Canadian organizations must prepare for worst-case cyber threats now

Planning for worst-case cyber breaches is essential for organizations looking to stay ahead in this evolving risk landscape. 


In brief

  • Compared to the United States and other markets, Canadian cyberattacks have been relatively limited in size and scale.
  • That reality is changing, but organizations in Canada don’t yet recognize the magnitude of this looming threat, particularly around its correlation to stakeholder brand perception.
  • Planning for worst-case cyber breaches is essential for organizations looking to stay ahead in this evolving risk landscape.

Hampered supply chains, shuttered ecommerce sites and debilitated infrastructure are increasingly prevalent in Canada as hackers seize on vulnerabilities to shut businesses down. In fact, new EY research shows cybersecurity incidents are high in Canada when compared with global counterparts — and this trend is expected to worsen.

Even so, many business leaders may not fully recognize the substantial business risks cyber threats represent. That is a problem, but also an opportunity: Canadian organizations that prepare for worst-case scenarios now have the best possible chance of reducing costly repercussions when — not if — attacks occur.

Organizations are under constant attack. The 2023 EY Global Cybersecurity Leadership Insights Study shows some 81% of Canadian organizations had experienced at least 25 cybersecurity incidents and subsequent breaches in the prior 12 months. That’s compared to 73% of global respondents who cited the same number of attacks.

What’s more, while emerging technologies hold a lot of promise for businesses looking to bolster their cyber defences, nearly half of Canadian survey respondents said their organization has difficulty balancing security and innovation.

At the same time, Canadian organizations are starting to experience more costly and high-profile breaches, in line with what’s already been happening in the United States. Public transportation systems. Leading consumer product retailers. World-class energy and natural resource organizations. Any business or industry is fair game for cyber criminals. It only takes a quick glance online to see that more and more Canadian companies are falling victim to the kinds of highly visible and sophisticated attacks that leave businesses — and those they serve — feeling painful aftershocks for weeks or months at a time.

But while cyberattacks are becoming increasingly expensive, leaders don’t appear to be factoring cybersecurity into business decisions as a true value driver. In fact, only 8% of Canadian Chief Information Security Officers (CISOs) and C-suite executives surveyed said their organization’s current approach to cybersecurity impacted the way key stakeholders viewed their brand. That’s a significant gap compared to counterparts in the United States, 22% of whom linked cybersecurity approach to brand perception. This differing view puts Canadian organizations at risk of delayed vigilance, and potentially disastrous implications.

Value perception is key to strengthening cybersecurity

Clearly, cyber risk perception differs in Canada compared to the United States and other jurisdictions, where competition in a much larger population can be a whole lot fiercer. At the same time, Canada hasn’t yet seen cyberattacks at the scale and sophistication level of what’s occurred in the United States.

Meanwhile, the very nature of the Canadian economy is unique. Businesses here have less competition than in larger markets. And with less competition, the brand and reputation impacts of cyber incidents are less relevant than in highly competitive markets such as the US. Deeply grounded in natural resources, manufacturing and energy, Canadian companies have been adopting new technologies differently — think internet of things (IoT) or cloud — compared to their US counterparts. And while many large Canadian businesses rely heavily on operational technology (OT) and IoT, OT security in the US is more mature than in the Canadian landscape. US firms are more mature in adopting cloud at a large scale too.

Overall, the Canadian threat landscape is simply different in scale than in the United States. That limits cyber threat exposure and potential risk.

The thing is: many of these factors are changing. As shifts towards digital transformation, generative artificial intelligence (gen AI), wide usage of IoT, cloud at scale and other trends spur progress for Canadian businesses, they’re also opening new pathways to additional cyber risks. As higher-profile and increasingly sophisticated breaches become more frequent, everything from a business’s brand to consumer trust and loyalty could be impacted. In the past, cyberattacks have actually caused enough of an impact to affect Canadian citizens’ day-to-day lives. The general public doesn’t yet fully connect cybersecurity and data privacy to brand perception. And Canadian businesses have been complacent about the value of cybersecurity. Now that more sophisticated cyberattacks are starting to empty physical shelves, render consumer service points unusable and expose healthcare data, both Canadian citizens and businesses are collectively witnessing and experiencing the true impact that cyber breaches can create.

In this environment, the best cybersecurity defence starts with built-in resilience.

How can Canadian companies evolve cybersecurity now? 

Companies can strengthen their cybersecurity by emphasizing resilience and building this priority into critical business processes and their underlying technologies across the organization.

What should Canadian businesses keep in mind?

1. Simplify the cyber technology stack to reduce risk and improve visibility. Automation and orchestration can reduce clutter in the technology environment, allowing you to detect signals more quickly and respond more effectively.

2. Standardize and automate supply chains wherever possible. This can help by improving cyber vigilance and enabling you to continuously monitor performance without adding undue additional layers of bureaucracy. Be sure to involve security teams in the vendor selection process.

3. Communicate the cybersecurity narrative across the organization. Business stakeholders must understand what the organization is up against. The most effective CISOs can translate that story effectively, in ways that resonate with the business in terms of risk buydown, business impact and business creation.

4. Combine incremental and well-designed training with automation. Human error continues to be a leading cause of cyber breaches. The right mix of employee training and technology — think prevention tools — can make your workforce cyber-secure by design.

5. Dismantle silos to weave cybersecurity into the organization’s fabric. Cybersecurity should be viewed as a value driver, not an inhibitor or a cost centre. Connecting cybersecurity to every functional department and area of the business instills the confidence necessary to innovate, and opens new revenue and market opportunities.

6. Invest in business resilience. Organizations must also be prepared to detect and withstand incidents by reacting decisively and immediately when a breach occurs. Build out robust plans that go beyond early detection alone to cover instant-response and disaster-recovery planning, and clear outlines of responsibilities, roles and accountabilities. Then, simulate and prepare so that everyone involved knows exactly what they’ll do, when and how to isolate problems, and keep critical systems/operations going in the event that an attack takes place. 

CISOs have the opportunity to make a difference



Our 2023 Global Cybersecurity Leadership Insights identifies the actions Chief Information Security Officers (CISOs) need to take to emphasize resilience and build this priority into critical business processes and their underlying technologies across the organization.

Summary

Canadian organizations must strengthen their cybersecurity by emphasizing resilience and incorporating this priority in key business decisions and processes now. This can help you stay two steps ahead of trouble, even as the risk landscape transforms dramatically in real time.
