Press release

17 Aug 2021

EY Study: Adoption of telework in pandemic highlights problems related to the underfunding of the cyber defense area

  • 56% of respondents say that businesses have sidestepped cyber processes to facilitate requirements around remote working
  • 77% of respondents warn of an increase in the number of disruptive attacks
  • 39% warn their organization’s budget is not adequate to manage new challenges 

Adopting to new working practices, as a result of the COVID-19 pandemic, has businesses exposed to more and increasingly sophisticated cyber attacks and brought underfunded cyber defenses into the spotlight, according to the EY Global Information Security Survey 2021 (GISS).

This year's GISS, which surveyed more than 1,000 cybersecurity leaders at organizations worldwide, finds that more than half (56%) say that businesses have sidestepped cyber processes to facilitate new requirements around remote or flexible working. At the same time, cyber leaders say they have never been as concerned as they are now about their ability to manage the cyber threat (43%) with more than three in four (77%) warning that they have seen an increase in the number of disruptive attacks, such as ransomware, over the last 12 months (compared to 59% in previous year’s GISS).

Cybersecurity budgets are out of sync with need

Despite the growing threat of cyber attacks, cybersecurity budgets remain low relative to overall IT spend, according to this year’s GISS. While respondents’ organizations had average revenues of US$11b in the last financial year, the average spend on cybersecurity was just $5.28m.

Almost four in ten respondents (39%) warn that their organization’s budget is below what is required to manage the new challenges that have arisen in the last 12 months. The same percentage say that cybersecurity expenses are not factored adequately into the cost of strategic investments, such as an IT supply chain transformation. At the same time, more than one-third (36%) say it is only a matter of time until their organizations suffer a major breach that could have been avoided had there been more appropriate investment in cybersecurity defenses.

Building relationships with the C-suite can turn crisis into an opportunity

The essential relationships between cybersecurity leaders and other functions in the business, lack positivity and strength, according to the 2021 GISS.

Responding cyber leaders (41%) describe their relationship with the marketing function as negative, while 28% say their relationship with business owners is poor. As a result, while 36% of respondents in 2020 were confident that cybersecurity teams were being consulted at the planning stage of new business initiatives, this figure has fallen to 19% in 2021. Just 25% think senior business leaders would describe their organization’s cybersecurity function as commercially minded.

While CEOs are on a path to realize their vision and transform their business through technology, they can’t afford to turn a blind eye to the cyber risks this poses. At the same time, it falls on CISOs to ensure that CEOs have the right understanding of the value that investing in cybersecurity brings and that they recognize that as an integral part of the transformation journey.

Specific aspects for Romania

The major investments that have taken place in the last 10 years in the IT area for Romania have led to a standardization of working practices and procedures in the area of cyber security similar to those in Western Europe and the USA. The experience of the last months has shown that also for the Romanian companies the investments in the area of cyber-defense have increased, even if on average we are not at a reasonable level of resilience both in the public and private domain. Antivirus solutions remain the most widely used way of protection, but this has proved to be insufficient if it does not complement with other solutions. Furthermore, should not be neglected the implementation of the NIS Directive transposed in the legislation of Romania by Law no. 362/2018. New rules and regulations are adopted and form the necessary framework for the implementation of the NIS directive. Similar to the situation in which the GDPR legislation was implemented, in the near future we will witness the moment when the regulations that complement law 362/2018 will be complete. This moment will represent an important milestone that Romanian companies should think about, as non-compliance with this legislation can lead to important sanctions. Thus, the sooner the measures in the area of cyber-defense will be taken, the better the companies will be protected from possible risks generated by exposure to cyber threats but also from possible legislative sanctions.
Cristian Zaharia
Manager, Forensic Technologies and Discovery Services, EY Romania


About EY Romania

EY is one of the world's leading professional services firms with 298,000 employees in more than 700 offices across 150 countries, and revenues of approx. $37.2 billion in the financial year that ended on 30 June 2020. Our network is the most integrated worldwide, and its resources help us provide our clients with services allowing them to take advantage of opportunities anywhere in the world.
With a presence in Romania ever since 1992, EY is the leading company on the market of professional services. Our more than 800 employees in Romania and Moldova provide seamless assurance, tax, legal, strategy and transactions, and consulting services to clients ranging from multinationals to local companies. Our offices are based in Bucharest, Cluj-Napoca, Timisoara, Iasi and Chisinau. In 2014, EY Romania joined the only global competition dedicated to entrepreneurship, EY Entrepreneur Of The Year. The winner of the national award represents Romania at the world final taking place every year in June, at Monte Carlo. The title of World Entrepreneur Of The Year is awarded in the world final. For more information, please visit:


About the 2021 EY Global Information Security Survey
The data in this year’s GISS report is based on a survey of CISOs and other senior leaders at 1,010 organizations, carried out between March and May 2021. CISOs and other C-suite professionals comprised 50% of respondents; the others were C-1 cybersecurity professionals.

This was a global survey with Europe, Middle East, India and Africa (EMEIA) accounting for 43% of respondents, the Americas 36% and the Asia-Pacific region 20%. Respondents included CISOs or their equivalents from the financial services; consumer products and retail; health and life sciences; energy; government and technology; and media and entertainment, and telecommunications (TMT) sectors. Each business included in the data for this report had annual revenues exceeding US$1b.

Comparisons with 2020 represent a snapshot in time during 2020 and 2021, based on similar sample profiles year-on-year. Companies with annual revenues below US$1b were included in 2020 but not in 2021.