page contents
Wednesday , 22 February 2017
Canadian companies losing cyber security battle, but opportunity knocks

Canadian companies losing cyber security battle, but opportunity knocks

Listening to the experts on the subject of cyber security, one could come away with the impression that Canada’s businesses and institutions are rather like besieged cities of ancient times, Troy, for example, surrounded, outsmarted and out-armed by their enemies, growing ever weaker and more desperate as they await the inevitable breakthrough and annihilation. It isn’t a coincidence that the ancient world’s Trojan Horse is now synonymous with innocuous-looking but deadly malware.

As if to illustrate how vulnerable companies are, Canadian Tire, one of Canada’s largest retailers, came under cyber attack this week, leaving customers unable to sign in to access various services, including credit card information and transaction history. A company statement referred a little vaguely to “unusual traffic” on the website before suspending the sign-in service. A cyber security expert told Global News that most criminals who attack companies like Canadian Tire are looking for money.

There have been many studies and reports on the problem of IT security, and the latest one, from Scalar Decisions and the Ponemon Institute, says attacks are becoming more frequent. The number of attacks on Canadian organizations has risen by about 30 per cent since 2014. What’s worse, those under attack believe that they are losing the fight. They indicate that the attacks are becoming more sophisticated, more severe, more costly, and more frequent. The average cost of remediation after an attack was $7.2 million, including “clean up,” lost productivity, disruption of normal operations, damage or theft of IT assets, and damage to reputation and image.

Mobile devices provide serious threats to organizations’ IT security.

The most serious threats to an organization’s IT security come from mobile devices and third-party applications, according to the Scalar report. This can hardly be good news to businesses, especially retailers and financial services, that are being compelled by their customers to become more mobile accessible and to offer more services via third-party apps. Consumers of financial services today demand service 24/7, from any device connected to the Internet.

This accessibility can leave them very exposed, as the man who became famous for shutting down Amazon, eBay and Yahoo when he was fifteen years old illustrated dramatically. Michael Calce (Mafiaboy) is now a consultant on IT security. He spoke at a conference in Toronto two years ago where he told his audience that he was able to gain access to a certain company’s network through an employee’s laptop as the employee passed by on a train. Calce explained succinctly why the bad guys have the upper hand; IT departments follow rules, while hackers are dangerous and win because they think outside the box. As he would know.

Another big threat to organizations’ security comes from insiders, the employees. Yet, according to the Deloitte report, 44 per cent of organizations do not even monitor individuals who have access to “sensitive” files and information.

Responses to the survey question, Where are you seeing the greatest rise of potential IT security risk within your IT environment? Source: Scalar Decisions

Whether intentionally or unintentionally, employees often provide hackers and attackers with entry into the network, usually by opening an email attachment, and even when they have been warned not to do so, as happened at the Bank of Canada when 25,000 email messages arrived containing an “invoice” from Microsoft. Five recipients opened the attachment, though the bank’s security systems prevented most targets from receiving the messages. The bank says that unless the perpetrator can activate or control the malware delivered this way, it is not considered a breach. Nevertheless, according to the Financial Post, the Bank of Canada had to fend off 15 million unwanted emails in one month in 2016, clearly illustrating how staggering the volume of attacks really is.

Employees opening email attachments remains a common way for hackers to access organizations’ networks.

 

Experts agree that reacting to cybersecurity attacks is not the answer. Prevention is. Where hacking is done for intelligence-gathering purposes, according to Deloitte security expert Robert Masse, the target usually never even finds out. Unfortunately, the majority of organizations surveyed reported experiencing cyber attacks that got past their intrusion detection and anti-virus systems, with an average of nine advanced persistent threat (APT) incidents reported. In an APT attack, an unauthorized person gains access to a network and stays there undetected for a long time with the intention of stealing data rather than causing damage to the network. The usual targets for APT attacks are organizations with high-value information, such as national defense, manufacturing and the financial industry.

Ontario has all the ingredients to become a global hub for cybersecurity innovation but has not yet reached the scale and gravity necessary to compete at the highest levels. Despite these ingredients and historically strong performance, Ontario risks losing its competitive position through failing to match the concerted efforts of governments and industries around the world that are ramping up investment and coordination in fostering cybersecurity innovation.

An opportunity for Ontario?

If there is a bright side to this crisis, it is opportunity. The federal government has recognized the need for greater cyber security. It launched a public consultation on the subject last summer. The minister responsible, Ralph Goodale, said that Canada needed to “take our cyber game to a whole new level.” He also noted that the global market for cyber professionals is expected to rise by six million in the next five years, and the market for services and products by $170 billion. At present there are few cyber-security companies in Canada: according to IT World Canada, just thirty. Israel, on the other hand, has 400. Israel has made itself the largest and most successful cybersecurity innovation hub outside the United States.

Now it is time for Canada to become a leader in cybersecurity, and Southern Ontario, home to Canada’s financial services sector and many technology companies, is the perfect place to develop into a global hub, according to a report from Deloitte. Ontario has the “world-class talent,” as well as the facilities for R&D, incubation and acceleration. Ontario “must” seize the opportunity, the report urges, for the long-term security and prosperity of the financial services industry and the economy at large may depend on it.

All the ingredients are in place in Ontario to become a global hub, the Deloitte report says, but it has not yet reached the “scale and gravity” needed to compete at the highest levels. A cybersecurity talent shortage is one challenge the province faces. Limited collaboration in applying Ontario’s R&D strengths to cybersecurity problems is another. To remedy these and other shortcomings, a cybersecurity innovation hub—a “physical centre of gravity”—should be set up to connect existing SMEs with markets and capital and to attract talent and innovators to start new IT security businesses in Ontario, the report recommends.

About Josephine Nolan

Josephine Nolan is the chief editor of Condo.ca—Canada's Condominium Magazine. You can reach Josephine via our contact form. She reads all her mail.

Leave a Reply

Scroll To Top