Recent years have seen something of a return to normality for organisations around the world. As the pandemic disruption subsides, staff and security teams are much more comfortable in hybrid and remote working. 

Unfortunately, cybercriminals are very comfortable in this environment, too. With a much larger and more disparate attack surface before them, many have honed their skills, developing increasingly targeted and creative ways to infiltrate networks, compromise identities and expose data. 

Such is their success that Proofpoint's State of the Phish Report 2023 found eight in ten organisations globally experienced at least one successful email phishing attack last year. And the picture here in the Asia Pacific and Japan (APJ) region is not much brighter. 

Australian organisations reported the highest rate of phishing incidents, with 94% experiencing an attack. Meanwhile, despite reporting the fewest phishing incidents, 64% of Japan's organisations still suffered the same fate. 

Of course, there is little the region's security teams can do to stop tenacious cybercriminals targeting their organisations with phishing, ransomware, and other common threats. But with these attacks increasingly focusing on people rather than infrastructure, much more can be done to equip users to keep them at bay.   

Understanding the APJ threat landscape

Any effective cyber defence strategy must be tailored to the threats that users are most likely to face. And while incidence rates differ slightly from country to country, here in the APJ region, phishing, Business Email Compromise (BEC), ransomware, and supply chain attacks lead the way. 

Australia is in the crosshairs of cyber criminals more than most on all four counts. As well as almost 100% of its businesses seeing phishing attempts, 90% of those surveyed also experienced BEC, 86% were hit with ransomware, and 80% reported a supply chain attack. 

As the region's largest and most digitally mature market, Australia seeing common threats in greater numbers is by no means surprising. That English remains the most popular language for email-based attacks, only compounds matters further. 

At the other end of the scale, South Korean organisations report the lowest prevalence of the four most common attacks: Phishing (56%), BEC (52%), ransomware (66%), and supply chain (52%). Meanwhile, Singapore and Japan take second and third billing across the board. 

While the language barrier certainly plays a part here, too, attitudes around corporate culpability are also likely to have an impact. In some areas within the APJ region, it may be less culturally acceptable to admit to a security breach, leading to underreporting. 

Whatever the facts behind the figures, one thing is clear. Businesses throughout Australia, Japan, Singapore, and South Korea face a barrage of increasingly sophisticated people-focused attacks. Any effective defence must, therefore, put people at its heart. But are users up to the task? 

Plugging the awareness gap 

While technological protections form a fundamental part of any cyber strategy, no tool is infallible. When threats do breach your perimeters – and they will – your people quickly become the last barrier standing between a cybercriminal and your networks, systems, and data. 

The good news is the APJ's people perimeter may be better equipped for the job than many others around the world. Users in the region demonstrated a greater understanding of common cybersecurity terminology than the global average. 

Almost two-thirds (65%) correctly defined phishing, with 48% understanding ransomware and 66% familiar with malware. Globally, these figures were 58%, 40%, and 69%, respectively. 

But despite the positives, this leaves anywhere between 35% and 52% of your last line of defence unaware of the most common attacks they are likely to face. And when we dig deeper into training programmes across the region, it's not difficult to see why so many are found wanting. 

In terms of scope, Australia and South Korea head the pack with 67% and 66%, respectively, conducting awareness training with every member of their organisation. Singapore (54%) and Japan (44%) fall below the global average of 56%. 

Training should absolutely be tailored and targeted at those most at risk. However, with cybercriminals always on the lookout for new ways into your organisation, it's vital that everyone, at all levels, is taught how to stop them in their tracks. 

Building a people-centric defence 

While the threat landscape shares many similarities across the world, this year's State of the Phish Report makes clear that each country faces specific challenges within it. Challenges arise for several reasons, be it cultural differences, language barriers or propensity to conduct companywide training. 

The only way to protect people and defend data in such a nuanced environment is to develop a cyber strategy tailored to real-life threats and user risk. This starts by determining who in your organisation is most exposed to attack, whether due to access privileges, job role or poor security awareness. 

From here, you can put protections in place where they are needed most. As well as tools and technological barriers, this tailored defence must include regular, comprehensive security training in context with the threats of the day. 

The more your users know about the attacks they face, how they will encounter them and their role in defending against them, the better placed they are to protect your organisation. The result is an ingrained workplace security culture – where best practice becomes the norm rather than an aim.