Fall 2018 Cybersecurity survey

Report | sponsored by Akamai

Key findings: Canadians are confident but there are cybersecurity risks

  • 40 per cent of respondents experienced a cyber-attack in the last 12 months. Among large businesses, 250-499 employees, this number increases to 66 per cent. Overall, one in ten experienced 20 or more attacks.

  • 67 per cent of respondents outsource at least part of the cybersecurity footprint to external vendors.

  • One-third of respondents indicated that the most significant impact of a cyber-attack is the time and resources required to respond to the incident.

  • 88 per cent of respondents were concerned with the prospect of future cyber-attacks, which resulted in 28 per cent suggesting they would add cybersecurity staff in the next year.

  • Although 78 per cent were confident in their level of cyber-threat preparedness, 37 per cent didn't have anti-malware protection installed and a shocking 71 per cent did not have a formal patching policy – exposing these organizations to massive security holes.

  • Only 54 per cent of small businesses provide cybersecurity training for their employees even though the most common form of malware seen by our respondents, phishing attacks (42 per cent), directly exploit employees as a point of weakness.

  • While 59 per cent of respondents said they stored personal information from customers, only 38 per cent said they were familiar with PIPEDA.

Introduction: Canadian cybersecurity, Canadian report

Cybersecurity data is more plentiful than ever. Whether this is because more organizations are supplying it or whether more hackers are creating it is up for debate. Regardless of who or why the data is being published, the conclusion is stark: cyber crime is rising and shows no sign of slowing down.

According to the Trustwave Global Security Report, the global cost of cybercrime was estimated to be $600 billion USD in 2017. This included the cost to protect organizations and the global internet from the massive upswing in DDoS attacks, the blight of ransomware and (the new bad guy on the block) bitcoin-mining malware. The problem is big and it is global.

Where does Canada fit in all this?

Most of the big cybersecurity research focuses on global organizations, while locally the big security spending is in our larger organizations. However, according to Statistics Canada, about half of Canada’s 16 million workers are in smaller businesses with up to 499 employees. With the help of our partners at Akamai, CIRA set out to understand how the global threats impact these businesses in Canada, how worried they are, and how they are responding to it.

For this research, we looked at organizations with up to 500 employees. That said, we do understand that in the Canadian context an organization with more than 250 employees is actually pretty large. Importantly, these companies also serve, supply and partner with individuals and larger organizations. They may not have the resources to deploy complex security stacks and this makes them easier targets. As we saw way back in 2014 with the attack on Target that leveraged the HVAC system to get millions of credit card numbers, any sized business can be a conduit into hacking a larger one.

The attention around cybersecurity breaches is only going to grow thanks to the upcoming changes to privacy regulations in Canada. It is estimated that 70 per cent of data breaches happen against companies with fewer than 100 employees which means that a problem that once only kept IT managers of large corporations up at night, will now be causing insomnia for many more.


And why do hackers want the information that you are in control of? Simply put, personal data is valuable. Personal information is being sold on the dark web for as little as $5 for a credit card number, $30 for an entire identity, or up to $1,000 for medical records. Do you still trust those older computers with the open USB ports that sit unattended in the little waiting rooms at your doctor’s office? There are hundreds of examples of low-hanging fruit for hackers in the everyday interactions Canadians have with small businesses. All these situations are potential breaches and many businesses don’t even know the risks.

Our goal with this survey is to provide insight into the Canadian cybersecurity landscape and understand just how Canadian businesses are preparing and coping with the new IT security reality.

A key element of building a better online Canada is ensuring Canadians have safe, secure internet access. Through our experience in managing the .CA domain for Canadians, we hope to help lend our expertise in safeguarding Canada’s internet so that Canadian businesses can thrive online.

Byron Holland president and CEO, CIRA

Methodology

CIRA contracted the research firm, The Strategic Council, to interview 500 individuals with responsibility over IT security decisions. The sample included both business owners and employees who manage information technology. All the respondents had budgetary authority over cybersecurity decisions.

In our sample, 92 per cent indicated that they were at least somewhat familiar with the organization's computer and IT functions, while 8 per cent held budgetary control but were less familiar with the systems in place.

Respondents all have responsibility for IT decisions

Among those surveyed, 58 per cent were employees while 42 per cent identified as self-employed or owners of businesses that employ others. For-profit businesses represented 92 per cent of the sample, while 8 per cent were non-profit organizations.

Finally, among those employed inside an organization and responsible for IT decisions, there was a relatively even distribution of organization sizes, from those with only 10-19 employees (18 per cent) to those with 250-499 employees (17 per cent). In short, this survey presents a wide range of viewpoints that allows us to draw some interesting conclusions about the cybersecurity landscape in Canada.

General IT areas included within job

49% System administration
41% Cybersecurity
40% Desktop IT
39% Networking
30% Other technical
40% Non-technical decision making

Familiarity with organization's computer systems / IT functions

92% Total familiar
44% Very familiar
48% Somewhat familiar
8% Total NOT familiar (but budget holders)

About the organizations

While our survey included a variety of businesses, the majority had been in operation for quite some time with 52 per cent indicating they have been in business for more than 20 years. While Canada is known as a country of exporters, 67 per cent of businesses in our sample indicated they do business in Canada only.

The top sectors represented in our sample were services, manufacturing, finance, retail and construction.

Cyber-threat exposure and readiness: A growth for IT employment

While cybersecurity is no longer a mystery to most Canadian organizations, we wanted to know more about how businesses are preparing to meet these threats and gauge their level of exposure. We asked generally about the kinds of digital tools and platforms that organizations are using to provide insight into the level of sophistication of their IT infrastructure and also to see where data might be at risk.

Unsurprisingly, use of internet-connected devices topped the list at 61 per cent, while cloud computing and storage platforms were present in 57 per cent of respondents. While Canadians are often stereotyped as hewers of wood and diggers of dirt (i.e. forestry and mining), it was fascinating to learn that fully 30 per cent of respondents deploy an e-commerce platform in their business – meaning they likely collect and store some personal data.

30% of organizations deploy an e-commerce platform

Reliance on vendors

Cybersecurity expertise is in high demand, and the industry moves quickly. A recent report by Deloitte indicated that 5,000 cybersecurity jobs will need to be filled in Canada between 2018 and 2021. The same report also uncovered a global workforce gap of 1.8 million cybersecurity experts. This creates a significant amount of competition for good people, and leads to many organizations outsourcing their cybersecurity needs. Among our sample, 34 per cent mostly relied on vendors, 33 per cent felt they had an equal mix of insourced and outsourced resources, while 27 per cent reported internal resources only. This underscores the importance of understanding the security footprint of your managed service provider and ensuring they have a complete suite of cybersecurity solutions.

How do you resource your cybersecurity?

34% External suppliers/vendors - all or mostly outsourced
27% Internal resources - all or mostly insourced
33% Both equally
3% Neither - no resources devoted to cybersecurity
3% Don't know

How many IT resources were primarily responsible for cybersecurity?

To get a better understanding of how committed organizations were to cybersecurity, we first asked how many people worked in information technology, and subsequently, how many have cybersecurity as their primary responsibility.

While the report focuses on organizations with more than 10 employees, we did note that among businesses with up to 10 employees, 41 per cent have no internal resources for IT. When you look at responses from IT employees in larger organizations, we see that the most common response was having two to five people responsible for IT.

Number of employees with primary responsibility over IT

24% None
18% 1
33% 2 to 5
10% 6 to 10
7% 11 to 20
2% 21 to 29
3% 30 to 50
1% More than 50
3% Don't know

When we focused in on cybersecurity, the numbers suggest somewhere between 25-50 per cent of IT staff are assigned responsibility for cybersecurity.

The weighted average number of IT staff as reported by IT employee respondents was seven while the weighted average number of those responsible for cybersecurity was four. This suggests that more than 50 per cent of technical resources have at least some responsibility for cybersecurity. This demonstrates just how much time, effort and resources are now being diverted to fighting off bad guys rather than delivering value to customers.

Number of employees who have a primary job responsibility for cybersecurity

34% None
26% 1
27% 2 to 5
8% 6 to 10
4% 11 to 20
1% 21 to 29
1% 30 to 50
1% More than 50
2% Don't know

Canadian companies are coping with cyber-threats by outsourcing a lot of work

As Canadian small and medium-sized businesses struggle to cope with the onslaught of cybersecurity threats, many are turning to external experts for help. Fully 51 per cent of respondents reported outsourcing to cybersecurity consultants or contractors. Interestingly, organizations with internal IT teams indicate that they are more likely to be outsourcing cybersecurity services than owners of smaller businesses (62 per cent vs 45 per cent). This highlights a significant vulnerability; smaller Canadian businesses often lack the resources to outsource their cybersecurity needs, but also face a lack of support in-house. It may also reflect the desire of larger IT teams to keep their internal resources focused on their users and outsourcing cybersecurity to experts.

Most concerning was the fact that 27 per cent of respondents said they lacked the resources to employ a cybersecurity professional, while 23 per cent didn’t employ a resource as they deemed the risk too low. Of course, as we know, businesses of all sizes and types are now at risk of a cyber attack. There are no longer businesses that are “too small” to be a target. In fact, it is often these smaller businesses that provide hackers with a way into the larger ones.

Canadian businesses are not islands; they are connected as vendors, suppliers, contractors and customers. We must do everything we can to ensure even the smallest businesses have the resources they need to protect themselves and the Canadian SME ecosystem.

Dave Chiswell vice president of product, CIRA

Main reasons for having no employees primarily responsible for cybersecurity

51% We use external consultants
27% We don't have the resources to employ a cybersecurity professional
24% All employees are responsible to a degree
23% Cybersecurity is not a high enough risk to this organization
4% We have cyber liability insurance
1% We are currently in the process of recruiting a cybersecurity professional
0% We can't find an adequate cybersecurity professional
2% Other
5% Don't know

For organizations that use external providers, respondents estimated that they are spending on average 19 per cent of their budget on cybersecurity.

Percentage of overall IT budget devoted to external cybersecurity service providers

14% Less than 5%
12% 5 to 9%
40% 10 to 14%
4% 15 to 19%
8% 20 to 24%
4% 25 to 29%
8% 20 to 49%
10% 50% or more
26% Don't know

Similarly, we found that 48 per cent of respondents outsourced at least some of their network infrastructure or other IT related needs. This makes sense as many organizations lack the expertise to run today’s complex IT stacks.

However, it is important to note that outsourcing labour does not offload cybersecurity responsibility to someone else. Managers should be asking smart questions of their suppliers that go beyond the functions of the software and hardware to understand how seriously they treat cybersecurity.

Businesses confidence in their cybersecurity investment

Overall, the Canadian SMEs we surveyed are a pretty confident group; 78 per cent feel somewhat or very confident in the resources they have devoted to cybersecurity. This doesn’t mean we surveyed a bunch of IT managers with their heads in the proverbial snow, but rather that they feel they have done their best to balance risk vs. investment. A smart IT manager knows that the only way to be 100 per cent cyber-secure is to unplug everything.

How confident are you with your cybersecurity stance?

22% Very confident
56% Somewhat confident
16% Not very confident
3% Not confident at all
< 1% Prefer not to answer
7% Don't know

66 per cent felt they had “about the right number” of employees responsible for cybersecurity. Conversely, 24 per cent felt they had too few, which tells us that some of those confident managers from the previous question may not be as confident as they’d like to be. To use a sports analogy, no matter how much you trust your team, you wouldn’t want to take the ice with one less player than your opponent.

Perception of the number of employees responsible for cybersecurity

2% Too many
66% About the right number
24% Too few
2% Prefer not to answer
7% Don't know

Cybersecurity training for non-technical employees

Every IT manager knows that their department is rarely the weakest link in their cybersecurity footprint—it’s all the other departments that are the problem (sorry marketing).

Phishing and social engineering attacks look for weaknesses throughout an organization, not just in the technical systems. This makes training and awareness critical for protecting your network. Among our respondents, only 53 per cent offer cybersecurity training to at least some employees. However, when we peel back the layers, the problem is even more acute. When you look at organizations with formal IT teams, 65 per cent offer cybersecurity training, while sole-proprietor businesses only offered training 35 per cent of the time. Additionally, when you compare organizational size there is a huge difference in who is able to provide broad training programs. Among organizations with 250-499 employees, 82 per cent offered training, while only 54 per cent of those with 10-49 employees did the same.

Organizations that provide at least some cybersecurity training by size

54% 10 to 49
69% 50 to 249
82% 250 to 499

Logically, these numbers make sense as larger organizations have larger IT departments to deliver training, bigger budgets, and more employees who are potential breach points. Additionally, in larger organizations, the IT staff likely interact less frequently and personally with their users so more formal processes are necessary.

However, it is difficult to see this lack of training among smaller businesses as anything less than a significant risk to Canada’s economy. No matter how small the organization, or what their business entails, Canadian businesses interact with each other. That small supplier who services your photocopier could be the very window into which a hacker will look to climb.

Training and awareness are critical to ensuring your business is cyber-secure. No matter how great your IT team is, anyone with a network-connected device can be the weak point that brings your business down.

Jacques Latour CSO, CIRA

Cyber-attack reality: Is the glass half full?

Having spent the first half of this report on issues such as exposure, readiness, and satisfaction with existing security, now it’s time to get real—impact. How are Canadian SMEs being impacted by cyber-threats, what are the costs, and how are they coping? For this portion of the analysis, we will focus more on IT managers within organizations rather than on owners of smaller organizations, because organizations with IT managers have more formal protections, measurement tools, and policies in place.

Of the respondents, four in 10 are aware that they have experienced cyber-attacks in the last 12 months. What was particularly striking is how this response differs between IT professionals and budget-holding business owners. When business owners with budget control over IT security were asked the same question, almost seven in 10 said they had not experienced an attack. It seems likely, though we can’t prove it with certainty, that many of these business owners are experiencing breaches that they are unaware of. Given the often automated nature of many of today’s cyber-attacks, it often requires a trained eye to even know you have been a target. And finally, we are actually surprised that the number is not 100% and believe that respondents only considered it an attack if there was at least some noticeable result.

As organizations increase in size so does the awareness of cyber-attacks with fully 66 per cent of those with 250-499 employees indicating that they had been a victim. Are larger organizations experiencing more attacks because they are bigger targets or because they have more sophisticated systems to detect a breach?

Incidence of experiencing cyber-attacks in the last 12 months - IT managers' answers

14% Yes, successful attacks
36% Yes, unsuccessful attempts
40% No
5% Prefer not to answer
6% Don't know

Incidence of experiencing cyber-attacks in the last 12 months - Business owners' answers

6% Yes, successful attacks
18% Yes, unsuccessful attempts
67% No
4% Prefer not to answer
7% Don't know

YES, we have experienced a cyber-attack - IT managers' answers based on size of organization

42% 10 - 49 employees
50% 50 - 249 employees
66% 250 - 499 employees

Of those organizations that experienced an attack, most report fewer than five in a year. Again, when you talk to IT managers they report a significantly higher number of attacks on average. 7% of IT managers reported 50 or more attacks.

7% of IT managers reported 50 or more attacks per year

A snapshot on Canadian internet traffic to malware sites

From a security standpoint, CIRA lives in the DNS world full time. In addition to keeping the top-level DNS of over 2.8 million .CA domains running we also deliver a secondary DNS service and cloud DNS firewall service.

The cloud firewall service is a malware and phishing blocking service named D-Zone DNS Firewall. When a user tries to click on a malware-infected link, or an infected device attempts to reach its command and control server through the DNS, the communication is refused. The refusal happens in the cloud and a message is sent to the user via a block page alert in the browser.

This block is logged against the threat category for over 600,000 Canadian users to give an unprecedented view of the Canadian landscape. Our user base includes businesses, but we do have a heavy weighting of users in the public sector at municipalities, universities, school boards and hospitals. These types of organizations tend to run different networks (in terms of public and private network profiles) than commercial companies, but the lessons are similar.

In addition to threat blocking, we see organizations using the DNS for content filtering. The types of content being filtered vary a lot across organizations in Canada and even within individual sectors. For example, different school boards have very different policies for what types of content they are blocking for K-12 students. For the purposes of this report, this is an interesting observation. We will delve further into it in a future analysis.


How often user devices attempt to access phishing and malware-infected URLs

We looked at all infected-page and phishing-page blocks in the month of August 2018. This excludes significant botnet activity, to focus on the users that IT people need to deal with, and includes malware applications inside the organization network that use HTTP traffic. In either case, user or machine generated, this is highly undesirable traffic.

Across our network in Canada, we saw that the average number of blocks per user per month was 3.1 blocks to infected pages and 0.6 blocks to phishing pages. (The number of users is estimated based on the number of network users provided by the organizations using the D-Zone DNS Firewall and includes estimates for public networks they have deployed.)
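To make the mechanism and the metric concrete, here is an added example (not CIRA or D-Zone code) that models an RPZ-style DNS block against a constructed threat feed and computes blocks per user per month from constructed block-log lines; the feed entries, the block-page host, the log format and the user counts are all assumptions.

```python
"""
Model of a DNS-layer threat block (RPZ-style policy) and of the per-user
monthly block metric described in the report. Added example, not CIRA or
D-Zone code; the threat feed, log lines and user counts are constructed,
and reserved .example names stand in for real indicators.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK_PAGE = "blockpage.example"  # constructed: host that serves the alert page

# Constructed threat feed: listed domain -> threat category. A listed
# domain covers all of its subdomains, as RPZ-style policies usually do.
THREAT_FEED = {
    "infected-site.example": "malware",
    "c2-controller.example": "malware",
    "login-reset.example": "phishing",
}


def lookup_policy(qname: str) -> Tuple[str, Optional[str]]:
    """Return ('allow', None) or ('block', category) for a query name.

    Walks from the full name up through each parent so that a query for
    cdn.infected-site.example matches the infected-site.example entry.
    Case and a trailing dot are normalised the way a resolver would.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in THREAT_FEED:
            return "block", THREAT_FEED[candidate]
    return "allow", None


@dataclass(frozen=True)
class BlockEvent:
    org: str
    qname: str
    category: str


def resolve(org: str, qname: str, upstream: Dict[str, str],
            log: List[BlockEvent]) -> str:
    """Answer one query. A blocked name is pointed at the block page, so a
    user's browser shows the alert and an infected device never learns the
    real C2 address; the block is logged against its threat category."""
    decision, category = lookup_policy(qname)
    if decision == "block":
        log.append(BlockEvent(org, qname.rstrip(".").lower(), category))
        return BLOCK_PAGE
    return upstream.get(qname.rstrip(".").lower(), "NXDOMAIN")


def parse_block_log(lines: List[str]) -> List[BlockEvent]:
    """Parse the constructed 'timestamp key=value ...' block-log format."""
    events = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        events.append(BlockEvent(fields["org"], fields["qname"], fields["category"]))
    return events


def blocks_per_user(events: List[BlockEvent],
                    users_by_org: Dict[str, int]) -> Dict[str, float]:
    """Blocks per user for the period, by category, pooled across all
    organizations (total blocks / total estimated users), which is the
    shape of the 3.1 and 0.6 per-user figures quoted in the report."""
    total_users = sum(users_by_org.values())
    counts = Counter(e.category for e in events)
    return {cat: round(n / total_users, 2) for cat, n in sorted(counts.items())}


# Constructed sample data: one month of block-log lines and the estimated
# number of network users each organization reported.
CONSTRUCTED_LOG = [
    "2018-08-01T09:12:04Z org=alpha qname=cdn.infected-site.example category=malware",
    "2018-08-01T09:12:09Z org=alpha qname=login-reset.example category=phishing",
    "2018-08-02T14:03:51Z org=beta qname=c2-controller.example category=malware",
    "2018-08-02T14:04:01Z org=beta qname=c2-controller.example category=malware",
]
USERS_BY_ORG = {"alpha": 2, "beta": 3}


if __name__ == "__main__":
    upstream = {"intranet.example": "192.0.2.10"}  # constructed, TEST-NET-1 address
    live_log: List[BlockEvent] = []
    print(resolve("alpha", "intranet.example", upstream, live_log))
    print(resolve("alpha", "CDN.Infected-Site.example.", upstream, live_log))
    print(blocks_per_user(parse_block_log(CONSTRUCTED_LOG), USERS_BY_ORG))
```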

Remember that these organizations deploy other forms of cybersecurity in addition to the DNS layer, but the data we see suggests the benefits of a DNS layer and the type of problems that IT managers can stop from getting into their network by using a DNS firewall.

At this time we can’t point to any significant trends up or down in Canada in terms of overall threat profile changes, but we continue to monitor it and look forward to some DNS-science based reports in the future (so make sure you register for updates!).


Most common attacks seen by Canadian SMEs

The variety of cyber threats in the wild these days is enough to confuse a Pokemon fan—some even have logos and support teams now—so what should we be on the lookout for?

Among those identified in our survey, phishing and viruses were the top two reported attack types with about four in 10 reporting each attack type. Trojans and spyware were the next two most reported at 32 per cent and 30 per cent respectively. Rounding out the top five was ransomware with 27 per cent reporting having experienced this attack (successful or unsuccessful).

It is worth recognizing that for those who don’t work full time in cybersecurity, familiarity with all the forms of malware (and their differences) is not likely to be high. Therefore, while this data points to a trend, precision is not likely high for the business owner respondents.

When asked to rank the types of attacks that could do the most damage, the top five is identical but in a slightly different order.

Types of malware that could have the greatest negative impact

43% Virus
36% Ransomware
34% Trojan
32% Phishing/Spear phishing
29% Spyware
25% Worm
16% Backdoor
16% Keylogger
16% Unwanted applications
12% Adware
11% Bots or botnets
10% Cyber-currency miner
1% Other
3% Prefer not to answer
16% Don't know

A set of simple definitions for common malware types

Adware
Displays ads on your computer. Often installed along with free tools obtained from undesirable sources.
Spyware
Tracks internet activities.
Virus
Contagious program or code that attaches itself to another piece of software, and then reproduces itself on the PC, across the network or to other computers via file transfers.
Worm
Self-replicating threat that destroys data and files on the computer.
Trojan
Trojans seek to discover information, like financial details. They can bring in other malicious code. Also used to take over resources to launch attacks against other devices.
Rootkit
Typically permits other information-gathering malware in via a back door.
Backdoors
Open a link onto a computer, providing a network connection for hackers or other malware.
Keyloggers
Record everything you type on your PC.
Ransomware
Locks the user out of the computer or the data on its drives until the user pays, generally via cyber-currency, to get a key. Even once you pay, you may never get a working key.
Browser hijacker
Redirects normal search activity to give results the hacker wants you to see. Its intention is to make money off your web surfing. This can range from sending ad-based content to being used to phish for your banking, or other, data.

Source: Modified from malwaretruth.com

Impact of cyber attacks

There comes a time in the evolution of any phenomenon when the thing that was once remarkable is now just a part of everyday life. At CIRA we are still coping with the idea that the word internet is no longer capitalized, and for Canadian SMEs cybercrime is now just another cost of doing business.

Much like putting a lock on your doors or hiring a security guard, cybersecurity should now be just another line item in the budget of any Canadian business. This makes the need for reasonably priced cybersecurity solutions even more acute, and highlights the value of having layers of protection to reduce the risk of a breach.

While ransoms paid to cyber thieves to retrieve lost data often make great headlines, one third of respondents indicated that the primary cost of a cyber-attack is the additional time required by employees to respond to the incident. One in four indicated it prevented the use of needed resources and/or prevented employees from completing day-to-day work. On the positive side, relatively few indicated a loss of revenue or customers (6 per cent each).

Ways in which organization was impacted by cyber-attacks in the last 12 months

33% Additional time responding to incident
29% Minor incident
26% Prevented the use of resources or services
8% Loss of revenue
6% Loss of customers
6% Damage to reputation of organization
6% Discouraged us from carrying out a future planned activity
5% Loss of suppliers or partners
4% Paid ransom
4% Fines from regulators or authorities
19% No impact at all
5% Don't know the extent of the impact

In our survey, only four per cent indicated that they paid a ransom to a hacker. While this sounds small, Statistics Canada data from 2016 indicates there are 1.17 million businesses in Canada. If we exclude companies with fewer than 10 people, that’s 309,000 businesses. While we’re pretty happy with our survey, if we allow a variance of +/-30 per cent it would indicate that between 3,000 – 5,500 businesses in Canada paid a ransomware demand.

According to Sophos, 75 per cent of organizations infected with ransomware were running up-to-date endpoint protection.

Symantec reported that the average ransomware demand dropped to only about $650 (converted to Canadian dollars) which means that the hackers are now able to target smaller and smaller businesses with ransoms that are just large enough to be profitable yet small enough to be paid without much effort. Cybercrime is now big business.

Of course, large ransoms are still being extracted from larger organizations, and we have a few recent, high-profile cases in Canada. Attacks on Wasaga Beach, ON and Midland, ON both came with initial ransom demands in the six-figure range (subsequently negotiated down), but the full cost of recovery was estimated by both municipalities to be approximately $250,000.

No matter how big or small a business is, cyber-thieves have a payment plan ready for you. It is no longer exclusively the worry of large corporate IT departments because the payment models for small business are clear and effective.

Prevention of future attacks

So if you’ve been hacked, what’s next? Among survey respondents who reported experiencing a cyber-attack, just under half took at least some additional action to help prevent reoccurrence. The most common investment is in additional technology at 45 per cent, followed by training at 40 per cent.

Actions taken to prevent future cyber-attacks

45% Installation of new software
40% Employee training
30% Security audit
27% Installation of new hardware
21% Addition of new cloud-based security
16% Hiring of new IT contractor or service providers
12% Hiring of new IT staff
2% Other
9% No actions taken
3% No answer

Level of concern

The first law of IT states that eventually everything will fail. Apparently some guy named Murphy created the original version of this law and cybersecurity professionals manage it with terms like "risk mitigation" - not risk elimination. So with this in mind, how concerned are IT professionals about future cyber-attacks?

Among those who have experienced a cyber-attack in the last year, 88 per cent were at least somewhat concerned about the prospect of future attacks. For those who had not experienced an attack only 62 per cent said the same, while 25 per cent were not concerned.

72% report being concerned about future damage from cyber-attacks

On the preparedness front, fully 82 per cent of IT managers felt they were prepared to defend against future cyber-attacks; the number falls to 68 per cent when we ask business owners. In either case, we Canadians are a confident lot.

77% report being prepared to defend against a future cyber-attack

Protection of data – one of the important why’s of cybersecurity

Customers are increasingly aware of the risks of storing their personal data with businesses. Thanks, Facebook. In fact, a recent report by Help Net Security showed that 85 per cent of customers felt businesses should do more to protect their data and 75 per cent said they wouldn’t buy from a company that they felt couldn’t protect their data.

With this in mind, it was satisfying to see that the top reason our respondents devote resources to cybersecurity is to protect the information of customers.

The top five reasons were quite closely grouped between 44 per cent and 55 per cent indicating that there are several reasons that organizations felt protection was important. This included data protection of customers, fraud or theft, data protection of employees and suppliers, operations and e-commerce.

Top five reasons for devoting resources to cybersecurity measures

55% To protect the information of customers
53% To prevent fraud and theft
53% To protect personal information about employees, suppliers or partners
49% To secure continuity of operations
44% To prevent downtime and outages of website or e-commerce

Cybersecurity Resourcing

Earlier we referenced a Deloitte report that indicated a growing need for cybersecurity professionals in Canada. In our survey, fully 28 per cent of organizations anticipate increasing the human resources they apply to cybersecurity in the next 12 months. Among larger organizations with 250 – 499 employees, this number grew to 38 per cent. Only three per cent planned to decrease resources.

Anticipated change in human resources devoted to cybersecurity in the next 12 months

3% Decrease
66% Stay the same
29% Increase
4% Don't know

We saw similar results when we asked about investment levels. For organizations that aren’t planning to increase spending the most common reason was that they felt their current systems, staffing and processes are the right amount of investment.

How are the resources being used?

So we know how businesses are allocating people and resources to cybersecurity concerns. The next question is: what are these resources focused on?

The most common tactic IT managers use to identify security risks is monitoring the network and firewall (61 per cent), followed by monitoring individual computer use (41 per cent). Both figures rise with organization size. Formal auditing and penetration testing happen in just under 25 per cent of smaller organizations and just under 50 per cent of the larger ones. We are not sure whether that means most IT people focus on deploying and using tools rather than on planning and process, but the data does suggest an opportunity for IT services vendors to help smaller businesses approach security differently.

Activities undertaken to identify cybersecurity risks

61% Monitoring network and firewall
41% Monitor employees' use of computers and the internet
29% Formal risk assessment
24% Complete external audit
23% Penetration testing
8% None
14% Don't know or no answer

Free vs. paid tools

Cybersecurity is like every other digital industry—free tools are plentiful. We asked respondents about the prevalence of free and commercial tools within their organizations. Most organizations use free (or open source) tools in addition to commercial tools. However, as they grow in size they tend to rely more on commercial tools for cybersecurity. Among organizations with 10-49 employees only 27 per cent relied solely on commercial tools, while among those with 250-499 employees 56 per cent used only commercial tools.

Is there a problem or risk associated with these results?

We have seen already that Canadian businesses are both concerned with the threat of cyber-attacks yet also relatively confident in their ability to keep their networks safe. Both these findings aren’t all that interesting on their own, but if we dig deeper we see some problems emerging.

Problem #1: Patching. What patching?

Zero-day vulnerabilities are among the most feared across the industry. They are the stuff of big headlines, especially when day zero is accompanied by a major hack. If you think your IT department is the only one paying attention to zero-day vulnerabilities, I can assure you scary folk in hoodies and sunglasses are too. One caveat is worth stating plainly: on day zero no patch exists, so patching cannot help you on that day. What a patching policy controls is what happens next. Once the vendor ships a fix, attackers compare the patched and unpatched code and build working exploits within days, and every day the fix sits unapplied is a day you are exposed to a vulnerability that is now public knowledge.

So, with unpatched vulnerabilities being such a security risk, only 29 per cent of respondents reported having a formal patching policy in place. Wait, what? Even among organizations with 250-499 employees the number only rose to 54 per cent.

This stat flies in the face of the earlier answers that organizations feel generally satisfied with their cybersecurity investments and risk and represents a major hole in any organization’s cyber-preparedness.

Incidence of having a formal patching policy

29% Yes
36% No
8% Prefer not to answer
27% Don't know
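A patching policy is only "formal" if it can be measured. The script below is an added example, not part of the CIRA report or any CIRA product: it encodes a hypothetical policy as a maximum number of days an update may stay unapplied per severity, treats anything known to be exploited in the wild as critical regardless of vendor rating, and evaluates a constructed inventory of pending updates (invented host names and packages, not real advisories) against it, returning the overdue items and the share of hosts that are in compliance.

```python
"""Patch-policy compliance check.

Added example: not code from the CIRA report. The policy tiers, host names,
package names and dates below are all invented for the demonstration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy: maximum days an update may remain unapplied, by severity.
POLICY_MAX_AGE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date the report is evaluated "as of" (constructed, matches the sample data).
AS_OF = date(2018, 11, 1)


@dataclass(frozen=True)
class PendingUpdate:
    host: str
    package: str
    severity: str            # one of the POLICY_MAX_AGE_DAYS keys
    published: date          # date the vendor released the fix
    exploited: bool = False  # fix covers a bug known to be exploited in the wild


def deadline(update: PendingUpdate) -> date:
    """Date by which the policy says this update must be applied.

    An update for a bug that is being exploited in the wild is treated as
    critical even if the vendor rated it lower, because the exposure window
    is what matters, not the label on the advisory.
    """
    severity = "critical" if update.exploited else update.severity.lower()
    if severity not in POLICY_MAX_AGE_DAYS:
        raise ValueError(f"unknown severity {update.severity!r} for {update.package}")
    return update.published + timedelta(days=POLICY_MAX_AGE_DAYS[severity])


def evaluate(inventory, today: date):
    """Return (overdue, compliant_fraction).

    overdue is a list of (host, package, days_overdue) with the most overdue
    item first. compliant_fraction is the share of hosts with nothing overdue;
    a host with one overdue item is non-compliant no matter how many others
    it has applied on time.
    """
    overdue = []
    for u in inventory:
        days_over = (today - deadline(u)).days
        if days_over > 0:
            overdue.append((u.host, u.package, days_over))
    overdue.sort(key=lambda item: -item[2])

    hosts = {u.host for u in inventory}
    noncompliant = {host for host, _, _ in overdue}
    compliant = 1.0 - len(noncompliant) / len(hosts) if hosts else 1.0
    return overdue, compliant


# Constructed inventory for the demonstration; not real hosts or advisories.
SAMPLE_INVENTORY = [
    PendingUpdate("web-01", "openssl", "high", date(2018, 9, 1)),
    PendingUpdate("web-01", "nginx", "medium", date(2018, 10, 20)),
    PendingUpdate("db-01", "kernel", "critical", date(2018, 10, 25)),
    PendingUpdate("fs-01", "samba", "medium", date(2018, 10, 1), exploited=True),
    PendingUpdate("hr-01", "libxml2", "low", date(2018, 8, 1)),
]


if __name__ == "__main__":
    overdue, compliant = evaluate(SAMPLE_INVENTORY, AS_OF)
    print(f"as of {AS_OF}: {compliant:.0%} of hosts compliant")
    for host, package, days in overdue:
        print(f"  {host}: {package} is {days} day(s) past its deadline")
```

Run against a real inventory (the output of your package manager or vulnerability scanner) the same two numbers, overdue items and the compliant fraction, are what a patching policy should report week over week; if nobody can produce them, the policy exists on paper only.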

Problem #2: Shadow IT

Things were easier when computers weighed as much as a refrigerator. Now we all have network connected devices in our pockets and IT managers can never reliably know just what exactly is on their network. Shadow IT describes technology that users run on your network without it being formally tested, approved and supported by the IT department.

In reality, there are two kinds of organizations: those that don’t know how many unknown/unapproved applications are in use by their employees and those that are lying. It is estimated that 30 to 50 per cent of IT spending in large organizations can be tied to shadow IT according to separate research reports released by Gartner and Everest Group.

In our survey, 50 per cent of organizations report unmanaged installed applications on end user machines. Another 26 per cent report unmanaged cloud services, and 17 per cent report use of shadow IT on either internal or cloud systems.

We tried to get an idea of the scope of the problem by asking approximately how many instances of shadow IT respondents estimated within their networks. The majority, 53 per cent, felt the number was less than 10. The fact is, shadow IT is one of the most significant vulnerabilities of any network, and if your cybersecurity setup consists exclusively of on-device solutions it only sees the devices it is installed on, which is only part of the problem.

Number of unique instances of shadow IT that exist within an organization (respondent estimates)

6% 0
47% 1 to 10
18% 11 to 50
5% 51 to 100
4% 101 to 250
1% More than 250
16% Don't know
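Since on-device agents only see the machines they are installed on, the practical way to count shadow IT is from the network side: every cloud service an employee uses, sanctioned or not, has to be resolved through DNS. The script below is an added example, not part of the CIRA report or of any CIRA product. It reduces resolver query logs to the set of cloud services in use and who uses them, and reports those not on the approved list. The log format, the approved list, the catalogue of SaaS domains and the `.example` host names are all constructed for the demonstration; a real deployment would feed it the resolver's own query log and a maintained catalogue.

```python
"""Shadow-IT discovery from DNS resolver query logs.

Added example: not code from the CIRA report. The log lines, domain names and
lists below are constructed for the demonstration.
"""
from collections import defaultdict
import re

# Hypothetical list of cloud services IT has approved.
APPROVED = {"office365.example", "salesforce.example"}

# Hypothetical catalogue of domains known to belong to SaaS products. Any
# resolved name under one of these is counted as use of that service.
SAAS_CATALOGUE = {
    "office365.example", "salesforce.example", "dropbox.example",
    "trello.example", "pastebin.example",
}

# Constructed query-log format: "<timestamp> query[<type>] <qname> from <client>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)

# Constructed sample log, including one malformed line to show it is skipped.
SAMPLE_LOG = """\
2018-11-01T09:00:01 query[A] login.office365.example from 10.0.1.10
2018-11-01T09:00:02 query[A] www.dropbox.example from 10.0.1.23
2018-11-01T09:00:03 query[AAAA] www.dropbox.example from 10.0.1.23
2018-11-01T09:00:04 query[A] api.trello.example from 10.0.1.42
2018-11-01T09:00:05 query[A] api.trello.example from 10.0.1.23
2018-11-01T09:00:06 query[A] pastebin.example. from 10.0.1.77
2018-11-01T09:00:07 query[A] na1.salesforce.example from 10.0.1.10
2018-11-01T09:00:08 query[A] intranet.corp.local from 10.0.1.10
this line is not a query record and must be ignored
""".splitlines()


def registered_domain(qname: str) -> str:
    """Collapse a query name to its last two labels.

    Simplification for the example: real code should use the Public Suffix
    List so that a name such as 'x.co.uk' is not reduced to 'co.uk'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_queries(lines):
    """Yield (client_ip, registered_domain) for each parseable query line."""
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # malformed or unrelated log line
        yield match.group("client"), registered_domain(match.group("qname"))


def saas_usage(lines):
    """Map each catalogued SaaS domain seen in the log to the clients using it."""
    usage = defaultdict(set)
    for client, domain in parse_queries(lines):
        if domain in SAAS_CATALOGUE:
            usage[domain].add(client)
    return dict(usage)


def shadow_it(lines):
    """Catalogued services in use that are not approved, with their clients.

    Ordered so the most widely used unapproved service comes first; ties are
    broken alphabetically so the output is stable between runs.
    """
    usage = saas_usage(lines)
    unapproved = {d: sorted(c) for d, c in usage.items() if d not in APPROVED}
    return dict(sorted(unapproved.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    found = shadow_it(SAMPLE_LOG)
    print(f"{len(found)} unapproved cloud service(s) in use")
    for domain, clients in found.items():
        print(f"  {domain}: {len(clients)} client(s): {', '.join(clients)}")
```

The count this produces is the network-side answer to the survey's "number of unique instances" question, and it is usually larger than the estimate anyone gives from memory. Note that the catalogue is the weak point: a service missing from it is invisible, which is why a maintained feed beats a hand-written list.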

Problem #3: Regulation

If you’ve visited a website in the last six months you are probably sick of getting that cookie/tracking pop-up as companies respond to requirements in the European Union's General Data Protection Regulation (GDPR). Sorry to say, there’s more to come.

The GDPR coming into force in May 2018 raised the profile of consumer privacy, and now Canada has some changes of its own that will alter the landscape in this country.

The Canadian equivalent, the Personal Information Protection and Electronic Documents Act (PIPEDA), will be undergoing some changes in November 2018 that will significantly affect the risk profile and compliance requirements for Canadian businesses.

Starting with the GDPR, it is no surprise that 66 per cent were unfamiliar with the regulation, since most in our sample indicated they do business only in Canada. A follow-up question revealed that only 13 per cent made changes in how they manage data in response to GDPR.

Level of familiarity with European GDPR regulations

8% Very familiar
22% Somewhat familiar
23% Not very familiar
43% No knowledge
4% Don't know

On the positive side, 58 per cent were familiar with PIPEDA. Conversely, 38 per cent of respondents indicated they are unfamiliar with it. This is a surprisingly high number given that nearly 60 per cent reported collecting personal data of customers, suppliers, vendors or partners. The November 2018 changes will require Canadian commercial organizations to report breaches of security safeguards that pose a real risk of significant harm to the Privacy Commissioner, notify the affected individuals, keep records of every breach, and be able to demonstrate that they have the appropriate technology and processes in place to protect the personal information they collect.

These changes completely transform the risk profile for Canadian businesses, and given the number of respondents that expressed confidence in their cybersecurity preparedness, we wonder if they might now change their minds.

Level of familiarity with Canada's PIPEDA regulations

17% Very familiar
41% Somewhat familiar
22% Not very familiar
16% No knowledge
4% Don't know

How large is this risk to personal data? In our sample 59 per cent indicated that they store personal information.

Cybersecurity: Made in Canada

As part of our mandate, CIRA believes that the Canadian internet must be fast, accessible, safe and secure. For Canadian businesses to fully take advantage of the power of the digital economy, they can’t have networks filled with malware.

We asked survey respondents a few questions about the importance of Canada and Canadian solutions in their cybersecurity plans.

Data sovereignty

Data sovereignty refers to the idea that data created by Canadians for the exclusive use of Canadian organizations, businesses and governments should not have to leave Canada in order to move around the country.

Many Canadians are unaware that a portion of Canada’s network infrastructure moves data through the United States while en route to another destination in Canada. That email you send your cousin in Ottawa from your condo in Toronto may very well pass through Chicago before reaching its destination.

With this in mind, half of our survey respondents were concerned about the prospect of their data being routed or stored outside Canada. When we asked them about the purchasing decisions around network and security services, 84 per cent said they choose Canadian companies when outsourcing their IT needs. A full 73 per cent make an effort to identify a Canadian firm first when making IT or cybersecurity purchases.

Most importantly, 58 per cent of respondents felt that keeping Canadian internet traffic in Canada can help with cybersecurity. With legislation like PIPEDA in mind, it is important to remember that any time your data crosses an international border it is subject to the laws and regulations of that country—and not every country shares Canada’s values.

Having made-in-Canada infrastructure means you know where your data flows within Canada and that increases your security posture.

Jacques Latour, chief technology officer, CIRA

Summary: Canadian businesses are confident but the landscape is changing

The good news is that Canadian small and medium-sized businesses are aware of the risks associated with cyber-attacks, worried about their impacts, and largely satisfied with their current level of preparedness. The bad news is the world of cybersecurity does not stand still. Changes in legislation, shadow IT, and new attack vectors are constantly popping up that require ongoing vigilance and adjustments.

We see, on average, that Canadian small and medium-sized businesses are investing more in cybersecurity by hiring more staff and implementing more security technology. The analysis does suggest some good reasons why they should not feel quite as confident as they do. Not nearly enough Canadian businesses have a formal patching policy to close known vulnerabilities before they are exploited. Many are unaware of the pending changes to PIPEDA, and the risks associated with them. And while shadow IT isn’t an unknown entity to most of our respondents, it is impossible to know the full scope of the problem.

If you have read any of our riveting marketing material in the past, you will know we’re a big fan of layers. Cybersecurity requires not one solution but a variety of products that protect different layers of the cybersecurity stack and reinforce each other. So how many of these layers are Canadian businesses deploying? What policies and products are they putting in place to protect themselves?

We believe in building products and solutions for the Canadian market, to solve uniquely Canadian problems. Our suite of cybersecurity solutions is specifically built with Canada in mind. Our more than 20 years of managing the .CA has allowed us to deploy our expertise in managing and protecting the DNS to create products like D-Zone DNS Firewall, a critical layer of your cybersecurity footprint.

By reporting on cybersecurity trends and data we hope to continue to build up Canada’s cybersecurity capacity—in knowledge, people and solutions—to ensure our internet remains strong and free.