Calgary Herald

Beware the threat of cyber attacks

Survey reveals companies concerned, but hesitant to hike security spending

- MITCHELL THOMPSON

More than three-quarters of Canadian companies surveyed expect cyber attacks to increase in the next year, but fewer than half are willing to step up their security spending to keep pace, according to a new poll of executives by the consulting firm Ovum.

Of the Canadian security executives surveyed from April to March, 76 per cent expected an increase in data breach attempts over the next twelve months. Yet only 46 per cent expect their organizations’ level of investment in cyber-security to rise and only 36 per cent believe their organizations’ cyber-security will be stronger a year from now.

Kevin Deveau, vice-president of Fair, Isaac and Company, the data analytics company that commissioned the poll, says “it is surprising to hear that few firms plan to make additional investments in cyber-security when there seems to be a clear understanding that the risks are continuously rising.”

Ryan Wilson, chief technology officer at cyber-security company Scalar Decisions, agrees. Wilson expects a 30 per cent increase in cyber attacks this year and says trends point to attacks becoming more sophisticated and difficult to detect. But, he says, few are prepared.

The Ovum study comes shortly after the massive global WannaCrypt cyber attack took down thousands of computers around the world.

WannaCrypt was a cross between a fast-spreading virus and ransomware, which locks a computer until the user transfers money (in this case the bitcoin cryptocurrency) to the attackers.

The attack reportedly hit 100,000 organizations worldwide, though there were only a few known cases in Canada.

Ryerson University business professor Atefeh Mashatan estimates Canada had one compromised machine for every 13,138 people, which amounts to roughly 2,740 machines. Mashatan says it is unclear how many belonged to businesses and how many belonged to other organizations.

“The virus took advantage of vulnerabilities in unpatched and insecure networks,” Wilson says, problems that are generally the result of underfunding or neglect.

Stephen Cobb, security researcher for anti-virus company ESET, calls the attack “a wake-up call to business that’s been cutting corners.”

Cobb says a patch for the virus had been available months before the attack and that most current-generation security software had been updated to protect against it.

It was also spread largely by email, which means basic cybersecurity training for staff could likely have limited its spread.

Wilson notes just staying up to date with patches to avoid attacks can require weekly modification.

“Microsoft designates every Tuesday ‘patch Tuesday,’ but most companies can’t afford an outage every Tuesday,” he says.

Likewise, creating a cyber-security protocol for all computers on a company network requires a lot of co-ordination.

Mashatan says training is needed regularly to teach staff what the newest threats are and how to avoid them, how to use the latest anti-virus software and how to back up important files securely.

Adopting more secure software, Mashatan says, is also cumbersome: “IT can’t flip software overnight without an injection of funds.”

The difficulties of staying on top of cyber-security were also acknowledged in a recent EY report, which found “creating a robust cybersecurity program is a long, focused process and many companies haven’t taken that step.”

Though it is largely acknowledged by IT experts that training, patching and updating measures are needed to remain secure, getting the resources to make it happen can be another thing.

“IT may want it but you don’t always get the money you need from management,” Cobb says.

The EY study notes nearly three-quarters of Canadian companies require a 50 per cent increase in cyber-security funding to cover their needs. At present, the report says, only 43 per cent of Canadian firms could detect a sophisticated attack.

Wilson notes that the best-prepared firms spend 11 to 14 per cent of their IT budget on cyber-security, but that the Canadian average is below 7 per cent.

That’s problematic because the damage caused by cyber attacks is getting worse. From 2015 to 2016, the average cost of a cyber attack for a Canadian firm rose from $6.8 to $7.2 million and Wilson expects it to increase again this year.

Though few Canadian firms were affected by WannaCrypt, Wilson says 35 per cent of companies surveyed anonymously by Scalar admitted to having been struck by other ransomware in the past year.

Structural change within a company can be needed to ensure adequate oversight.

Wilson says addressing the threat “requires a chief security officer consulting with the board of directors of the company.”

CHRIS RATCLIFFE/BLOOMBERG Canadian security executives expect cyber attacks to increase in the next year but fewer than half are willing to increase spending to prevent a data breach, according to a survey.
