Over half of APAC businesses unsure if cyber security up to par: EY

• Some 73% saw an increase in the number of disruptive attacks over last 12 months
• Also, 47% warn their organisation’s budget is inadequate 

Businesses are now exposed to more and increasingly sophisticated cyber attacks, yet over half (57%) of Asia-Pacific businesses are unsure if their cybersecurity defenses are strong enough to combat hackers’ new strategies, according to the 2021 EY Global Information Security Survey (GISS).

Even so, the cyber spend of Asia-Pacific businesses remains low at just 0.05% of their annual revenue, on par with the global average of 0.04%, the advisory firm said in a statement.

The low allocation of budget to counter cybersecurity risk is surprising, given that almost three in four (73%) Asia-Pacific companies warn of an increase in the number of disruptive attacks, such as ransomware, over the last 12 months (compared to 47% in last year’s GISS), the firm said.

Almost half of the respondents (48%) are more concerned than they have ever been about their company’s ability to manage cyber threats, higher than their counterparts in the Americas (41%), it added.

About two-fifths (41%) of businesses in Asia-Pacific expect to suffer a major breach that could have been avoided through better investment, higher than in the Americas (29%), EY said.

“Businesses are planning a new wave of technology investments to thrive in the post Covid-19 era” said Richard Watson, cyber leader, EY Asia-Pacific.

“If cybersecurity is left out of investment discussions, the threat will continue to grow in years to come,” said Richard Watson, cyber leader, EY Asia-Pacific. They should consider sharing the cost of cybersecurity across the business to support transformation,” he added.

Increased cyber risk

The majority of cyber leaders in the region say they have never been as concerned as they are now about their ability to manage the cyber threat, slightly higher than the global average of 43%. More than half (56%) say their organisations have sidestepped cyber processes to facilitate new requirements around remote or flexible working.

According to Steve Lam,cybersecurity leader, EY Asean, organisations are realising that the stop-gap technology solutions deployed during the initial stages of lockdowns are inadequate for the security needs of the new normal.

With some parts of Southeast Asia still in lockdown, Lam said the acute shortage and high turnover rates for cyber security talent in local markets further compound the challenge for chief information security officer (CISOs) in Southeast Asia.

“There is a unique opportunity to harness the ongoing business and technology transformation in response to the Covid-19 pandemic, and undertake cyber transformation to build a future-ready cybersecurity model, if the CISO is able to overcome the talent challenges,” he argued.

Crisis into opportunity

Meanwhile, the essential relationships between cyber security leaders in Asia-Pacific and other functions in the business lack positivity and strength, according to the survey.

Almost 80% of respondents in the region say cybersecurity teams are not always consulted or briefed in a timely manner until after the planning stage has finished, slightly higher than the global average of 76%, the survey revealed.

Also, 71% of Asia-Pacific cyber security leaders would describe their relationships with business owners as being neutral or negative, while just over four in ten (44%) say their dealings with the marketing and HR functions are poor, it added.

Only 20% of organizations in the region include cyber security in the planning phase of any digital transformation programme.

Respondents believe that the lines of business recognise cyber security’s traditional strengths, such as in controlling risk, but they do not always perceive the function as a strategic partner, EY said.

“CISOs must make difficult decisions, realigning cyber security requirements to better meet changing business needs after the Covid-19 pandemic.

“Mapping cybersecurity strategy and their organisation’s risk profile against business and IT goals will ensure alignment and cement strategic relationships between CISOs, CEOs and the rest of the C-suite,” argued Watson.

He added that at a time of greater distrust and with the cyber function being under more scrutiny than ever, CISOs have an opportunity to better demonstrate the strategic importance of their role and raise their profiles within the business, especially in the aftermath of the pandemic.