In an increasingly complex digital landscape, cybersecurity is no longer just about installing a basic antivirus. Last week, Frédérik Bernard (President of Secure01) and François Michaud (President of Oriso) came together for a webinar, hosted by Jonathan Maybury, to shed light on the vulnerabilities companies too often overlook.
The findings are striking: according to recent data from CDW, 68% of Canadian companies have weak or nonexistent cybersecurity foundations. Here are the five critical mistakes identified by our experts, along with practical steps to better protect your organization.
Not Knowing Your Data
Since the early 2000s and the shift from physical to digital, organizations have accumulated vast amounts of digital assets without always maintaining proper control, creating a lack of visibility. Today, not knowing what data you have, where it is stored, and how it is used represents a major operational and legal risk—often underestimated.
With the introduction of Law 25, maintaining a rigorous inventory of personal information is no longer optional—it’s a strict requirement.
Beyond compliance, this lack of awareness weakens organizational resilience. In the event of an incident, being unable to identify compromised data can paralyze crisis management and customer communications. Too often, sensitive information such as passwords or credit card numbers sits in easily accessible files, turning businesses into prime targets.
“The more data a company stores, the more attractive a target it becomes.” — Frédérik Bernard
To reduce your attack surface, it is now critical to systematically delete or anonymize data as soon as it is no longer needed.
Collecting Too Much Personal Information
Identifying what you already have is one thing—rethinking what you collect moving forward is another.
A common mistake is collecting more personal information than necessary. While often done for administrative convenience, this practice unnecessarily increases your attack surface. Sensitive data such as driver’s license or health insurance numbers are frequently collected without long-term justification.
While some industries (like car dealerships) may require this information temporarily, retaining it longer than necessary creates vulnerabilities.
Similarly, storing payment data for convenience or relying on browser auto-fill introduces significant security risks. Every piece of retained data becomes a liability in the event of a breach.
The golden rule remains: collect only what is strictly necessary, and educate both users and employees on this principle. When it comes to data, less is definitely more.
Lack of Clear Data Governance
One of the weakest links in many digital strategies is the absence of clear accountability for data. Without defined ownership, data management becomes unclear, opening the door to uncontrolled use of emerging technologies.
The rapid adoption of AI and SaaS platforms without strong internal policies exposes organizations to uncontrolled disclosure of trade secrets or sensitive financial data. Once this information is integrated into external tools or AI models, it becomes nearly impossible to remove—creating a permanent vulnerability.
To address this, data risk management must be treated as a strategic priority, not just a technical task. It should be integrated into executive discussions and governance processes (such as annual ISO 27001 audits).
A strong governance framework not only protects the organization but also ensures transparency with partners and regulators.
Granting Too Much Access (Internal and External)
Proper access management is more critical than many realize. Excessive permissions remain a widespread vulnerability.
Too often, employee access rights are not reviewed after role changes or departures, allowing individuals to retain access to sensitive data no longer relevant to their responsibilities. At a minimum, annual access audits are essential to ensure users only access what they need.
This challenge becomes even more critical with the rise of AI tools. These systems act like human users and can instantly scan all accessible data. Poorly configured permissions can lead to major internal incidents—such as exposing company-wide salary data through a simple AI query.
Speed of deployment should never come at the expense of control. Without a well-structured permission system, you’re simply accelerating the potential exfiltration of your most valuable data.
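As an added example (not from the webinar or either company), the kind of periodic access review this section calls for, written in Python over a constructed roster and grant list; it flags grants held by departed users, grants that outlived a role change, and confidential resources granted to everyone, which is the condition that lets an AI assistant surface salary data. The roster, resource names and sensitivity labels are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str               # account name, or "*" for an everyone/all-staff grant
    resource: str
    granted_for_role: str   # role that justified the grant when it was issued
    sensitivity: str        # "public", "internal" or "confidential"

# Constructed sample data (hypothetical HR roster: user -> (current role, status)).
ROSTER = {
    "alice": ("finance", "active"),
    "bob":   ("sales", "active"),      # moved from finance to sales, grant never revoked
    "carol": ("hr", "departed"),       # left the company, account still holds access
}

# Constructed sample grants as an access-management system might export them.
GRANTS = [
    Grant("alice", "finance/ledger", "finance", "confidential"),
    Grant("bob",   "finance/ledger", "finance", "confidential"),
    Grant("carol", "hr/salaries",    "hr",      "confidential"),
    Grant("*",     "hr/salaries",    "everyone", "confidential"),
    Grant("*",     "intranet/news",  "everyone", "public"),
]

def review_access(grants, roster):
    """Return (finding, resource, user) tuples for grants that fail least privilege."""
    findings = []
    for g in grants:
        if g.user == "*":
            # Everyone-grants are fine for public material, never for confidential data:
            # any user, or any AI tool acting as one, can read the whole resource.
            if g.sensitivity == "confidential":
                findings.append(("overbroad", g.resource, g.user))
            continue
        role, status = roster.get(g.user, (None, "unknown"))
        if status != "active":
            findings.append(("departed_or_unknown", g.resource, g.user))
        elif role != g.granted_for_role:
            findings.append(("role_changed", g.resource, g.user))
    return findings

if __name__ == "__main__":
    for finding in review_access(GRANTS, ROSTER):
        print(*finding)
```

Feeding a real export into `review_access` gives a revocation worklist; the review itself is only useful if someone owns acting on it.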
Not Being Prepared for a Data Incident
Lack of an incident response plan is often the beginning of a disaster. Without a structured crisis management approach, organizations risk making improvised decisions and failing to meet legal obligations.
A documented plan only has value if it is accessible—and tested. Like discovering a faulty fire escape during an emergency, an untested plan creates a false sense of security.
Annual simulations are essential to build real “muscle memory” within teams.
A fast, coordinated response is the only way to minimize the impact of a breach and accelerate recovery. This requires having a list of key contacts ready in advance (legal, IT, communications, insurers).
Preparation should also extend beyond your organization: ensure your IT vendors can demonstrate their own incident response capabilities.
In cybersecurity, it’s no longer a question of if you’ll be targeted—but when. The difference between a setback and a business failure lies entirely in your level of preparedness.
By 2026, cybersecurity can no longer be reduced to software purchases. With one in two companies affected and service disruptions approaching 20 days, improvisation is no longer an option.
The reality is clear: having the best tools is useless if 60% of organizations still fail to build a coherent response plan.
To avoid becoming part of these statistics, the path forward is clear:
- Gain full visibility into your digital inventory
- Practice data minimization to reduce your attack surface
- Establish strong governance to control AI and SaaS usage
- Rigorously audit access rights
- Regularly simulate incident response plans
The question is no longer whether you’ll experience a breach—but whether you’ll be prepared to survive it.