Are organizations winning the war on cyber security in 2017? Chances are the majority of Canadian companies are not.
This was the central finding of the latest Cyber Security Readiness survey from Scalar Decisions Inc. and Ponemon Institute. In all, 658 IT and IT security practitioners in Canada, responses from whom were captured via a web-based survey conducted by Ponemon Institute in October 2016, were asked about their organizations’ readiness and ability to prevent and respond to cyber threats.
This year’s results found that only one in three Canadian companies are confident enough in their readiness to feel as though they were winning the war on cyber security – a number that has declined substantially over recent years.
Ryan Wilson, Chief Technology Officer, Security, Scalar Decisions Inc.
Since the study was first released in 2015, respondents’ optimism about the cyber security capabilities of their organizations has dropped to 34% from 41% in the initial report. Part of the reason for this is that attacks are becoming more frequent, sophisticated and complex. On average, surveyed organizations report having experienced 44 cyber attacks in the past 12 months, an increase from an average of 34 attacks in 2014.
Not only has the frequency of attacks been increasing, but so, too, has the severity. The number of organizations that have, in the past 12 months, experienced an incident resulting in the loss or exposure of sensitive information has risen to 53% from 46% in 2015. Respondents also believe that cyber threats are becoming more sophisticated, with 79% reporting that their anti-virus or intrusion detection system failed to prevent an attack.
The threat landscape is rapidly evolving and Canadian companies must continually renew their knowledge of cyber security to stay ahead. While criminal syndicates and lone-wolf hackers remain the top security concern for companies, insider threats have surpassed corporate espionage and hacktivists for the first time since 2015.
The study found that 44% of respondents report their organizations monitor individuals with access to sensitive information, but almost half (47%) say their organization does not detect and monitor internal threats through controls like security information and event management, network traffic surveillance, identity and access management, and user behaviour analytics. This creates a unique threat for a Canadian company, where identifying and mitigating an attack – both from outside and within – becomes increasingly difficult.
IOT = INTERNET OF THREATS
A key reason for the increase of cyber threats to organizations and individuals is the proliferation of connected devices, such as smartphones and tablets, the study shows. In late 2015, Gartner Inc. forecast that 6.4 billion connected things would be in use worldwide in 2016, up 30% from 2015, and would reach 20.8 billion by 2020.
Current survey respondents rank mobile devices as the greatest potential security risk to their organizations, followed by third-party applications. As more and more companies adopt a BYOD (bring your own device) strategy, allowing their employees to connect their personal smartphones and tablets to corporate networks, this threat is only going to continue.
Going forward, the Internet of Things will present an even greater threat because these “headless” connected devices often do not prioritize security and present new vectors for attacks.
INCREASING COSTS OF BREACHES
The survey also points to the far-reaching consequences of cyber threats for Canadian companies. In 2016, cyber security compromises cost organizations an average of $7.2 million in losses, up from $6.9 million in 2014. The biggest losses were reported in damage to organizations’ reputation and marketplace image ($2.5 million) and damage or theft of IT assets and infrastructure ($1.7 million).
Additionally, companies are experiencing more intellectual property theft than ever before; based on prior internal assessments, respondents estimate the resulting loss of competitive advantage at an average of $6 million over time.
NEW DISCLOSURE REQUIREMENTS
Until now, companies have been reluctant to disclose information breaches. In fact, only 21% of polled companies that were affected by ransomware chose to report it, the latest survey shows.
However, this year and beyond, Canadian companies will have to be especially mindful of how they handle data breaches and security compromises as the Digital Privacy Act, not yet in force, makes it mandatory to disclose “breaches of security safeguards that create a real risk of significant harm” to users and report them to the Privacy Commissioner.
With new regulations will come new demands for Canadian organizations after a breach has occurred, but they should also spur new considerations ahead of these situations.
NEED FOR INCREASED IN-HOUSE CAPABILITIES
Though survey participants indicate their organizations are spending more on IT budgets and security measures than in previous years, they are still facing systemic and organizational obstacles to improving their cyber security capabilities. The main challenge to an effective cyber security posture is a lack of in-house expertise – IT leaders report a deficit of properly trained personnel in the workforce, and only 31% of respondents currently engage an external breach response provider to resolve major security incidents (another 44% plan to do so in the next 12 months).
The lack of in-house expertise is followed by insufficient personnel and lack of collaboration with other functions.
Troublingly, these have been the top challenges to an effective cyber security posture identified in all three years that the survey has been conducted. This indicates that Canadian companies have not been able to address these issues at the workforce or organizational levels since 2014.
APPROACH OF HIGH-PERFORMING ORGANIZATIONS
In general, high-performing organizations have a greater awareness of the cyber security threat landscape, spend more on security and more effectively measure the return on investment of their technology investments. In fact, these companies spend an average of $5 million more per year on security than their low-performing peers, and tend to have an IT security strategy that is better aligned to the overall business goals and mission. This may be a reason why they receive higher budgets.
Companies looking to boost the effectiveness of their cyber security posture should ensure their cyber security strategy aligns with their overall mission, invest in technologies to reduce insider threat, build an experienced IT workforce, engage in threat-intelligence sharing, conduct risk assessments and audits to identify vulnerabilities, and develop effective strategies to address the vulnerabilities identified.
When asked about the security technologies they consider the most effective, respondents from high-performing organizations were significantly more likely to name identity management and authentication, web application firewalls and encryption for data at rest as worthwhile investments. They were also more invested in measuring the effectiveness and outcomes of cyber security technology.
If one thing is for certain, it is that the stakes in the cyber security war are only increasing. Recognizing the importance of a strong security posture, adopting new strategies and adapting to emerging threats will be the key factors that determine both the winners and losers in this high-stakes game.