Canadian Underwriter

Only 43% of Canadian companies could detect a sophisticated cyberattack, EY study finds

February 15, 2017   by Canadian Underwriter

Print this page Share

Only 43% of Canadian companies could spot a “significant cybersecurity incident,” compared to 50% globally, according to EY’s Global Information Security Survey, released on Wednesday.

The survey captured the responses of 1,735 participants around the globe from more than 20 industry sectors, including banking and capital markets (20%) and insurance (7%). Thirty-eight per cent of respondents were from the Americas, the global assurance, tax, transaction and advisory services firm said.

Key Canadian findings from the survey found that almost all (98%) of respondents reported that their cybersecurity function did not fully meet their organization’s needs, EY noted in a press release. Almost as many (94% of) organizations do not evaluate the financial impact of every significant breach.

Other Canadian findings included:

  • 61% of respondents have had a recent significant cybersecurity incident;
  • 60% said that control or process failures led to their most significant cyber breach;
  • 57% are unlikely to detect a sophisticated cyberattack;
  • 52% of organizations rated business continuity management their joint top priority, alongside data leakage and data loss prevention; and
  • 43% identified lack of skilled resources as one of the top obstacles to Internet of Things (IoT) adoption.

“Organizations have stepped up their cyber efforts in the last few years, but these results still point to a gap,” said Abhay Raman, EY’s Canadian cybersecurity leader, in the release. “Creating a robust cybersecurity program is a long, focused process, and many companies haven’t taken that step. That’s why 72% of our survey’s respondents said they need up to 50% more budget for their cyber needs.”

Raman added that only 6% of organizations evaluate the financial impact of “every significant breach. If companies can’t paint a picture of how much a cyberattack dented their bottom line, it’s difficult to make a case for greater investment. Evaluating impact is paramount.”

In EY’s global survey, end user awareness emerged as the top control failure that led to a breach. “This weakness is primarily exploited through phishing, where company employees engage with malicious emails disguised as authentic,” EY explained. “In the process, they unknowingly let the attackers access internal systems.”

The top control or process failures that led to the most significant cyber breach last year included end user awareness, exploited via phishing (43%), poorly secured Internet-facing systems and/or applications (11%) and outdated/unpatched systems (8%).

EY said in the release that IoT is “leading change in the digital landscape, and it’s fast becoming the must-have element of business technology. However, the lack of skilled resources and executive support are hampering the wider adoption of connected devices.”

According to EY’s survey, the main obstacles that need to be overcome to enable the wider adoption of IoT devices are lack of skilled resources (43%), lack of executive awareness or support (43%) and budget constraints (32%).

“Connected devices could bring a new business opportunities, business revenue growth and cost reductions,” Raman concluded. “Especially in our slow-growth economy, businesses should invest in the right talent and internal awareness to increase their competitiveness through IoT.”