February 10, 2016 by Canadian Underwriter
More than half (51%) of Canadian respondents to a cybersecurity study have experienced an incident involving the loss or exposure of sensitive information within the last 12 months, Toronto-based IT firm Scalar Decisions Inc. said on Tuesday.
Commissioned by Scalar, the second annual security study involved a survey of 654 IT and IT security practitioners in Canada, with research independently conducted by Ponemon Institute. Respondents – the majority of whom reported their position at or above the supervisory level – came from a wide variety of industries and nearly two-thirds worked at companies with between 251 and 5,000 employees in Canada, said Scalar, which has offices in Vancouver, Edmonton, Calgary, Winnipeg, London, Toronto, Ottawa and Montreal.
Respondents to the survey, titled The Cyber Security Readiness of Canadian Organizations, reported an average of 40 cyberattacks per year, an increase of 17% over last year’s report. Seventy per cent reported that their organizations experienced situations where exploits and malware have evaded their intrusion detection systems, and 82% said that cyberattacks evaded their antivirus solutions.
On average, over the last 12 months, organizations spent approximately $7 million each on the following: damage to reputation and marketplace image ($2.6 million); damage or theft of IT assets and infrastructure ($1.6 million); disruption to normal operations ($1.1 million); lost user productivity ($950,625); and clean up or remediation ($766,667). With organizations reporting an average of 40 attacks per year, this makes the average cost per attack approximately $175,000.
In terms of response, only 38% of respondents said that their organizations have systems and controls in place to deal with advanced persistent threats (APTs), and organizations have an average of almost one separate APT-related incident per month, the study found. IT downtime, business disruption and theft of personal information were the primary consequences of APTs or zero-day threats experienced.
According to a press release from Scalar, only 37% of Canadian organizations believed they are “winning the cybersecurity war,” a decrease of 4% over 2015’s study. The primary challenges cited as contributing factors were insufficient numbers of in-house personnel and lack of in-house expertise. The majority of respondents also believed that cybersecurity crimes in their companies are increasing in severity (80%), sophistication (71%) and frequency (70%).
“IT leaders are feeling less equipped to handle the changing landscape of cyber crime,” said Ryan Wilson, chief technology officer, security, with Scalar. “The year-over-year increase in cyber attacks coupled with an increase in their severity and complexity highlights the need for specialized, trained IT professionals with the tools and proficiency to provide effective security to Canada’s companies.”
Perhaps not surprisingly, mobile devices and applications were seen as the greatest IT security risk. Mobile devices, third party applications and negligent third party risk were the top three concerns of 72%, 68% and 45% of respondents, respectively. “These risks all have in common the human factor, which requires both technology and governance to reduce the threat,” the study said.
Other highlights of the report include:
• Loss of intellectual property was experienced by 33% of respondents in the last 24 months and 36% believed it caused a “loss of competitive advantage”;
• Cybersecurity spending has increased slightly from last year, with an average of 11% of the IT budget dedicated to information security (versus 10% in 2015);
• Overall, the greatest threat to IT networks was reported to be web-borne malware attacks, with 80% pointing to this risk as the most frequent security compromise, followed by rootkits (65%); and
• Sixty per cent of respondents either fully or partially participate in an initiative or program for exchanging threat intelligence with peers, government and/or industry groups, believing it improves the security posture of their organization in addition to improving situational awareness.