Canadian CEO confidence in facing cyber attacks varies, according to KMPG surveys

While Canadian infosec pros struggle in the trenches with cyber attacks, CEOs stand at a higher level looking over the entire organization. From their viewpoint, what do they think of cybersecurity?

It depends on the size of the company, according to recent surveys by KPMG.

Barely half (56 per cent) of Canadian CEOs of mid-to-large firms questioned believe their companies are prepared for a cyberattack today, with more than nine in 10 (93 per cent) worried that the emergence of generative artificial intelligence (AI) will make them even more vulnerable to breaches.

Less than five per cent of Canadians said their organization is “very well prepared” for a cyberattack.

Those numbers are in KPMG International’s CEO Outlook (registration required), which surveyed 1,325 CEOs in 11 countries this fall whose companies have more than US$500 million in annual revenue. Of those, there were only 75 Canadian CEOs. This survey included questions about a wide range of business issues, including cybersecurity.

By contrast, in a separate survey of business owners or executive-level C-suite decision-makers at 700 small and medium-sized Canadian businesses, 88 per cent of respondents said their company is well-prepared to defend against a cyberattack. Broken down, 41 per cent “agreed strongly” and 47 per cent “agreed somewhat” their firm is well-prepared.

Companies in this survey had between C$10 million and C$1 billion in annual revenue.

Like the global CEO survey, the Canadian SMB survey included questions about cybersecurity as well as a wide range of other issues.

Also as part of the the Canadian SMB survey

• 71 per cent said their legacy systems or infrastructure (i.e., information and/or operational technology) make their company vulnerable to cyberattacks;
• 66 per cent said their company doesn’t have the skilled personnel to implement cybersecurity or monitor for attacks;
• 64 per cent said their company lacks the financial resources to invest in cyber defences;
• 62 per cent said cybersecurity is not regarded as a business priority.

Six in 10 Canadian SMB respondents said their company had paid a ransom to cybercriminals in the last three years, and 59 per cent said their company doesn’t have a plan to address a potential ransomware attack (up from 32 per cent last year).

“Paying a ransom to cybercriminals is a costly expense that companies generally don’t plan for – especially smaller and medium-sized enterprises with fewer resources and limited budgets,” said Robert Moerman, a partner in KPMG’s cybersecurity practice who leads managed security services. “But unfortunately, many SMBs are choosing to pay cybercriminals because ransomware attacks can paralyze or even shut down their operations, and many simply can’t afford that.

“Paying a criminal will likely cost an organization more than it would to establish effective cybersecurity defenses to deter that criminal in the first place. Planned investments in cybersecurity reduce the likelihood and cost of a cyber incident, and cyber insurance can help address the residual risk. For smaller organizations that might not have the capacity or expertise to implement robust cybersecurity programs, external service providers can fill that gap as well,” added Moerman.

The full results of the SMB survey weren’t released.