Press release

8 Jun. 2020 Toronto, CA

EY survey finds board-business dynamic is contributing to cyber risk

Disconnect leading to one-third of Canadian organizations unable to articulate potential threats

Press contact
Victoria McQueen

EY Canada Specialist, Public Relations

Supporting the development and distribution of external communications and social media across Canada. Can be found by the lake in the summer and on the slopes in the winter.

Related topics Cybersecurity Risk
  • 34% of Canadian organizations have yet to fully articulate their cyber risks
  • 43% of Canadian boards are unable to quantify cybersecurity in financial terms 
  • Only 10% say there’s consultation between the cybersecurity team and lines of business

(Toronto, June 8, 2020) A disconnect between cybersecurity efforts and business functions is putting more Canadian organizations at risk as information gaps leave leaders with a limited understanding of potential threats and how to mitigate exposure. The 2020 EY Global Information Security Survey finds that 34% of Canadian organizations have yet to fully articulate their cybersecurity risk, compared to 16% of global peers. 

“With more businesses moving — and potentially staying — online or working remotely, organizations are increasingly vulnerable to cyberattacks,” says Yogen Appalraju, EY Canada Cybersecurity Leader. “Amid the immense pressure felt from COVID-19, a cyberattack — and its ramifications on brand, reputation and financials — is the last thing an organization wants to happen while they’re already navigating significant disruption. Bridging the divide between the security function, lines of business and the board can be an enabler to proactively address heightened risks and help advance digital transformation.” 

The EY survey finds that just 21% of Canadian boards understand how to fully evaluate their organization’s cybersecurity risks, compared to 48% globally. Meanwhile, 43% are unable to quantify cybersecurity effectiveness in financial terms, compared to 24% of global respondents. 

“Cybersecurity teams must learn to speak the board’s language to better communicate the severity and business impact of different risks,” says Appalraju. “Increased education and engagement among this group should trickle down into the business to drive awareness, while helping to secure the buy-in for funding and resources needed to address growing threats.” 

The survey finds that cybersecurity teams need to develop better alliances across all business functions of the organization. Right now, only 10% of Canadian survey respondents say there’s a high level of trust and consultation between cybersecurity teams and the broader business. 

“Cybersecurity needs to be present at the development stage of any product, service or initiative as businesses look to make greater digital investments to support an online transition in this new environment,” says Appalraju. “This is what we call a security by design approach — a strategy that improves engagement between the cybersecurity team and the rest of the business to create a mutual understanding of potential threats, the impact to assets and how to proactively mitigate cyber risk exposure early in the creation or acquisition of assets.” 

Access the full Canadian highlights of the EY Global Information Security Survey.

– 30 –

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets. Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate. Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.  Follow us on Twitter @EYCanada.