we move on too much, I'd like to just point out, of course, that these are sometimes incredibly expensive for companies to recover from, and we're seeing it, the expense is increasing. So in Australia, it was 35% of our respondents reported that there were losses of more than a million US dollars. And in Singapore, that number was actually 60%, which is worrying because it shows the costs are rising. And of course, it's not just the cost to recover, it's fines, it's legal challenges, it's compensation to customers, their customers. It's really concerning for us all. And I think one of the reasons we do this study is to try and understand what's going on and how we can help and what steps we need to take to make it better. The one thing you said there, you know, you're talking about shadow zombie APIs, and of course, API security and API vulnerabilities is newer in the threat landscape, not new, but it's newer. But one of the things that jumps out of the survey is how it's a lot of the challenges customers are facing is what I would call oldies and goldies, like DDoS is big, phishing is big, web attacks are big. It's like it's 2004, not 2024, right, in terms of these threat vectors that never go away. And ransomware is huge. I think ransomware, first of all, ransomware concerns and the volume of ransomware is kind of on the rise. I think 67% of our regional survey respondents experienced attacks and paid the ransom. So that's really sort of concerning. And then the secondarily, the source of the attacks was unpatched, public facing servers and applications. So it wasn't phishing attacks that were leading to ransomware. It wasn't, you know, web attacks, it was directed to individuals, it was going after unpatched, you know, unpatched infrastructure, which I think is fascinating. From what you said as well earlier, like the visibility side of our world is so crucial to have that complete visibility to know, first of all, what you even are trying to protect as well, right? And it's just becoming more and more crucial now, if you don't have that capability, it's going to be really hard for you to obviously know what you've got to protect out there. Yep. So I think one more point on the point that like, we are actually seeing attacks that are so common back in the 2000s, even common today. That's actually one thing that I observed, or in fact, a good and bad thing, right? Because we see attackers actually coming in, in ways that we are familiar with. It's just that the kind of attacks that are often associated with, for example, DDoS, phishing, malware is becoming easier and easier to create, and also less and less of an effort to create. What about a controversial topic of, should there be laws and mandates to stop payments for ransomware? Like, would that limit it? Would it slow it down? I'm not sure of the answer, if I'm honest with you. What do you think? I think there are arguments, you know, for and against that. And I think what was interesting in the study was that we saw a number of people responding that they committed to not paying, but then of that a fairly large percentage admitting that finally they did pay. And I mean, it's very easy to talk about, it's very difficult to live through. So I totally understand why businesses want to get back their operations, want to get back to, you know, fully functioning and fulfilling their mandates. I do think that it opens the door for further attacks. Ransomware perpetrators very rarely just give the keys back and say, there you go, sorry, and walk away, right? They lurk around, they re-attack, etc. So the mandate is difficult because it puts more control and adds more complexity to the order of running a business. Like if you've got a mandate hanging over your head, and you feel like you've got to comply with it, but you've got your own business requirements, it creates tension, I think. And one of the things that we found was, I don't know, the numbers vary region to region, but a large number of our respondents were spending up to 10% of their working week dealing with regulation, compliance, mandates, you know, from their various industry bodies in government. So this feels to me, like a mandate around ransomware feels like another piece of compliance, another piece of legislation. So I've got, I don't have the answer, but my initial response would be, I don't know, it feels like another piece of red tape. What do you think? Yeah, look, I agree with you for sure. I think, as I said, I don't really know, but I can't see, obviously, these cybersecurity criminals, I mean, they don't adhere to any mandates themselves. And what you'll find is oftentimes, as you say, customers will probably find themselves in a situation of eventually paying and finding themselves doing the wrong thing there as well. And all they want to do is get their businesses up and running. So yeah, it's a tough one. Yeah, it's a pretty tough one for me as well, especially since like the whole of ASEAN do have many different kind of mandates and regulations. And it really depends on how the government is actually driving certain cybersecurity initiatives within the countries itself. And because of the complexity of it, many different companies of different industries also take a different stance towards what we say as a kind of response to what ASEAN is doing. So in fact, back, I think, sometime early this year, I did see a particular launch of an attack on Malaysia specifically. And things were actually getting blown up, right? Because, for example, Telegram was being used as one of the avenues and channels for such news to actually propagate to the public like yourself and myself. And that actually puts a pressure on either a regulatory body or a government to take a specific official stance towards how they should be responding to what such ransomware claims and ransomware attacks as well. Right. So with that, I think governments are getting a little bit more sophisticated in the way they respond to it, making sure that they do validate the claims first. And they do get some sort of official indication that a data breach has happened, especially with critical infrastructure that we see in governments today, right, before they actually do or take a certain stance towards releasing the information about the ransomware or actually taking a particular stance towards the ransomware. So as I mentioned, I do agree with you. If it comes to sort of a mandate, it does increase the time for all of the cybersecurity professionals that you and me speak to on a daily basis to have to adhere to. But at the same time, it does at least give a framework or it does at least give a guidance to how they should be responding to such things that we see in the market today. Yeah, I think the other thing as well, if the government is going to mandate or a government is going to mandate, what are they going to do about helping? So one thing to force activity or force action, but then how are you going to help recovery or how are you going to help with costs, etc. It feels like it's difficult to do one without the other because you're creating loss and potential negative consequences for small businesses. We have to speak about AI. Two things I wanted to do, just taking a sidestep away from our surveys to just to put a plug in here for Cloudflare Radar. So radar.Cloudflare.com shows you Internet traffic patterns around the world, shows you usage around different operating systems, different desktop versus mobile percentages. It shows you news events, all kinds of information, what we see 20 plus percent of the web. So lots of cool information there. The one thing that I want to draw everyone's attention to is here. This is the Singapore stat, but we have been tracking the rise in the interest of visits to generative AI domains. So this is everything we know. We all use LLMs, text and image generating services. So the results in Australia, the results in India or in the region, there's this massive spike over the last 12 months, which kind of corresponds with the growth of these services and the launch of these services and the availability of these services. So that's a long way, a long preamble of saying AI loomed large in our survey and lots and lots of our respondents. I mean, every market, it was 90 plus percent of the market said, yeah, we're worried about AI. We've got some concern around emerging attack capabilities, our users dumping everything into these publicly available services, some correspondence around the two. So, you know, as a broader question as possible, Amanda, what are you seeing in your market around concerns or even opportunities that are noted around the topic of AI in networking and cyber and developer world? Well, look, it's a huge topic. I mean, it is concerning, obviously, but there is two sides to it, as you say. Obviously, the first side, it's bringing many different kinds of threats to us. The threats are coming in a different way. You know, the findings show that 92 percent of respondents are concerned, as you say. But I look at it as an opportunity here as well. That's also available to the defenders. That's making our lives easier in terms of analysis of data. You know, like back again, back in the day, there was so many, so much data, so many logs. Nobody used to actually look at it either. Right now, we've got the capability for AI to help get the real important data as well. So, it is two sides. I think we do have to be aware of it from, obviously, the threat angle. But for me, it's using it and seizing the opportunity to use it for our benefit as well, which I think is a huge help coming from, you know, that network analysis, performance management, you know, security, security visibility. I mean, having something like that that can filter through and get you just the data you need, the actionable insights, I think is incredible. Yeah, in fact, I have a perfect example for whatever, you know, Amanda has shared, and I definitely echo that. I do see AI being used to fight AI very often in like the day-to-day conversations that I have, and especially on emails, right? Every customer that we speak to would be something that you use as a common communication point between you and me. Exchange at least about 100 emails a day. I'm very sure, Amanda and Ben, you would do way more than me. But one of the often things that I see today is that phishing or business emails are getting a lot more sophisticated in terms of how it's crafted and in terms of how it's actually messaged, right? And that actually gives more leeway to becoming potential phishing attacks in every day's inbox or everyone's inbox. But at the same time, we are also using more and more sophisticated AI models and machine learning models to be able to identify for all of these, right? We don't just go by language. We could go by time of that particular email being sent, or even who is actually sending this email, right? And is it an often recipient in your inbox or my inbox in order to get more information into how we can actually protect against these email compromise attacks that we see in our day-to-day inboxes? Yeah, so definitely echo what Amanda says in terms of how we can be responding to AI or how we can be thinking about AI in the cybersecurity world today. Now, we've been talking a little bit about the number of tools and the complexity and all of this. And one of the findings we had was that our respondents talked about the need for consolidation. Consolidation is critical, is a must, is not a nice to have. You know, about half said they had more than 20 tools. Now, our survey skewed towards the larger organizations across the region, bigger companies, enterprises, banks, et cetera. So, big organizations and government too. So, it was a broad study. And I think 20 is low. You know, I think if you dive into this number, you'll see more have 30 and 40 and 50. Way too many. Like, how can you possibly track alerts and respond when you have that number of different tools? Because very often they are on different, there's different UIs for each one, different management consoles, different data planes, et cetera. So, to start with you, what are your thoughts around this need for, you know, fewer tools with greater outcomes? Because the last thing I'll say is that the companies with more tools didn't find better security outcomes. They actually found that more tools, as in separate disparate point products, actually made them more vulnerable in the end because it creates more gaps. So, what are your thoughts there? Yeah. In fact, I think this is something actually very close to heart because I'm a newbie in the sector, right? I come in just two years ago. And I think one of the conversations I often have with my customers, how do we actually go from where I was traditionally to where I could potentially be, right? So, when we talk about being where they are traditionally, it's really about pointed solutions for specific problems and issues that they actually see within their environment, right? And these problems and issues keep arising. But at the same time, we don't have a particular movement or particular direction to actually consolidate everything. So, that's one, you know, kind of like pull factor that's lacking from the customer's end. Another push factor that we couldn't quite see within the industry at this point of time or previously was that no one was actually, you know, saying that I could do everything, right? I could cover application security. I could cover internal security. I could even cover developer's platform today, right? And that's why that pull and push actually led to, you know, something that we see increasingly common today when we want to be able to talk about vendor consolidation. For me, it's all about simplicity. Like again, coming from a networking, performance management, troubleshooting, the simpler it is, the easier it is to figure stuff out. So, that for me is huge and consolidation aligns to that completely. So, I don't think we'll ever get to a point where, you know, as you say, every customer's only got one vendor. I mean, it's not going to be that way, you know? It's never going to work. But consolidation down from where it is today is definitely a need. It's a must. And every single customer is on that journey, you know, but it will take time. For example, customers tell us they, you know, you have to see some of the existing tools through the end of life, end of support, you know, all that kind of stuff. So, it is a journey, but every single customer is absolutely on it. And again, coming back down to the people side of it is hugely important. You know, again, I've seen customers with many, many tools and nobody owning those tools. They're all there. They tick all the boxes, but there's no ownership. There's no, you know what I mean? And so, again, you have to have that part of the journey as well, right? And again, it's just keep it simple. It makes life easier. I think one of the, you know, one of the topics that leads us into here is this idea of sort of platforms. So, you move away from products that are part of or that need to integrate with a platform and you move towards an idea of how do you implement platforms and have then a platform of platforms, right? So, you have, you don't think about an endpoint, you think about protecting your users, right? And I think, you know, you don't think about the network, you think about kind of your whole infrastructure, what you own, what you rent, what's in public and hybrid, you know, cloud environments. And so, it leads us to actually our last topic today, which is, you know, this idea of Zero Trust. And I realize it's spoken about all day, every day, everywhere, but one of the reasons is it's starting to have a real impact in our industry. And if you think about, you know, kind of Zero Trust over here and maybe a next gen SIM over here, and then a kind of identity thing here, you start to solve big chunks of security problems, like 80, 90% of security problems with a few platforms, underneath which, of course, are features, functions, tools, etc. But instead of buying, you know, seeing a problem, buying a box, you're seeing a problem and thinking about it from a more, you know, strategic, holistic way. So, everywhere in the region, again, more than half were, you know, or about half were already on their Zero Trust journey and the other half were kind of about to or embarking upon it. So, basically, everybody was investing, thinking about investing, or just starting to invest in Zero Trust. So, again, with the last few minutes that we've got today, what are your overall thoughts on what experiences are you hearing from customers around what is a buzzword, but what is also a real and proper way to go about solving a complex problem? Amanda? No, look, Ben, I have to mention this, because it's quite fascinating for me to have just discovered this. Obviously, every customer, as you say, is on this journey. And I discovered that Zero Trust was actually discovered and initiated and been campaigning since the 80s, Ben. There's a fellow named... Since before you and I got into cybersecurity. Isn't that amazing? Oh, it's fascinating, because this fellow, his name is John Kindervag. John Kindervag. He and I used to sit and chat about Downton Abbey together. He's a big Downton Abbey fan. Yeah, he's contributed to this book. And since the 80s, he's been campaigning on it. And only now are we actually listening to the poor guy. So, it's incredible to read some of that background, because it makes a lot of sense. He describes how he was installing PIX firewalls. And that was one of the first, obviously, real big deal security tools. And the interfaces had trust levels, and you could only originate flows from a higher trust interface to another. And he was like, hang on, that's not going to work if somebody breaches your environment, right? And from that point forward, he's like, this trust model is not going to work. But again, it's interesting. It's since the 80s. And that's how long it takes people's mindsets to start to shift to do things differently and to be open to different things. And one thing that I would actually leave you with is that it's always good to think about what exactly are your crown jewels within an organization. Because I think when you think about what your crown jewels are, it then goes back to the very first topic that we talked about, right? Data features. Those crown jewels usually cover the most important data that you have in your organization. And then we can go about thinking about what the security guardrails that you want to put in place, what kind of visibility you want to be able to see out of these applications, and then be able to craft it from there. Right? So, that's definitely something that I do hear a lot in regards to Zero Trust. I'll just say thank you to both of you. Thank you, Amanda. Thank you, Zerong. That was cool. I think we learned a lot. I'd love everyone to read the survey. You can find the regional survey and your country data cuts here at this very easy to remember URL. And I'll just ask maybe Amanda and then Zerong, any last thoughts, last words for the audience before we wrap today? Yeah, look, for me, thank you so much, Ben. Thank you, Zerong. I've enjoyed chatting with both of you. I think just last thoughts is, again, we are always learning. We always need to be open -minded. We always need to think about doing things differently as well. I think that's a big part of our journey, to be honest. And especially since I've learned that the Zero Trust architecture has been around since the 80s, Ben. This is rather worrying for me. There you go. Good. Zerong, I love you. Yeah, I had a lot of fun too. Amanda, Spencer, thank you very much. Zerong, Tam, thank you very much. Thank you to everyone. And we'll see you again soon. Bye-bye.