Companies see cyber threat, but security spending tight

Attacks expected to become more sophisticated

National Post (Latest Edition) - FINANCIAL POST - Mitchell Thompson, Financial Post

More than three quarters of Canadian companies surveyed expect cyber attacks to increase in the next year, but fewer than half are willing to step up their security spending to keep pace, according to a new poll of executives by the consulting firm Ovum.

Of the Canadian security executives surveyed from April to March, 76 per cent expected an increase in data breach attempts over the next 12 months. Yet only 46 per cent expect their organizations’ level of investment in cyber security to rise and only 36 per cent believe their organizations’ cyber security will be stronger a year from now.

Kevin Deveau, vice-president of Fair, Isaac and Company, the data analytics company that commissioned the poll, says “it is surprising to hear that few firms plan to make additional investments in cyber security when there seems to be a clear understanding that the risks are continuously rising.”

Ryan Wilson, chief technology officer at cyber-security company Scalar Decisions, agrees. Wilson expects a 30 per cent increase in cyber attacks this year and says trends point to attacks becoming more sophisticated and difficult to detect. But, he says, few are prepared.

The Ovum study comes shortly after the massive global WannaCrypt cyber attack took down thousands of computers around the world.

WannaCrypt was a cross between a fast-spreading virus and ransomware, which locks a computer until the user transfers money (in this case the bitcoin cryptocurrency) to the attackers.

The attack reportedly hit 100,000 organizations worldwide, though there were only a few known cases in Canada.

Ryerson University business professor Atefeh Mashatan estimates Canada had one compromised machine for every 13,138 people, which amounts to roughly 2,740 machines. Mashatan says it is unclear how many belonged to businesses and how many belonged to other organizations.

“The virus took advantage of vulnerabilities in unpatched and insecure networks,” Wilson says, problems that are generally the result of underfunding or neglect.

Stephen Cobb, security researcher for anti-virus company ESET, calls the attack “a wake-up call to business that’s been cutting corners.”

Cobb says a patch for the virus had been available months before the attack and that most current-generation security software had been updated to protect against it.

It was also spread largely by email, which means basic cyber-security training for staff could likely have limited its spread.

Wilson notes just staying up to date with patches to avoid attacks can require weekly modification.

“Microsoft designates every Tuesday ‘patch Tuesday,’ but most companies can’t afford an outage every Tuesday,” he says.

Likewise, creating a cyber-security protocol for all computers on a company network requires a lot of coordination.

Mashatan says training is needed regularly to teach staff what the newest threats are and how to avoid them, how to use the latest anti-virus software and how to back up important files securely.

Adopting more secure software, Mashatan says, is also cumbersome: “IT can’t flip software overnight without an injection of funds.”

The difficulties of staying on top of cyber security were also acknowledged in a recent EY report, which found “creating a robust cybersecurity program is a long, focused process and many companies haven’t taken that step.”

Though it is largely acknowledged by IT experts that training, patching and updating measures are needed to remain secure, getting the resources to make it happen can be another thing.

“IT may want it, but you don’t always get the money you need from management,” Cobb says.

The EY study notes nearly three-quarters of Canadian companies require a 50 per cent increase in cyber-security funding to cover their needs. At present time, the report says, only 43 per cent of Canadian firms could detect a sophisticated attack.

Wilson notes that the best-prepared firms spend 11 to 14 per cent of their IT budget on cyber security, but that the Canadian average is below seven per cent.

That’s problematic because the damage caused by cyber attacks is getting worse. From 2015 to 2016, the average cost of a cyber attack for a Canadian firm rose from $6.8 to $7.2 million and Wilson expects it to increase again this year.

Though few Canadian firms were affected by WannaCrypt, Wilson says 35 per cent of companies surveyed anonymously by Scalar admitted to having been struck by other ransomware in the past year.

Mashatan says it can be hard to convince management to take cyber security seriously, but that the WannaCrypt attack “shows the view on management’s part that, ‘If something is not broken, why spend?’ isn’t working.”

Structural change within a company can be needed to ensure adequate oversight.

Wilson says addressing the threat “requires a chief security officer consulting with the board of directors of the company to brief them on security initiatives and what they provide the company, to keep it appropriately funded.”

With thousands of pieces of new malware coming out daily, Wilson says, “Canadian companies should treat cyber risk as seriously as they treat financial risk.”



Troubleshooting machines for malware takes a needed injection of funds, experts say.
