Majority of Canadian organizations unprepared for a cyber-attack
Deloitte reports that only one in five Canadian companies are prepared to effectively respond
Toronto, December 3, 2015 – According to a new report from Deloitte Canada, Navigating a harsh cybersecurity landscape, a majority of Canadian companies surveyed consider themselves prepared for a cyber-attack, yet barely one third (36 per cent) of businesses have effective procedures and technologies in place to protect critical assets. Additionally, only one in 10 companies have a high level of preparedness in the face of cyber threats, meaning they have secure, vigilant and resilient procedures in place.
“This lack of preparedness and awareness is very concerning,” said Nick Galletto, Partner, Deloitte Cyber Risk Services Leader for the Americas and Canada. “Companies that are not ready face numerous cyber risks including advanced persistent threats, where a system is secretly infiltrated by cyber entities that remain behind the company’s walls gathering information. This kind of attack can go on for months and years if a company is unsuspecting and result in significant, expensive, and brand-damaging data security and privacy breaches.
Cyber threats are becoming increasingly common as attackers fine-tune strategies and tactics to avoid detection. Yet many Canadian companies have not prepared for a cyber-attack—and they don’t even know it.”
While advanced persistent threats are difficult to discover, they can be detected, yet only 43% of Canadian companies are performing even periodic vulnerability and compromise assessments to protect against these threats. If hit with an attack, only 22% would be able to rapidly recover.
Among companies that are better prepared, the majority work with a managed security service provider, or MSSP. The report found that MSSP clients were more likely to have defined cyber resiliency processes, test their preparedness through cyber drills, and monitor cyber chatter about their brand, products, and what’s being said about their environment.
“Organizations that make the right investment in people, technology and processes are much better positioned to not only identify a cyber threat, but recover from an attack,” said Galletto. “These are the kinds of companies that show proactive threat management — they are vigilant, they learn from their experience, and the experience of others, so they can become more resilient.”
Businesses that want to improve their cyber preparedness need to:
Protect the things that matter — Adversaries have motives. Businesses need to understand the value of critical assets and interactions, known as “crown jewels,” and the risks to these assets.
Recognize that traditional cyber defenses are not enough — Cyber Threat Intelligence (CTI) coupled with advanced security monitoring proactively expands your view into threats and response capabilities, yet only one-third of organizations have a formal process to gather and share CTI. Where appropriate, sharing information within an industry can help organizations in that industry collectively limit their exposure to an attack.
Prepare for the inevitable — Your organization is a target. Businesses must proactively test their incident response processes and procedures through cyber-attack simulations to truly understand their capabilities.
Develop a holistic cybersecurity strategy, recognizing that securing their business alone is not enough — Organizations need to do more than fortify their business to protect critical assets; they need to have in place the right resources (people, processes and technology) and cybersecurity ecosystem to remain vigilant in the face of cyber threats.
Understand they can’t go it alone — As threats become more sophisticated, businesses need to understand where they need help and engage a co-sourced or outsourced managed security services provider (MSSP). Fewer than half of Canadian companies surveyed have partnerships like this.
Deloitte Canada’s 2015 Cybersecurity survey polled information technology leaders from over 100 Canadian businesses representing all major sectors of the Canadian economy.
The full report and additional resources related to these findings are available at: Deloitte.ca/CybersecurityReport
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.