Many Canadian businesses have “wrapped themselves in a false sense of security” when it comes to resisting cyber attacks, according to a new survey by Deloitte.
A false feeling of preparedness, often because there has been no attack to date, leaves the door open “even wider for the would-be attackers,” according to Thursday’s report, which was based on responses from more than 100 major organizations across all major sectors.
On Wednesday, Target Corp., the U.S. retailer at the heart of a massive headline-grabbing cyber data breach in 2013, agreed to pay nearly US$40 million to resolve claims by banks and other financial institutions.
Deloitte found that 60 per cent of 103 Canadian organizations surveyed across a range of sectors reported they had not experienced a cyber attack in the past 24 months, and 90 per cent said they felt protected.
Yet, of those surveyed, only nine achieved the highest score on three key measurements: how secure they were, how vigilant they were in monitoring potential threats, and how resilient they were in terms of effective preparation for and recovery from attacks.
Deloitte concluded that Canadian organizations are “lagging when it comes to proactive threat management,” and noted that only half the organizations surveyed even have a defined cyber recovery process.
Canadian businesses “remain largely in reactive mode when it comes to responding to cyber incidents,” the report said, adding that the failure “to develop strong cyber threat intelligence capabilities continues to put businesses and their critical data assets at risk.”
Overall, Deloitte says Canadian businesses are less prepared for cyber crime than their counterparts in the United States, registering just 2.2 on a five-point “maturity” scale. The readiness of U.S. firms is closer to three on the scale.
Last month, Canada’s investment industry association urged broker-dealers to make cyber attack preparation a priority at the most senior levels.
“The cyber threat is far too sophisticated and serious to relegate it simply to the firm’s IT department,” Ian Russell, chief executive of the Investment Industry Association of Canada, said in a letter to members.
Russell said directors and senior executives including the chief executive must be involved, and urged investment dealers to scrutinize their internal defences and technical controls, as well as any third-party vendors with access to their systems.
Deloitte suggested companies should look beyond the immediate advantages of preparing for and responding to cyber attacks, and consider the broad potential longer-term costs if they don’t.
Businesses that “fail to develop a stronger cyber security posture may experience fresh challenges as they struggle to keep up with peers,” the report said.
Nick Galletto, a partner at Deloitte and cyber risk services leader for the Americas and Canada, said the findings in the survey were concerning.
“Despite the fact that the majority of Canadian companies we surveyed consider themselves prepared for a cyber attack, barely one-third have tested procedures or resources to effectively respond in the face of a threat,” he said.
“The effects of a breach can do serious harm to a company’s brand and their bottom line.”