Press release

19 Mar 2020 Kuala Lumpur, MY

Businesses consider cybersecurity as an afterthought despite growth in attacks, EY survey finds

MALAYSIA, 19 MARCH 2020. Despite the overall growth in cyberattacks, less than half of organizations surveyed (SEA 43%, global 36%) say the cybersecurity function is involved at the planning stage of a new business initiative.

  • 59% of organizations (Southeast Asia [SEA] and global) saw more attacks in the past year but only 43% in SEA (global 36%) involve their cybersecurity function in the early stages of any new digital initiative
  • Six in ten (59%) of SEA organizations (global 48%) think their boards have the required understanding to really evaluate cyber risks
  • Activist attacks are the top most common motive for cyber attacks in SEA (and second top motive globally)

Despite the overall growth in cyberattacks, less than half of organizations surveyed (SEA 43%, global 36%) say the cybersecurity function is involved at the planning stage of a new business initiative, according to the EY Global Information Security Survey (GISS).

This year’s GISS surveyed almost 1,300 cybersecurity leaders at organizations worldwide, including 76 across SEA that covered Singapore, Malaysia, Philippines and Vietnam. The survey showed that 59% of organizations (SEA and global) have faced an increased number of disruptive attacks in the past 12 months.

Gerry Chng, EY Asean Risk Leader comments:

“Successful security breaches on companies are now becoming commonplace and most have realized that despite their best efforts, a determined perpetrator will be able to cause some form of disruption, directly or indirectly.

As enterprises leverage emerging technology to transform their businesses to meet customers’ evolving expectations for 24/7 on-demand services, such disruptions today go beyond mere inconvenience. Enterprises could suffer short-term loss of revenue and longer-term impact on customer trust and brand equity.”

Moreover, cyber threats are increasingly being driven by social activism instead of traditional motives such as financial gain. Over the last year, in SEA, activists were responsible for 20% (global 21%) of successful cyber attacks, followed closely by organized crime groups at 19% (global 23%). Activist threats pose a new challenge to Chief Information Security Officers (CISOs), who now have to recognize and be ready to manage this new threat motive.

Kris Lovejoy, EY Global Cybersecurity Leader, Advisory, says:

“Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design. This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the CISO to act as a consultant and enabler instead of the stereotypical roadblock.”

Critical role of CISO in engaging the board and rest of business

The survey found that board-level awareness and support for the cybersecurity agenda is higher in SEA markets, compared to the rest of the world. More than half (59%) of SEA organizations (global 48%) believed that their boards have the required understanding to evaluate cyber risks. As well, 76% of SEA organizations (global 72%) agreed that their boards see cyber risk as significant.

However, CISOs in this region – as well as globally – can do more to drive traction in board communications and work on gaining better representation on boards. Less than half (47%) of SEA organizations (global 54%) regularly schedule cybersecurity in their board agendas. Only in four in 10 organizations (SEA 37%, global 36%) have a Head of Cybersecurity who is also a member of the board or executive management team.

While CISOs need to drive engagement at the board level, they must not forget to invest in building relationships across the business. According to the survey, while cybersecurity teams generally have good relations with adjacent functions such as IT, audit, risk and legal, there is a disconnect with other parts of the business.

Only 37% of SEA organizations (global 59%) said that the relationship between cybersecurity and the lines of business is, at best, neutral, if not mistrustful or non-existent. Forty-six percent of SEA respondents (global 57%) said the same for the Finance function, on which they depend  for budget authorization, while 58% of SEA organizations (global 74%) shared similar sentiments with the Marketing team. 

Jason Yuen, Malaysia Cybersecurity Leader, Ernst & Young Advisory Services Sdn Bhd shares how CISOs and the business can work together to close the gap:

“The role and function of the CISO is relatively new in Malaysia, with Bank Negara leading the way in mandating the establishment of the CISO role in financial institutions. CISOs should focus on building a common understanding of cybersecurity, risks and their value proposition. A key skill that will be required is the ability to keep complex technology and cybersecurity issues simple. Business owners on the other hand need to recognize that with the continual opportunities and innovation offered by deploying technology, cybersecurity risks and issues are not going to go away. Both sides will therefore need to work together to effectively manage cybersecurity.”

In addition to relationship building, CISOs need to effectively manage operational issues. Currently, the most challenging aspect of managing cybersecurity operations is procuring or justifying budget (SEA 18%, global 17%), followed by proving to the board and C-suite that cybersecurity is performing in line with expectations (SEA 14%, global 22%).


Notes to Editors

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation is available via For more information about our organization, please visit

This news release has been issued by Ernst & Young Advisory Services Sdn Bhd, a member of the global EY organization.