Chinese companies respond to global cyber threats by increasing spending on cybersecurity, EY survey finds
Shanghai, 27 March 2018
- Organizations are increasingly hyper-connected and this connectivity exposes them to a high risk of cyber attacks.
- Innovative organizations able to be imaginative about the nature of potential future threats can build agility into their cybersecurity so that they can move fast when the time comes.
- In addition to dealing with various types of attacks and threats, Chinese organizations must keep up with the increasingly stringent regulatory requirements and pay close attention to compliance risks.
EY has officially released its 20th Global Information Security Survey (GISS): Cybersecurity regained: preparing to face cyber attacks. For the 20th consecutive year, the annual survey examines the most important cybersecurity issues facing organizations today. This year, the report shows that organizations are increasingly hyper-connected and that this connectivity has exposed them to a high risk of cyber attacks.
Findings reveal that most organizations continue to increase their spending on cybersecurity, with more than 90% of respondents saying that they expect to have a higher budget this year, higher than last year’s 55%. Mounting threat levels require a more robust response, and 87% of the surveyed organizations said that they require up to 50% more budget. However, only 12% expect to receive an increase of more than 25%. All of the respondents in Greater China (including mainland China, Hong Kong, Macau and Taiwan) have maintained or increased their budgets over the past 12 months and will do so over the next 12 months, while 4% of the global respondents choose to decrease their budgets on cybersecurity.
The survey of nearly 1,200 C-level leaders of the world’s largest and most recognized organizations examined some of the most urgent concerns about cybersecurity and their efforts to manage them. Paul van Kessel, EY Global Advisory Cybersecurity Leader, says: “The increasing hyper-connectivity and waves of new technology, while creating huge opportunities, introduce new risks and vulnerabilities across the organization. Not only can data and privacy be easily attacked, but the Internet of Things (IoT) also exposes the organizations’ operational technologies to attackers, offering them an opportunity to shut down or subvert industrial control systems. Therefore, as organizations transform into the digital age, they must examine their digital ecosystem from every angle to protect their businesses today, tomorrow and far into the future. The most successful recent cyber attacks employed common methods that leveraged known vulnerabilities of organizations.”
Richard Watson, EY Asia Pacific Advisory Cybersecurity Leader, says: “In a complex and evolving landscape, it can be difficult to see the wood for the trees. The cybersecurity threat is often well camouflaged, hidden in plain sight. While all organizations discuss cybersecurity in their boardrooms, often making huge investments, it is not always clear which problem they’re solving.”
Most of the surveyed organizations also realized that those that fail to devote the resources necessary for adequate cybersecurity will find it very difficult to manage the risks they face. 56% of respondents say either that they have made changes to their strategies and plans to take account of the risks posed by cyber threats, or that they are about to review strategy in this context. However, 20% of the respondents admit that they are not fully aware of the need to assess current cybersecurity impacts and vulnerabilities.
Keith Yuen, EY Greater China Advisory Cybersecurity Leader, says: “It is a kind of very forward-looking behavior to consider the information security implications of their current strategy, and that their risk landscape incorporates and monitors relevant cyber threats, vulnerabilities and risks. This will be the new trend of enterprise risk management in the future. Putting cybersecurity at the heart of an organization’s strategy will help maintain and even enhance the trust of consumers, regulators and the media.”
Understanding the threat landscape
Nowadays, all organizations are digital by default. Their business operations reflect the cultural traits, technology and processes of the Internet era. The digital landscape is vast, with every asset owned or used by the organization representing another node in the network. Cyber attackers can be either indiscriminate or highly targeted, attacking large and small organizations in both public and private sectors.
The numerous ransomware incidents that occurred in 2017 have had a major impact on businesses around the world. The EY survey shows that 43% of the global organizations surveyed considered ransomware the biggest threat to them, topping the list with phishing emails. This is significantly higher than the 16% (malware) and 12% (phishing emails) in Greater China.
Looking at loopholes, Chinese respondents said that the most likely source of attack is hackers (54%), followed by careless members of staff (50%) and malicious employees (47%). However, the global survey has quite different findings: careless members of staff (77%), criminal syndicates (56%) and malicious employees (47%).
Pay attention to compliance risks and create a structured defense system
Winson Woo, EY Advisory Cybersecurity Partner, says: “Organizations are likely to be confronted by a wave of attackers of varying levels of sophistication, and they can and must fight back. The response must be multilayered: focused on repelling the most common attacks/threats that the organization is more confident of defending against, but also conscious that a more nuanced approach is necessary for dealing with advanced and emerging types of attack. As some of these attacks will inevitably breach the organization’s defenses, the focus needs to be on how quickly they are detected, and how effectively they are dealt with.”
55% of the Chinese businesses surveyed said that in the next 12 months, they will treat DLP (Data Loss Prevention) as a high-priority cybersecurity task, followed by business continuity/disaster recovery (42%) and privacy protection (39%). These three figures are much higher than those of the global respondents, at 11%, 11% and 20% respectively. This is closely related to the China Cybersecurity Law – China’s first law involving cybersecurity and privacy protection – which became effective on 1 June 2017. In addition to dealing with various kinds of attacks and threats, Chinese organizations must keep up with and understand the increasingly stringent regulatory requirements and pay attention to compliance risks.
Emergency service: responding to an attack
Organizations are wise to operate on the basis that it will only be a matter of time before they suffer an attack that successfully breaches their defenses. Having a cyber breach response plan (CBRP) that will automatically kick in when the breach is identified represents an organization’s best chance of minimizing the impact. But a CBRP must span the entire organization and it must be led by someone with the experience and knowledge to manage the organization’s operational and strategic response.
Gary Gu, EY Advisory Cybersecurity Partner, says: “We believe that in the future, businesses will collaborate and work with each other to share knowledge to help increase cyber resilience. It is imperative, therefore, that organizations move beyond thinking about cybersecurity as an IT issue, and focus on good cybersecurity governance and security-by-design.”
- Ends -
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
This press release is issued by the EY China practice, a part of the Ernst & Young global network.
EY speakers attend the press conference in Shanghai.
Keith Yuen, Winson Woo, and Gary Gu attended a group interview with several mainstream media.
From left to right are Gary Gu, EY Advisory Cybersecurity Partner, Winson Woo, EY Advisory Cybersecurity Partner, Paul van Kessel, EY Global Advisory Cybersecurity Leader, Richard Watson, EY Asia Pacific Advisory Cybersecurity Leader, and Keith Yuen, EY Greater China Advisory Cybersecurity Leader.