Corporate Boards are finally putting data security on the agenda

Canadian companies are doing more than most to secure their data, but boards need to keep the pressure on




Since the world’s most secure organization was infamously exposed by a contractor, companies have been on the lookout for their very own Edward Snowdens. In a recent survey of corporations, the top four groups labelled most likely to be the source of cyber security incidents all worked inside the building.

North American respondents to PricewaterhouseCoopers “The Global State of Information Security Survey 2016” (including 157 Canadian firms) rated current employees as the most likely source of breaches, followed by former workers, then current and former service providers, consultants and contractors:


When not even the NSA’s panopticon-level security apparatus can save it from being breached, what can the average business hope to do to keep its information secure? A lot more, it turns out. While Canadians were more likely than the rest of the survey respondents to have security measures in place, the numbers are still remarkably low for a business population that witnessed first hand the Ashley Madison/Avid Media hack last year. While 92% of Canadian respondents have some sort of security framework in place, only 57% employ employee training and awareness programs and just half conduct threat assessments.

The one grace note to these generally middling results: boards are starting to pay more attention to the risks associated with information security. Active participation in security budgets doubled from a quarter to half from 2014 to 2015, while discussion of specific policies and technologies also increased significantly (from 25% to 37% and 16% to 36% respectively).

As consumers become more aware and concerned about companies’ use and protection of their data, cyber security is likely to move up board agendas.  In the digital age, a major hack can sink a business just as easily as a tsunami.