3 minute read 3 Jun. 2021

Six things to consider when evaluating cyber and privacy risk

By Carlos Perez Chalico

EY Canada Private Cybersecurity and Privacy Leader

I have over 23 years of experience in cybersecurity, IT risk management and privacy matters. In my free time, I read, write, go route-cycling and volunteer.


Cybersecurity is not just an IT issue. As attacks continue to evolve, so will their effect on the organization as a whole. 

The frequency and severity of cyber attacks are rapidly increasing. In January 2019 alone, the breach identified as Collection #1 revealed that 773 million records were exposed.¹

Cybersecurity is not just about incidents that result in information loss. A breach affects a company’s reputation, can result in the theft of protected or sensitive information — including intellectual property, credit card data and personal information — and can disrupt computer-controlled operations or access to online systems. A single breach can be very costly to fix.

The 2019 Global Risk Report issued by the World Economic Forum includes cyberattacks among the top 10 most concerning global risks. Cybersecurity is a broad business risk that affects most companies; the Canadian Personal Information and Electronic Documents Act (PIPEDA) was amended on 1 November 2018 to make data breach notification mandatory under certain circumstances.

While many of the recent highly publicized attacks don’t appear to have been directly targeted at financial systems, the access the attackers gained enabled them to manipulate or modify financial records (such as billing, cost and interest-rate data) and to modify key automated business rules and automated controls that management relies upon.

Evaluating your cybersecurity and data privacy risk

While it’s critical to receive regular updates on cybersecurity and data privacy, there is a clear gap between expectations and reality. The EY 2018 Global Information Security Survey found that 83% of Canadian respondents say their information security function is only partially meeting their organization’s needs and improvements are needed.

When evaluating your cybersecurity and data privacy risks, consider the following six important actions:

  1. Identification: identify the top three to five threats that are most relevant to your organization given its particular characteristics.
  2. Protection: summarize the actions your management team has taken to manage these threats, and which actions were considered but not pursued. Relate this to your risk appetite, tolerance and capacity.
  3. Detection: explore which mechanisms are used to detect incidents and how management evaluates and categorizes the incidents identified. Determine which ones to escalate to senior leadership and what activity has been seen since your last update.
  4. Response and recovery: look at how your organization responded to higher-risk incidents.
  5. Value generation: consider how cybersecurity and data privacy add value to your organization, including through risk reduction and the efficiencies gained by integrating these functions into your enterprise risk management program.
  6. Education: determine which initiatives are in place to educate your staff on cybersecurity and data privacy matters.

Here are critical questions for you and your management team to consider:

  • How are your company’s most critical information assets being identified, inventoried and protected? Have the related cyber risks been prioritized?
  • Are incident-response plans in place in your organization should a material data breach occur? Is your organization ready to respond to the data protection regulations in jurisdictions where the company operates? Has management practiced its incident-response plan and developed a crisis management plan for this type of breach?
  • Have you considered the talent implications and re-evaluated the level of expertise at the company needed to effectively manage cybersecurity risks?
  • Do you understand the insurance coverage in place and its impact on potential claims?
  • How are your employees trained and made aware of their role in managing cybersecurity risks? Are internal threats appropriately considered?

As attacks continue to evolve, so will their effect on the organization as a whole. And private companies are not immune. It’s time to take cyber out of IT and make it a strategic business priority.


    1. Troy Hunt, “The 773 Million Record ‘Collection #1’ Data Breach”, https://www.troyhunt.com/the-773million-record-collection-1-data-reach/

Summary

Cybersecurity is not just an IT issue or a matter that results only in information loss. It affects a company’s reputation and has resulted in theft of protected or sensitive information — including intellectual property, credit card and personal information — and the disruption of computer-controlled operations or access to online systems.
