To help IT defenders and CISOs keep their sights on the cyber threat radar, here are the five R’s that EY’s experts have curated:

1. Reduce ransomware risks
   2022 was undoubtedly the year of the data breach. Hackers penetrated cyber defenses and stole customer data across the region, but data breaches in Australia captured the most headlines and political headspace.

   Up to 12m Australians had their data exposed last year, and a treasure trove of personal information — including login credentials for government services — are now being sold on the Dark Web for as little as US$1. The real damage will unfold in 2023. Even more worrying: the success of cybercriminals in 2022 may encourage even less resourced amateurs to step into the ring.

   How do organizations respond? They start by simulating cyber incidents to investigate the effects of a real-world attack. Find out what happens if your critical systems are out of service or key data is locked up through ransomware. Are you investing enough to safeguard your systems and data?

2. Ramp up regulatory measures
   Regulators across APAC continue to ramp up cybersecurity measures that place the onus on businesses to invest and comply.

   For instance, the Australian Government is considering tougher financial penalties for “serious or repeated privacy breaches” with fines up to AU$50m. Japan’s data protection laws have been bolstered to match Europe’s GDPR. China’s Personal Information Protection Law has been in effect since November 2021 and organizations need to comply with the law when using the data of Chinese citizens. In Singapore, from 1 October 2022, firms that breach the Personal Data Protection Act may face fines of up to SG$1m or, in the case of large firms, 10% of their annual turnover in Singapore.

   In response to this policy tightening, firms across the region can take their cues from the financial services sector. Regulation has driven 15-plus years of investment in robust cyber defenses, and the financial services sector has withstood cyber threats better than other industries.

3. Reposition the role of the CISO
   In the past, CISOs have sometimes struggled to make themselves heard, because their cybersecurity teams were often (around 56% of the time, according to 2021 data) not consulted at all, or until it was too late.

   The lessons of 2022 will encourage boards to see cybersecurity not as a technical issue — as it has been viewed historically — but as a business opportunity.

   Firms that can bake security into every aspect of their business will be safer and can offer better user experiences.

4. Rethink resilience
   The pandemic has sharpened the world’s focus on economic, supply chain and national resilience — and cyber resilience should be no different.

   How organizations sustain operations and survive in the face of a concerted cyber incident is a huge challenge — but the bigger picture is national security.

   What happens when, without safeguards in place to protect critical infrastructure, the lights go out or the power grids go down?

   With everything from telecommunications to air traffic control and border security to banking exposed to cyber risk, APAC countries must start to look at cybersecurity through a national capability lens.

   This is a whole-of-business, whole-of-economy, whole-of-society problem — and it needs to be led by a whole-of-government response.

5. Reframe security systems
   Quantum computing is possibly the world’s new Y2K crisis, as it has the potential to crack the encryption keys that much of the world’s online commerce relies on for security today.

   This may be five or 10 years away, but it certainly demands a fundamental rethink of how we approach encryption, including the use of quantum computing itself as a defense.