The cybersecurity threat landscape is being reshaped by new forms of attacks from threat actors, who are continually refining their tactics, techniques and procedures.
With AI, they are now able to exploit technological weaknesses and target human vulnerabilities. In Asia, for example, Proofpoint said generative AI is being used in phishing attacks and personalised emails across multiple languages, such as Korea and Japan, where email fraud has risen more than 30 per cent year-on-year. In Asia Pacific and Japan, 10 million phishing simulation emails were sent in 2024.
The human factor also remains our greatest vulnerability. Verizon’s latest data breach investigation report, which covered 139 countries globally, discovered that almost three-quarters of breaches can be attributed to human actions or inaction – whether by mistake, manipulation, or malicious intent.
What should organisations, CISOs and security decision makers do to counteract threats that are rendering traditional cyber defense methods ineffective? How critical is the need for a human-centric approach to our security and risk management?
Sumit Dhawan, CEO of Proofpoint, shares his thoughts with iTnews Asia on how the landscape has evolved and advises on how we can better address the evolving threats during his recent visit to Singapore.
iTNews Asia: The cybersecurity landscape seems to be getting worse. Year-on-year, attacks are more sophisticated, the scale is going up, and they are getting even more difficult to detect and complex to manage. The walls seem to be closing in for the CISO managing cybersecurity in this region. How do you see the cyber landscape now, and how has it changed over the years?
We started out as tools providers and these later transformed into firewalls. That proliferated into companies providing tools and technologies that moved towards a cyber architecture, where strategic platforms were integrated and interconnected. That was the previous landscape.
What’s happening now is that the terrain of how people work and the applications they use has changed. People are mobile, work sites have changed, and applications are used everywhere. The threat and cybercriminal landscape have fundamentally changed.
Everything we are looking at now – be they languages, size of the company, how the business is operated et cetera, they’ve all been neutralised by the combination of GenAI and crypto. A threat actor can use sophisticated tools to launch targeted attacks and to do them in volume.
iTNews Asia: How should organisations here prepare for this new threat landscape?
The only sustainable approach for any enterprise, anywhere globally, is to have at least three runtime platforms. They must have a defence in depth - you need to have something that's preventive, can detect and respond, and can protect your last line of defence, which is your perimeter.
These three technology platforms need to work together. We are the only one of the top five cybersecurity companies (with over $2 billion in software revenue) that does preventive. The others are doing perimeter solutions, which are network, such as SASE or detection and response. We all interoperate and integrate with the customer environment to help them build their cyber architecture.
iTNews Asia: What does preventive cover? Are people still the weakest link?
The preventive part of cybersecurity is mostly socially engineered threats, targeting people and data that potentially can be leaked. Often, it's a people-related issue or problem, caused by accidental or malicious attempts and people leaking data.
I’m not sure if people are the weakest link, but they are the biggest targets. I would argue that it's the defence of people that's the weakest link.
If your organisation doesn’t defend properly with the best possible solution, then that's your weakest link. You can't deflect the problem if you're a cybersecurity professional and say it's the people's problem.
- Sumit Dhawan, CEO, Proofpoint
People have vulnerabilities and are being targeted. There are technologies and solutions available to defend them and build their resiliency. Their behaviour can be addressed through training, simulations, gamification and (understanding) how they will handle those threats when they reach them.
iTNews Asia: Would you say addressing these vulnerabilities is the hardest part?
It’s the hardest and most important part. The Verizon study showed that more than 70 percent of threats are targeted at people. A large majority of ransomware or any kind of malware detected, are coming from people.
So, a good question to ask is ‘Why are you focused on downstream problems when upstream you haven't built the best possible defence?’
iTNews Asia: Are the threat actors using AI more efficiently or finding loopholes, and using it quicker than companies that are trying to stop them?
The volume of threats (coming from AI) is high. In Asia, the volume of threats in certain locales and languages is exponentially high. Unless you believe that all of a sudden threat actors are learning Japanese and Korean overnight, there has to be some tooling that they're using for writing sophisticated attacks in new languages. There's a reason why they're also launching attacks on India and other ASEAN countries.
Crypto has neutralised (the threat) where it is now easy to take (money) out. It used to be that US dollars and euros were easy to launder. With crypto, it doesn't matter. You can't trace it. You can target any country and any business now. There's no fingerprinting that can make us point to threats that were written by Gen AI.
Logic suggests that tooling has made it easy and (explains) why the volume of sophisticated threats has exponentially increased in new countries, new locales and new languages in this region.
iTNews Asia: How has AI – for instance using social media, social engineering methods – transformed the way we think of threats? What do we need to do to better protect ourselves?
AI has made social engineering easy. Our supply chain and commerce are managed digitally. Contracts, financial payments and money are handled and transferred digitally. With social media, information proliferates on the internet and through different media networks.
The threat actors can leverage all that – they can use the power of AI to create sophisticated attacks. The attacks are not only email-based, they are across multi-channels, and it’s not just you, but your suppliers, who may be attacked. How do you protect yourself from that?
It's not just your identity from a corporate Active Directory perspective that you should worry about, it's your identity that's in all SaaS applications that may be impacted. You also need to worry if your employees are using their corporate credentials to log into unsanctioned apps.
That's why a tool-based approach is impractical. You don't want to have a tool for third party risk, a tool for email, a tool for WhatsApp or Facebook, a tool for sort of training and simulation, a tool for account takeover, and so forth.
These are capabilities that can be in a single platform, and you can choose to activate them as a roadmap. Otherwise, you're always behind.
The threat landscape has grown and AI has given cybercriminals the ability to attack an enterprise in a million ways.
iTNews Asia: We’ve heard about the case of the Hong Kong company transferring millions of dollars from what was apparently a deep fake video call. How do you think that happened? Is this a sign of something we should be more concerned about?
There will always be highly sophisticated attacks that will emerge. Let me use an analogy as advice for CISOs. There may be plenty of crocodiles in this region, and there may be a new breed which has sharper teeth. But how many people are killed by crocodiles? How many people die from malaria in this region? A lot more people die from a mosquito bite than from crocodiles.
Don't ignore the fact that more people die from malaria. We know that 75 percent of threats that are targeting humans are mostly created using AI, not from sophisticated deep fakes.
It's very easy to be distracted with the most sophisticated threats, it's on top of their minds, but at the end of the day, what local CISOs should care about are the fundamental threats that are occurring every day.
iTNews Asia: Do we also look deeper into how to protect the data that's being lost? I read recently that it in a data breach, it took only 72 minutes to penetrate the organisation, get into the system and steal all the data. That’s just slightly more than an hour.
This problem is real and you have to detect it and there's network technologies that prevent it. That's why your last line of defence and detection and response technologies are there.
An interesting statistic, however, is most data is not stolen by malware, it is leaked by humans.
We have to prevent the biggest source of data loss, which is humans.
One problem now is people are mobile and working shorter. They're creating data in the cloud, emailing and sharing it with more people than ever before. This is creating a huge risk. We’re not talking about a malicious insider, but accidental behavioural insider risk.
That's what we do, we analyse user behaviour using every metric that's already tracked in the current systems. We’re aggregating it, correlating it and using our intelligence on insider threats. We’re predicting what is likely to lead to a risk of data exfiltration. We're looking at behaviours that we are able to prevent.
iTNews Asia: Do you see the countries here in the APAC region going through a learning curve and a cycle that's similar to the US, which is today more mature in their cybersecurity defence?
APAC is less sophisticated. They are using rudimentary tooling for human-centric security. Sometimes they are homegrown, sometimes it’s network-based tooling. The sophisticated requirements of having the same degree of protection for human-centric threats is now much higher in the APAC region than it ever was, and we're in the early stages.
Our business in the region is growing at 2.5 to 3 times the growth of our global business. Our global business is growing double-digit into the teens. So clearly, there is a huge demand in this region.
That's also why we launched a sovereign data centre solution in Singapore. We're going to do the same thing in other parts of the region very soon. We have one in Australia. We're serving the customers in Japan through localised solutions.
iTNews Asia: Are there industries or countries or sectors that perhaps are more vulnerable?
I think banking and financial organisations are naturally more vulnerable. I'd also say digitised businesses, which do a lot of supplier coordination and digital communication in their financial exchanges.
I will also include retail, manufacturing and government, where they have a lot of connectivity in their supply chains. They are more vulnerable because you can attack and compromise their suppliers.
iTNews Asia: You’ve met several customers during your visit to Singapore. What do you think about the more traditional companies who are not as digitised or resilient in their cyber defence? Is it harder for them because they lack the visibility to understand how the threats are coming?
I spent some time with a large Singaporean company that's was in a very traditional industry of paper and energy. They are very interested in strengthening their defence and improving detection.
The most traditional companies, who are conservative about adopting the cloud and digitisation, are just as concerned about data loss, privacy, and ransomware. They're saying that even if a single ransomware attack shuts down its OT, their business shuts down. They are so protective of their brand, reputation and image.
If a ransomware event happens, they have no option but to pay because they would never want to leak this.
iTNews Asia: What can they do to counter these threats?
I think the best thing they can do is leapfrog. I think the biggest risk that CISOs can fall into is to go after tools, which is often what they do. When you try to solve problems with tools and go through RFPs, it’s a dreadful cycle because they will continue to pick tools and they won't leapfrog. They will never build a platform or architecture if they continue to prioritise their problems around buying a tool to solve them.
I would strongly recommend for CISOs in the region who are farther behind to build a strategic roadmap in three key areas – preventive, detect and respond, and SASE. Work with strategic partners that will help them build a roadmap for success.
They can look at enabling capabilities in the roadmap in parallel with ownership from three or four leaders in their organisation that will own it, and build it with a set of strategic partners.
(In this way), you're not relying on a single vendor. You're not sort of putting all your eggs in one basket. You've got three strategic technology platforms that are integrated together.
iTNews Asia: Given the outlook and the threat challenges, what are you telling your customers and how are you advising them on their security posture?
Firstly, we advise everyone to start a human risk programme. The foundation of human risk can be set up in two parts, threats and data loss. Aggregate that to human risk and measure human risk on how your threats are coming in and how your data loss is happening.
Secondly, build an architectural and platform approach.
Thirdly, ensure that all of this is architected into the broader cybersecurity architecture.
Take a tiered approach so their cybersecurity challenges can be addressed strategically.
