Business sector blind to threat
Firms falsely confident of cyber security
Many Canadian businesses have “wrapped themselves in a false sense of security” when it comes to resisting cyber attacks, according to a new survey by Deloitte.
A false feeling of preparedness, often because there has been no attack to date, leaves the door open “even wider for the would-be attackers,” according to Thursday’s report, which was based on responses from more than 100 major organizations across all major sectors.
This week, Target Corp., the U.S. retailer at the heart of a massive headline-grabbing cyber data breach in 2013, agreed to pay nearly US$40 million to resolve claims by banks and other financial institutions.
Deloitte found that 60 per cent of 103 Canadian organizations surveyed across a range of sectors reported they had not experienced a cyber attack in the past 24 months, and 90 per cent said they felt protected.
Yet, of those surveyed, only nine achieved the highest score on three key measurements: how secure they were; how vigilant they were in monitoring potential threats; and how resilient they were in terms of effective preparation for, and recovery from, attacks.
Deloitte concluded that Canadian organizations are “lagging when it comes to proactive threat management,” and noted that only half the organizations surveyed even have a defined cyber recovery process.
Canadian businesses “remain largely in reactive mode when it comes to responding to cyber incidents,” the report said, adding that the failure “to develop strong cyber threat intelligence capabilities continues to put businesses and their critical data assets at risk.”
Overall, Deloitte says Canadian businesses are less prepared for cyber crime than their counterparts in the United States, registering just 2.2 on a five-point “maturity” scale. The readiness of U.S. firms is closer to three on the scale.
Last month, Canada’s investment industry association urged broker-dealers to make cyber attack preparation a priority at the most senior levels.
“The cyber threat is far too sophisticated and serious to relegate it simply to the firm’s IT department,” Ian Russell, chief executive of the Investment Industry Association of Canada, said in a letter to members.
Russell said directors and senior executives including the chief executive must be involved, and urged investment dealers to scrutinize their internal defences and technical controls, as well as any third-party vendors with access to their systems.
Nick Galletto, a partner at Deloitte and cyber risk services leader for the Americas and Canada, said the findings in the survey were concerning.