UNDERESTIMATING CYBER THREATS.
Canadian companies tend to be overconfident or unprepared to protect sensitive information from data breaches — mostly because they have an incomplete or inadequate picture about the evolving challenges they face, according to cybersecurity experts.
A study conducted by Ovum for FICO — a California-based data analytics company that operates a global fraud detection system for banks, credit card companies and others — found 84 per cent of Canadian executives surveyed felt their organization was “better than average” or a “top performer.”
The report asserted this is an “unrealistic” scenario and Canadian organizations “should look at their ability to prove how good they are.”
“If you can’t measure whether you’re vulnerable or not, can you really say you’re covered?” FICO Canada vicepresident Kevin Deveau asked in an interview after the study was released.
While the report is based on a small sample — Ovum conducted telephone interviews with 500 senior IT executives in several countries including Canada — its findings about “cyber readiness” are consistent with what’s been experienced by two other security experts who reviewed the report.
Last week, the owner of Swiss Chalet, Harvey’s, East Side Mario’s and other restaurants was the latest business to report its operations had been disrupted by a malware virus.
Recipes Unlimited Corp. learned of the outbreak Friday and said as of Wednesday a “small percentage” of restaurants were still affected.
Spokeswoman Maureen Hart said there was no evidence data was compromised or the company was being held for ransom by hackers.
Cybersecurity strategist Eldon Sprickerhoff, founder of Toronto-based eSentire, said before the Recipe Unlimited crisis research has shown humans have a universal tendency to be too optimistic.
But Canadian companies also have a mistaken belief they’re too small or insignificant to be a target — and therefore they may be overconfident they’re prepared, he said.
“If you’re not actively watching for attacks that are going on, it’s very difficult to be able to say you’re in a good space,” Sprickerhoff said.
The good news, from his perspective, is more Canadian boards have begun to make cybersecurity a regular agenda item.
That’s at least partly because private-sector organizations will be required to report all personal information leaks to the federal privacy commissioner starting Nov. 1 under updated PIPEDA regulations, Sprickerhoff said.
David Masson, Canadian manager for Darktrace, a cybersecurity company headquartered in San Francisco and Cambridge, England, agreed businesses are paying more attention because of increased regulation in various jurisdictions and general awareness of the risks.
Nevertheless, he said most have inadequate knowledge of what they’re facing because “they’re missing proper visibility of their networks, they can’t really see what’s going on.”
Of the large Fortune 500 companies that have done trials of Darktrace software, Masson said 85 per cent of the time “we find malware and malicious behaviour they had no idea was on their network. And when you’re outside the Fortune 500, that figure goes up to 95 per cent of the time.”
He predicts the situation will only get more challenging because the number of potential vulnerable openings will grow exponentially as more sensors, consumer electronics and communications devices are connected.
“There’s going to be an explosion, for want of a better word, of unsecured devices into networks throughout the world,” Masson said.
FICO’s Deveau and eSentire’s Sprickerhoff also see third-party service providers as a growing weak spot.
“We’re trying to get the customers or the clients out there to really see how vulnerable they are,” Deveau said.
FICO developed a tool that an organization can use free of charge to detect its own vulnerabilities. For a fee, they can purchase addon modules to assess their external suppliers.
Sprickerhoff said it’s not unusual for a company to have “dozens and dozens of service providers,” but doesn’t think their cyber readiness can be adequately measured from outside.
“Your external-facing infrastructure is such a small percentage of what your security stance is,” Sprickerhoff said. “You can have a good external-facing infrastructure and have terrible internal-facing infrastructure.”
Masson said Darktrace installs software on a client’s system that uses machine learning to recognize the normal activities of a system and respond when something abnormal happens.
“This is what most companies are missing,” said Masson.