5 minute read 6 Oct 2020
Waves crashing against the Cliffs of Moher, Doolin, Clare, Ireland

How the cyber threat landscape is changing

By Richard Watson

EY Global and Asia-Pacific Cybersecurity Consulting Leader

Public speaker. Trusted advisor on cyber risk and digital trust. Golfer, traveler and dad.

5 minute read 6 Oct 2020
Related topics Cybersecurity GISS Risk

Cyber incidents can seriously impact the delivery of critical services, so why do some businesses still believe it will never happen to them?

In brief
  • The cyber threat landscape is constantly evolving.
  • The COVID-19 pandemic is having a direct impact on the increasing cyber risk level.

Cyberattacks make headline news and continue to exercise the minds of cybersecurity professionals around the world. Denial of service attacks, man-in-the-middle attacks, phishing and malware have become common parlance in a world battling with the challenge since the Morris Worm – which caused some 6,000 computers to crash and left a repair bill in the tens of millions of dollars. And that was more than 30 years ago.

Businesses can be divided into two parts – those that have been victims of a cyberattack, and those that have but didn’t yet know it. As businesses, organizations, and even governments have been victims of these cyber breaches, it is no surprise that our perception (if not the reality) of the danger is increasing.

The figures speak for themselves: the latest EY Global Information Security Survey revealed that almost half (48%) of all corporate boards believe a cyberattack or data breach will harm their businesses to some extent over the next 12 months. They also think that 40% of those attacks will come from organized criminal groups or social "hacktivists." This makes it challenging as we pursue digital opportunities to evolve our business models and increase operational efficiency.

This was the focus of the discussion during a webcast I recently hosted, Does cybersecurity only become a priority once you’ve been attacked?  Joining me for the discussion were my esteemed colleagues in cybersecurity, including Georgina Crundell, Associate Partner Cyber Assurance, Ernst & Young Australia; and Professor Lam Kwok Yan, Professor of Computer Science, Nanyang Technological University, Singapore.

Incidents can have minimal impact or be very disruptive

Contrary to popular belief, many cyberattacks do not occur for monetary gain but for other reasons. Georgina Crundell explains that "what they are doing is attacking an organization for the disruption it causes, or to aid their political agenda."

We know this to be true. Many of our clients have experienced disruption to their supply chains or have experienced a severe impact on critical services delivery. Manufacturing production lines can be brought to a total standstill, and months of valuable time and money lost in remediation, rather than investing in growth. 

Meanwhile, some prefer to speak about cyber "incidents" rather than cyber "crime."

An "incident" encompasses all the cyber threats that an organization needs to tackle – such as a breach – whereas an attack is more deliberate. Attacks can often be successfully defended against, while a breach is often caused by non-compliance with certain internet requirements, such as personal data being accessed without authorization. These are often deliberate attacks, but can also happen accidentally.

However the incident occurs, the damage can be significant. And the danger doesn’t always seem to come from an external source. Trusted insiders such as employees and third parties who have access to your systems and data are also a significant risk that can’t be overlooked.

But whether we talk about an "incident" or a "crime," "intended" or "accident," the need to "protect" is paramount. Visibility of cyber incidents still seems low – only 30% of organizations polled during the webcast reported a significant cyber experience in the last 12 months, suggesting that not all incidents are being identified or reported up to senior management. Increasing regulation, accelerating cybersecurity costs and protecting against potentially damaging and costly data breaches are fueling the issue’s "visibility" with the board, and enabling more investment.

Mounting regulation is indeed a particular challenge. Having an effective cybersecurity regime protects against financial and reputational loss. It also, of course, supports compliance in a regulatory environment that is often disconnected and confusing, and where the cost of getting it wrong can result in eye-watering fines.

The regulatory environment and cyber threat landscape are evolving

In Australia, for example, regulators are coming down hard in areas where they feel that an industry is not managing the risks appropriately, notably in the finance and energy sectors. In Singapore, laws and regulations are becoming more sophisticated, and the protection of personal data and digital identities is a focus. In China, security regulations are updated frequently, and across the Asia Pacific region, I detect a clear move towards sovereign protection. Some jurisdictions are more prescriptive than others, causing more than a few headaches for the larger multinational organizations to navigate their way through.

Similarly, the regulatory environment is constantly evolving, so the cyber threat landscape changes as we embrace a digital world. Consumers are becoming more aware of their privacy, and the increased risk of mobile devices and the Internet of Things delivers greater connectivity. With everything being interconnected, attacks are becoming more frequent and intense, and ransom demands are on the rise. 

The elephant in the room – the COVID-19 pandemic – is also having a direct impact on risk. EY surveyed the impact of the COVID-19 crisis on cybersecurity operations. More than 80% of security leaders surveyed reported some disruption to day-to-day security operations due to the pandemic. Remote working was a challenge, as was the need to implement new business models without the due diligence that might typically be expected in a digital transformation program.

Find out what you don’t know and prioritize

Whether cybersecurity only becomes a priority after you’ve been attacked is a moot point. Professor Lam Kwok Yan believes that even if you don’t have the time and resources to control cyber risks immediately, you should find out what you don’t know and prioritize accordingly.

Targeting investment to identify and mitigate the highest risk is a sensible strategy, and Security by Design the new imperative: "This is especially true," he says, "in an age where the threat environment is a lot more complicated and extremely challenging."

Most seem to be taking his advice. Over half the organizations (56%) we polled during the webcast say they have a clear cyber assurance program or strategy in place. Perhaps the statement regarding taking action only after a cyber breach may have been historically true, or perhaps their investment was prompted by previous bad experience. 

Whatever the case, it still leaves 36% who have a plan or are talking about developing a plan, but that plan is yet to be put in place, and an alarming 8% think it will never happen to them.

The frightening thing is that it will happen to them, for no organization is immune. And as the adage has it, failing to plan is planning to fail.


The rising threat of cyber incidents can pose financial and reputational damage. However, many businesses are failing to protect themselves from potentially catastrophic harm.

About this article

By Richard Watson

EY Global and Asia-Pacific Cybersecurity Consulting Leader

Public speaker. Trusted advisor on cyber risk and digital trust. Golfer, traveler and dad.

Related topics Cybersecurity GISS Risk