
Canadian organizations and supply chains are too complex, posing 'concerning' levels of cyber and privacy risks

Thursday, November 18, 2021 2:25:00 PM

- Canadian executives say their organizations and supply chains are too complex, posing 'concerning' levels of cyber and privacy risks. -

- Over 80 per cent of Canadian executives say that avoidable organizational complexity poses 'concerning' cyber and privacy risks
- Only 41 per cent of Canadian respondents say they thoroughly understand the risk of data breaches through third parties
- Only a third of Canadian respondents report having mature data trust processes across four areas: data discovery, protection, minimization and governance
- Only 30 per cent of Canadian respondents quantify cyber risks to understand financial exposure and prioritize security spend

This week, PwC Canada launched its 2022 Canadian Digital Trust Insights from the perspectives of leading business and technology executives, making predictions about the next 12 months. Notably, 70 per cent anticipate an increase in cybercrime (60 per cent globally) and identify mobile, the Internet of Things (IoT) and cloud as top targets. Predictions on cyber spending rose from last year: 66 per cent vs. 56 per cent in 2021.

Deliberate about simplification

Over 80 per cent of Canadian executives say that too much avoidable, unnecessary organizational complexity poses 'concerning' cyber and privacy risks. Globally, CEOs tend to be more concerned about cyber and privacy risks arising from complexities in the cloud environment, governance of tech investments and crossover from IT to operational technology (OT). We've heard similar concerns from Canadian CEOs and executives.

When Canadian executives were asked to prioritize initiatives aimed at simplifying cyber programs and processes, they displayed a slight preference for adoption of a cloud-technology strategy. The other key initiatives included were: integrated controls across risk disciplines, integrated data governance, technology rationalization and supply chain rationalization.

"Digital connections continue to multiply and form complex webs that grow more intricate with each new technology. The answer here isn't just adding more technology; instead, it's about working together as a unified whole, from the tech stack to the boardroom. This requires C-suite to make hard and deliberate choices on simplification to make organizations easier to secure," said Sajith Nair, Partner & National Technology & Cloud Leader, PwC Canada. "Digital and cloud transformation, when done thoughtfully, provides organizations tremendous opportunities to simplify. Many, however, are unintentionally introducing additional complexities which are exposing them to unnecessary and avoidable cyber and privacy risks."

Value of data trust

Data is a chief point of concern. Data governance and data infrastructure are considered to be areas of 'unnecessary and avoidable' complexity by a majority of Canadian respondents (80 per cent and 81 per cent, respectively). However, only a third of Canadian respondents report having mature, fully implemented data trust processes in four key areas: governance, discovery, protection and minimization, while nearly one in five Canadian respondents say they have no formal data trust processes in place at all.

Organizations can benefit from setting up a good foundation of data trust. This ensures organizations are using data responsibly, securely, accurately and ethically, so that the data is a reliable tool when making business decisions. This year's data shows that a mere 36 per cent have mapped all their data, meaning they know where it comes from and where it goes. Even fewer (29 per cent) have mature data minimization processes. It is imperative for organizations to mature their data trust practices, especially as compliance regulations arise, such as Bill 64 in Quebec and the expected reintroduction of the federal Consumer Privacy Protection Act (Bill C-11).

Blind spots hide the risks

Organizations can't secure what they can't see, and most respondents to this year's survey seem to have trouble seeing their third-party risks. The risks are obscured by the complexities of their business partnerships and vendor networks. Only 41 per cent of Canadian survey respondents say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments. Nearly a quarter in Canada have little or no understanding at all of these risks. This is a major blind spot that cyber attackers are well aware of and willing to exploit. The organizations that have had the best cyber outcomes over the past two years have consolidated technology vendors as a simplification move. Paring the number of tech and other third parties reduces complexity and increases the ability to know how secure they are.

CEO's role in cybersecurity

There are diverging views in this year's data on CEOs' involvement in their company's cyber goals. Canadian CEOs indicate that they participate in discussions about the cyber and privacy implications of mergers and acquisitions, future changes to their operating model and future strategy. Non-CEO executives observe their CEOs getting involved in cyber when a crisis strikes, but CEOs think they're more engaged. When asked how CEOs frame the cyber mission in their organization, more than half of the CEOs globally chose bigger-picture, growth-related objectives from their security team. According to the Canadian insights of PwC's 2021 CEO Survey, their sentiments are the same. In fact, CEOs identified cyber as the top threat to growth, even ahead of the pandemic.

"CEOs have a great responsibility in leading the simplification. They can be instrumental in setting the foundational principles that communicate security and privacy as a business imperative for building trust in a digital world. The tone and involvement from the top has an impact," said Jennifer Johnson, National Cybersecurity, Privacy and Financial Crime Markets Leader, PwC Canada. "CISOs and their teams can benefit from broadening their outreach beyond CIO or CTO relationships to the greater C-suite, to create business-informed solutions. Quantification of cyber risks will help CISOs better engage C-suite on cyber exposure and get their support for cyber program."

The 2022 Canadian Digital Trust Insights is a survey of business, technology and security executives conducted in July and August 2021. This year's report delves into the impact of an engaged CEO in cyber goals, how a complex organization is an obstacle to sound security, securing your organization against the most important risks, and understanding third-party cyber and privacy risks.

SOURCE: PwC Management Services LP