How many organizations in Canada have their defences breached in a year? Almost all of them, if a survey by a security vendor is representative.
According to a report released by Carbon Black on Tuesday, 83 per cent of the 250 Canadian CIOs, CTOs and CISOs questioned as part of a global survey said their organizations had suffered a cyber security breach in the previous 12 months.
Of those, 22 per cent said their firm had been breached five or more times.
By comparison, last fall after surveying 10,000 Canadian businesses Statistics Canada found that 21 per cent of respondents said they were impacted by a cyber security incident that affected operations in 2017.
However, a Carbon Black official defended the accuracy of its survey results.
“A lot of organizations don’t want to acknowledge or even understand if they have been breached, so the senior leadership that respond to other surveys — the CEOs, CFOs or even general counsel — it’s better for them to say it hasn’t happened,” said Tom Kellermann, Carbon Black’s chief cybersecurity officer. “The 250 folks we reached out to, we vetted them in terms of their bonna fides in terms of their understanding of technology and the security posture of their organizations.”
He said he’s confident the 83 per cent number is valid for the respondents surveyed.
“If I was the CEO or a general counsel of a Canadian company and I was asked to respond to a survey, ‘Have I been breached last year,’ of course I’d say no. But then again if I’m a security professional or a CIO who understands the importance of eliminating plausable deniability and lifting all boats through collective action, then I’d say yes.”
He didn’t know Statistics Canada is a government agency. StatsCan’s survey base was much bigger than Carbon Black’s he acknowledged.
“The [Carbon Black] stat is pretty damning, but then again more organizations get breached every year,” said Kellermann. “Cyberspace has become a free-fire zone and a lot of that’s due to traditional architectures of security that were espoused by the standards bodies and regulatory bodies … are failing because they’re based on a kill-chain that is no longer the mainstream form of hacking.”
Most experts call for defence in depth, he said, but that fails because of cloud computing, mobility and application development. On top of that most attackers use fileless malware, Kellermann, spread malware by infecting web sites, distribute it through IoT devices or through supply chains.
He noted 50 per cent of Canadian respondents to the Carbon Black survey believed they were being targeted through their supply chains. Of those 30 per cent thought their firms’ web sites had been used for so-called “watering-hole” attacks, where unsuspecting visitors to sites get infected.
“That shows the hacker community is using your trust relationships, but also willing to use your brand to target your constituency.”
This so-called “island-hopping” — using one victim to spread an attack to others — has many variants, Kellermann said. One of the more recent is what he called “reverse business email compromise,” where an attacker takes over a company email server to push out fileless malware.
“The most important finding in this study aside from professional services being the most targeted industry and the increase in sophistication of attacks is that island-hopping is becoming very mainstream. The goal of hackers is no longer smash-and-grab burglary it’s ‘home invasion’ — they want to occupy space [in the enterprise] and use that network to target those who trust it.”
The Canadian respondents to the Carbon Black survey said the primary causes of successful breaches were phishing attacks (20 per cent), ransomware and third-party application breaches (14 per cent) and process weaknesses (12 per cent).
To protect themselves organizations should be doing threat hunting to see if they have already been compromised, increase privilege access management and ensure all defensive security systems are integrated.
The full Carbon Black report is available here. Registration required.