Survey shows Canadian companies still have much to do to guard against cyber threats

EY Global Information Security Survey highlights gap between risk and spending

  • Share
  • 63% of survey respondents say cybersecurity spend is less than 10% of overall IT budget
  • 64% don’t have a formal data protection program, or only have an informal one
  • 58% say that information security has little or no bearing on their business strategy or plans

(Toronto, 4 October 2018) – While Canadian companies are increasingly recognizing the importance of protecting themselves and their customers from cybersecurity threats, most are still allocating small budgets to the issue and lack the formal internal processes to proactively deal with a cybersecurity breach, a new EY survey finds.

While 70% of Canadian companies polled for the 2018 EY Global Information Security Survey said they increased their cybersecurity budgets in the past year, and 90% plan to do so in the next 12 months, almost two thirds (63%) said their total spend in this area is still less than 10% of their overall Information Technology budget.

What’s more, 64% of respondents said they don’t have a formal data protection program, or only have an informal one. More than half (52%) also said they lack a formal breach detection program, or have an informal one in place.

“Canadian companies know that the stakes are high when it comes to cybersecurity threats. A breach can erode customer trust, require costly remediation and even create lasting damage to a firm’s reputation,” said Yogen Appalraju, EY Canada Cybersecurity Leader. “While no organization can prevent every threat, it’s clear companies need to pay more attention to cybersecurity and give it the urgency it deserves.”

The survey findings come as new regulatory changes in Canada promise to drive even more scrutiny around corporate cybersecurity breaches. As of 1 November 2018, Canadian companies subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to notify impacted individuals when a breach occurs.

Corporate data breaches and theft occur on a daily basis, and organizations that fail to protect this data may face stiff penalties. Even so, 58% of Canadian companies still say that information security has little or no bearing on their business strategy or plans.

“Cyberattacks are a matter of ‘when,’ rather than ‘if,’ and organizations have to be ready to react, respond, recover and maintain their security,” says Appalraju. “This sort of resiliency, bolstered by proactive, ongoing and risk-based business continuity plans and crisis response approaches, will become the competitive differentiator for companies in the years ahead.”

– 30 –

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

For more information, please visit Follow us on Twitter @EYCanada.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit