Majority of Canadian firms have no data protection plan

A new report by EY suggests companies may be ill-prepared, as new regulations bring increased focus on cybersecurity.

A new survey from Ernst & Young (EY) shows that while Canadian companies recognize the need to protect themselves and their customers from cybersecurity threats, the majority of them don’t have a formal data protection plan in place.

Of the Canadian companies polled for the global firm’s 2018 Global Information Security Survey, 63% said they have no formal plan for data protection and 58% said that information security has “little or no bearing” on their business strategy. What’s more, more than half (52%) indicated they have no formal breach detection plan in place, either.

While companies recognize that cyber-related threats are a reality that must be addressed, according to EY, overall spend on cybersecurity remains low, with 63% of companies saying it represents less than 10% of their IT budget. That said, that number may be set to increase as the vast majority (70%) noted having upped their cybersecurity budgets over the last year, and 90% intend to do so over the next 12 months.

A cybersecurity breach can be detrimental to customer trust and can even create “lasting damage” to an organization’s reputation, noted Yogen Appalraju, EY Canada’s cybersecurity leader, in a press release. “While no organization can prevent every threat, it’s clear companies need to pay more attention to cybersecurity and give it the urgency it deserves.”

The findings come as new regulations bring increased attention to cybersecurity and companies’ need to protect their customers. The European Union’s General Data Protection Regulation (GDPR) has been in effect for less than a year – with one recent study by the CMO Council suggesting that there are already organizational “leaders” and “laggards” when it comes to compliance.

But, more than that, changes to Canada’s Personal Information and Electronic Documents Act are set to take effect on Nov. 1 of this year, making the notification of data breaches mandatory under certain circumstances. As a result, companies that fail to protect their data may face “stiff penalties.”