Leaders of many Canadian organizations still think they won’t be the victim of a cyber attack, says the head of the cybersecurity practice of a major consulting company.
“What I’ve noticed in Canada is a lot of organizations say ‘It’s not going to happen to me.’ “ Peter Morin, national cybersecurity leader at Grant Thornton Canada, said in an interview after the firm released its first in what is hoped to be an annual Cybersecurity in Canada report. British-based Grant Thornton International is a global tax and advisory consultancy.
“A lot of companies bury their heads in the sand when it comes to cybersecurity,” Morin said. “It’s a cost centre. In many cases a lot of organizations don’t know how to turn it into more of an advantage. It’s just a cost centre.
“A lot of organizations in Canada — and abroad — will say, ‘We have an IT team. We have four, five, six people in IT. And Sally and Bob are going to be designated as cyber people.’ And they don’t necessarily have the cyber skillset to do that work but that’s their assignment – in addition to their regular IT jobs.”
But, he added, awareness of management is changing for a number of reasons: The sudden need to protect employees working remotely from home due to COVID-19, the increase in ransomware, and the scrutiny of boards of directors.
Another is pressure from insurance companies.
“We’ve worked with a lot of companies that have said, “I’m not too worried. I’m going to get [cyber] insurance. And if there’s ever a problem I’m going to lean on insurance.’ They go to their insurance provider who they’ve been dealing with for 25 years and they do a quick assessment and they can’t get coverage any more because there are too many gaps in cyber hygiene. It’s simple things like lack of two-factor authentication, not properly monitoring endpoints. At that point it gets up to management, and they say, “This is bad. If we can’t get insurance we really have to deal with it. We now realize we have a big exposure.
“And these companies come to us and say, ‘We’re really scared, what do we do?’ And they’re not five-man organizations. These are manufacturing plants, or providing service to clients.”
Infosec pros have to focus more on detection and not only on prevention of attacks, he said.
The 17-page Cybersecurity in Canada report notes Canada, like other nations, is seeing an increase in all types of cyberattacks.
In 2022, the report predicts, there will be continued stress for organizations trying to protect their assets. “Threat actors are progressively more brazen and agile — and Canadian businesses of all sizes will not be immune to new strategies to derail much of the cybersecurity protection that they have diligently put in place,” it said.
The report also predicts that the demand for and shortage of experienced cybersecurity staff here and in other countries will drive up salary demands. It doesn’t help, Morin added, that some infosec pros are leaving because of stress caused by the sudden shift in strategy to deal with remote work during COVID-19. Others are tired of working from home themselves.
“A lot of people in cybersecurity — even in the consulting world — have gone back to their roots,” he said, such as application development and network engineering. Others are abandoning cybersecurity for other areas of IT. “It’s intensified the cyber shortage we had even prior to COVID.”
“We have to continue to increase the ranks, including what we were doing pre-pandemic: Providing training, bringing more people into the industry, and trying to find ways to keep people in cybersecurity. Whether that’s cross-training more people in organizations to take some of the burden off cyber people, or internal training so they can continue their growth or other things.”