Threat detection and response falling short, says expert sharing best practices for employers
Cyber criminals are becoming more cunning.
While the number of cyber attacks dropped to 344 in 2023 from 419 in 2022, they resulted in a greater number of breaches at organizations, jumping from a 12-month average of 13 in 2022 to 30 in 2023, reports tech solutions provider CDW Canada.
Overall, 7% to 10% of all cyberattack types were successful, a significantly greater “hit rate” of success (the number of attacks that result in a breach) than in previous years.
“What we're seeing is a real shift from a widespread attack model to a more sophisticated attack model,” said Ivo Wiens, practice lead for cybersecurity at CDW Canada, in talking with HRD Canada.
“They're just getting better at getting at [valuable] data, spending less time on less valuable data to them and spending more time looking at critical data that they can have access to, and getting access to that.”
Recently, the records of about 55,000 past and present certified and permitted teachers in Nova Scotia — including name, address, date of birth, years of service and educational background — were stolen in the MOVEit cyber security breach that affected at least 100,000 workers.
It seems employers are not doing enough to protect themselves from breaches, finds CDW Canada’s survey of over 500 IT security, risk and compliance professionals.
For instance, 54% of organizations store internal data, 36% store sensitive (confidential) data and 28% store secret (highly restricted) data in the public cloud. Yet, organizations only spent on average 13% of their security budgets on securing cloud environments.
“Cloud infrastructure allows businesses of all sizes to scale and be agile in hybrid and remote work environments,” said Wiens. “However, rapid adoption without necessary security practices leaves an organization’s sensitive data easy for cyberattackers to access.”
Another issue is that threat detection and response are falling short, giving cyberattackers more time to access and steal personal, financial and intellectual data, or disrupt business processes with ransomware.
Only 2% of employees report possible email attacks, according to a previous report.
The average time to detect a cyberincident is 7.1 days, while responding to an attack takes 14.9 days. The average time to recover is 25.6 days, putting the average incident management time at approximately 48 days total.
Compounding the problem is the talent shortage in IT security. Nearly two-thirds (62%) of Canadian organizations say the skills gap has reduced their ability to prevent security incidents.
There will be 3.5 million unfilled jobs in the cybersecurity industry through 2025, according to Cybersecurity Ventures.
On average, a ransomware event costs employers $1.4 million across organizations of all sizes in Canada, said Wiens.
Also, the cost of damages resulting from cybercrime is expected to reach $10.5 trillion by 2025, according to Cybersecurity Ventures.
But the problem is bigger than that, said Wiens.
“The real, intrinsic loss here is the loss of trust [in] organizations when a major event happens. When your services are unavailable, customers don't have the same patience they did and loyalty that they did many years ago.
“If your service is unavailable, for one reason or the other, they'll move on to the next thing. Or if your brand has been tarnished by a cyber attack, it takes a while for you to regain the trust of your customers to put their credit card numbers in your site.”
One in five large Canadian companies are "underprepared" for a cyberattack, according to a previous KPMG report.
“Organizations don't consider a breach as something that will happen; they say it's something that could happen, something that might happen,” says Wiens.
“Organizations need to shift the mindset to say, ‘When it happens, what are we going to do?’”
Here are some things employers can do to fight off cybersecurity breaches, according to Wiens:
Educate workers about data: “You can never underestimate cybersecurity awareness. End users need to be aware of the data that they have access to, that they're protecting. Not only [IT] personnel, but also [employees] as well. As good custodians of this data, how we share it, how we manage it, what we click on, and how we do what we do is super important.”
Suppress emotional reaction to breaches: “Typically, ransomware events or phishing attacks could come through… It causes an emotional reaction. When you have that emotional reaction, take a pause, and trust but verify. Always be ready to react when that happens.”
Use multi-factor authentication: [It] “is still super important, and deploying that within environments is key and it will soon be part of more and more regulation controls.”
Invest in great technologies to protect users: “It's super important that organizations look at how they can protect data in the cloud. Be it by bolstering the native controls in the cloud, but on top of that, there's also a lot of good security you can do with third party vendors. Third party vendors that already protect your offline environment have solutions for protecting the cloud. It's just a matter of having that conversation.”