Canadian companies averaged 25 cybersecurity incidents in past year
Eighty-one percent of Canadian organizations had at least 25 cybersecurity incidents in the last 12 months, according to EY’s 2023 Cybersecurity Leadership Insights study.
The frequency of cyber incidents was higher than the global average, where 73% experienced at least 25 incidents in the last year.
Compared to the US market, Canadian cyberattacks have so far been limited in size and scale. As such, 44% of Canadian companies spend US$50 million on cybersecurity compared to 59% of US companies.
The US – as the leading global economic and military power – attracts the bulk of attention from state and non-state cybercriminals abroad, foremost among them Russia and China. American companies are also more mature in their uptake of digital technologies – driving more threat exposure as well as corporate awareness, prioritization, and spending on cybersecurity.
However, Canada’s recent geopolitical headbutting with China and India could drive more attention from foreign hacking rings. And though digital maturity is at a lower level in Canada, it won’t stay that way forever.
Yogen Appalraju, EY Canada cybersecurity leader, explains that cyber risk perception is also different in Canada because of its industry mix and level of competition. “Businesses here have less competition than in larger markets. And with less competition, the brand and reputation impacts of cyber incidents is less relevant than in highly competitive markets such as the US,” he noted.
Canada’s economy is also deeply grounded in natural resources, energy, and manufacturing – driving different adoption of new technologies such as IoT and cloud. Canadian firms' operational technical security is also less mature than US counterparts, while also having lesser adoption of cloud-at-scale.
“Overall, the Canadian threat landscape is simply different in scale than in the United States. That limits cyber threat exposure and potential risk,” Appalraju said.
The EY survey also found that organizational response times to breaches are fairly slow. More than half (58%) of Canadian cyber leaders and C-suite execs said their companies take an average of six months or longer to detect breaches, while 60% said it takes more than a month to respond to breaches.