4 minute read 1 Jun. 2020

Managing cyber risk: Are private companies exposing their most valuable asset?

By Carlos Perez Chalico

EY Canada Private Cybersecurity and Privacy Leader

I have over 23 years of experience in cybersecurity, IT risk management and privacy matters. In my free time, I read, write, go route-cycling and volunteer.


Recent headline-grabbing data breaches should be triggering a reality check for owners of Canada’s private, mid-market companies.

After all, if security breakdowns can occur in huge firms with presumably extensive cyber-risk controls in place, what kind of risks threaten you? 

Three elements are boosting the development of data protection models

Organizations today are going through intense challenges and transformations, but three of them in particular are pushing data protection (cybersecurity and privacy) to become a more mature and integrated function:

  1. Digitization and placing data at the core. Regardless of your business’s size or sector, your company’s data may be the single most valuable asset of your organization. Data isn’t a by-product of the business; more and more, it’s the core of your business, the element driving the digital transformation. The impact of a data protection incident – whether it comes from a malicious attack or simple carelessness – can devastate the business and your brand. Yet few have implemented appropriate controls and protection around this high-value strategic asset. Meanwhile, material changes in the way you conduct business are also driving new risk exposures.
  2. Increased interaction with third parties. The extended enterprise is growing, and so is the number of third parties a company has to interact with. Cloud service providers are among the vendors whose interaction with organizations has grown most significantly. Cloud-based tools and services have enabled businesses to unlock value chain improvements, enable innovations and reach new markets. But working in the cloud extends your company’s risk environment because parts of your business are being managed, stored and serviced by third-party providers. Suddenly, data protection has to be viewed as an end-to-end process that goes beyond traditional boundaries: the organization now needs to look across the extended enterprise to cover all those entities that support portions of the data processing activities.
  3. Compliance challenges. The evolving regulatory environment is putting new pressure on Canadian companies to manage and protect their data. The EU’s new General Data Protection Regulation (GDPR) contains significant privacy obligations for those companies hoping to do business in the European market. At the same time, changes to Canada’s own Personal Information Protection and Electronic Documents Act (PIPEDA), which took effect in November 2018, also demand a new degree of active management of cybersecurity compliance and reporting. Amidst growing demand for privacy and data protection, it’s reasonable to predict that such obligations will continue to increase for the foreseeable future. 

So how can you protect your business?

Start with a thorough risk assessment

In the face of daily business pressures, you may find it difficult to dedicate the necessary time and resources to identify the risks that could significantly impact you. But leading businesses are built on a clear understanding of the diversity of risk challenges that threaten their success, including cyber-risks. A strong ‘risk management discipline’ will help you remain aware of your evolving risk environment, even as you embrace new technologies and business processes, and protect yourself accordingly.

Embrace protection by design

You need to embed data and privacy protection into your processes from the start. This entails identifying the potential cyber-risks at the beginning, then defining the controls to protect against them. Adding on security controls after the fact is like trying to change a flat tire while the car is hurtling down the road. You’re perpetually scrambling to respond to threats, instead of building in protection from the beginning. What’s more, building in robust protection and countermeasures from the start enables you to cope with evolving regulatory expectations.

Consider security as a service-managed solution

Companies of all sizes are struggling to keep up with the rapid evolution of cyber threats, coupled with the rapidly growing data sets they have to manage and protect. Fundamentally, a security approach should fit the degree and nature of risk that your business is trying to anticipate and manage. Finding a fit-for-purpose data security system while keeping an eye on the bottom line may mean considering a cloud-based, managed service approach. Just as private companies have turned to the cloud for so many business-enabling tools, this environment also offers “Security as-a-Solution” platforms to fit your unique needs. Consider it your virtual Chief Information Officer, providing expertise, evolving threat protection and active management 24/7, more cost-effectively than an in-house solution.

Provide training and education

While it’s tempting to think about cybersecurity as a tech issue, it’s actually a thread that weaves throughout all three key pillars of a business: its people, technology and processes. Training, education and awareness are essential; what’s more, cybersecurity and privacy compliance need to be the responsibility of every employee in your organization. It’s an exciting time to be leading a private business in Canada as data-driven technologies fuel growth and offer new capabilities. But with growing opportunity comes inevitable risk. By embedding robust data and privacy risk assessment, protection and countermeasures into every stage and facet of your business, you can continue to thrive in today’s transformative environment.

We can help

To learn more about how our Private Client Services professionals can help you protect your business, contact us at privatecompanyinfo@ca.ey.com.

Summary

Regardless of your business’s size or sector, your company’s data may be the single most valuable asset of your organization. Data isn’t a by-product of the business; more and more, it’s the core of your business. The impact of a security incident – whether it comes from a malicious attack or simple carelessness – can devastate the business and your brand. Yet few have implemented appropriate controls and protection around this high-value strategic asset.
