Canadian companies face almost constant cyber security threats, resulting in a rising number of incidents where sensitive data is stolen, according to the findings of a new study from Scalar Decisions Inc. of more than 420 Canadian IT and security workers.
The 2018 Scalar Security Study (commissioned by Scalar and conducted independently by IDC Canada) showed that Canadian organizations are attacked in varying degrees of severity more than 450 times per year, with 87% suffering at least one successful breach. Almost half (46%) are not confident in their ability to defend against attacks.
“As cyber security breaches become the new normal, organizations can’t be complacent. Many companies are still reporting gaps in their defences despite hiring full-time security staff, which may point to a deficit in the availability of highly skilled IT workers,” said Theo Van Wyk, Chief Security Architect, Scalar Decisions. “The rising number of high-impact breaches coincides with the increasing costs of recovery.”
The study, examining the cyber security readiness of Canadian organizations and year-over-year trends in handling and managing growing cyber threats, also found:
Of the companies that suffered a security breach, 47% had sensitive data stolen.
One-in-five breaches was classified as “high-impact”, where sensitive customer or employee information was exposed.
36 percent of respondents are not confident in their company’s ability to respond to security breaches.
The average company spends $3.7 million in direct and indirect costs to recover from security breaches.
One-fifth of smaller organizations believe they don’t have enough resources to effectively defend against attacks.
Firms dedicate about 10% of their IT budgets to security spending.
A majority of respondents do not train employees to identify attacks, such as phishing scams, or to update software with the latest security measures.
Almost three-quarters of respondents don’t comprehensively analyze how third-party relationships affect their overall cyber security planning.
“Canadian companies are getting better at prioritizing cyber security, but there is still a substantial lack of training and planning,” added Van Wyk. “Organizations need to look beyond their infrastructure and weigh the insider and third-party risks they face. If this can’t be tackled in-house, then external expertise is an efficient way to shore up their defences.”