Sleepless in the C-Suite

What keeps Canada’s CEOs up at night? Concern about data breaches and consumers’ intolerance for the consequences of cyberattacks

When CEOs around the world concede that cyber threats and data security are the key issues that keep them up at night, all businesses and organizations that hold data about clients and customers should take notice.
To better understand consumers’ perspectives on security and privacy of personal information, Navigator undertook the first in-depth opinion survey in Canada on the public’s awareness and assessments of data compromises, losses and breaches. The research study explored Canadians’ expectations about how the personal data they have entrusted to retailers, financial institutions, government agencies and technology providers is protected.
The findings reveal that Canadians have little tolerance for security measures that don’t thwart cyberattacks and they have only limited sympathy for organizations that have fallen victim to cybercriminals. Canadians want much stricter laws and regulations to protect consumers.
In a typically Canadian way, respondents balanced their tough assessments with a willingness to assume some personal responsibility for safeguarding their own information and cyber trail. Further, they were prepared to extend at least some latitude to organizations that are hacked, recognizing that in a world of rapidly evolving technologies and increasing online services and capabilities, it may be impossible to fully protect against sophisticated, die-hard cybercriminals.
But, none of these concessions fully mitigate a willingness to lay blame for data breaches squarely with the organizations that are hacked.
The survey found that 70% of Canadians were familiar with data breaches and could easily and accurately identify specific North American retailers and Canadian government agencies that have been subject to cyberattacks. Seventy-nine per cent said they were concerned about data breaches involving personal information, and 38% said they were ‘very concerned.’ The findings also reveal that the level of anxiety about data breaches is growing, with 74% of respondents reporting that they were more worried about potential breaches today, even as they become more familiar with cyberattacks.
Canadian consumers firmly rejected the notion that hacking is the ‘new normal.’ When probed specifically about cyberattacks at retail organizations, 69% believed that large chains were failing to do enough to prevent data breaches. Consumers strongly suspected that companies had been lax in adopting appropriate security measures (87% agreed) or had been unwilling to pay the maintenance and upgrading costs (79% agreed) for systems that effectively protect transaction data and information. They demanded rigorous efforts to improve the security of payment and online systems.
Survey participants were clear about whom they held responsible for retail security breaches: after conceding that the criminal hackers were mostly to blame, 65% of those surveyed pointed to the retailers themselves as being responsible for the breach. Relatively few survey respondents held banks, the payment system or credit card issuers as responsible for attacks that compromised the transaction process or resulted in criminals gaining access to personal credit or debit card information.
As concerned as the public is about retail security breaches, survey respondents were even more worried about the security provided by organizations that hold more detailed and sensitive personal information about citizens. They were most concerned about cyberattacks against such entities as the Canada Revenue Agency, Canadian banks and credit unions, credit card issuers and debit service providers. At the same time, survey respondents registered notable confidence in the ability of both banks (85%) and the government (73%) to protect the confidentiality and security of the data they hold, including during online transactions.
These large organizations can take comfort in knowing that the public has expressed such confidence, but at the same time that confidence would likely take a dramatic hit should a breach occur.
The high level of public anxiety about security, confidentiality and privacy of personal information combined with the pervasive concern about cyberattacks and data breaches demands a regulatory or legislative response.

The high level of public anxiety about security, confidentially and privacy of personal information combined with the pervasive concern about cyberattacks and data breaches demands a regulatory or legislative response.

Three quarters of survey respondents agreed that much tougher laws and regulations are required to better protect consumers. Almost two-thirds (64%) said that data breaches would not be effectively dealt with until government and regulators imposed much stricter rules around the security of personal and customer information that companies and organizations hold.
Clearly, Canadians expect that issues around data security and privacy of information will receive government attention. Given the strength of opinion and concern, the findings suggest that Canadians view issues of security as a priority.
In a federal election year, it will be interesting to see if cyber security receives the attention of the federal political parties and emerges as a key component of their policy platforms.
The survey also reveals that Canadians want organizations that experience data breaches to immediately come clean about the security threat and the potential implications for the privacy of personal information. This stems from having witnessed less than forthcoming responses from some organizations in recent years. Consumers are demanding immediate disclosure, they expect to be contacted quickly about potential compromises of their personal information, and they want the incident to be reported right away to the appropriate government regulator. Our findings indicate Canadians are likely in synch with the U.S. government’s push for legislation that would require that any breach that involves citizens’ information be revealed publicly.
The findings of Navigator’s research study reveal that CEOs at businesses and organizations that hold sensitive information have good reason for sleeping poorly; the public has an extremely limited tolerance for breaches of personal information or breaches that could affect personal transactions and finances. CEOs can add that to their list of cyber worries that includes the security of their systems, the implications of data compromises and the consequences of serious potential reputation damage or liability.
At a time when IT commentators foresee a breach of the ‘cloud’ as inevitable, and as consumers are increasingly worried about the security of their transactions and information, action from government, business and consumers is clearly — and urgently — required.