Most polled Canadian organizations unprepared for cyber attack: Deloitte Canada

Just one in five Canadian companies taking part in a recent Deloitte Canada survey report being prepared to effectively respond to a cyber attack.

The survey – results of which are detailed in Navigating a harsh cyber security landscape – involves input from information technology leaders from 100-plus Canadian businesses representing all major sectors of the Canadian economy.

The results indicate some positives, suggests a press release issued Thursday by Deloitte Canada. For example, the majority of Canadian companies surveyed report they consider themselves to be prepared for a cyber attack.

But now for the bad: just 36% of respondents say their businesses have in place effective procedures and technologies to protect critical assets, and only about a tenth of companies polled have a high level of preparedness in the face of cyber threats (secure, vigilant and resilient procedures are in place), the company statement adds.

“Cyber threats are becoming increasingly common as attackers fine-tune strategies and tactics to avoid detection. Yet many Canadian companies have not prepared for a cyber attack – and they don’t even know it,” Nick Galletto, Partner, Deloitte Cyber Risk Services Leader for the Americas and Canada, says in the press release.

Calling the lack of preparedness “very concerning,” Galletto explains that companies “are not ready face numerous cyber risks, including advanced persistent threats, where a system is secretly infiltrated by cyber entities that remain behind the company’s walls gathering information. This kind of attack can go on for months and years if a company is unsuspecting and result in significant, expensive and brand-damaging data security and privacy breaches.”

Among the better-prepared companies, Deloitte Canada reports the majority work with a managed security service provider, or MSSP. That said, fewer than half of Canadian companies surveyed have partnerships like this.

“MSSP clients were more likely to have defined cyber resiliency processes, test their preparedness through cyber drills, monitor cyber chatter about their brand, products, and what’s being said about their environment,” Deloitte Canada notes.

Making the right investment in people, technology and processes can help not only to identify cyber threats, but also to recover from an attack, Galletto says. Noting that these kinds of companies show proactive threat management, “they are vigilant, they learn from their experience, and the experience of others, so they can become more resilient,” he continues.

Other survey results include the following:

• just 43% of polled companies are performing even periodic vulnerability and compromise assessments to protect against these threats;
• only 22% of companies would be able to rapidly recover in the event they were attacked; and
• only one-third of polled organizations have a formal process to gather and share cyber threat intelligence.

Deloitte Canada recommends that businesses looking to bolster their cyber preparedness do the following:

• protect the things that matter – understanding the value of critical assets and interactions;
• recognize that traditional cyber defences are not enough – where appropriate, sharing information within an industry can help organizations in that sector collectively limit their exposure of an attack;
• prepare for the inevitable – businesses must proactively test their incident response processes and procedures through cyber attack simulations to truly understand their capabilities;
• develop a holistic cyber security strategy – recognizing that securing the business alone is not enough, organizations must also have in place the right people, processes and technology and cyber security ecosystem; and
• understand that an organization cannot go it alone – businesses need to recognize where they need help and engage a co-sourced or outsourced MSSP.