5 minute read 11 Mar. 2022
Your employees are the weakest link in your cybersecurity chain

By Carlos Perez Chalico

EY Canada Private Cybersecurity and Privacy Leader

I have over 23 years of experience in cybersecurity, IT risk management and privacy matters. In my free time, I read, write, go route-cycling and volunteer.

Employees are a major access point for cyber attackers. Companies need to make sure their employees are part of their cyber plan to build resiliency.

As consumers become more aware of the power of their data, the pressure is on companies to have a robust data privacy strategy that builds and retains trust with their customers. All companies are potential targets for data breaches. Hackers don’t care about your industry, revenue size or number of employees. They only care about the data you have and will stop at nothing to get their hands on it.

What regulations do you need to comply with?

Regulators and governing bodies are playing catch-up to protect consumers and their data at home and abroad:

  • All Canadian companies must notify the Office of the Privacy Commissioner and the affected individuals of data breaches that represent a real risk of significant harm to those individuals.
  • Expected amendments to Canadian privacy regulation, including the Personal Information Protection and Electronic Documents Act (PIPEDA), would give consumers more power over how companies use their personal information.
  • The General Data Protection Regulation (GDPR) in Europe allows individuals to object to companies using their personal information for sales or non-marketing-related purposes and forces companies to comply with data privacy measures.
  • The California Consumer Privacy Act (CCPA) gives consumers rights relating to the access, deletion and sharing of the personal information that businesses have collected about them.

Companies need to take a critical view of their data privacy risk posture to ensure they can withstand an attack and comply with the above regulations.

But is this enough?

Threats are everywhere, both within your company and outside it, and it’s inevitable that you will be breached. The reality is that even with the renewed focus on bringing in new legislation, we are still seeing privacy breaches occur daily. While these events keep the ever-evolving privacy landscape top of mind for businesses, they are not stopping cyber criminals from infiltrating your networks to steal your most valuable assets.

Throughout this article, we will showcase the findings from our EY Global Information Security Survey (EY GISS) to show how Canadian executives are responding to cybersecurity and privacy so you can assess how your business stacks up. This survey captured the responses of over 1,400 global C-suite leaders and information security and IT executives/managers, including 43 Canadian respondents, representing many of the world’s largest and most recognized global organizations.

How can you take action today?

To have a robust and effective privacy program, a solid cybersecurity strategy is necessary. But cybersecurity is often misunderstood, not just by the public, but by corporate executives and their employees. This lack of knowledge could be the reason why:

Cybersecurity budgets remain low


of Canadian respondents said their cybersecurity budget is less than 10% of their total IT budget.

Do you know what your most valuable digital assets are? It’s not always as obvious as credit card information or SINs. The bread and butter for cyber criminals are:

  • Customers’ personal information and passwords
  • Financial information and strategic plans
  • Senior executives’ and board members’ personal data

Data that may seem harmless to your employees, like phone numbers or email addresses, can be used by cyber criminals for further hacking and scamming.

Data protection program


of Canadian respondents confirmed they have either no data protection program or only an informal plan, meaning that confidential documents are low-hanging fruit for cyber criminals.

Knowing what data cyber criminals are looking for is a great first step to equip your front line of defence, but it’s vital to assess how they plan on getting it and strategies to stop them in their tracks.

The weakest link

People are often the prime target of a cyberattack. Employees continue to increase their digital footprint without being aware of the associated risks.

The human factor


of Canadian respondents consider careless or unaware employees as their top vulnerability to a cyberattack.

Phishing and social engineering are increasingly common techniques cyber criminals use on employees to gain access to a company’s confidential files. Although mobile phones and laptops will continue to be targeted, companies can build an effective threat prevention strategy by offering data protection training and education programs so that employees can identify and prevent threats. It’s imperative that you invest in your weakest link.

Top-down misunderstanding

Responsibility for information


of Canadian respondents say that the person with direct responsibility for cybersecurity is not a member of the board or an executive.

Technological transformation is increasingly at the top of executive agendas. So, while board and executive members are pushing ahead with their digital plans, they’re leaving security in the dark and their assets exposed.

Although this is a clear problem, the solution is straightforward. If companies train their board members or bring data protection consultants into upper management, they’ll be better equipped to guide the organization through digitization while remaining secure.

Reactive not proactive

A cyberattack can significantly damage a company’s reputation, profits, and compliance with the law. One of the best ways to prevent a cyberattack is to plan for the worst-case scenario with your workforce. By implementing evolving and thorough cybersecurity and privacy plans early on, companies can significantly reduce the risk of data being exposed.

Also, in the event that a breach occurs, companies with strategies in place will be able to respond to threats more quickly and can implement damage control to mitigate or resolve the attack before it does serious damage. Rather than scrambling when a breach happens, companies should develop and continuously test strong response plans so they are prepared when one does.

Just like the digital world, data protection is ever-evolving, and there is no one-size-fits-all solution. For the cybersecurity and privacy functions to be effective, the two must be coordinated. The IAPP-EY Annual Privacy Governance Report provides trends that can help make the privacy function and its interaction with other business units more effective.

As companies race to implement new technologies, invest in innovation and digitize their data management systems, they’re neglecting to commit the time and resources needed to adopt a proactive data protection strategy that keeps the organization, its people and its assets safe. According to the EY Global Information Security Survey, Canadian companies need to have an employee-first mentality when developing their cybersecurity and privacy programs. Considering only senior executives when it comes to protecting your business puts you at risk of misunderstanding the role that employees play in an effective cybersecurity program.
