How Regional Regulations Shape Global Cybersecurity Culture

COMMENTARY

Cybersecurity regulations differ across regions, as does the level of security culture. As a result, cybercriminals are better able to take advantage of weak spots arising from the lack of a global governing cyber alliance. We remain scattered when it comes to overarching procedures and cybersecurity response. From North and South America to Asia, Africa, Europe, and Oceania, cybercrime is prospering within the regulatory gaps.

To bridge these gaps, governments worldwide must collaborate closely to come to a consensus on how to deal with cybersecurity incidents. Unfortunately, this is not the kind of thing that will happen immediately. But by understanding the state of global security culture and regulation, we can point ourselves in the right direction. 

The Americas

While the emphasis of security culture in North America has resulted in changes to cybersecurity best practices, there are still plenty of major cyberattacks hitting the news. Ransomware events against MGM and United Healthcare show that even as the workforce improves its level of security awareness, there is a long way to go.

Security culture in South America is even more spotty. The varying levels of development across South American countries means cybersecurity companies will avoid investing too much effort in a less prolific region. Additionally, while there are some key regulatory requirements within South America, the lack of consistency across countries there puts the continent at a disadvantage. Though Colombia may be one of the more prepared countries with its strong outline of cyber strategies in its National Council of Economic and Social Policy, the region as a whole is not.

Africa & Europe

Africa, which has up to 2,000 unique languages and a quickly growing population, is rapidly adopting technology. African organizations have also experienced the most growth in cybercrime over the past couple of years. With such a quickly evolving environment, security culture will take a while to catch up.

While various African countries boast cybersecurity legislation, the African Union's Convention on Cybersecurity and Personal Data Protection has only been ratified by 15 of the 55 countries. This is concerning, since the South African Council for Scientific and Industrial Research predicts an increase in cyberattacks against critical infrastructure and government organizations.

In Europe, security awareness increasingly is gaining traction, but a range of attitudes toward cybersecurity culture remains.

While European cybersecurity regulations seem to be on track — for example, the well-established General Data Protection Regulation (GDPR) as well as the Digital Operational Resilience Act (DORA), which will be effective in 2025 — the truth is that many organizations haven't taken substantive efforts to develop a security culture, leaving them vulnerable to cyberattacks.

Asia & Oceania

Cybersecurity across Asia varies widely due to Asia's diversity of culture and languages.

While legislation like the Association of Southeast Asian Nations (ASEAN) is a great step at unifying portions of the region, Asia is fragmented, and will likely remain so for some time. This is unfortunate timing, as the Allianz Commercial Risk Barometer for 2024 predicts ransomware, malware, and social engineering to be the highest risks facing Asian organizations.

While Oceania is taking some important steps in solidifying a strong cybersecurity culture, the region has a long way to go. However, due to recent data breaches in the region — Latitude Financial, Optus, and Medibank — cybersecurity is considered more of a shared responsibility.

Additionally, the Australian government has implemented various cybersecurity awareness campaigns teaching citizens how to remain abreast of cyber threats. Meanwhile, Australia and New Zealand have each released their own cyber-strategy policies, which encourage cyber resiliency and foster security culture.

Global Cyber Cooperation

The ultimate solution, however idealistic, is for an overarching governing body to regulate and campaign for cybersecurity across the globe. In conjunction, each region should have its own consistent regulatory requirements. But that will take time.

In the meantime, individual organizations and individuals themselves can do various things to protect themselves in the face of increased cyber threat. It all begins with a strong security culture. While it may be more difficult for some organizations, the basis for a robust security culture is for everyone involved to feel responsible for their workplace, their city, their country, and so on.