This opinion piece is by Hartaj Nijjar, National Leader of Risk Services and Cybersecurity at KPMG in Canada, and Robert Moerman, Partner and National Leader of Cyber Defence at KPMG in Canada.
Opinions expressed by contributors are their own.
Canadian organizations are facing an onslaught of increasingly sophisticated cyberattacks from criminals who are leveraging artificial intelligence (AI) to attack harder and faster.
Over the past year, for example, ransomware crippled hospitals, business email compromise (BEC) drained millions from unsuspecting companies, and bad actors breached government data.
As many as 86% of 501 Canadian business leaders that we recently surveyed view cyberattacks as the top threat to their three-year growth plans. Yet, many companies still aren’t investing enough to combat the growing complexity of threats. While they may be aware of the vulnerabilities posed by underinvesting, they are also facing increased economic pressure to cut back on spending across the board.
Still, not investing enough in a company’s cyber defences is not just risky, but dangerous, and it is giving criminals the upper hand.
Why we delay: The psychology of risk perception
With so many recent examples, the case for bolstering cyber in Canada has never been stronger. Why, then, are so many leaders not investing what is required to protect their organization from cyberattacks? The answer lies in how our brains are wired.
Humans are naturally biased to focus on immediate, visible threats. Cyber risks feel abstract until they aren’t, and by then it’s too late. This proximity bias means we prioritize what’s right in front of us, even if the looming danger is far greater.
There’s also optimism bias, the belief that ‘it won’t happen to us.’ Many executives assume their company is too small, too obscure, or too well-defended to be a target. However, the data says otherwise. Attackers are increasingly targeting small- and medium-sized businesses and exploiting overlooked vulnerabilities.
The reality is that most organizations operate under a false sense of security. In KPMG’s 2024 Cyber Threat Simulation Challenge, 74% of participating organizations failed to detect simulated attacks. Most had never tested their detection capabilities before, yet believed they were sound. As a result, when a real attack comes, they’re caught off guard.
Evolving threats demand immediate action
Cyberattacks can be devastating: they disrupt supply chains, shutter private and public sector organizations such as hospitals, libraries, and power utilities, and force organizations to pay ransoms just to regain access to their own data. In many cases, backups were either encrypted, deleted, or inaccessible, leaving organizations with no means of recovery.
Cyber criminals have varying strategies when it comes to breaching defences, but the most alarming is perhaps the long game: criminals gain access to an organization’s systems and data, then choose to wait and strike when it’s most beneficial for them. Attackers will often use this method during nation-state attacks when targeting governments or organizations with highly sensitive data. The problem is that, without proper cyber hygiene, companies may have been compromised and not even know it.
Think about it as if someone made a copy of the key to your house, but decided not to use it right away. Instead, they have access to your home but may wait months or years to rob you. Then, when they do rob you, they find sensitive information about your neighbour that makes it easier to break into their home. Now, imagine this happening to all of the homes in your community. This is the threat currently facing Canadian businesses.
A recent KPMG survey shows that 88% of Canadian business leaders are concerned nation-state actors are stockpiling encrypted data, using a ‘harvest now, decrypt later’ strategy, and will retroactively decrypt corporate, medical, or defence data once quantum machines become powerful enough.
To stay protected, Canadian companies need to strengthen their core defences by pairing tools that can catch threats before they spread with systems that keep track of suspicious activity. With AI-powered attacks on the rise, companies should be ready to update their defences proactively.
GPT-4 was shown to exploit vulnerabilities using public advisories with alarming success. If your team doesn’t have the resources to monitor your environment round the clock, consider outsourcing incident detection and response services, which can help you respond to threats in real time.
For anything to really change, it is essential to have executive buy-in so that cybersecurity is championed at the highest levels, with resources and attention to match. Leaders need to be aware of their biases and actively challenge why their level of investment does not match their level of threat.
Failure to do so risks making their company the next target.
The threats are real, the costs are rising, and the time to act is now. Don’t wait until a breach is right in front of you to realize what should have been done all along.
