A new survey commissioned by the federal privacy commissioner has found that over half of Canadian firms have little to no concern over a potential data breach affecting their systems.
The survey, simply titled “2017 Survey with Canadian businesses on privacy-related issues,” was prepared by Phoenix Strategic Perspectives for the Office of the Privacy Commissioner of Canada (OPC). The study concluded in January, and the results were published on May 31, 2018.
In total, 1,014 Canadian senior decision-makers participated in the survey. When asked to rate their level of concern about a possible data breach within their own companies, nearly 23% of the respondents said that they were extremely concerned, while 36% said they were not concerned at all. In general, almost half (48%) were moderately concerned, while half (50%) expressed low or no concern at all.
“The low level of concern amongst some businesses is surprising given the significant number of major breaches we see occurring,” commented privacy commissioner Daniel Therrien in a statement. “The risk of a breach is an issue every business that collects and uses personal information must be alert to. Breaches can have negative consequences for affected individuals, but also for the organization, including, for example, loss of consumer trust.”
The study also found that only four in 10 firms said they have policies or procedures in place in the event of a breach involving the information of their customers – a statistic that has remained relatively unchanged since 2015, the survey noted.
Ironically, the survey revealed that 68% of respondents said their company places “high importance” on the protection of their customers’ personal information.
Kevvie Fowler, a partner and national resilience leader at Deloitte Canada, told IT World Canada that the survey implies that businesses are complacent about their level of “security.” Fowler said that although many companies are aware that their firm complies with Canadian privacy law, only 40% of respondents said they have an actual data breach policy. He suggested that some organizations are mistaking compliance for having cyber security in place, “which of course isn’t the case.”