Canadian Underwriter

Cyber security must be viewed as a business issue, not a technology-only issue: PwC Canada

January 14, 2016   by Angela Stelmakowich, Editor

Print this page

Canadian companies are taking steps towards establishing holistic, integrated safeguards against cyber security attacks, progress that will need to continue as the number of breaches increases, the threat landscape becomes more complicated and attacks grow sophisticated, suggests PwC Canada.

Adopting layered protections are advisable, starting with the first line of defence.

Cyber security must be viewed as business issue

“If the company views cyber security as an IT or a technology-only issue, they leave themselves open to that first line of defence – their employees, their contractors, their customers – to that area of vulnerability,” David Craig, a partner in PwC Canada’s cyber security and privacy practice, told Canadian Underwriter during a company event in downtown Toronto on Wednesday.

“Organizations need to take a holistic view that says it’s not just a technology issue; it’s a people and process issue,” Craig said, emphasizing the need for staff and partners to be well-informed so they do not fall prey to social engineering.

“For many years, people have socially engineered their way past perceptions. They will either put a suit and tie on and dress up as the auditors, or put a UPS or FedEx uniform on and find their way past that receptionist or that first line of defence,” he said.

“From a social engineering perspective in the cyber environment, they’re able to create an online personality that enables their target to believe (the attacker) is something they’re not,” Craig explained. The person might establish different profiles on sites such as Facebook or LinkedIn, thereby creating a personality and building a relationship with the contact, in the hopes of gathering clues on how to gain access beyond that person to the organization and its systems.

“We’re finding certain hactivists or certain organized crime units will socially engineer their way into an organization,” Craig said, pointing out “there’s a variety of different methods that people can use to socially engineer their way past the first line of defence. We’re starting to see those be much more sophisticated.”

Clearly, though, education is required for all concerned, including the most senior members of companies and organizations.

PwC Canada is hoping to further enhance executives’ understanding of cyber security threats – and how to resource and protect companies – with the launch of a new digital service: an interactive digital game called Game of Threat that simulates the speed and complexity of real-world cyber breaches.

Using gaming theory, the idea is for users to learn about different threats, identify reputational, operational, financial and regulatory impacts, and understand what can be done to prevent an attack, notes a statement from PwC Canada.

Having top-down buy-in contributes to moving cyber security away from being regarded as an IT-only issue, PwC suggests. And that, in turn, has likely fuelled the recent move by Canadian companies to adopt more holistic and integrated protections related to cyber security – as illustrated by Canadian findings in PwC’s Global State of Information Security (GSISS) Survey 2016, issued last fall.

“Because of the impact cyber security attacks can have on the overall health of a company and a brand, boards are playing an increasingly significant role in informing the development of cyber security strategies,” PwC Canada notes.

Specifically, GSISS survey findings show 50% of Canadian companies polled in 2015 report that their board participates in defining the organization’s security budgets, double the 25% in 2014.

There are currently three areas where public and private sector organizations are heavily investing in cyber security, Craig notes in the statement. “Solutions to manage how employees, customers and third-parties access and use data, outsourced ‘managed security services’ to monitor and detect security events more efficiently, and data privacy compliance in anticipation of mandatory breach notifications,” he reports. [click image below to enlarge]

Board participation in cyber security programs

But even positive strides can have a less-positive side. Investment in safeguards against cyber security threats have risen 82% year over year, the survey found, but that investment still accounts for an average of only 5% of overall IT spend.

Whatever form protections take, vigilance is required in light of the increasing number of cyber security incidents that Canada is seeing. Canadian numbers from the GSISS show a hefty 160% increase over 2014 in incidents detected.

Despite the steps being made towards mitigating cyber attacks, “the threat is still very real,” Richard Wilson, a partner with PwC Canada’s cyber security and privacy practice, cautions in the statement. “Beyond financial and reputational damages, we are seeing impacts to competitiveness, product and service quality, employee retention, and the health and safety of both employees and the public,” Wilson comments.

One positive from GSISS Canadian respondents may be that, overall, the average financial loss as a result of detected incidents is $1 million, representing an 18% decrease from the previous year. As well, 59% of polled businesses are purchasing cyber security insurance to help mitigate the financial impact of cyber crimes when they do occur.

With regard to incident-related losses covered by cyber security insurance, respondents report the following: personally identifiable information, 47%; payment card data, 41%; intellectual property/trade secrets, 38%; damage to brand reputation, 36%; and incident response, 31%.

PwC Canada notes the current drivers of adoption include service provider contract requirements, handling of third-party data, risk transfer (less common), and breach disclosure (emerging). Risk managers and chief financial officers are among the buyers of cyber insurance.

Other notable findings for Canadian respondents include the following:

  • 50% of respondents have a chief information security officer in charge of the security program (compared to 50% globally);
  • 50% of those surveyed say their organizations conduct threat assessments (compared to 49% globally);
  • 54% of those polled report active monitoring analysis of security intelligence (compared to 48% globally);
  • 57% have employee training and awareness programs (compared to 53% globally);
  • 55% have security baselines/standards for third parties (compared to 52% globally); and
  • 65% of respondents say their organizations have an overall information security strategy (compared to 58% globally).

“We have seen regional differences in the adoption of a cyber security framework,” Craig told CU. “It’s nice to see that Canadian companies are adopting either the NIST (National Institute of Standards and Technology) or the ISO 27000 cyber frameworks to be able to assess their own maturity as well as to be able to identify those areas where they need to improve, and use those frameworks to help them make those decisions.”

PwC Canada reports that the five key cyber security challenges for organizations are as follows:

  • organizational boards or leaders do not always see the link between cyber security and performance;
  • poor visibility of the full range of cyber security threats and impacts that may harm their organizations;
  • organization do not identify their most valuable assets and/or do not specify who or where they may be accessed;
  • leaders view cyber security as an IT issue versus a business issue; and
  • “single layer” cyber security defences (for example, just firewalls) versus a multi-layer strategy.

The impact that a cyber security breach can have on an organization “has evolved far beyond data loss,” Wilson says. “Beyond financial and reputational damages, we are seeing impacts to competitiveness, product and service quality, employee retention, and the health and safety of both employees and the public.”

However, harnessing “the power of cloud-based cyber security as a viable tool in Canada has led companies to greater productivity such as streamlined monitoring, advanced authentication, and threat intelligence,” PwC reports. [click image below to enlarge]

Who are the cyber threat actors?

“Those things that were enhanced protections five years ago are now pretty basic today,” Craig told CU. “I think Canadians are waking up to the fact that their data is easily ‘monetizeable’ and when that happens, they begin to take even the most basic steps for protecting it.”

Canadian companies are waking up, too. “The attack that’s happening in South America, North America, China – those are the same types of attacks. They are machines that are reaching out to see what vulnerabilities they can exploit and it’s indifferent as to which country the application or the device that’s being exploited,” he said. “That’s where we’re starting to see greater collaboration of governments to be able to say, look, if an attack is happening in our region, it will be less than 24 hours, maybe even 24 minutes, before that same attack happens in a different jurisdiction.”

Related: Six in ten global businesses purchasing cybersecurity insurance: report