Small and mid-sized Canadian companies still have a long way to go to beef up their defences against cyber attacks if a newly-released survey of people with responsibility over IT security decisions is representative.
Of the 500 business owners and employees who manage information technology questioned, 71 per cent said their firm did not have a formal patching policy. In addition, only 54 per cent of small businesses said their firm provides cybersecurity training for employees.
Meanwhile, 78 per cent of respondents were confident in their level of cyber threat preparedness.
The survey was conducted for the Canadian Internet Registry Authority (CIRA), which oversees the “.ca” domain, as part of Small Business Week.
CIRA called the small number of respondents saying they do have a patching policy “shocking.” “It should be 100 per cent,” Mark Gaudet, the authority’s domain name security program manager, said in an interview. “One of the biggest security risks from malware is exposure of older systems and not patching to protect from vulnerabilities. One of the things businesses do have control over is patching policy.
“The reason it might not be high is resourcing and expertise to set that up” in smaller firms, he said.
Gaudet said it’s the responsibility of many leading authorities — governments, business associations and vendors — to impress on SMBs the importance of a regular patching regime.
CIRA is looking at aligning itself with a program SMBs can take to be aware of cyber security basics, including patching. One possibility is CyberNB’s Cyber Essentials certification program.
When the federal government announced its latest national cyber security plan it promised a certification program, which would include some kind of certification of experts to offer a program to SMBs. That effort is still being worked on.
As for the fact that only 54 per cent of respondents said their firm offers security training, Gaudet said the number “highlights a huge vulnerability.”
“It’s another area where a certification program could highlight the requirement for that kind of requirement for training. But a lot of the challenge for small businesses is a lot of the cyber security products are targeted at large enterprises, over 500 (employees) with their own cyber security staff.”
CIRA staff noted that 82 per cent of respondents from mid-sized firms (over 250 employees) said their company has a training program.
Forty per cent of respondents said their firm experienced a cyber attack that staff had to respond to in the last 12 months. Ten per cent experienced 20 or more attacks.
The survey also showed 67 per cent of respondents outsource at least part of the cybersecurity footprint to external vendors. Almost 90 per cent (88 per cent) of respondents were concerned with the prospect of future cyber attacks, and 28 per cent suggested they will add cybersecurity staff in the next year.
Among respondents, 24 per cent said no one in their firm has primary responsibility over cyber security. Another 18 per cent said their firm has one person responsible for those functions.
The overall survey results show the problem of cyber security among SMBs “is still very high — the number of attacks on small business is still very high, the rate of attacks,” said Gaudet, “despite the fact that they’re taking measures to protect themselves it’s still not enough. There’s definitely gaps as far as awareness of the issues … and there’s definitely a lack of resources for small and medium business as far as protection, information.
“A lot of them don’t have staff, don’t have expertise, outsource portions of their cyber security. That’s also a gap.”
Asked if it’s a responsibility for management to ensure cyber security is a priority, Gaudet said it is in mid-sized firms. But, he adds, it’s challenging in small firms to dedicate resources specifically to cyber security.