Canadian organizations are taking more steps than ever to fight online attacks, but a new survey raises questions about whether they are doing enough.
The 157 Canadian respondents (including infosec leaders and senior management) to a PricewaterhouseCoopers global cybersecurity survey said information security budgets in their organizations were up 82 per cent in 2015 over the previous year. On the other hand, only 57 per cent said their organization offers employee security training and awareness programs. That’s better than the global average of 53 per cent, but it isn’t 100 per cent.
Similarly, only 55 per cent of responding Canadian organizations said they have security baselines and standards for third parties that connect to their systems. That compares to 52 per cent of global respondents, but considering the important breaches reported in the past few years that leveraged partners or contractors — Target being the most prominent — it isn’t very high.
And only 65 per cent said they have an information security strategy, and only 50 per cent of Canadian respondents said they conduct threat assessments. Only 54 per cent do active monitoring and analysis of security intelligence. Only 63 per cent collaborate with others to improve cybersecurity — and while globally 65 per cent of respondents said they collaborate, why isn’t the number higher? For example, only 40 per cent of Canadian respondents said they share information with an industry information security action centre (ISAC), although to be fair not all industries have ISACs.
On the other hand, 92 per cent say they follow a risk-based cybersecurity framework, such as NIST or ISO 27001.
Last October PwC said that the number of cybersecurity incidents in Canada had jumped 160 per cent in 2015 over the previous year.
Richard Wilson, a partner in PwC’s Canadian cybersecurity and privacy practice, didn’t want to comment on whether the numbers in today’s report are low. But he did say in an interview that organizations respond first to cyber threats by trying to fortify their technical defences. “They’re looking at this as an IT issue,” and think training is a matter for the human resources department. What these organizations are missing, he said, is that attackers today are using social engineering to breach networks and not attacking infrastructure directly.
“I don’t think most management teams default to understanding how vulnerable they are around social engineering and their staff, and therefore they de-prioritize staff training.”
As for threat sharing, Wilson said some Canadian sectors, particularly finance, are very good at it. Others, such as mining, don’t see cyber threats as a significant risk because they don’t believe they have valuable data to steal — but, he added, Canadian mining companies have seen hacktivist attacks not for data but to make political statements.
“There is a fundamental challenge we’re seeing in Canada: People who are responsible for IT security need to be effective at making the connection for management and boards on the effort and investment for cybersecurity and their organization’s strategic objectives … If the cybersecurity leadership can’t adequately say, ‘If these threats happen, these breaches occur, these are the strategic objectives that we think would be significantly deterred,’ then management doesn’t appreciate how important information security is.”
The report also notes the growth of managed security services in the country. Sixty-four per cent of respondents said their organization uses cloud-based cybersecurity services of some sort, including advanced authentication and access management, real-time monitoring and analytics, threat intelligence and endpoint protection.
“Overall, the Canadian data provides solid evidence that Canadian companies are taking steps towards mitigating cyberattacks but the threat is still very real,” Wilson said. “Canadian business and public sector leaders need to better understand the full range of impacts a cybersecurity breach can have on their organizations. This issue has evolved far beyond data loss. Beyond financial and reputational damages, we are seeing impacts to competitiveness, product and service quality, employee retention, and the health and safety of both employees and the public.”
The report also says half of Canadian companies surveyed indicated that their board participates in defining their organization’s security budgets, up from 25 per cent in 2014.