Despite shocking stories of Chinese computer espionage and U.S. Government data surveillance, Canada's top corporate executives remain relatively unconcerned that their businesses are vulnerable to cyber attacks.
The latest C-Suite survey of business leaders shows that cyber-security is not a serious worry for a majority of those sitting in the nation's corner offices.
Only 40 per cent say they are very or somewhat concerned about cyber-security threats to their companies. Even fewer say they think that businesses like theirs will likely be a target of an attack on the corporate computer system. And more than 90 per cent of those who responded are confident in their organization's efforts to protect their business from these threats.
For David MacDonald, CEO of Toronto technology service firm Softchoice Corp., this complacency reflects a mistaken belief among his fellow business leaders that their systems are not vulnerable.
"The attention that the C-suite is paying [to this issue] is not substantial enough, given the risks in the marketplace," he said. "There is example after example of companies that have been hurt electronically through denial-of-service attacks or through theft of confidential information."
Mr. MacDonald said his own firm is constantly looking for weaknesses in its firewalls or security environment. For one thing, he said, Softchoice makes sure no crucial data is moved to public storage environments such as Dropbox.
The survey showed that executives are most concerned with protecting employees' personal data, and making sure that their websites and electronic communications remain reliable. Surprisingly, concerns about customer information fall much lower down the list.
That too is a mistake, Mr. MacDonald said. Customer data, he suggests, is the most crucial kind of information to protect. "The potential damage to a brand by having customer information purloined, is very severe," he said. Customers "expect us, and rightfully so, to manage their information … in a very rigorous way."
The biggest threat to corporate cyber-security comes from individual criminals who want to commit fraud to break securities rules, the C-Suite respondents suggested. They also worry about politically motivated hackers, foreign and domestic competitors, and organized crime. Foreign governments and their own employees are further down the list of potential cyber-hackers.
Greg Hawkins, CEO of Yellowhead Mining Inc., agrees that companies should not be complacent about cyber threats. Firms that think they have the situation completely under control "are living in la la land," he said. "When you read about what is going on in the United States, you realize you don't have a clue about what is going on in cyberspace."
Still, Mr. Hawkins is not convinced that there is a lot his company can do to stop a determined hacker, and he doesn't think any system can be completely secure. "You just have to accept the fact that [electronic data] is virtually public," he said. The key, Mr. Hawkins said, is to use a common sense solution: "Just be careful what you post and distribute electronically. If you don't want people to know about it, don't put it there."
Michael Lambert, chief financial officer of Alberta-based fuel distributor Parkland Fuel Corp., said he thinks the apparent lack of concern among executives about cyber-attacks reflects the fact that many of them are indeed well-prepared for such threats.
"Most executives aren't concerned because they are very well-protected," Mr. Lambert said. "It is not that we are cavalier about it, it is that companies are well-protected." Parkland has made sure it has the budget to evaluate risks and mitigate them with the proper protection, he said.
When it comes to the role of government, only about a third of survey respondents said they are confident that federal institutions and law enforcement organizations will protect business from cyber threats.
It makes sense not to expect government to lead on this issue, said Kevvie Fowler, a partner in forensic technology at KPMG, because almost 90 per cent of Canada's critical computer infrastructure is in private hands.
What Canada needs is far more sharing of cyber-threat information between companies, Mr. Fowler said. "Talking about security threats and breaches has been taboo," he said, but now it is crucial that firms talk to each other about "lessons learned, what they have done, what has worked and what hasn't worked." Financial services firms have begun to do this, but others need to catch up, he said.
Over all, Mr. Fowler said, the dramatic news stories about computer hacking have been valuable in raising awareness among corporations, right up to the most senior positions. "It is now a board-level issue," he said.