With cybersecurity breaches on the rise, many Canadian business leaders are less confident in their ability to deal with an attack, underscoring more than ever the importance of staying vigilant even if they feel buffeted by near-term headwinds like a potential recession, finds new KPMG research.

According to KPMG International’s Global CEO Outlook Survey, the number of CEOs at large Canadian companies who said they were “well prepared” or “very well prepared” for a cyberattack fell 17 percentage points from last year and those who said they were “underprepared” jumped three-fold. They reported an even bigger drop – nearly five-fold -- in their level of preparedness against a specific cyberattack like ransomware (malicious software that holds data hostage in exchange for a ransom).

Yet when asked what keeps them up at night, CEOs put cybersecurity seventh behind a range of other pressing near-term risks such as the economy, a potential recession, regulatory issues, and disruptive technologies.

By comparison, their counterparts at small- and medium-sized businesses (SMBs) said in a separate KPMG in Canada survey they feel more prepared to handle a cyberattack (up 9 percentage points), although more than two-thirds admit their cyber defences could be “a lot stronger”, including raising awareness about cybersecurity among employees. They ranked cybersecurity as their second single-most-pressing concern today.

“Many large companies have invested in cybersecurity technology, tools, and employee education programs over the years, but cyber threats are becoming more frequent and more sophisticated,” says Hartaj Nijjar, Partner and National Cybersecurity Industry Leader at KPMG in Canada. “So while companies may be fixated right now on near-term risks like a recession, it’s important not to take their eye off the ball when it comes to cybersecurity, because data breaches can cost organizations millions of dollars, and that’s not something most companies can afford in an economic downturn. Keeping company data secure is an investment that will always pay future dividends,” he added.

“The situation is different for small- and medium-sized organizations because many went from having little or no digital platforms pre-pandemic to having them today. Last year, as they were building their platforms, they may not have prioritized cybersecurity to the extent they are today,” says Robert Moerman, a cybersecurity partner at KPMG in Canada. “Now they better understand the risks and are either investing or planning to invest in appropriate defences to protect their organizations.”

Canadian highlights from KPMG International’s CEO Outlook Survey

  • 56 per cent of the CEOs at large Canadian companies say they are ‘well prepared’ or ‘very well prepared’ for a future cyberattack, down from 73 per cent in 2021.
  • 20 per cent say they are ‘underprepared’ for a cyberattack, up from 7 per cent last year.
  • 24 per cent say they do not have a plan to address a potential ransomware attack, up from 5 per cent last year.
  • Cybersecurity is the seventh most-pressing concern today. Economic issues, regulatory concerns and disruptive technology were listed as top concerns.
  • 62 per cent said geopolitical uncertainty is raising concerns of a cyberattack in their organizations (lower than the global average of 72 per cent).
  • 59 per cent said building a strong cybersecurity culture is just as important as building technological controls, down from 83 per cent last year (and lower than the global average of 73 per cent).
  • 37 per cent do not think prioritizing and building a strong cyber culture is as important as technological controls, up from 3 per cent last year.

When asked if they view cybersecurity as a strategic function and a potential source of competitive advantage, three quarters (75 per cent) of large company CEOs agreed, down from 82 per cent who agreed last year. Notably, 17 per cent of respondents said they do not view cybersecurity as a strategic function, up from zero last year – something Mr. Nijjar said is concerning.

“Cybersecurity is not just an information technology issue, it’s one of the most critical business issues in any modern economy. A strong cybersecurity ecosystem can help boost the integrity of a company’s product or service, its customer experience, regulatory compliance, brand reputation and even investor confidence,” says Mr. Nijjar. “Most importantly, it builds trust. If stakeholders don’t have trust in an organization, they will look elsewhere for more trustworthy alternatives.”

SMBs increasingly prioritizing cybersecurity

With over half of SMBs saying they’ve been the victims of cybercrime in the past year, nearly eight in ten SMBs said building a cybersecurity culture is just as important as building technological controls.

“This is a very encouraging sign. It’s just as crucial to educate and arm your entire workforce with proper cyber training as it is to have appropriate defence technologies,” says Mr. Moerman. “Building a robust cyber culture is necessary because a company’s cyber controls are only as strong as their weakest link and often that weak link is human error or an inadvertent mistake.”

KPMG in Canada SMB poll highlights

  • 73 per cent are well prepared for a cyberattack, up from 64 per cent last year.
  • 56 per cent of SMBs said they had been attacked by cybercriminals in the past year (examples include an attack on electronic infrastructure and/or gaining unauthorized access to company data, phishing, malware, ransomware, denial of service, or insertion of malicious code).
  • Half said they have had to deal with a ransomware attack in the past year.
  • 59 per cent said their insurance companies covered their cyberattack-related losses.
  • 68 per cent said they have a plan to address a ransomware attack if faced with one.
  • 68 per cent said geopolitical uncertainty is raising concerns of a cyberattack in their organizations.
  • 73 per cent said they view information security as a strategic function and a potential source of competitive advantage.
  • 78 per cent agreed that building a cybersecurity culture is just as important as building technological controls.

During Cybersecurity Awareness Month in October, KPMG in Canada’s cybersecurity professionals are helping students, teachers, and parents, become more cyber aware through interactive classroom sessions on safe use of personal data, social media, cyber bullying, online gaming, phone use and more. To learn more about KPMG’s Global Cyber Day Initiative, visit: Get cyber smart - KPMG Global (home.kpmg)

Join KPMG in Canada on October 27 at 1 pm ET for a DX Coffee Chat to learn more about key cyber and privacy trends and how Canadian organizations can mitigate cybersecurity risks and safeguard their data.

About KPMG in Canada SMB Outlook Survey

KPMG in Canada surveyed business owners or executive level C-suite decision makers at 503 small- and medium-sized Canadian companies between August 16 and September 1, 2022 using Schlesinger Group’s Methodify online research platform. Thirty-two (32) per cent of the companies reported annual gross revenue of over $500 million; 26 per cent between $300-$499 million; 18 per cent between $200-299 million; 16 per cent between $100-$199 million; and 8 per cent below $50 million. The vast majority (85 per cent) of the SMBs surveyed are privately held and the remaining 15 per cent are publicly traded. Fifty-seven per cent of the SMBs are family-owned businesses.

About KPMG’s Global CEO Outlook Survey

The eighth edition of the KPMG Global CEO Outlook provides unique insight into the mindset, strategies and planning tactics of the CEOs of some of the world’s largest and most-influential companies. KPMG International surveyed 1,325 international CEOs in 11 countries (Australia, Canada, China, France, Germany, India, Italy, Japan, Spain, the U.K., and the U.S.) between July 12 and August 21, 2022. All respondents helm corporations with annual revenue of more than US$500 million. Thirty-nine per cent of the 75 CEOs surveyed in Canada lead organizations of more than US$10 billion in annual gross revenue, 31 per cent reported between US$1 billion to US$9.9 billion in revenue, and the remaining 31 per cent have revenue of between US$500 million to US$999 million. Seventy-nine per cent of the Canadian companies surveyed are publicly traded. Forty per cent of the Canadian respondents are from the financial services industry. NOTE: some figures may not add up to 100 per cent due to rounding.

About KPMG in Canada

KPMG LLP, a limited liability partnership, is a full-service Audit, Tax and Advisory firm owned and operated by Canadians. For over 150 years, our professionals have provided consulting, accounting, auditing, and tax services to Canadians, inspiring confidence, empowering change, and driving innovation. Guided by our core values of Integrity, Excellence, Courage, Together, For Better, KPMG employs more than 10,000 people in over 40 locations across Canada, serving private- and public-sector clients. KPMG is consistently ranked one of Canada's top employers and one of the best places to work in the country.

The firm is established under the laws of Ontario and is a member of KPMG's global organization of independent member firms affiliated with KPMG International, a private English company limited by guarantee. Each KPMG firm is a legally distinct and separate entity and describes itself as such. For more information, see kpmg.com/ca.

For media inquiries:

Roula Meditskos
National Communications and Media Relations
KPMG in Canada
(416) 416-549-7982