Press release

3 Mar 2020 Singapore, SG

Businesses consider cybersecurity as an afterthought despite growth in attacks, EY survey finds

SINGAPORE, 03 MARCH 2020. Despite the overall growth in cyberattacks, only one-third of organizations say the cybersecurity function is involved at the planning stage of a new business initiative, according to the EY Global Information Security Survey (GISS).

Press contact
EY Singapore

Multidisciplinary professional services organization

  • 59% of organizations (Southeast Asia [SEA] and global) saw more attacks in the past year but only 43% in SEA (global 36%) involve their cybersecurity function in the early stages of any new digital initiative
  • Six in ten (59%) of SEA organizations (global 48%) think their boards have the required understanding to really evaluate cybe
  • Activist attacks are the top most common motive for cyber attacks in SEA (and second top motive globally)

Despite the overall growth in cyberattacks, less than half of organizations (SEA 43%, global 36%) say the cybersecurity function is involved at the planning stage of a new business initiative, according to the EY Global Information Security Survey (GISS)

This year’s GISS surveyed almost 1,300 cybersecurity leaders at organizations worldwide, including 76 across SEA that covers Singapore, Malaysia, Philippines and Vietnam. The survey showed that 59% of organizations (SEA and global) have faced an increased number of disruptive attacks in the past 12 months. 

Gerry Chng, EY Asean Risk Leader comments: 

“Successful security breaches on companies are now becoming commonplace and most have realized that despite the best efforts, a determined perpetrator will be able to cause some form of disruption, directly or indirectly. 

As enterprises leverage emerging technology to transform their businesses to meet customers’ evolving expectations for 24/7 on-demand services, such disruptions today go beyond mere inconvenience. Enterprises could suffer short-term loss of revenue and longer-term impact on customer trust and brand equity.”

Moreover, cyber threats are increasingly driven by social activism instead of traditional motives such as financial gain. Over the last year, in SEA, activists were responsible for 20% (global 21%) of successful cyber attacks, followed closely by organized crime groups at 19% (global 23%). Activist threats pose a new challenge to chief information security officers (CISOs), who now have to recognize and be ready to manage this new threat motive.

Kris Lovejoy, EY Global Cybersecurity Leader, Advisory, says:

“Cybersecurity has traditionally been a compliance activity, bolted on by a checklist approach instead of built into every technology-enabled business initiative. This is not a sustainable model. If we ever hope to get ahead of the threat, we must focus on creating a culture of security by design. This can only be accomplished if we successfully bridge the divide between the security function and the C-suite and enable the CISO to act as a consultant and enabler instead of the stereotypical roadblock.”

Critical role of CISO in engaging the board and rest of the business 

The survey found that board-level awareness and support for the cybersecurity agenda is higher in SEA markets, compared to the rest of the world. More than half (59%) of SEA organizations (global: 48%) believed that their boards have the required understanding to evaluate cyber risks. As well, 76% of SEA organizations (global: 72%) agreed that their boards see cyber risk as significant. 

However, CISOs in this region – as well as globally – can do more to drive traction in board communications and work on gaining better representation on boards. Less than half (47%) of SEA organizations (global: 54%) regularly schedule cybersecurity in their board agendas. Only in four in ten organizations (SEA: 37%, global: 36%) have a Head of Cybersecurity who is also a member of the board or executive management team. 

While CISOs need to drive engagement at the board level, they must not forget to invest in building relationships across the business. According to the survey, while cybersecurity teams generally have good relations with adjacent functions such as IT, audit, risk and legal, there is a disconnect with other parts of the business. 

Only 37% of SEA organizations (global: 59%) said that the relationship between cybersecurity and the lines of business is, at best, neutral, if not mistrustful or non-existent. Forty-six (46%) of SEA respondents (global 57%) said the same for the finance function, on which they depend on for budget authorization, while 58% of SEA organizations (global: 74%) shared similar sentiments with the marketing team.  

Chng shares how CISOs and the business can work together to close the gap: 

“It is only in the last few years that technology has started to be seen as an integral part of the business strategy. Deeper trust and meaningful dialogue will happen only when a common understanding and language is established between the business owners and CISOs. 

Both sides will need to put in the effort to see progress. Business owners need to truly appreciate technology’s benefits and value proposition, to bring forth innovative approaches to address evolving customer expectations, while CISOs need to start understanding how to articulate the return on cybersecurity investments needed in business terms.”

In addition to relationship building, CISOs need to effectively manage operational issues. Currently, the most challenging aspect of managing cybersecurity operations is procuring or justifying budget (SEA 18%, global 17%), followed by proving to the board and C-suite that cybersecurity is performing in line with expectations (SEA 14%, global 22%).


Notes to Editors

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation is available via For more information about our organization, please visit

This news release has been issued by Ernst & Young Advisory Pte. Ltd, a member of the global EY organization.