Mario ToneguzziCanadian companies are allocating small budgets to protect themselves against cybersecurity threats and they lack the formal internal processes to proactively deal with a breach, according to a new survey released on Thursday by EY.

The survey showed that 63 per cent of respondents say their cybersecurity spend is less than 10 per cent of their overall information technology budget; 64 per cent don’t have a formal data protection program, or only have an informal one; and 58 per cent say that information security has little or no bearing on their business strategy or plans.

But the 2018 EY Global Information Security Survey found that 70 per cent of Canadian companies polled said they increased their cybersecurity budgets in the past year and 90 per cent plan to do so in the next 12 months.

“Canadian companies know that the stakes are high when it comes to cybersecurity threats. A breach can erode customer trust, require costly remediation and even create lasting damage to a firm’s reputation,” said Yogen Appalraju, EY Canada cybersecurity leader. “While no organization can prevent every threat, it’s clear companies need to pay more attention to cybersecurity and give it the urgency it deserves.

“Cyberattacks are a matter of ‘when,’ rather than ‘if,’ and organizations have to be ready to react, respond, recover and maintain their security. This sort of resiliency, bolstered by proactive, ongoing and risk-based business continuity plans and crisis response approaches, will become the competitive differentiator for companies in the years ahead.”

EY said the survey findings come as new regulatory changes in Canada promise to drive even more scrutiny around corporate cybersecurity breaches. As of Nov. 1, 2018, Canadian companies subject to the Personal Information Protection and Electronic Documents Act will be required to notify impacted individuals when a breach occurs, it said.

“Corporate data breaches and theft occur on a daily basis, and organizations that fail to protect this data may face stiff penalties. Even so, 58 per cent of Canadian companies still say that information security has little or no bearing on their business strategy or plans,” said EY.

Mario Toneguzzi is a veteran Calgary-based journalist who worked for 35 years for the Calgary Herald, including 12 years as a senior business writer.


The views, opinions and positions expressed by columnists and contributors are the author’s alone. They do not inherently or expressly reflect the views, opinions and/or positions of our publication.