Companies see cyber threat, but security spending tight
Attacks expected to become more sophisticated
More than three quarters of Canadian companies surveyed expect cyber attacks to increase in the next year, but fewer than half are willing to step up their security spending to keep pace, according to a new poll of executives by the consulting firm Ovum.
Of the Canadian security executives surveyed from April to March, 76 per cent expected an increase in data breach attempts over the next 12 months. Yet only 46 per cent expect their organizations’ level of investment in cyber security to rise and only 36 per cent believe their organizations’ cyber security will be stronger a year from now.
Kevin Deveau, vice-president of Fair, Isaac and Company, the data analytics company that commissioned the poll, says “it is surprising to hear that few firms plan to make additional investments in cyber security when there seems to be a clear understanding that the risks are continuously rising.”
Ryan Wilson, chief technology officer at cyber-security company Scalar Decisions, agrees. Wilson expects a 30 per cent increase in cyber attacks this year and says trends point to attacks becoming more sophisticated and difficult to detect. But, he says, few are prepared.
The Ovum study comes shortly after the massive global WannaCrypt cyber attack took down thousands of computers around the world.
WannaCrypt was a cross between a fast-spreading virus and ransomware, which locks a computer until the user transfers money (in this case the bitcoin cryptocurrency) to the attackers.
The attack reportedly hit 100,000 organizations worldwide, though there were only a few known cases in Canada.
Ryerson University business professor Atefeh Mashatan estimates Canada had one compromised machine for every 13,138 people, which amounts to roughly 2,740 machines. Mashatan says it is unclear how many belonged to businesses and how many belonged to other organizations.
“The virus took advantage of vulnerabilities in unpatched and insecure networks,” Wilson says, problems that are generally the result of underfunding or neglect.
Stephen Cobb, security researcher for anti-virus company ESET, calls the attack “a wake-up call to business that’s been cutting corners.”
Cobb says a patch for the virus had been available months before the attack and that most current-generation security software had been updated to protect against it.
It was also spread largely by email, which means basic cyber-security training for staff could likely have limited its spread.
Wilson notes just staying up to date with patches to avoid attacks can require weekly modification.
“Microsoft designates every Tuesday ‘patch Tuesday,’ but most companies can’t afford an outage every Tuesday,” he says.
Likewise, creating a cyber-security protocol for all computers on a company network requires a lot of coordination.
Mashatan says training is needed regularly to teach staff what the newest threats are and how to avoid them, how to use the latest anti-virus software and how to back up important files securely.
Adopting more secure software, Mashatan says, is also cumbersome: “IT can’t flip software overnight without an injection of funds.”
The difficulties of staying on top of cyber security were also acknowledged in a recent EY report, which found “creating a robust cybersecurity program is a long, focused process and many companies haven’t taken that step.”
Though it is largely acknowledged by IT experts that training, patching and updating measures are needed to remain secure, getting the resources to make it happen can be another thing.
“IT may want it, but you don’t always get the money you need from management,” Cobb says.
The EY study notes nearly three-quarters of Canadian companies require a 50 per cent increase in cyber-security funding to cover their needs. At present, the report says, only 43 per cent of Canadian firms could detect a sophisticated attack.
Wilson notes that the best-prepared firms spend 11 to 14 per cent of their IT budget on cyber security, but that the Canadian average is below seven per cent.
That’s problematic because the damage caused by cyber attacks is getting worse. From 2015 to 2016, the average cost of a cyber attack for a Canadian firm rose from $6.8 to $7.2 million and Wilson expects it to increase again this year.
Though few Canadian firms were affected by WannaCrypt, Wilson says 35 per cent of companies surveyed anonymously by Scalar admitted to having been struck by other ransomware in the past year.
Mashatan says it can be hard to convince management to take cyber security seriously, but that the WannaCrypt attack “shows the view on management’s part that, ‘If something is not broken, why spend?’ isn’t working.”
Structural change within a company can be needed to ensure adequate oversight.
Wilson says addressing the threat “requires a chief security officer consulting with the board of directors of the company to brief them on security initiatives and what they provide the company, to keep it appropriately funded.”
With thousands of pieces of new malware coming out daily, Wilson says, “Canadian companies should treat cyber risk as seriously as they treat financial risk.”
Troubleshooting machines for malware takes a needed injection of funds, experts say.