Almost every day news headlines continue to prove that no organization, regardless of size, scale or sector, is immune to cybersecurity threats. From ransomware hacks to data theft and denial of service assaults on corporate and government networks, these incidents hit the bottom line and damage the brand and reputation of the impacted organizations.
Governments around the world have responded with tough privacy and data protection regulations like the European Union’s General Data Protection Regulation (GDPR) and Canada’s own Personal Information Protection and Electronic Documents Act (PIPEDA), which mandate that organizations must take care with the data they collect and install robust cybersecurity safeguards.
Canadian companies are responding by putting their money where their mouths are and expanding cybersecurity budgets. Executives now recognize that the amount of Internet-connected devices on their networks and the people connected to them – all potential points of vulnerability – will continue to grow at a rapid pace.
Is it enough? The EY Global Information Security Survey 2018-19 – Canada highlights suggests that Canadian companies’ cybersecurity budgets still remain relatively small. The majority (63%) have a budget that accounts for less than 10% of their overall information technology spending. Similarly, many Canadian companies lack the formal processes and procedures to detect, identify and respond to a cyber threat.
Executives may be more tuned into the real – and often expensive – risk posed by digital threats but the boardroom strategy is still too reactive rather than proactive. Nearly 6 in 10 survey respondents said that cybersecurity has little or no influence on their business strategy or plans.
It’s no surprise, then, that there’s still significant room for improvement when it comes to data infrastructure, third-party risk management and having dedicated teams in place to respond to cyber threats. More than half of survey respondents (52%), for instance, said they don’t have a formal or only have an informal breach detection program in place. And almost a third of respondents (31%) said they don’t have an incident response program. Where does that leave us? Only 13% said they excel at crisis management.
These sorts of shortcomings could see increased attention and exposure starting in November, when it will become mandatory for Canadian companies to report data breaches to the Privacy Commissioner and those impacted.
Companies that dedicate themselves to cybersecurity can’t rest on the basics either. Just as hackers are constantly developing new ways of stealing or corrupting data, so too must companies innovate and adapt to ensure they are meeting the threats head on, instead of simply reacting to them.
If cyberattacks are now a matter of “when,” rather than “if,” organizations have to be prepared to react, respond, recover and maintain their security. This sort of resiliency, bolstered by proactive, ongoing and risk-based business continuity plans and crisis response approaches, will become a competitive advantage and a significant factor in building trust in the years ahead.
Access more findings from the EY Global Information Security Survey 2018-19 – Canada highlights here.