
Could your biggest cyber risk be the one you can’t see coming?

Global Information Security Survey 2018-2019
Canada highlights

Canadian companies boosting their cybersecurity budgets

According to the EY Global Information Security Survey (GISS), 70% of Canadian respondents have increased their cybersecurity budgets in the last 12 months, while 91% said they will inject more resources into cybersecurity in the next year.

While it seems Canadian organizations are considering cybersecurity threats a reality, cybersecurity budgets remain low when compared to overall IT budgets. In fact, 63% say their total spend on information security is less than 10% of the overall IT budget.

This comes at a time of regulatory change. In 2018, the world witnessed the enforcement of the General Data Protection Regulation (GDPR) in Europe, which reinforces privacy rights for individuals and raises obligations for personal data controllers and processors. The GDPR has influenced other jurisdictions, and as of 1 November 2018 Canada has announced changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) that make the notification of data breaches mandatory under certain circumstances.

Canada is on track to become one of the world’s leading technology innovation hubs. To protect the Canadian economy from risks in the cyber world, the federal government recently launched the National Cybersecurity Strategy, which outlines specific actions to reduce risk. With this strategy, Canada has found a way to strike a balance between innovation and protection.

Privacy compliance and reputational risk

Most valuable information to cyber criminals:

  1. Customers’ personally identifiable information and passwords
  2. Financial information and strategic plans
  3. Senior executives’ and board members’ personal data

These values reflect two specific concerns: privacy compliance failure and reputational risk.

Canadian and global organizations are right to prioritize these issues. Privacy regulations are responding to the new needs of the digitized world and are reinforcing mechanisms that hold organizations accountable for the decisions they make when processing personally identifiable information. Organizations that don’t protect personal data can face significant penalties, and if they ever have to report a data breach, it can have a significantly negative impact on their reputation.

58% of Canadian respondents say information security has little or no influence on the business strategy or plans

While Canadian companies are increasingly recognizing that cybersecurity and privacy strategies are important, they continue to be more reactive than proactive. Privacy and security need to be implemented and operationalized in every organization, not because regulations like the GDPR require it, but because of the benefits these frameworks present. Defining controls in the early stages of information system and process design could reinforce compliance, reduce risks and cut costs significantly.

64% of Canadian respondents confirmed they do not have a data protection program, or they have an informal one

Although Canadian businesses are concerned about how valuable and attractive personal data is to cyber criminals, 64% of respondents say they don’t have a data protection program or only have an informal one. Canadian organizations need to be concerned about data protection and should act by defining the mechanisms to effectively enable cybersecurity and privacy controls in a proactive way.

The human factor

35% say phishing was the top threat in the past 12 months

Top three vulnerabilities faced in the last 12 months:

  1. Careless or unaware employee (39%)
  2. Outdated information security controls or architecture (24%)
  3. Unauthorized access (11%)

According to 27% of Canadian respondents, the most likely source of a cyber attack is a careless employee. As businesses continue to increase their digital footprint, 36% of respondents cite poor user awareness and behaviour as the top risk associated with the growing use of mobile devices.

People remain the weakest link when it comes to cybersecurity. To build an effective threat prevention strategy, organizations need to offer effective cybersecurity training and education programs so that employees can identify and prevent cybersecurity threats.

Board oversight

68% of Canadian respondents say the person with direct responsibility for information security is not a member of the board or executive.
Only 16% say their board has a comprehensive understanding of information security to fully evaluate the cyber risks the organization faces and the measures it takes.

Effectiveness of the organization’s information security reports


Detecting and responding to cybersecurity threats is a business issue that makes in-depth cybersecurity education at the board level critical. In order to make the right decisions and develop effective countermeasures, board members should fully understand the cybersecurity risks and challenges their organization is facing and know how to effectively respond to threats and measure success.

Can we use Digital as an enabler for progress?

Evidence has shown us over time that organizations tend to be more reactive than proactive when it comes to designing a cybersecurity program.

91% of Canadian respondents say the discovery of a breach that impacted the organization would cause an increase in their information security budget.

Since the early 2000s, organizations have been increasingly investing in IT. In comparison, investments have been considerably lower in cybersecurity. This so-called security gap illustrates that investments in IT are being made without properly addressing the associated cybersecurity risks.

According to EY’s Growth Barometer, 86% of respondents are planning to adopt artificial intelligence (AI) over the next seven years. And while the adoption of emerging technologies like AI may help improve business processes over time, it may also expose businesses to new risks. Their success will depend on how they respond to those risks, how willing they are to increase budgets to close the security gap, and how effective they are in protecting data and information.


Canadian companies recognize the importance of having specialized teams that are focused on cybersecurity. Of those surveyed, 72% say they have a Security Operations Centre (SOC) and 27% say that's how they discovered the most recent significant cybersecurity incident. Canadian companies also consider themselves very mature in incident management, policy and standards framework definition and cybersecurity strategy adoption. However, in areas such as data infrastructure, third-party risk management and the availability of specialized cybersecurity programs, they need to improve significantly:

  • 67% do not have a threat intelligence program or only have an informal one
  • 45% do not have a vulnerability identification capability program or have an informal one
  • 52% do not have a breach detection program or have an informal one
  • 31% do not have an incident response program or have an informal one
  • 44% do not have an identity and access management program or have an informal one

Only 13% say they are excellent at crisis management

As many organizations have learned — sometimes the hard way — cyberattacks are no longer a matter of if, but when. This means that prevention and dissuasion are not enough. Companies need to know how to react, how to respond, how to recover and how to maintain their security. In other words, organizations need to be resilient.

To do this, companies should keep their business continuity and disaster recovery approaches up to date. Equally important, organizations should develop robust incident and crisis management plans and test them often through table top exercises involving staff and executives to ensure they are prepared should they become victim of a cyberattack.

Cyber threats are one of the top business risks facing organizations. Building your cyber resiliency can have the greatest impact to address this risk and should be a top priority.


83% of Canadian respondents say their information security function is partially meeting their organizational needs, but there are plans to improve.

Canadian organizations understand their cybersecurity programs demand attention. Limited knowledge of cybersecurity matters at the board level and the increased interest in assigning more budget to the function show a community committed to improving its cyber resilience, in an environment where government supports and organizations innovate.

Among the challenges for developing a mature cybersecurity function in Canada and around the world is the lack of skilled resources. The good news is that many universities and colleges in Canada are developing cybersecurity and privacy programs and labs which will help build the cyber talent pool and will eventually provide a workforce capable of keeping up with current threats. Managing cybersecurity is an ongoing and constantly evolving journey; no organization can anticipate every threat that will emerge. However, by making cybersecurity a key part of the company’s culture, taking the necessary steps to become cyber resilient, and investing judiciously in a proactive cyber program, even the risks organizations can’t see can be mitigated.

Key Canadian findings


Survey methodology

The 21st annual edition of the EY Global Information Security Survey captures the responses of over 1,400 global C-suite leaders and information security and IT executives/managers, including 43 Canadian respondents, representing many of the world’s largest and most recognized global organizations. The research was conducted from April to July 2018.

“Larger organizations” are defined in this report as organizations with annual revenues of US$1b or more. This group represents one-third of the total respondents to this survey. “Smaller organizations” are defined in this report as organizations with annual revenues below US$1b. This group represents two-thirds of the total respondents to this survey.
