73% of respondents saw an increase in the number of disruptive attacks
47% warn their organization’s budget is inadequate to manage challenges that have emerged over the past 12 months
56% of respondents say that businesses have sidestepped cyber processes to facilitate requirements around remote working
Businesses are now exposed to more and increasingly sophisticated cyber attacks, yet over half (57%) of Asia-Pacific businesses are unsure if their cybersecurity defenses are strong enough to combat hackers’ new strategies, according to the 2021 EY Global Information Security Survey (GISS). Even so, the cyber spend of Asia-Pacific businesses remains low at just 0.05% of their annual revenue, on par with the global average of 0.04%.
The low allocation of budget to counter cybersecurity risk is surprising, given that almost three in four (73%) Asia-Pacific companies warn of an increase in the number of disruptive attacks, such as ransomware, over the last 12 months (compared to 47% in last year’s GISS). Almost half of the respondents (48%) are more concerned than they have ever been about their company’s ability to manage cyber threats, higher than their counterparts in the Americas (41%).
Cybersecurity investment out of sync with need
About two-fifths (41%) of businesses in Asia-Pacific expect to suffer a major breach that could have been avoided through better investment, higher than in the Americas (29%).
Richard Watson, EY Asia-Pacific Cyber Leader, says:
“Businesses are planning a new wave of technology investments to thrive in the post-COVID-19 era. If cybersecurity is left out of investment discussions, the threat will continue to grow in the years to come. They should consider sharing the cost of cybersecurity across the business to support transformation.”
Increased cyber risk in pandemic-era transformation
The majority of cyber leaders in the region say they have never been as concerned as they are now about their ability to manage the cyber threat, slightly higher than the global average of 43%. More than half (56%) say their organizations have sidestepped cyber processes to facilitate new requirements around remote or flexible working.
Steve Lam, EY Asean Cybersecurity Leader, says:
“Organizations are realizing that the stop-gap technology solutions deployed during the initial stages of lockdowns are inadequate for the security needs of the new normal. Further, with some parts of Southeast Asia still in lockdown, the acute shortage and high turnover rates for cybersecurity talent in local markets further compound the challenge for CISOs in Southeast Asia. There is a unique opportunity to harness the ongoing business and technology transformation in response to the COVID-19 pandemic, and undertake cyber transformation to build a future-ready cybersecurity model, if the CISO is able to overcome the talent challenges.”
Building relationships with the C-suite can turn crisis into an opportunity
The essential relationships between cybersecurity leaders in Asia-Pacific and other functions in the business lack positivity and strength, according to the survey.
Almost 80% of respondents in the region say cybersecurity teams are not always consulted or briefed in a timely manner until after the planning stage has finished, slightly higher than the global average of 76%. Meanwhile, 71% of Asia-Pacific cybersecurity leaders would describe their relationships with business owners as being neutral or negative, while just over four in ten (44%) say their dealings with the marketing and HR functions are poor.
Only 20% of organizations in the region include cybersecurity in the planning phase of any digital transformation program. Respondents believe that the lines of business recognize cybersecurity’s traditional strengths, such as in controlling risk, but they do not always perceive the function as a strategic partner.
Watson says: “CISOs must make difficult decisions, realigning cybersecurity requirements to better meet changing business needs after the COVID-19 pandemic. Mapping cybersecurity strategy and their organization’s risk profile against business and IT goals will ensure alignment and cement strategic relationships between CISOs, CEOs and the rest of the C-suite.”
“At a time of greater distrust and with the cyber function being under more scrutiny than ever, CISOs have an opportunity to better demonstrate the strategic importance of their role and raise their profiles within the business, especially in the aftermath of the pandemic.”
Notes to editors
EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets.
Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.
Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.
About the 2021 EY Global Information Security Survey
The data in this year’s GISS report is based on a survey of CISOs and other senior leaders at 1,010 organizations, carried out between March and May 2021. CISOs and other C-suite professionals comprised 50% of respondents; the others were C-1 cybersecurity professionals.
This was a global survey with Europe, Middle East, India and Africa (EMEIA) accounting for 43% of respondents, the Americas 36% and the Asia-Pacific region 20%. Respondents included CISOs or their equivalents from the financial services; consumer products and retail; health and life sciences; energy; government and technology; and media and entertainment, and telecommunications (TMT) sectors. Each business included in the data for this report had annual revenues exceeding US$1b.
Comparisons with 2020 represent a snapshot in time during 2020 and 2021, based on similar sample profiles year-on-year. Companies with annual revenues below US$1b were included in 2020 but not in 2021.