In a world where everything is just a click or tap away, companies have become targets for cyberattacks and hacking. As a result, many have chosen to hire IT security specialists to help protect their systems and educate employees on prevention and risks. With a rising number of cyberattacks, is there a growing fear among Canadian companies that they are losing the war on cybersecurity threats?
TJ (Tongjie) Zhang, senior associate with PwC’s cybersecurity and privacy, risk assurance services, says Canadian companies should shift their mentality from “fighting a war” to “building a wall.” Zhang believes companies should focus more on strengthening their defence baselines and improving security postures. This “wall” is not only on the technical level, such as a firewall, but also on an employee level, when it comes to security awareness. A company’s weakest link in cybersecurity defence, according to Zhang, is its people.
Most of us have heard the warnings “don’t click on suspicious links” and “always lock your laptops.” And although the warnings seem like common sense, Zhang recommends they be repeatedly instilled in employees’ mindsets.
Calling it a “war” is inaccurate, says Henri St. Louis, chairman of SPIE (Security Professionals Information Exchange) and senior security consultant with Secured Net Solutions Inc. “That would imply understanding the threat and acknowledging how to manage the risk that continues to change in a business sense,” says St. Louis. “Companies are beginning to realize the impacts that cyber-threats have on their businesses and are reacting to the associated risk.”
“So the wake-up call has happened and now many companies are putting more focus on cyber/IT risk.” St. Louis says he is seeing more companies searching for information security talent both in Calgary and within Canada, which indicates they are investing more resources towards the problem. “I hope it isn’t a fad but an effort to better understand and manage the associated risks of using IT, which is supposed to enable the business.”
Scalar’s third-annual Cyber Security Readiness of Canadian Organizations survey showed two-thirds of Canadian companies feel they are losing the war on cybersecurity. Scalar is a leading Canadian IT solutions integrator, focused on security, infrastructure and cloud solutions for mission-critical IT environments.
It appears the confidence level among Canadian organizations has continued to decline for the third year in a row as fewer believe they are winning the quickly evolving war on security, according to Ryan Wilson, Scalar’s chief technology officer of security. “The average number of reported cyberattacks on Canadian organizations rose to an average of 44 attacks per year, up nearly 30 per cent since the initial survey in 2014. The vast majority of respondents also report that both the severity (81%) and sophistication (72%) of attacks are increasing.”
Wilson echoes Zhang’s comments and emphasizes, “Organizations need to continue to focus on effective security awareness training for their users, ensure that processes are in place to prevent accidental loss and disclosure of information, and invest in technology that is effective at stopping the advanced types of threats we see today.”
Surprisingly, it is small businesses that are the most in danger, says Ron McKenzie, senior VP with Shaw Business. Of all the targeted attacks in 2014, sixty per cent were against small and medium-sized businesses according to Symantec’s 2015 Internet Security Threat Report.
Hacks can also be very costly for a company and can seriously hurt a small business by compromising critical data, exposing customer information and costing organizations millions of dollars, warns McKenzie. “The average cost of being hacked as a small business is $36,000 and this amount climbs an additional $8,000 once indirect expenses and damage to reputation are taken into account.”
Like Wilson and Zhang, McKenzie also believes some employees may lack training and awareness and therefore could be easy targets for cyberattacks. “There are several types of viruses, malware (malicious software), hacks and phishing schemes that businesses may fall victim to. Phishing is a particularly difficult problem to address. Phishing is a common means of invading a company’s network, whereby a hacker masquerades as a trustworthy entity. An employee then clicks on an interesting or seemingly important link in an email, and a small piece of malware automatically downloads, with no one the wiser.”
He adds, “Ransomware is another type of attack that can be crippling for a small business as large ransoms and the resulting reputational damage can be huge costs to bear. These attacks can also grind all business operations to a halt, which is especially impactful during busy holiday shopping periods or other critical times for businesses.”
According to ITinCanadaOnline.ca, a recent survey by Malwarebytes indicated one-third of Canadian companies canvassed had been hit by ransomware attacks. At least 75 per cent of victims paid out anywhere from $1,000 to $50,000 to get their data back.
So what are the greatest risks and how do companies protect themselves? “Constant awareness of new and emerging trends is key, as is implementing security measures like secure IP VPN connections when accessing company networks,” says McKenzie. It is also important companies “separate publicly-available Wi-Fi networks from their private ones to ensure attackers don’t have easy access to their network. In addition, content filtering can allow businesses to protect their clients from malicious content – including adult sites – from being accessed from their network in, say, a waiting room.”
Zhang says every company is at risk no matter how big or small or sophisticated. “Even a company that has the best technology and end users, especially users with privileged access, can still intentionally or unintentionally bring the attacks in. Security awareness training is a necessity. Being a ‘security-savvy’ employee is as important as being a competent employee.”
Wilson could not agree more and says organizations need to ensure processes are in place to prevent accidental loss and disclosure of information, and invest in technology that is effective at stopping the advanced types of threats we see today.
Now more than ever, companies need to have the proper systems in place to effectively deal with the increasing number of cyberattacks. The good news is 41 per cent of respondents indicated their organization had systems in place to deal with APTs (advanced persistent threats), up from 38 per cent last year, confirms Wilson.