Press release

8 Jun 2020 Toronto, CA

EY survey finds board-business dynamic is contributing to cyber risk

Disconnect leading to one-third of Canadian organizations unable to articulate potential threats

Press contact

Victoria McQueen

EY Canada Specialist, Public Relations

Supporting the development and distribution of external communications and social media across Canada. Can be found by the lake in the summer and on the slopes in the winter.

Related topics Giss Cybersecurity Risk
  • 34% of Canadian organizations have yet to fully articulate their cyber risks
  • 43% of Canadian boards are unable to quantify cybersecurity in financial terms 
  • Only 10% say there’s consultation between the cybersecurity team and lines of business

(Toronto, June 8, 2020) A disconnect between cybersecurity efforts and business functions is putting more Canadian organizations at risk as information gaps leave leaders with a limited understanding of potential threats and how to mitigate exposure. The 2020 EY Global Information Security Survey finds that 34% of Canadian organizations have yet to fully articulate their cybersecurity risk, compared to 16% of global peers. 

“With more businesses moving — and potentially staying — online or working remotely, organizations are increasingly vulnerable to cyberattacks,” says Yogen Appalraju, EY Canada Cybersecurity Leader. “Amid the immense pressure felt from COVID-19, a cyberattack — and its ramifications on brand, reputation and financials — is the last thing an organization wants to happen while they’re already navigating significant disruption. Bridging the divide between the security function, lines of business and the board can be an enabler to proactively address heightened risks and help advance digital transformation.” 

The EY survey finds that just 21% of Canadian boards understand how to fully evaluate their organization’s cybersecurity risks, compared to 48% globally. Meanwhile, 43% are unable to quantify cybersecurity effectiveness in financial terms, compared to 24% of global respondents. 

“Cybersecurity teams must learn to speak the board’s language to better communicate the severity and business impact of different risks,” says Appalraju. “Increased education and engagement among this group should trickle down into the business to drive awareness, while helping to secure the buy-in for funding and resources needed to address growing threats.” 

The survey finds that cybersecurity teams need to develop better alliances across all business functions of the organization. Right now, only 10% of Canadian survey respondents say there’s a high level of trust and consultation between cybersecurity teams and the broader business. 

“Cybersecurity needs to be present at the development stage of any product, service or initiative as businesses look to make greater digital investments to support an online transition in this new environment,” says Appalraju. “This is what we call a security by design approach — a strategy that improves engagement between the cybersecurity team and the rest of the business to create a mutual understanding of potential threats, the impact to assets and how to proactively mitigate cyber risk exposure early in the creation or acquisition of assets.” 

Access the full Canadian highlights of the EY Global Information Security Survey.

 

– 30 –

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

For more information, please visit ey.com/ca. Follow us on Twitter @EYCanada.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. For more information about our organization, please visit ey.com.