The state of cybersecurity in advanced Canadian manufacturing and critical infrastructure firms leaves a lot to be desired if a survey conducted earlier this year is representative.
Although Canada has a national cybersecurity strategy and has been encouraging organizations to improve readiness since 2010, the recently released survey of 208 firms had a number of concerning results:
- only 60 per cent of respondents said their firm had a written cyber security program;
- only 57 per cent had appointed a cybersecurity official (for example, a chief information security officer) to lead their efforts. The rest were led by someone with an IT background;
- only 30 per cent of respondents had a CISO, a written program and regular security audits, the three elements the report's authors think define a cyber-secure mature firm;
- 23 per cent of respondents feel somewhat or very dissatisfied with their cyber preparedness;
- 65 per cent said their firm spends less than $100,000 a year on cybersecurity.
Study leader Jean-Guy Rens, vice-president of the Canadian Advanced Technology Alliance (CATA), which commissioned the report, said the results are “worrisome.”
“[Companies] are aware of the problem, but they are very limited in what they deploy,” he said in an interview. “They don’t receive a lot of help from the government, and we end up with this result.”
There isn’t a sense of mobilization in the sector, he added.
Rens called on Ottawa as well as the manufacturing industry to do more, including finding ways for firms to share more threat intelligence and best practices.
Rens, who is senior partner at marketing firm Sciencetech Communications, which wrote the report, acknowledged that the small survey sample — only 208 of 2,421 invited firms responded — is a concern. However, he explained it away by noting many companies refuse to talk publicly about cybersecurity.
The report comes after the federal privacy commissioner’s office said it received 680 reports of violations of security controls in Canadian firms covering over 28 million people in the first 12 months of mandatory data breach reporting.
The CATA report was largely paid for by Siemens Canada and CyberNB, an arm of the New Brunswick government. It studied physical cybersecurity in so-called Industry 4.0 manufacturing and critical infrastructure firms. These are companies with production automation and network integration. Critical infrastructure organizations include government, banking, energy, transportation, hospital and other sectors identified by the federal government.
Fifty-five per cent of participating firms were in the manufacturing sector, and 45 per cent were in critical infrastructure. Generally, Rens said, the critical infrastructure firms were in better shape than the manufacturing companies. That’s probably because they have bigger cyber budgets, he said, are often regulated and are more used to working with each other.
In addition to the survey, report authors interviewed 27 experts to learn about best practices. The report also includes 27 brief case studies of Canadian organizations, the cybersecurity problems they face and how some of them are being addressed.
According to the report, from looking at the responding firms “cybersecurity has difficulty distinguishing itself from IT and when it is separated from it, it is in some cases still entrusted to the finance department … Linking cybersecurity directly to senior management is still exceptional outside the banking sector and government. Only one respondent reported making presentations to his company’s board of directors.”
“Too often,” the report concludes, “cybersecurity is buried in the administrative hierarchy.”
“IT and cybersecurity should be treated equally, and that means giving more value to the cybersecurity department,” said Rens.
The fact that only 60 per cent of respondents have a written cybersecurity plan is a problem, he added.
“If you don’t have a formal cyber security program that means it [cybersecurity] can be interpreted in many ways, and that means it’s not taken seriously.”
A mature firm, he added, has a CISO, a written cyber security plan and regularly conducts penetration tests. Only 30 per cent of respondents had all three.
“That is a very bad result,” said Rens.
The report also identified eight major issues:
- lack of cyber information sharing between companies and with Ottawa;
- a shortage of IT pros. To meet that, the report suggests firms urge computer scientists and even non-IT specialists to become cyber security experts;
- a need to enhance the CISO function in organizations;
- a lack of employee awareness. To boost this, the report suggests putting cyber security in every employee's job description and linking it to performance reviews and salary;
- a lack of awareness about cyber security among small and medium-sized businesses. The report suggests an unspecified form of financial incentives for SMEs to improve their maturity;
- low adoption of cyber insurance;
- and a need to address data sovereignty problems. The report suggests creating a public or quasi-public sector co-location facility to house Canadian providers of cloud and cybersecurity solutions.