(As originally published on LinkedIn, 22 June 2018)
Recent headline-grabbing data breaches should be triggering a reality check for owners of Canada’s private, mid-market companies. After all, if security breakdowns can happen to huge companies that presumably have extensive cyber-risk controls in place, what kind of risks threaten smaller businesses that may not have invested much time or budget in securing their data?
Family businesses and small-to-medium-sized organizations in all sectors are ready to take cybersecurity seriously. They’re asking important questions about today’s threat environment, and what they can be doing to protect their organizations.
Three factors are accelerating the cyber risk conversation
Owners are realizing that regardless of their business’s size or sector, their data may be their single most valuable asset. Data isn’t a byproduct of the business — more and more, it’s the core of the business. The impact of a security incident — whether it comes from a malicious attack or simple carelessness — can devastate the business and its brand. Yet few have implemented appropriate controls and protection around this high-value strategic asset.
Meanwhile, material changes in the way these companies conduct business are also driving new risk exposures. Cloud-based business tools and services have enabled mid-market firms to unlock value chain improvements, enable innovations and reach new markets. But working in the cloud extends a company’s risk environment because parts of the business are being managed, stored and serviced by third-party providers. Suddenly, data protection has to be viewed as an end-to-end process.
And then there’s the evolving regulatory environment, which is putting new pressure on Canadian companies to manage and protect their data. The EU’s new General Data Protection Regulation (GDPR) contains significant privacy obligations for those companies hoping to do business in the European market. At the same time, changes to Canada’s own Personal Information Protection and Electronic Documents Act (PIPEDA), which take effect in November, also demand a new degree of active management of security compliance and reporting. Amid growing demand for privacy and data protection, it’s reasonable to predict that such obligations will continue to increase for the foreseeable future.
So how can private companies protect themselves?
Start with a thorough risk assessment
In the face of daily business pressures, many owners find it difficult to dedicate the necessary time and resources to identify the risks that could significantly impact them. But the smartest businesses are built on a clear understanding of the diversity of risk challenges that threaten their success, including cyber-risks. A strong “risk management discipline” will help companies remain aware of their evolving risk environment even as they embrace new technologies and business processes, and protect themselves accordingly.
Embrace protection by design
Private companies need to embed data and privacy protection into their processes from the start. This entails identifying the potential cyber-risks at the beginning, then defining the controls to protect against them. Adding on security controls after the fact is like trying to change a flat tire while the car is hurtling down the road. The company is perpetually scrambling to respond to threats, instead of building in protection from the beginning. What’s more, building in robust protection and countermeasures from the start enables companies to cope with evolving regulatory expectations.
Consider security as a managed-service solution
Companies of all sizes are struggling to keep up with the rapid evolution of cyber threats, coupled with the rapidly growing data sets they have to manage and protect. Fundamentally, a security approach should fit the degree and nature of risk that the business is trying to anticipate and manage. Finding a fit-for-purpose data security system while keeping an eye on the bottom line may mean considering a cloud-based, managed service approach. Just as private companies have turned to the cloud for so many business-enabling tools, this environment also offers “security as a solution” platforms to fit a business’s unique needs. Consider it a virtual chief information officer providing expertise, evolving threat protection and active management 24/7 more cost effectively than an in-house solution.
Provide training and education
While it’s tempting to think about cybersecurity as a tech issue, it’s actually a thread that weaves throughout all three key pillars of a business: its people, technology and processes. Training, education and awareness are essential; what’s more, cybersecurity and privacy compliance need to be the responsibility of every employee.
It’s an exciting time to be leading a private business in Canada, as data-driven technologies fuel growth and offer new capabilities. But with growing opportunity comes inevitable risk. By embedding robust data and privacy risk assessment, protection and countermeasures into every stage and facet of the business, private companies can continue to thrive in today’s transformative environment.
To learn more about how we help private companies with data privacy and cybersecurity challenges, visit ey.com/ca/private.
Private Client Service
+1 416 943 5338