Canadian Underwriter

69% of surveyed Canadian businesses experienced cyber attack in a 12-month period: report


May 9, 2013   by Canadian Underwriter


Preparedness against cyber crime among Canadian businesses is lacking despite seven in 10 polled organizations being the victim of a cyber attack, suggests a survey released this week by the International Cyber Security Protection Alliance (ICSPA).

“Across business communities, there is a general lack of strategy, procedures and trained personnel to combat cyber crime,” notes the survey report, Study of the Impact of Cyber Crime on Businesses in Canada: Fighting Cybercrime Together.

The report suggests two factors could be responsible for the lack of preparedness: the damages (financial or reputational) caused by cyber attacks have not been significant enough to merit shifts in attitudes and behaviour; and/or organizations do not have enough awareness and knowledge of what strategies they should be implementing to minimize their vulnerability against such attacks.

Sponsored by Above Security, BlackBerry, CGI Group Inc., Lockheed Martin and McAfee Inc., the quantitative study involved 520 small, medium and large Canadian businesses in the finance, airline/shipping, telecommunications, utilities, aerospace and defence, and retail sectors. A set of 10 interviews was also conducted by senior research staff.

“Cyber crime is fairly prevalent among Canadian businesses, with 69% reporting some kind of attack within a 12-month period,” the report states. A total of 5,866 attacks were reported by respondents.

Malware and virus attacks (occurring among 51% of surveyed businesses) are shown to be the most prevalent, with phishing and social engineering (reported by 18% of respondents) being the second most common. “The distribution of application-based malware for mobile devices using cloud-based services for both personal and business use will become a new threat vector of the future,” the report predicts.

Certain cyber crimes have an impact on fewer organizations, but occur frequently, including unauthorized access or misuse of corporate websites (13% of affected businesses); misuse of social networks (15%); and telecommunications fraud (8%).

The report notes that cyber crime attacks conducted over the past 12 months resulted in total financial losses of approximately $5.3 million on average. Some of the related costs include the following:

  • financial fraud accounts for the largest portion – 36%, about $1.9 million;
  • theft of devices containing company information – 16%, $849,499;
  • malware and virus attacks – $771,937 (although the average loss per incident is relatively low at $454); and
  • sabotage of data and networks – $583,298.

“Total cost due to cyber crime attacks increases with revenues: on average, an incident costs large organizations $1,181 compared to $991 in medium, and $741 in small ones,” the report adds.

Despite 64% of respondents reporting that senior management take cyber crime threats seriously, there are considerable gaps in preparedness. “Large businesses are somewhat better prepared than medium and small ones, but still much remains to be done to prevent and deal with such attacks.”

Additional survey findings related to preparedness include the following:

  • risk assessment processes are not common among surveyed businesses, with only 22% employing them, and the likelihood of employing such processes increasing with a business’ revenues (45% of large businesses, 23% of medium and 17% of small);
  • just 6% of polled businesses report accreditation of IT security standards, with this percentage being equally low across all industries and revenue levels; and
  • 69% of organizations do not have formal procedures in place to follow in the event of a cyber crime, while 28% do, with such procedures being more common in large businesses than in medium or small ones.

With regard to IT budget allocation toward cyber crime prevention, about 6% of respondents do not apportion any amount; 8% allocate 6% to 25%; 2% apportion more than 25%; and 32% do not know if anything is allocated, or how much.

The report suggests there is a need for improved communications and education with regard to cyber crime threats, their effect and what actions to take. But a further need exists to improve education not only within businesses, “but in messaging from government to the business community.”

Less than half, 44%, of affected organizations enlisted the help of external agencies to assist with cyber crime incidents, with private agencies being far more likely to be engaged than those from government. “Overall, few organizations (11%) ever involved the RCMP or other government agencies in relation to cyber crime and the survey shows the need for greater awareness and information to business from government bodies,” the report states.

Survey respondents noted they believe Public Safety Canada and the RCMP are the appropriate bodies to enhance that message to the business community.

The Canadian survey is one of a series of studies planned by ICSPA that will form a view of cyber crime in different parts of the world. The alliance is a business-led, global not-for-profit organization that channels funding, expertise and assistance directly to assist law enforcement cyber crime units.