National Post (Latest Edition)

Companies see cyber threat, but security spending tight

Attacks expected to become more sophistica­ted

- Mitchell Thompson Financial Post

More than three quarters of Canadian companies surveyed expect cyber attacks to increase in the next year, but fewer than half are willing to step up their security spending to keep pace, according to a new poll of executives by the consulting firm Ovum.

Of the Canadian security executives surveyed from April to March, 76 per cent expected an increase in data breach attempts over the next 12 months. Yet only 46 per cent expect their organizati­ons’ level of investment in cyber security to rise and only 36 per cent believe their organizati­ons’ cyber security will be stronger a year from now.

Kevin Deveau, vice- president of Fair, Isaac and Company, the data analytics company that commission­ed the poll, says “it is surprising to hear that few firms plan to make additional investment­s in cyber security when there seems to be a clear under- standing that the risks are continuous­ly rising.”

Ryan Wilson, chief technology officer at cyber- security company Scalar Decisions, agrees. Wilson expects a 30 per cent increase in cyber attacks this year and says trends point to attacks becoming more sophistica­ted and difficult to detect. But, he says, few are prepared.

The Ovum study comes shortly after the massive global WannaCrypt cyber attack took down thousands of computers around the world.

WannaCrypt was a cross between a fast- spreading vi r us and r ansomware, which locks a computer until the user transfers money (in this case the bitcoin cryptocurr­ency) to the attackers.

The attack reportedly hit 100,000 organizati­ons worldwide, though there were only a few known cases in Canada.

Ryerson University business professor Atefeh Mashatan estimates Canada had one compromise­d machine f or every 13,138 people, which amounts to roughly 2,740 machines. Mashatan says it is unclear how many belonged to businesses and how many belonged to other organizati­ons.

“The virus took advantage of vulnerabil­ities in unpatched and insecure networks,” Wilson says, problems that are generally the result of underfundi­ng or neglect.

Stephen Cobb, security researcher for anti- virus company ESET, calls the attack “a wake- up call to business that’s been cutting corners.”

Cobb says a patch for the virus had been available months before the attack and that most current- generation security software had been updated to protect against it.

It was also spread largely by email, which means basic cyber- security training for staff could likely have limited its spread.

Wilson notes just staying up to date with patches to avoid attacks can require weekly modificati­on.

“Microsoft designates every Tuesday ‘ patch Tuesday,’ but most companies can’t afford an outage every Tuesday,” he says.

Likewise, creating a cyber- security protocol for all computers on a company network requires a lot of coordinati­on.

Masha tan says training is needed regularly to teach staff what the newest threats are and how to avoid them, how to use the latest anti- virus software and how to back up important files securely.

Adopting more secure software, Mashatan says, is also cumbersome: “IT can’t flip software overnight without an injection of funds.”

The difficulti­es of staying on top of cyber security were also acknowledg­ed in a recent EY report, which found “creating a robust cybersecur­ity program is a long, focused process and many companies haven’t taken that step.”

Though it is largely acknowledg­ed by IT experts that training, patching and updating measures are needed to remain secure, getting the resources to make it happen can be another thing.

“IT may want it, but you don’t always get the money you need f rom management,” Cobb says.

The EY study notes nearly three- quarters of Canadian companies require a 50 per cent increase in cyber- security funding to cover their needs. At present time, the report says, only 43 per cent of Canadian firms could detect a sophistica­ted attack.

Wilson notes that the best- prepared firms spend 11 to 14 per cent of their IT budget on cyber security, but that the Canadian average is below seven per cent.

That’s problemati­c because the damage caused by cyber attacks is getting worse. From 2015 to 2016, the average cost of a cyber attack for a Canadian firm rose from $6.8 to $7.2 million and Wilson expects it to increase again this year.

Though few Canadian firms were affected by WannaCrypt, Wilson says 35 per cent of companies surveyed anonymousl­y by Scalar admitted to having been struck by other ransomware in the past year.

Mashatan says it can be hard to convince management to take cyber security seriously, but that the WannaCrypt attack “shows the view on management’s part that, ‘ If something is not broken, why spend?’ isn’t working.”

Structural change within a company can be needed to ensure adequate oversight.

Wilson says addressing the threat “requires a chief security officer consulting with the board of directors of the company to brief them on security initiative­s and what they provide the company, to keep it appropriat­ely funded.”

With thousands of pieces of new malware coming out daily, Wilson says, “Canadian companies should t reat cyber risk as seriously as they treat financial risk.”


 ?? CHRIS RATCLIFFE / BLOOMBERG NEWS ?? Troublesho­oting machines for malware takes a needed injection of funds, experts say.
CHRIS RATCLIFFE / BLOOMBERG NEWS Troublesho­oting machines for malware takes a needed injection of funds, experts say.

Newspapers in English

Newspapers from Canada