One in three cyberattacks in the past year resulted in a security breach for Canadian companies, new Accenture survey finds

Roughly one in three targeted cyberattacks over the past year resulted in an actual security breach for Canadian companies, according to a new survey from global professional services company Accenture.

Despite these breaches – which equate to three effective attacks per month for the average Canadian company – about two-thirds of Canadians surveyed are confident in their ability to protect their enterprises from cyberattacks, the report found.

For the report, titled Building Confidence: Facing the Cybersecurity Conundrum, Accenture surveyed 2,000 enterprise security practitioners, including 124 in Canada, representing companies with annual revenues of US$1 billion or more in 15 countries about their perceptions of cyber risks, the effectiveness of current security efforts and the adequacy of existing investments. Executives were surveyed from 12 industries, including insurance, in countries across North and South America,  Europe and Asia Pacific.

The survey also revealed that the length of time taken to detect these security breaches often compounds the problem, Accenture said in a press release on Wednesday. More than half (52%) of Canadian executives said that it takes months to detect sophisticated breaches, and as many as one-third of all successful breaches are not discovered at all by the security team.

“Cyberattacks are a constant operational reality across every industry today and our survey reveals that catching criminal behavior requires more than the best practices and perspectives of the past,” said Russell Thomas, Canadian cybersecurity lead for Accenture, in the release. “There needs to be a fundamentally different approach to security protection starting with identifying and prioritizing key company assets across the entire value chain. It is also clear that the need for organizations to take a comprehensive end-to-end approach to digital security – one that integrates cyber defence deeply into the enterprise – has never been greater.”

But embracing new technologies or cyber defence tools is sometimes easier said than done, the report revealed. For example, while Canadian survey respondents said internal breaches have the greatest impact, 62% prioritize heightened capabilities in perimeter-based controls instead of pivoting to address high-impact internal threats. In addition, “most Canadian companies do not have effective technology in place to monitor for cyberattacks and are focused on risks and outcomes that have not kept pace with the threat,” the release said. Slightly less than one-third (29%) of Canadian respondents said that they are competent in business-relevant threat monitoring; 52% are confident in their ability to monitor for breaches, and 48% said the same about minimizing disruptions.

Accenture noted that recent high-profile cyberattacks have driven significant increases in cybersecurity awareness and spending.  “Yet, the sentiment among those surveyed suggests Canadian organizations will continue to pursue the same countermeasures instead of investing in new and different security controls to mitigate threats,” the release said.

Given extra budget, 46% to 54% of Canadian respondents would “double down” on their current cybersecurity spending priorities, “even though those investments have not significantly deterred regular and ongoing breaches.” These priorities for Canadian companies include protecting the company’s reputation (54%), safeguarding company information (56%), and protecting customer data (50%). Compared to the global average, Canadian companies exhibit higher confidence in their ability to perform every capability. As well, far fewer Canadian companies would invest the extra funds in efforts that would directly affect their bottom line, such as mitigating against financial losses (20%) or investing in cybersecurity training (22%).

Highlights of the report from a country perspective include:

• Overall, it takes longer to spot a breach in the United States and the United Kingdom, with over one-quarter of organizations taking a year or more to detect a successful attack. (30% in the US; 26% in the U.K.);
• Organizations in Canada (52%), Germany (52%) and the U.K. (50%) are the most confident in monitoring for breaches compared to the global average (38%);
• Organizations in France, Australia and the U.S. are among the least confident in their ability to monitor for a breach compared to the global average; and
• Organizations in France spend the most (4%) of their total IT budget on cybersecurity compared to the global average of 8.2%. Canadian organizations are among those who spend the lowest amount of their IT budget on cybersecurity (7.3%).