National Post (National Edition)

Companies see cyber threat, but security spending tight

- Financial Post

that the risks are continuously rising.”

Ryan Wilson, chief technology officer at cyber-security company Scalar Decisions, agrees. Wilson expects a 30 per cent increase in cyber attacks this year and says trends point to attacks becoming more sophisticated and difficult to detect. But, he says, few are prepared.

The Ovum study comes shortly after the massive global WannaCrypt cyber attack took down thousands of computers around the world.

WannaCrypt was a cross between a fast-spreading virus and ransomware, which locks a computer until the user transfers money (in this case the bitcoin cryptocurrency) to the attackers.

The attack reportedly hit 100,000 organizations worldwide, though there were only a few known cases in Canada.

Ryerson University business professor Atefeh Mashatan estimates Canada had one compromised machine for every 13,138 people, which amounts to roughly 2,740 machines. Mashatan says it is unclear how many belonged to businesses and how many belonged to other organizations.

“The virus took advantage of vulnerabilities in unpatched and insecure networks,” Wilson says, problems that are generally the result of underfunding or neglect.

Stephen Cobb, security researcher for anti-virus company ESET, calls the attack “a wake-up call to business that’s been cutting corners.”

Cobb says a patch for the virus had been available months before the attack and that most current-generation security software had been updated to protect against it.

It was also spread largely by email, which means basic cyber-security training for staff could likely have limited its spread.

Wilson notes just staying up to date with patches to avoid attacks can require weekly modification.

“Microsoft designates every Tuesday ‘patch Tuesday,’ but most companies can’t afford an outage every Tuesday,” he says.

Likewise, creating a cyber-security protocol for all computers on a company network requires a lot of coordination.

Mashatan says training is needed regularly to teach staff what the newest threats are and how to avoid them, how to use the latest anti-virus software and how to back up important files securely.

[Photo caption: Troubleshooting machines for malware takes a needed injection of funds, experts say.]

Adopting more secure software, Mashatan says, is also cumbersome: “IT can’t flip software overnight without an injection of funds.”

The difficulties of staying on top of cyber security were also acknowledged in a recent EY report, which found “creating a robust cybersecurity program is a long, focused process and many companies haven’t taken that step.”

Though it is largely acknowledged by IT experts that training, patching and updating measures are needed to remain secure, getting the resources to make it happen can be another thing.

“IT may want it, but you don’t always get the money you need from management,” Cobb says.

The EY study notes nearly three-quarters of Canadian companies require a 50 per cent increase in cyber-security funding to cover their needs. At present, the report says, only 43 per cent of Canadian firms could detect a sophisticated attack.

Wilson notes that the best-prepared firms spend 11 to 14 per cent of their IT budget on cyber security, but that the Canadian average is below seven per cent.

That’s problematic because the damage caused by cyber attacks is getting worse. From 2015 to 2016, the average cost of a cyber attack for a Canadian firm rose from $6.8 to $7.2 million and Wilson expects it to increase again this year.

Though few Canadian firms were affected by WannaCrypt, Wilson says 35 per cent of companies surveyed anonymously by Scalar admitted to having been struck by other ransomware in the past year.

Mashatan says it can be hard to convince management to take cyber security seriously, but that the WannaCrypt attack “shows the view on management’s part that, ‘If something is not broken, why spend?’ isn’t working.”

Structural change within a company can be needed to ensure adequate oversight.

Wilson says addressing the threat “requires a chief security officer consulting with the board of directors of the company to brief them on security initiatives and what they provide the company, to keep it appropriately funded.”

With thousands of pieces of new malware coming out daily, Wilson says, “Canadian companies should treat cyber risk as seriously as they treat financial risk.”
