State of Canadian cyber awareness training ‘very concerning,’ survey results show


Published: February 9th, 2018

Cyber security experts agree awareness training of employees is vital for organizations to secure personal and corporate data, but a new survey suggests Canadian firms aren’t doing enough.

Only 26 per cent of the 421 IT security and risk and compliance professionals questioned said their organization has formal training showing staff how to identify attacks such as phishing.

Only 29 per cent said their organization offers training on updating PCs and smartphones. For some organizations that update company-owned devices, that number may be explainable. However, in an era of BYOD it may not.

The numbers are “very concerning,” said Theo Van Wyk, chief architect of Toronto’ solution provider Scalar Decisions, which paid for the survey.

He was at a loss to explain why some of the numbers on the training questions were so low in some categories. “I would have expected corporations would have complete training plans across each of those branches,” he said.

Asked what will change the attitude of organizations on training, he replied, “my first reaction is more breaches to occur.”

“You need to train your employees,” he said. “They’re an integral part of your security plan. You have to give them a sense of ownership in securing the assets.”

The survey was conducted between November and December of last year.

Think Canadian organizations are relatively immune from data breaches? Think again:

–87 per cent of respondents said their organization had suffered at least one data breach in the previous 12 months;

–on average, responding organizations were attacked more than 450 times per year, resulting in an average of 9.33 breaches per organization per year ;

–of those breaches, more than 20 per cent were high impact incidents, such as a major breach where highly sensitive data has been exposed;

–the average cost per organization of a breach was just under $3.7 million. The overwhelming amount of that $3.3 million was lost revenue.

In an attempt to make those number more palatable, the survey converted them to cost per employee. On average that would work out to $1,733, depending on the size of the company. For smaller firms responding to this survey, the cost of the average breach was just over $1 million, which worked out to on average just over $12,000 per employee. For enterprises, the average $3.7 million breach worked out to $755 an employee.

“There’s a number of companies in Canada that in their minds ($3.7 million) is a very tall number for them to digest,” Van Wyk explained, so the numbers were broken down to cost per employee. The goal was to “make the number something they can associate with.”

Respondents figured on average their organization spent 90 hours of downtime after a breach, and lost 16 work days on recovery.

There are also other troubling numbers:

–only 32 per cent of respondents said their organization has a fully documented security incident plan which is regularly updated.

–another 48 per cent said they have an IR plan, but it isn’t updated often

–18 per cent said their organization has only an informal IR plan.

To prepare for cyber attacks organizations need to know what they have to protect. A commendable 93 per cent of respondents said their organization inventories applications, devices and systems. However, only 43 per cent said such an inventory is done across the entire organization.

Other related numbers:

–98 per cent said their organization assesses security weaknesses across apps, devices and systems, but only 69 per cent did it across their entire organization;

–87 per cent assessed the business impact of possible data loss/corruption, but only 31 per cent did it across their entire organization;

–and while 85 per cent said their organization prioritized the deployment of specific security solutions to address vulnerabilities, only 29 per cent said it was done across the entire organization.

The possibility that suppliers and third parties could be a path to a breach is on the minds of respondents, but only 26 per cent said they looked at this group comprehensively. 60 per cent agreed “we should look at this in more detail.” Another 11 per cent said their organization doesn’t look at third parties in terms of security.

When rating different threats, on average 63 per cent of respondents said insiders, cloud security and public exposure of customer data were their organization’s biggest concerns. Interestingly, at the bottom of the list was ransomware (15 per cent).

Asked what their greatest concerns are, 71 per cent respondents across the small, medium and large organizations chose on average “exposure to insider threats from employees or contractors”; the same number chose “getting the organization to conduct regular cyber risk assessments and audits.” Sixty-seven per cent chose “not being able to identify threats that could jeopardize infrastructure and data.”

An average of half chose “business executives and managers taking responsibility for cyber security,” as well as “obtaining co-operation between business and IT on security planning.

“The cost of simply treading water in cyber security is no longer acceptable,” the survey’s authors say. “Every organization, whether small or large, needs to take action.”

The full study can be downloaded at https://www.scalar.ca/en/landing/2018-scalar-security-study/