Although 69 percent of Canadian companies surveyed have experienced some kind of cyber attack within a 12-month period, a national study on cyber crime has found that most businesses are not prepared to deal with online attacks.
The survey of 520 Canadian companies from finance, airline/shipping, telecommunications, utilities, aerospace and defence, and retail sectors revealed that a total of 5,866 attacks were reported, 16.5 attacks per affected business.
The study, conducted by International Cyber Security Protection Alliance (ICSPA), suggests that malware/virus attacks are the most common form of cyber crime, with 51% of business being affected while 18% of businesses report cyber attacks in the form of phishing and social engineering.
The total financial loss for companies as a result of cyber crime over a 12-month period is approximately $5,328,916, or an average of $14,844 per affected organization. Financial fraud accounts for 36% of this sum, costing companies an average of $6438 per attack.
The study finds “multiple gaps in cyber crime preparedness among Canadian businesses, from a lack of trained personnel to a lack of strategies and procedures that could mitigate such attacks.” Also of concern is the fact that many companies do not have any tools that would allow them to detect an attack, which suggests that cyber attacks may be even more widespread than the numbers suggest.
Of the companies surveyed, 69% do not have formal procedures in place in the event of a cyber attack. Only three out of ten companies surveyed have contingency plans in case of a cyber attack, and only three out of ten companies have personnel who are properly trained to handle cyber threats.
“Canadian companies are under attack and yet most companies do not conduct risk assessment processes from a cyber perspective. So they don’t know if they’re under attack because they do not even have the right tools to tell them what’s happening,” said Ken Taylor, ICSPA president for North America. “Ninety-four percent of the companies surveyed do not have a national or internationally recognized IT security standard in place…[s]o there’s a serious disconnect here from the Canadian perspective.”
The survey suggests that two factors may be contributing to the situation: the financial and reputational repercussions for cyber attacks have not been significant enough to change attitudes and behaviour; and organizations do not have the awareness of what strategies to implement to minimize their vulnerability to cyber threats.
The study found that most companies (39%) were more likely to engage private organizations in relation to cyber attacks, with only 11% ever involving the RCMP or other government agencies. However, a majority of the companies surveyed felt that Public Safety Canada and the RCMP need to play a more active role in providing awareness, education and support to businesses and individuals in order to combat the threat of cyber crime.
On a more positive note, cyber crime prevention in Canada is in its infancy, which presents the online community with an incredible opportunity “to come together, collaborate, and share information in order to create awareness,” Taylor said. “We have to be willing to share our experiences and what’s happening to our businesses in order for us to collaboratively approach this definition phase, because we have to define the cyber lexicon. We have to stand up and say ‘this is acceptable online behaviour…and this is not’.”
To this end, ICSPA are holding talks with partners like Lockheed Martin and McAfee, along with organizations like the Canadian Chamber of Commerce and the Canadian Council of Chief Executives in order to introduce workshops that will help raise awareness about cyber crime in Canada.
