A new study by the Toronto-based IT company Scalar Decisions has found that the number, sophistication, and severity of cyber-attacks on Canadian companies are on the rise.
The 2017 Scalar Security Study, which was commissioned by Scalar and Ponemon Institute, surveyed 658 Canadian IT and security workers to examine the cybersecurity readiness of Canadian organizations and recent trends in managing growing cybersecurity threats.
The Scalar study showed a declining confidence among Canadian organizations, as only 37 percent of respondents believed they are winning the cybersecurity war.
This contrasts with another recent global cybersecurity survey of 2,000 security executives (including 124 Canadians) by Accenture, which found that Canadian organizations are among the most confident in their ability to monitor for security breaches.
Scalar’s survey also revealed that the average number of reported cyber-attacks on Canadian organizations has risen to 44 attacks per year, up nearly 30 percent since Scalar’s initial survey in 2014. Most respondents reported they believe that both the severity (81 percent) and the sophistication (72 percent) of cyberattacks have been increasing, which may help explain why organizations’ spending and investment on technologies to protect against cyberattacks is increasing.
“IT leaders are under pressure right now, feeling like there is a deficit of properly trained personnel available in the workforce. This has led to a distinct lack of in-house expertise, which is critical to a strong cyber security posture for Canadian companies,” said Ryan Wilson, chief technology officer of security at Scalar Decisions. “The increase in incidents and decreasing confidence we are seeing coincides with the growing sophistication, severity, and cost of attacks.”
These findings come at a time when cybersecurity is becoming a bigger issue for Canadian organizations and companies, especially with the emergence of quantum computing technologies. Cybersecurity was on Borden Ladner Gervais’ annual list of top ten legal risks for businesses in 2017.
Examining the readiness of Canadian organizations to tackle cybersecurity threats, Scalar’s survey found that 41 percent of respondents felt their organizations had systems in place to deal with advanced persistent threats (APTs). But having preventative systems in place doesn’t mean organizations won’t see a jump in security threats in the coming year.
According to Scalar, 76 percent of respondents believed that web-borne attacks were the greatest threats in the last year, followed by rootkits enabling administrator-level access to a computer (67 percent).
The report finds that in 2017, Canadian organizations will likely see more threats, including spear phishing (sending emails from a known user to obtain confidential information); exploits of existing software vulnerabilities more than three months old; and botnet attacks, which involve sending spam emails and transmitting viruses.
The study’s respondents identify mobile devices (75 percent) and third-party applications (70 percent) as the greatest potential risks threatening their companies’ IT environments, showing that negligent third-party risk has increased significantly since last year.
Even though ransomware, malicious software that blocks access to computers until a sum of money is paid, is a growing issue, only 21 percent of respondents faced with ransomware said they report such incidents to law enforcement; instead, they simply agree to pay the ransom.
Scalar’s survey added that spending patterns among Canadian organizations have changed as a result of growing cyberattacks. On average, organizations represented in the study spent roughly $7.2 million on the following to handle and manage cybersecurity: clean up or remediation ($873,448), lost user productivity ($963,663), disruption to normal operations ($1.2 million), damage or theft of IT assets and infrastructure ($1.7 million), and damage to reputation and marketplace image ($2.5 million).