The number of cyber-attacks on Canadian companies has clearly risen over the last 12 months, but chief information security officers (CISOs) say they are usually working with inflexible budgets and companies often don’t include them in early-stage planning discussions. These are just three findings from the most recent Ernst & Young survey, the EY Global Information Security Survey 2021.

EY says less than one quarter of Canadian organizations bring cyber and privacy in at the planning stages. At the same time, more than half of respondents to the survey say regulatory compliance is the most stressful part of their job. The findings further show that 41 per cent of Canadian leaders have never been as concerned about managing cyber threats the business faces; 75 per cent say they’ve seen an increase in the number of disruptive events occurring over the last 12 months.

“It is no longer acceptable to invite cybersecurity and privacy late to the party – doing so can lead to costly ramifications,” says Yogen Appalraju, EY Canada’s cybersecurity leader. “Progressive organizations are exploring how cybersecurity can creatively protect new products, digital offerings and broader business improvement initiatives. By prioritizing innovation alongside security and privacy, businesses can help build solutions that are more secure at a time when stakeholders are increasingly concerned about their privacy in a hybrid business world.” 

In the report, EY adds that the survey of more than 1,000 senior cybersecurity leaders found them grappling with inadequate budgets, struggling with regulatory fragmentation and failing to find common ground with teams within their respective companies. The report goes on to say that many attacks on companies which have occurred since 2020 could have been avoided had companies embedded security by design throughout the business. Just nine per cent of boards are currently confident in their organizations’ cybersecurity risks and mitigation measures – a clear decline from last year, EY adds.

“The urgency of the (COVID-19 pandemic) crisis meant that security was overlooked even while organizations were opening up systems that had never been open before,” says EY Asia-Pacific cybersecurity risk consulting leader, Richard Watson. “Not all organizations acknowledge they now need to go back and address those issues.”