All the Rage

Cyber is all the rage these days. It is also potentially all the harm, all the mischief and all the incalculable loss.

This is disconcerting, to be sure, given that cyber is a threat everyone is concerned about and most agree – a coming together that has been slower than advisable – must be addressed.

The state of affairs is unnerving, as well, because Canada seems not to be translating concern into swift enough action, achieving an oh-so-blah “C+” for its cyber security readiness. Or so suggests Maryland-based Tenable Network Security.

True, the network monitoring company is a tough marker: an overall ranking of 77% equates to a C+.

But that grading – Canada’s was just slightly higher than the overall global score of 76% or “C” – is put into perspective when one considers almost 40% of respondents to the company’s recent global survey report feeling “about the same” or “more pessimistic” about the ability of their organizations to defend against cyber attacks compared to last year.

Respondents largely believe they have the tools in place to measure overall security effectiveness (B-), although they question whether or not their executives and board members are investing enough to mitigate security risks (C).

But solid belief does not necessarily equate to the ability to defend or respond. Just one in five Canadian firms taking part in a recent Deloitte Canada survey report that their organizations are prepared to effectively respond to a cyber attack.

In fact, just 36% of the information technology leaders say their businesses have in place effective procedures and technologies to protect critical assets, and just 22% would be able to rapidly recover if attacked.

Any organization in any sector in any country needs to understand the risk exists. But misperceptions die hard.

A new survey from Zurich Insurance Group shows concern over cyber crime among 3,000 C-suite executives and managers at small and medium-sized enterprises (SMEs) has doubled this year. Sounds impressive, but that brings the total to only 8%, up from 4% in 2013.

One in six SMEs still consider themselves to be “too insignificant to attract the attention of cyber criminals.”

Of course, it is not all doom and gloom. Moody’s Investors Services reported in November that more than 50 insurers globally are now offering standalone cyber coverage, with others providing cyber-related endorsements.

Despite the belief that cyber insurance has significant further growth potential, though, Moody’s views the significant expansion by insurers into the cyber risk insurance market as credit negative, similar to expansion into other high-risk/return product segments, as underwriters test the risk/return spectrum of the product.

As all that unfolds, a little help from friends is welcome.

The RCMP has released a cyber crime strategy detailing its operational framework and action plan to help the police service reduce the threat and impact of cyber crime in Canada. It will focus on identifying and prioritizing cyber crime threats through intelligence collection and analysis; pursuing cyber crime through targeted enforcement and investigative action; and supporting cyber crime investigations with specialized skills, tools and training.

But services, governments, organizations and individuals – sometimes perpetrators of inadvertent and unintentional missteps that can, nonetheless, produce breaches and information losses that can put an organization at risk – all need to do their parts.

Ken Hughes, the City of Ottawa’s auditor general, recommended in his most recent annual report that the city’s chief information officer and city-wide managers “continue to improve the identification and assessment of IT and related mitigation strategies.” This should be supported via improved governance, leadership and reporting structure.

Cyber’s potential is slowly shaping from concern into understanding. But getting the bigger picture demands looking wider, detecting more, collaborating and sharing information to protect the thing that is bigger than any one entity: security.