Nearly two-thirds of Canadian companies failed to report cyber breaches during COVID-19


Sixty-four per cent of organizations failed to report cyber breaches this year, over fears of reputational damage at a time when more customers are seeking service online, a cybersecurity expert explains.

According to a recent Canadian Internet Registration Authority (CIRA) survey on cybersecurity measures within companies, only 36 per cent of organizations that experienced a data breach reported it, a decline from 58 per cent in 2019.

Spencer Callaghan, a spokesperson at CIRA, said in an interview that some organizations don’t have to report breaches because of how the rules are framed in the Personal Information Protection and Electronic Documents Act (PIPEDA).

“Some rules don’t apply evenly to all organizations, therefore there could be some variance in the data based on certain organizations that aren’t required to report,” he said.

Sumit Bhatia, director of communications and knowledge mobilization with Ryerson's Cybersecure Catalyst, said in an interview that these numbers were a “reflection of how COVID-19 is truly impacting organizations.”

Bhatia said a lot of businesses, especially right now, rely on digital technologies as their primary way of communicating and connecting with their customers, so when a cybersecurity breach occurs it can have a “reputational impact” with customers.

“For example, if Hudson’s Bay is now depending largely on selling products through their online e-commerce channels, if they were to report a [cyber] breach, there would be a direct impact on people’s ability to trust them to buy from them online,” Bhatia said.

Bhatia added that because of economic pressures coming from the global pandemic, many businesses are not reporting cyber breaches and are instead trying to deal with them on their own.

“It’s also economic in nature when you experience a cyber breach, you go through a process by which you have to invest money in fixing your problem and addressing your customer needs,” he said.

Companies don’t want to face regulatory penalties

CIRA, a member-based not-for-profit organization known for managing the .CA domain, noted that if fewer organizations are willing to report breaches to a regulatory body, it will strain the future of privacy legislation in Canada.

“If companies are already wary of the tougher data breach reporting, and willing to risk penalties associated with the abdication of their responsibilities to file a report rather than face the certain regulatory hammer of making a report, future modernization of the privacy act could be difficult to enforce,” the report said.

Daniel Therrien, Canada’s Privacy Commissioner, recently stated that the country’s privacy laws are not robust enough to protect Canadians against data breaches as more people work from home due to COVID-19. He called on the government to take action in amending the privacy act, which hasn’t been done since 2015.

According to a July VMware survey, 99 per cent of organizations said they suffered a security breach in the last 12 months, and that 98 per cent planned to increase cyber defence spending in the coming year.

However, according to the CIRA report, which surveyed 500 IT security professionals, only one-third of workers are expecting an increase in human resources devoted to cybersecurity. That is down 45 per cent from those anticipating more resources in 2019.

Bhatia said he was surprised to see that companies were spending less on increasing resources to fight cyber breaches, especially during a time when companies are likely to face more.

“Companies are starting to believe that if they buy the right platforms, the right technology, then the automated portions built within these technologies can somehow replace the work of humans,” he said.

“But that is not the case. Time and time again what we are seeing is that there’s a certain level of involvement, especially at level one threat that is very important for human beings to be involved in identifying issues that AI or technology by themselves cannot. It seems that companies are investing in architecture, infrastructure, but not necessarily in cybersecurity people.”
