Security firms slow to react to spear phishing like that used in China hack