Press release

19 Oct. 2023 Toronto, CA

Canadian organizations averaged 25 cybersecurity incidents in the past year, finds EY survey

Preparing for worst-case scenarios now can minimize costly repercussions when attacks occur

Press contact
Dina Elshurafa

EY Canada Specialist, Public Relations

  • 58% of respondents take six months or longer to detect an incident
  • 44% of Canadian organizations spend US $50 million or above on cybersecurity
  • Canadian respondents say balancing security and innovation is their top challenge

The EY 2023 Global Cybersecurity Leadership Insights Study finds that 81% of Canadian organizations had experienced at least 25 cybersecurity incidents in the last 12 months, compared to 73% of global respondents.

At the same time, cyber leaders report mounting costs associated with cybersecurity. Globally, the median cost of a breach to an organization has increased by 12% to US$2.5m in 2023 and is anticipated to reach US$4m. In Canada, 44% of organizations reveal a total annual spend of US$50m on cybersecurity — compared to 59% of US companies.

“Although cyber risk perception differs in Canada compared to the US or other jurisdictions where competition in a much larger population can be a whole lot fiercer, Canadian organizations are now starting to experience more costly and high-profile breaches, in line with what’s already been happening south of the border,” says Yogen Appalraju, EY Canada Cybersecurity Leader.

Despite increasing levels of spending, detection and response times appear slow: more than half of respondents (58%) say their organizations take an average of six months or longer to detect an incident, and 60% say it takes more than a month to respond.

Balancing security and innovation a top challenge as new technology emerges

Almost half of Canadian survey respondents say their organization’s main challenge to cybersecurity is difficulty in balancing security and innovation. While emerging technologies hold a lot of promise for businesses looking to bolster their cyber defences, Canadian and global leaders alike rank cloud and IoT as the biggest technology risks in the next five years.

“As shifts towards the adoption of generative artificial intelligence, wide usage of IoT, cloud at scale and other trends spur progress for Canadian businesses, they’re also opening new pathways to additional cyber risks,” adds Appalraju. “To close these gaps, organizations must make cyber integral to every part of the organization, shifting the function from an inhibitor to a value driver.”

Cybersecurity integration from the top down

Only one in five Chief Information Security Officers (CISOs) and C-suite executives surveyed considered their organization’s cybersecurity to be effective today and well-positioned for tomorrow. Similarly, only 49% say they’re satisfied with the C-suite’s integration of cyber into business decisions — quite a bit lower than 58% of global counterparts, indicating that Canadian organizations’ cyber approach may be less mature than that of other jurisdictions.

“There appears to be a significant gap in how leaders factor cybersecurity into business decisions as a true value driver, which could result in delayed vigilance and potentially disastrous implications,” explains Appalraju. “By weaving cybersecurity into the fibre of an organization, emphasizing simplicity and adopting holistic thinking, cyber leaders can reduce risk and improve visibility.”

– ends –

About EY

EY exists to build a better working world, helping create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit  Follow us on X @EYCanada.

This news release has been issued by Ernst & Young LLP