Cyber readiness of Canadian manufacturing sector ‘worrisome,’ says CATA VP

The state of cybersecurity in advanced Canadian manufacturing and critical infrastructure firms leaves a lot to be desired if a survey conducted earlier this year is representative.

Although Canada has a national cybersecurity strategy and has been encouraging organizations to improve readiness since 2010, the recently-released survey of 208 firms had a number of concerning results:

  • only 60 per cent of respondents said their firm had a written cyber security program;
  • only 57 per cent had appointed a cybersecurity official (for example a chief information security officer to lead their efforts. The rest were led by someone with an IT background;
  • only 30 per cent of respondents had a CISO, a written program and regular security audits, three elements report authors think defines a cyber secure mature firm;
  • 23 per cent of respondents feel somewhat or very dissatisfied with their cyber preparedness;
  •  65 per cent said their firm spends less than $100,000 a year on cybersecurity.

Study leader Jean-Guy Rens, vice-president of the Canadian Advanced Technology Alliance (CATA), which commissioned the report, said the results are “worrisome.”

“[Companies] are aware of the problem, but they are very limited in what they deploy,” he said in an interview. “They don’t receive a lot of help from the government, and we end up with this result.”

There isn’t a sense of mobilization in the sector, he added.

Rens called on Ottawa as well as the manufacturing industry to do more, including finding ways for firms to share more threat intelligence and best practices.

Rens, who is senior partner at marking firm Sciencetech Communications, which wrote the report, acknowledged that the small survey sample — only 208 of 2,421 invited firms responded —  is a concern. However, he explained it away by noting many companies refuse to talk publicly about cybersecurity.

The report comes after the federal privacy commissioner’s office said it received 680 reports of violations of security controls in Canadian firms covering over 28 million people in the first 12 months of mandatory data breach reporting.

The CATA report was largely paid for by Siemens Canada and CyberNB, an arm of the New Brunswick government. It studied physical cybersecurity in so-called Industry 4.0 manufacturing and critical infrastructure firms. These are companies with production automation and network integration. Critical infrastructure organizations include government, banking, energy, transportation, hospital and other sectors identified by the federal government.

Fifty-five per cent of participating firms were in the manufacturing sector, and 45 per cent were in critical infrastructure. Generally, Rens said, the critical infrastructure firms were in better shape than the manufacturing companies. That’s probably because they have bigger cyber budgets, he said, are often regulated and are more used to working with each other.

In addition to the survey, report authors interviewed 27 experts to learn about best practices. The report also includes 27 brief case studies of Canadian organizations, the cybersecurity problems they face and how some of them are being addressed.

According to the report, from looking at the responding firms “cybersecurity has difficulty distinguishing itself from IT and when it is separated from it, it is in some cases still entrusted to the finance department … Linking cybersecurity directly to senior management is still exceptional outside the banking sector and government. Only one respondent reported making presentations to his company’s board of directors.”

“Too often,” the report concludes, “cybersecurity is buried in the administrative hierarchy.”

“IT and cybersecurity should be treated equally, and that means giving more value to the cybersecurity department,” said Rens.

The fact that only 60 per cent of respondents have a written cybersecurity plan is a problem, he added.

“If you don’t have a formal cyber security program that means it [cybersecurity] can be interpreted in many ways, and that means it’s not taken seriously.”

A mature firm, he added, has a CISO, a written cyber security plan and regularly conducts penetration tests. Only 30 per cent of respondents had all three.

“That is a very bad result,” said Rens.

The report also identified eight major issues.

  • lack of cyber information sharing between companies and with Ottawa;
  • a shortage of IT pros. To meet that the report suggests firms urge computer scientists and even non-IT specialists to become cyber security experts;
  • a need to enhance the CISO function in organizations;
  • a lack of employee awareness. To boost this, the report suggests putting cyber security in every employees’ job description, and link it to performance reviews and salary;
  • a lack of awareness about cyber security among small and medium-sized businesses. The report suggests an unspecified form of financial incentives for SMEs to improve their maturity;
  • low adoption cyber insurance;
  • and a need to address data sovereignty problems. The report suggests creating a public or quasi-public sector co-location facility to house Canadian providers of cloud and cybersecurity solutions.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now