PwC Addresses Excuses for Not Investing in Cybersecurity

PwC Survey of Canadian Private Companies Finds Cybersecurity an Issue, but Not a Priority

TORONTO, May 20, 2015 — We all know cyber-attacks have had an increased presence in today’s interconnected world, however cybersecurity isn’t an issue faced strictly by large firms. PwC’s recent survey of Canadian private companies found that 88% of firms agreed or strongly agreed that cybersecurity is an important issue for their organization. However, firms are more in the dark about what they need to do, where their vulnerabilities lie and what to do about them.

“We’re not a target.”

Just because a company does not accept credit card payments or store personal information, does not mean they will be immune to a cyberattack. Attacks are also on health information, SINs and employee lists, as information brokers in the black market place increased value on personal information.

Jason Green, Director in PwC’s Cyber Resilience team, comments, “Today’s cybercriminals often target companies that have been slower to invest in security as a platform to launch an attack on other organizations.”

Even as a gateway, there are legal implications for a company that is used to gain access to information from another company. To thrive in today’s rapidly changing risk environment, companies need a well thought-out cybersecurity and privacy strategy, along with the right skills and resources to implement it.

“It’s not in our budget.”

The cost to a business that is hacked may be measured by loss of customers, lawsuit payouts, interruption to business or reputational damage. Protecting the business from cyber-attacks needs to be seen as a business imperative, not discretionary spending. Simply put, the response to “we can’t afford to” is “you can’t afford not to.”

David Craig, Leader of PwC’s Risk Assurance Services Cybersecurity and Privacy practice, notes, “Investing in cybersecurity will pale in comparison to the costs associated with being in the middle of a large scale breach.”

Companies do not need to invest in off-the-shelf packages. In fact, PwC would advise companies look at a customized and scalable solution that addresses a company’s specific vulnerabilities and critical information protection requirements. These solutions can be much more affordable than packages that cover a gamut of problems that may not even be an issue for every company.

“I wouldn’t know where to start.”

1. Learn where your blind spots are and understand your cyber ecosystem
2. Identify your most valuable data and who has access to it
3. Train your employees as your first line of defense (75% of breaches are driven by insiders, but 42% of respondents said they never conducted formal cybersecurity employee training)
4. Implement suitable controls over the most sensitive data from the most likely means of compromise
5. Have protocols in place that identify responsible parties in the event of a breach (49% of respondents said that if a cyberattack happened to them tomorrow, they either wouldn’t, or don’t know if they would be able to respond effectively)

These steps are not only important to protect a company’s operations in Canada, but it may become necessary to prove the right protocols are in place in order to do business with companies in the United States and certainly necessary if a company is looking to grow its business in international markets.

A full copy of the report is available at: http://www.pwc.com/ca/en/private-company/business-insights.jhtml

Follow PwC on Twitter at @PwC_Canada_LLPOpens in a new window and on Facebook at www.facebook.com/pwccanadaOpens in a new window.