Canadian organizations lag global firms in cybersecurity maturity, finds EY

09 June 2020

Canadian organizations trail global firms in cybersecurity maturity, according to EY’s Global Information Security Survey (GISS). Thirty-four percent of Canadian businesses said they have not articulated their cybersecurity risks, compared to only 16% of global respondents, the survey of 1,300 C-suite and IT leaders found.

In order for Canadian companies to catch up to their global peers and thrive amid disruption – including a huge shift to digital infrastructure and remote work in the pandemic era – EY recommends embracing “security by design,” which integrates risk thinking at the initiation of any new product, service, or project.

Security by design requires a mature security function, which can be achieved through efforts in board engagement, increased cyber budgets, and alignment and integration of IT among all business functions, according to the report.

Canadian boards are currently out of the loop on IT: 43% are unable to quantify cybersecurity effectiveness (compared to 24% of global boards) and just 21% of Canadian boards understand how to fully evaluate their organization’s cybersecurity risks (compared to 48% of global boards).

However, boards that are effectively engaged in cybersecurity can work with IT departments to reduce risk and protect the future of their companies. “Establishing a strong relationship and speaking the board’s language can help present cybersecurity risks in a way board members can relate to, expediting funding for initiatives and technologies needed to address the risk facing the organization,” said Yogen Appalraju, EY Canada’s cybersecurity leader.

Funding is the next key part of achieving maturity, with Canadian companies unfortunately devoting less revenue to cybersecurity than their global counterparts. The EY survey found that 83% of Canadian companies were spending less than 5% of revenue on cybersecurity, compared to 64% of global companies.

EY noted that it is important to focus investments on connecting people and devices securely, so that any entity connecting with the digital ecosystem has a verified identity. Also, with many firms switching to cloud systems, it’s important to configure and govern the cloud securely.

Third, companies need to improve alignment and integration in cybersecurity across business functions. According to the survey, only 10% of Canadian respondents said there is a high level of trust and consultation between cybersecurity teams and the broader business. Furthermore, approximately 75% of data breaches were the result of employee weakness such as weak passwords, phishing, or not updating – indicating that employees in many departments may not be as well-informed or trained as they should be.

A productive alliance across functions means that IT security understands the assets and processes of each business line, and each business line knows the impact of key assets and the consequences of disruption. This will lead to a better mutual understanding of how to mitigate risks, according to EY.

“With more businesses moving — and potentially staying — online or working remotely, organizations are increasingly vulnerable to cyberattacks,” said Appalraju. “Amid the immense pressure felt from COVID-19, a cyberattack — and its ramifications on brand, reputation and financials — is the last thing an organization wants to happen while they’re already navigating significant disruption. Bridging the divide between the security function, lines of business, and the board can be an enabler to proactively address heightened risks and help advance digital transformation.”