IDC Global Research – 90% of Canadian Companies Breached Last Year

IDC Canada Study reports high costs, rising frequency of security breaches for Canadian companies

IDC Canada, the largest global research firm in Canada, conducts an annual independent cross-industry research survey of IT security and risk and compliance professions annually. Their recent report found that the issue of security breaches is far more serious than most had anticipated. Scalar Decisions commissioned the study recently published the report, The Cyber Security Readiness of Canadian Organizations. It is the fourth annual 2018 Scalar Security Study conducted by IDC Canada and essentially provides the foundational data for security leaders and analysts to gauge year-over-year changes in cyber threat and defense.

The introduction of the report states plainly how serious IDC Canada now views the security issue: “The fourth annual study of the cyber security readiness of Canadian organizations has found IT departments at a tipping point. The consequences of being unprepared for a breach now greatly outweigh the costs of a well-managed security program.” Further, the study reveals several key findings, including rising costs of a security breach, persistent critical security weaknesses, and a shifting organizational approach to handling IT security responsibilities and tasks. However, the piece of data that jumps out of the report is that 87% of those surveyed suffered at least one successful breach, and almost half of companies are not confident in their ability to defend against attacks.

Rising Costs and Frequency of Cyber Breaches

IDC Canada reported that cyber-attacks are rising in both frequency and cost. They found that not only do many organizations face more than one attack per day and suffer multiple breaches per year, but also that the recovery cost of a breach averages $3.7 million per organization

in direct and indirect costs. Their findings match other industry estimates – the recent “Cost of Data Breach Study” released by the Ponemon Institute reported finding an average total cost of a data breach at $3.62 million.

Of the survey respondents, the average number of attacks per year was 454.75, resulting in an average of 9.33 breaches per organization per year. Respondents also reported that of those breaches, more than 20% were high impact incidents that resulted in a loss of sensitive data.

One potential solution that organizations are choosing to secure their environment in the face of this rising threat is encryption: data security methods like encryption were the top choice for protective technologies selected by respondents.  

Cost of Cyber Breach Continues to Rise

As suggested, the survey found that the average cost of a breach was $3.7 million, which was broken down into an average of $215,080 directly addressing the breach and $3.5 million in lost revenue and profitability, which was comprised of network/infrastructure/end-user downtime, time spent recovering from the breach, files and records compromised, and sensitive data compromised. These costs are likely to continue to rise, with some industry experts predicting costs as high as $150 million per breach by 2020.

One other tactic organizations are choosing as breaches continue is cyber insurance: while premiums for cyber insurance totaled $350 million in 2007, the market has grown tenfold and now totals $3.5 billion. According to a recent Morgan Stanley forecast, the market will be worth $8 billion -$10 billion by 2020.

Cyber Vulnerabilities Continue – High Frequency of Traditional Weaknesses

The IDC study also found that only 11% of organizations responded that they were highly confident in their ability to detect and respond to cyber security breaches once the attack is in progress. Based on survey responses, several traditional security weaknesses still challenge organizations today:

• Third Party Vendor Management – Only 26% of organizations responded that they comprehensively consider key suppliers and third-party relationships as part of security planning. Third parties have been and continue to be a top attack vector; from the HVAC company used to compromise Target credit cards in 2013 (110 million cards compromised, $450 million in costs) to the third party chat javascript that compromised Ticketmaster just this month (40,000 cards compromised).
• Training and Awareness – Only 26% of respondents conduct formal training for employees for phishing and other scams. Phishing has become the most common and most successful tactic used by attackers. Nearly 90% of data breaches seen by Verizon’s data breach investigation team have a phishing or social engineering component to them. Recent, notable attacks include the breach of Saks Fifth Avenue and Lord & Taylor, which resulted in 5 million cards compromised after attackers gained access to their network for over a year.
• Patching – Only 29% of organizations have established formal training and processes to frequently update PCs and smartphone OS and apps. In addition, a majority of organizations responded that they take a year or longer to patch known vulnerabilities in web applications. Effective patching processes are a top security measure to remediate known vulnerabilities, another leading cause of security breaches.
• Threat Management – Ransomware was a top threat in 2017, continually making front page news during the WannaCry and NotPetya outbreaks. Yet only 20% of organizations surveyed said they were concerned about Ransomware attacks. A formalized cyber threat management program can be a key element of any risk management program, to track the most prevalent and recent threats facing the organization.

Small Businesses Are Taking Cybersecurity More Seriously

The survey did reveal that most organizations are taking IT security more seriously. Over 50% of respondents reported that over 10% of their annual IT budget was devoted to security. Small organizations, those with an average headcount of 95 now report having at least one full time employee dedicated to security.

In addition to increasing in-house resource dedication to security, organizations responded that they are increasing their use of externally managed services. Security device management, managed threat intelligence, and managed data loss prevention were all adopted by nearly half of surveyed organizations.

Although small organizations are have made progress to dedicate at least one staff member full time to security, they still lag behind larger organizations in the effectiveness of their security resources. The survey found that while less than 5% of medium and large organizations rated their security staff as ineffective, 23% of small organizations rated their staff as ineffective. Based on this it is likely that smaller organizations may be open to attack as they continue to be a top target.

Less Than a Third of Organizations Conduct Penetration Tests

One surprising statistic from the survey was that only 32% of organizations reported using external penetration tests. Penetration testing can provide a risk reduction for organizations by revealing vulnerabilities, showing the real risk of vulnerabilities, testing cyber-defense capability, offering deep, diverse threat defense techniques and processes, and helping organizations comply with regulations and certifications. Benefits include:

• Uncovering critical vulnerabilities in your environment – Penetration testing helps organizations to discover where they are potentially vulnerable to cyberattacks and provides recommendations on how to improve security posture.
• Prioritizing and tackle asset risks based on their exploitability and impact – A penetration test identifies a detailed listing of exploitable vulnerabilities and includes a risk-based prioritization of recommendations to help organizations improve protection levels in the short, mid and long-term.
• Meeting compliance with industry standards and regulations – Annual penetration testing is a common compliance requirement. Common compliance frameworks include ISO 27001, NIST, FISMA, HIPAA, Sarbanes-Oxley or the Payment Card Industry Data Security Standard (PCI DSS), which requires annual as well as ongoing penetration testing.
• Keeping executive management informed about an organization’s risk level – Executive management and the board of the directors need to be informed about how well protected their organization really is against potential attacks.

 

Conclusion

The IDC Canada Study reveals important insights into the current state of cybersecurity defenses as well as year over year changes. While organizations have made important strides to take their defenses more seriously with more resources and staffing, they still struggle with traditional vulnerabilities like third party management and patching. With the costs of breaches continuing to rise, organizations would do well to continue to implement key defensive measures, including baselining their defense posture with a comprehensive penetration testing.