Canadian organizations are getting tougher in fighting online attackers but not tough enough, if a new report from a security vendor is representative.
In its annual security study Scalar Decisions said that over the past year Canadian organizations have increased their focus on identifying assets on the network, prioritizing deployment of cyber security solutions, and patching on-premise infrastructure. However, it found there are still key cyber resilience weaknesses, including:
–an inability to prevent cyber security breaches;
–lack of comprehensive cyber resilience strategies including people, processes, and technology;
–slow detection and response times and adoption of monitoring solutions;
–and lack of documented incident response.
Of the firms surveyed, 58.48 per cent reported having data exfiltrated in 2018. Of those, just over 24.5 per cent had what they described as sensitive but non-personally identifiable information (PII) taken. Just over 25 per cent of organizations victimized lost PII customer or employee information.
The report calculated an attack success rate. While the average number of attacks was down in 2018 compared to the year before, nearly three per cent of all types of attacks resulted in a successful exfiltration, versus 2.1 per cent of attacks resulting in a breach reported the year before, a jump of one-third.
On average, responding organizations were attacked more than 440 times last year, resulting in an average of 12.47 exfiltration incidents, 9.83 infiltration incidents, and 7.82 denial of service incidents per organization per year (versus an average of 9.33 breaches per organization in 2017).
Firms also have organizational blind spots to risk areas, the report found, including understanding the data-flows between an organization and its third-party partners, suppliers, and vendors; knowledge of government privacy legislation; cyber security responsibilities in cloud environments including patching and updating software; and exposure to insider threats from employees or contractors.
IDC Canada conducted the survey part of the report, polling 407 IT security and risk and compliance professionals with at least 15 employees. Eighty-seven per cent of the IT security respondents were at a supervisor level or higher.
To gauge security readiness and cyber resilience, respondents were asked questions about aspects of the NIST cyber security framework.
Among the findings:
–average number of attacks per organization per year declined to 440 per organization, down from 455 in 2018;
–average number of breaches per organization per year increased to 12.5 per organization, up from 9.3 in 2018;
–a higher percentage of attacks are resulting in major impacts: three per cent of attacks resulted in a breach versus two per cent in 2018;
–the average cost per organization of responding to and recovering from cyber security incidents increased significantly from $3.7 million last year, to between $4.8 million – $5.8 million this year.
One of the more alarming findings: Time to recovery is increasing.
Here’s another: Of the survey respondents, 8.4 per cent indicated that it took them longer than a month to patch an aspect of their IT environment. Over 90 per cent of these respondents understood the risks associated with unpatched IT environments, with 59 per cent unable to update/patch faster due to IT and business reasons. “Of greater concern, one third of these respondents indicated that they were aware of the risks they were exposing their organization to but were willing to take these risks or had no particular reason why they didn’t patch or update sooner,” said the report.
One of the more revealing findings: Organizations that follow fundamental cyber resilience practices spend an average of 16.1 staff work days recovering from cyber security breaches per year versus 20.5 days for organizations that do not.
Who is being realistic? Year over year, says the report, there’s been a very large increase (22 per cent) in the confidence of smaller organizations in their ability to prevent cyber security breaches from happening. Perhaps that’s because small organizations are putting more resources into cyber security.
On the other hand, the report found the confidence of medium/large, and enterprise-sized organizations dropped significantly compared to last year.
Note this warning in the report: Many organizations that have moved in various ways to the cloud haven’t done so in a secure way. “An organization’s cloud strategy needs to be integrated into its cyber security strategy, but for many, securing the cloud comes as an afterthought … Organizations need to understand that securing public cloud environments is a shared responsibility between customer and provider, and customers’ responsibilities vary between SaaS, PaaS, and IaaS.”
Organizations have to do regular threat assessments, create a cyber resilience plan and keep it up to date, and practice cyber security fundamentals, the report concludes.
Scalar Decisions was recently bought by CDW Canada.