Canadian infosec pros are still too cocky about their ability to spot and stop data breaches, says a consulting company.
Sixty-five per cent of the 124 cyber security and IT executives in Canada from large organizations – among 2,000 in 15 countries surveyed last summer by Accenture – agree their organization is confident their cybersecurity will demonstrate valuable results. That compares to 75 per cent globally.
Over three quarters of Canadian respondents are confident their top strategies are achieving desired business outcomes, including protecting customer information and the organization’s brand.
In fact, Canadian respondents were more confident than their peers in other countries on a range of capabilities.
At the same time, the Canadian group admitted that in the previous 12 months an average of one-third (32 of 96) of the attempted breaches they discovered were successful.
The results released Wednesday are a breakdown of the Canadian numbers in the global survey, which Accenture made public last November.
The overall results show “that (Canadian) companies have become and remain complacent,” Russell Thomas, Accenture’s Canadian cyber security lead, said in an interview. “There’s an over-confidence in the marketplace … We really need a wake-up call. Companies need to pay attention to security. Security is at the heart of systems today, supporting and enabling secure business and trusting business.”
Asked why infosec pros in companies this big who presumably have large cyber security budgets shouldn’t be confident in their abilities, Thomas admitted that “most organizations are doing a decent job.” But he also pointed out that in the survey just over half of Canadian respondents admitted it takes months to detect sophisticated breaches, and as many as a third of all successful breaches are not discovered at all by the security team but by employees or others.
That, Accenture suggests, is no reason to be confident in detection and remediation abilities.
Interestingly, the survey also shows that, compared to other countries, the large Canadian firms surveyed spend the smallest share of their IT budget (7.3 per cent) on cyber security. Organizations in France spend the most (9.4 per cent) of their total IT budget on cyber security, compared to the global average of 8.2 per cent.
“We are up against individuals who are very well funded, creative, don’t have to operate under the confines of any legal system,” Thomas said. “And while spending on info security is on the rise across all industries companies have to continue to leverage their deployments …” Infosec pros “need to tune, to ensure you have security across the entire enterprise, and are not protecting one line of business and leaving another exposed and having data exfiltrated.”
The survey results show many Canadian companies invest ineffectively in cybersecurity. That’s because, when asked what they would do if they got extra money for cyber security, about half of respondents said they would spend it on the same things they’re doing now. Only 20 per cent said they would put the extra money toward mitigating financial loss, Accenture noted, while only 22 per cent said they would invest in cyber security training for staff.
The results suggest Canadian organizations see spending on perimeter-based controls as more important than on “high-impact internal threats,” says Accenture.
Among other survey findings:
- Overall, it takes longer to spot a breach in the U.S. and the U.K., with over a quarter of organizations taking a year or more to detect a successful attack (30 per cent in the U.S.; 26 per cent in the U.K.).
- Organizations in Canada (52 per cent), Germany (52 per cent) and the U.K. (50 per cent) are the most confident in monitoring for breaches compared to the global average (38 per cent).
- “Organizations need to establish a realistic assessment of their capabilities to protect against high-impact threats, whether internal or external,” says Accenture. “Pressure-testing company defenses can help leaders understand whether they can withstand a targeted, focused attack.”
- They also need to improve the alignment of their cyber security strategies with business imperatives, says the company.