
What Sophos sees in the next wave of cyber threats

The ads look simple enough. Printed in Arial, easy to read, made for everyone to see. Even casual gamers stumble upon these Facebook GIFs, set to the tune of buzzing gunfire in the background, almost as if the ads were created to land subliminally. But what cybersecurity firm Sophos says, one way or another, in these little reminders is real: cybercrime is out to get us.

While enterprises remain the primary targets, our personal data is just as exposed. No longer confined to lone hackers or mysterious digital backdoors, cybercrime has morphed into something faster, slicker, more scalable. That’s the assessment of Sophos, which has been tracking the escalation of bot-driven attacks, automated threat campaigns, and the subtle breakdown of traditional defenses.

This shift is particularly pronounced in regions like Asia Pacific, where digital transformation has outpaced security preparedness, exposing schools, small businesses, and government institutions to an increasingly commercialized underworld of ransomware and phishing-as-a-service kits.

To understand this evolving threat landscape and how organizations can prepare, PhilSTAR Tech sat down with two of Sophos’ senior leaders: Torjus Gylstorff, the company’s Chief Revenue Officer, and Aaron Bugal, Field CISO for Asia Pacific and Japan. Their insights suggest that cybercrime is more than a technical issue, and we delve deeper into why they believe it’s a strategic one.

From hobbyists to cybercrime-as-a-service

Aaron Bugal has spent decades watching cyberthreats evolve. Today, he says, the biggest problems are the sophistication of these threats (how often they are disguised so as not to look like threats) and their scale. Tools that once required expertise are now widely available. “It’s industrialized,” he says: ransomware campaigns can now be launched using purchased kits, complete with customer service. This democratization of attack tools means that smaller, less-resourced organizations like local government units, regional schools, and SMEs are increasingly in the crosshairs, and they often don’t know it until it’s too late.

But Bugal also points to a quieter, more insidious risk: what he calls “digital detritus.” These are the old routers, firewalls, and VPNs, many of them out-of-support and unpatched, still quietly running at the edge of many networks. In 2024 alone, nearly 30 percent of attacks exploited these forgotten devices. “It’s like leaving your back door open,” he notes, “because no one remembers there’s even a door there.”

The illusion of safety

Perhaps the most unsettling trend is that even good security hygiene is no longer enough. Multi-factor authentication, once the gold standard of login protection, is now being actively bypassed. Attackers are using phishing platforms to intercept authentication tokens in real time, creating a false sense of safety for users who assume that a 6-digit code is impenetrable.

A new wave of social engineering tactics has also emerged in the form of silly-sounding “shings,” names that may downplay the idea of an attack. There’s “quishing” or QR code phishing, then “vishing” (voice phishing), and email bombing. In many cases, these methods are not after systems, but normal people like us. The implication is that cybersecurity must extend beyond firewalls and into the realm of human behavior, policy, and education, where the goal should be anticipation and proactivity rather than waiting for an attack to be executed.

A defense pivot for Sophos

If any of that sounds grim, it’s because it is. But for Torjus Gylstorff, this moment represents an opportunity to redefine how security is delivered, cutting through the pain of organizations that are tired of juggling dozens of disconnected tools. “They want convergence,” he explains. “They want one pane of glass, one platform that tells the full story.”

This vision is already shaping Sophos’ trajectory. In a significant move earlier this year, the company acquired customer assets from Secureworks, a strategic play that Gylstorff describes as a “milestone” in strengthening Sophos’ Managed Detection and Response (MDR) capabilities.

Now supporting over 28,000 organizations globally, Sophos positions itself as a leading pure-play MDR provider, one that’s particularly attuned to the needs of high-risk sectors, including healthcare, retail, finance, and critical infrastructure, where the cost of failure is especially high.

Behind that strategy is Sophos Central, the company’s unified security operations platform. A dashboard in plain sight, it’s the nervous system for organizations juggling endpoints, cloud assets, and hybrid networks. For many, especially SMEs with limited in-house expertise, it means having AI-powered defenses and real-time threat visibility without the need for a full security operations center.

Asia Pacific at an inflection point

Gylstorff sees the Asia Pacific region as both vulnerable and vital. It’s a growth engine for digital transformation, but often one that lacks the security infrastructure to match. Sophos is betting on that gap, and investing heavily in closing it. 

With expanded MDR services, enhanced XDR capabilities, and deeper integration into sectors like manufacturing and government, the company aims to provide not just tools but strategic defense, especially for organizations with limited internal resources.

Sophos is also amplifying access to its threat intelligence, giving businesses in Southeast Asia better regional visibility and real-time threat insights. That kind of information sharing will be critical to leveling the playing field.

Unified future

What becomes clear in conversation with Bugal and Gylstorff is that cybersecurity’s future won’t be defined by any single tool or technique. It will be shaped by platforms that can integrate, learn, and act across attack surfaces and by companies that are nimble enough to evolve alongside the threats they face.

“The problem with fragmented security,” Gylstorff says, “is that it creates blind spots. The more complex your system is, the harder it is to see what’s happening.” And in a world where bots don’t sleep and threats don’t wait, visibility might be the most valuable asset of all.
