Canadian business lacking security strategy: Cisco study

At a time when online security breaches such as the one that virtually paralyzed Sony Pictures last week are becoming increasingly frequent and damaging, just-released data confirms just how behind the curve Canadian businesses are.

According to Cisco, 60 per cent of Canadian businesses either haven’t bothered to create a security strategy, or have one but aren’t sure it’s keeping up with rapidly-evolving technologies that are changing how IT services are consumed.

Just over one in five - 22 per cent - of Canadian businesses said they had been threatened, attacked or breached within the past year. Perhaps more frightening is the 8 per cent of businesses that reported being uncertain whether they had been similarly victimized.

“What is troubling for Canadian businesses is that these results only represent known breaches and attacks,” Warren Shiau, Director, Buyer Behaviour Research Practice for IDC Canada, which conducted the survey, said in a statement. “So it brings up the possibility that small, mid-size and even public sector organizations are actually experiencing more breaches and attacks than enterprises, but they are less aware.”

A sudden escalation

The high-profile attack on Sony Pictures forced the company to shut its email and critical business systems down and send employees home for much of last week. While the incursion is still being investigated, the FBI on Monday took the extraordinary step of issuing a confidential “flash” warning to businesses to inform them of the particularly destructive malware suspected of being used against Sony.

Unlike recent breaches involving retailers Target and Home Depot - which involved stealing customer identification and financial information - and the police services in Ottawa and Winnipeg, and the Supreme Court of Canada, whose websites were redirected, the Sony Pictures attack was explicitly designed to cripple the business. Canadian businesses that fail to learn from Sony’s experience do so at their peril.

Smaller companies, larger risks

The Cisco survey suggests smaller Canadian businesses could be especially vulnerable. While 15 per cent of all businesses don’t have a security strategy at all, 26 per cent of companies with fewer than 100 employees lack such a framework. Large companies aren’t immune from security myopia, with 31 per cent of them reporting they don’t know if their existing security strategies are able to keep up with changing technologies and needs.

“It’s concerning to see such overall confusion about security today, especially given all the new connections between people, processes, data, and things,” Ahmed Etman, Cisco Canada’s General Manager of Cyber Security, said in a statement. “But the good news is Canadian businesses have the right knowledge to make changes to their current predicament, and realize the value of the Internet of Everything.”

From bad to worse

The Cisco report points to the emerging Internet of Everything - also referred to as the Internet of Things, or IoT - as a critical inflection point for businesses that have allowed themselves to fall behind on security. If they aren’t keeping up on the very basics of security, a bad situation risks becoming significantly worse as the number of connected devices skyrockets and hackers figure out ever more creative ways to break into the mega-distributed networks of the IoT era.

“It is not a case of ‘if’ a company will be attacked, it’s ‘when?’” Fred Patterson, channel director, security, Cisco Canada, told Yahoo Canada Finance.

“The more connected the world becomes, the greater the security risk. Canadian businesses need not only invest in technologies and processes that allow for broader, faster and more reliable connectivity with their business environment, they also need to ensure they can do so safely.”

The risks of BYOD

The Bring Your Own Device (BYOD) trend compounds the security equation even further, with Cisco data suggesting less than 60 per cent of Canadian businesses are using IT solutions to keep employee-owned devices safe. In companies that specifically disallow employees from using their own equipment at work, 24 per cent of staff are ignoring the rules and hooking up, anyway. An additional 11 per cent of employees use their own devices without even bothering to check whether or not their employers allow the practice. While 64 per cent of companies with more than 1,000 employees have BYOD-centric security plans in place, that drops to 44 per cent among companies with fewer than 100 employees.

“Without proper security and controls, the weakest link can jeopardize more than just themselves,” Patterson said. “If a company does not secure their network and doesn’t consider an evolved security model for today’s threats and tomorrow’s network, they jeopardize the company, its employees, its customers, and partners.”

The combination of an external technology environment that’s becoming ever more threatening and an internal one that’s becoming increasingly complex means the stakes have never been higher for Canadian businesses. Unfortunately, too many companies here seem either unable or unwilling to recognize the risk, or do anything tangible about it.