Few Canadian firms are prepared to face most cyber attacks, if a new poll of 253 small and mid-sized firms is to be believed.
Fewer than two in five respondents to the online survey by KPMG Canada, released on the eve of Cyber Security Awareness Month — which starts today — believe they can fully detect and fend off cyberattacks.
In addition, only just over half (56 per cent) said their firm tests the effectiveness of their cyber-defences.
“For the most part Canadian companies – and this is not unique to Canada – aren’t prepared as they should or could be for cyber attacks,” Hartaj Nijjar, a partner in KPMG’s cybersecurity practices, said during an interview about the results.
“It’s a reflection of the challenge organizations are facing.”
“I think there is a long way to go. It’s a journey and there’s more that could be done with respect to the amount of funding organizations reserve for cyber. It’s receiving more attention now. It could receive more,” he said. “It’s going to take time, it’s going to take more awareness and training, and, frankly, it’s going to take more funding.”
“The challenge of cyber is not an easy one,” he added. “The larger the digital footprint of an organization the more difficult it becomes. Particularly organizations that have legacy systems with lots of interconnections and they’re making acquisitions, the problems become that much more difficult.”
Among other survey results:
–only 38 per cent of respondents said cyber security is “deeply embedded” into all aspects of their business;
–just 39 per cent said they are “very confident” in their ability to detect and respond to a cyberattack, while 59 per cent were “somewhat confident;”
–48 per cent of respondents plan to increase their cyber security budgets by up to 20 per cent in the next 12 months. One-third plan to increase cyber spending by less than five per cent in the same period.
In fact, Nijjar said some of the responses “were a bit optimistic.”
“When we visit our clients I struggle to think of more than a handful that would suggest cybersecurity is deeply embedded into all their business,” he said. “They consider cyber at different stages and projects, but it’s not deeply embedded.”
While just over half of respondents said their firm has incident response playbooks, Nijjar said few of these documents are expansive enough. Often they cover commonly reported attacks including ransomware, phishing, and distributed denial of service attacks. “But what we find they are not necessarily paying attention to are non-common types of attacks.”
And while 94 per cent of respondents said their firm monitors their environments for potential cyberattacks, Nijjar thought that number is “obviously too high.” Few fit his definition of monitoring, which includes watching for “a myriad of different attacks, constantly turning your monitoring controls.”
When it was suggested the results are a glum beginning for this year’s Cybersecurity Awareness Month, Nijjar said “it could certainly look better.
“Even though for me some of the numbers are a little bit optimistic, I think it’s a relatively fair reflection” of the preparedness today of Canadian organizations.
Recommended actions
Nijjar said three things need to be done to improve the cybersecurity maturity of organizations:
–solve the shortage of people with cybersecurity skills;
–push the importance of cybersecurity to the organization from the C-suite down;
–focus on core security fundamentals including patching, identity and access control and vulnerability management instead of new products.