Cyber-threats are not new, but it is hard to excuse the attacks that dominated the headlines over the past year: distributed denial-of-service attacks launched against the financial industry or the advanced threats targeting government, corporate users and vulnerable technologies. Cyber attacks threaten every industry in every country around the world – and Canada is not immune.
The C-Suite survey, however, finds only 40 per cent of Canadian executives are concerned about cyber security threats and only 38 per cent believe their companies could be targets.
Canadian executives are also confident that their organizations are well-prepared to protect themselves from cyber crime. One of the reasons may be that almost half of Canadian companies continue to increase their annual cyber-security investments and 27 per cent of those have done so by more than 30 per cent.
The top areas of spending? IT equipment, security devices and software. This, despite the fact that 88 per cent of respondents agree cyber crime extends beyond technology.
Today, leading organizations around the world view cyber security as a "whole business" issue, focusing their efforts on three key areas above and beyond IT:
- Awareness training. Many organizations ensure employees are aware of the cyber threats they are likely to face, so they can remain vigilant and avoid falling prey to end-user attacks such as spear-phishing or clicking on malicious links embedded in e-mails. What many companies often overlook is targeted training for high-risk user groups and third parties, which can significantly enhance an organization’s ability to resist cyber threats.
- Response procedures. Organizations no longer assume they won’t be victims of cyber-crime. Instead, many are tracking how long it takes them to identify an attack after it occurs and how well they respond to it. This includes documenting and rehearsing response processes so that employees and third parties understand what they need to do to qualify, contain and recover from an incident. This is something that should be done from an organizational standpoint, but also at an industry and country level to address cyber threats that have broader implications.
- Making sense of security data. Most organizations generate large volumes of security data every hour, and struggle to identify which are the real threats they should focus on. Companies are further challenged by having to make sense of external information about upcoming cyber attacks targeting the organization, industry, country or the globe. Many are now turning to cyber intelligence to provide external context to their security data, early warning on emerging threats and analytics to ensure they focus on the material threats and truly protect their organizations.
While many companies are looking to gain more intelligence on their own, the latest survey shows Canadian organizations see a role for the government to assist in this area. If industry identifies cyber threats, that can benefit the government. This underlines the opportunity for government and business to collaborate and improve cyber security in Canada.
Kevvie Fowler is a partner in KPMG's forensic technology practice and an expert on cyber-security and data analytics. The 31st quarterly C-Suite survey was conducted by Gandalf Group, sponsored by KPMG, and published by Report on Business and BNN.