While 88% of private companies in Canada “agreed or strongly agreed” that cybersecurity is an important issue for their organization, firms are in the dark about what they need to do, where their vulnerabilities lie and what to do about them, suggests a new report from PwC Canada released this week.
The study, PwC Canada’s 10th annual Business Insights Survey of Canadian private companies, titled Balancing digital opportunity with cybersecurity risk, found that 42% of respondents said that they’ve never conducted formal cybersecurity employee training. A total of 52% of respondents also said that “employee training related to cybersecurity is not a priority for their business.”
Respondents cited hackers (66%), former employees (41%) and competitors (32%) as their most likely sources of cyberattacks. “Today’s cybercriminals often target companies that have been slower to invest in security as a platform to launch an attack on other organizations,” said Jason Green, director in PwC’s Cyber Resilience team, in a statement. “Private companies need to assume a stronger security posture. When clients hire us to conduct security testing, we can bypass their technical security controls nearly every time.”
The cost to a business that is hacked may be measured by loss of customers, lawsuit payouts, interruption to business or reputational damage, the statement notes. “Investing in cybersecurity will pale in comparison to the costs associated with being in the middle of a large scale breach,” added David Craig, leader of PwC’s Risk Assurance Services Cybersecurity and Privacy practice.
The report suggests that companies look at a “customized and scalable solution” that addresses a company’s specific vulnerabilities and critical information protection requirements, rather than investing in “off-the-shelf” packages. Companies should also:
• Learn where blind spots are and understand their cyber ecosystem;
• Identify the most valuable data and who has access to it;
• Train employees as the first line of defense (75% of breaches are driven by insiders);
• Implement suitable controls over the most sensitive data from the most likely means of compromise; and
• Have protocols in place that identify responsible parties in the event of a breach (49% of respondents said that if a cyber attack happened to them tomorrow, they either wouldn’t or don’t know if they would be able to respond effectively).