This year, the number of reported security incidents dropped by 22 per cent among large businesses in Canada, compared to 2013. That might sound great, but Canadian businesses also saw a 15 per cent drop in its security incident detection rate – and that might mean they’re not being vigilant enough.
Last week, PricewaterhouseCoopers (PwC) and publications CIO.com and CSOonline.com released the results of their annual global survey on the state of cybersecurity. Their report combined research on attacks in 2014 alongside poll results from 9,700 C-suite executives in about 154 countries. About 241 of this year’s respondents were from Canada.
What this year’s report found was that there were 42.8 million attacks reported around the world in 2014 – a 48 per cent jump compared to 2013. And dating back to 2009, the survey showed there was a 66 per cent increase in attacks, year over year – and that doesn’t even account for the number of security breaches that might never be reported, or that are never even detected.
While most of the world has reported more attacks, rather than less, Canada seems to be an anomaly. However, a drop in the number of reported security incidents might actually be a bad sign for both large and medium-sized organizations alike, with mid-size organizations reporting a decrease in security incidents of 21 per cent, compared to the number of incidents in 2013.
It’s definitely possible there were simply less attacks, but it’s more likely that businesses failed to report or to catch security incidents as they happened. That spells bad news for organizations storing sensitive data, especially if it’s personally identifiable information or financial information, like customer credit card data.
However, there was a positive sign on the horizon – among small businesses in Canada, their detection rate soared by about 311 per cent during 2013. That’s good news, especially as hackers looking to breach systems for valuable data often target small businesses that are trying to protect themselves with less time, money, and staff than larger organizations.
“This improvement is critical for Canada overall, given the proportion of our economy served by this sector, and the fact that many of our large and medium sized organizations is serviced by smaller ones. This helps to address an increasing avenue of attack in the supply chain process, said Salim Hasham, partner and national cyber security leader at PwC, in a statement.
One reason for the improvement might be small businesses are investing more in their security technology, with PwC reporting they increased their spending by 21 per cent, compared to 2013.
Yet the same can’t be said for bigger Canadian organizations. Mid-sized organizations are spending 74 per cent more on their IT security, while large organizations are spending 26 per cent less. Yet both might feel they’ve been successfully warding off attacks.
That would be a dangerous assumption, researchers said. Most security incidents come from current employees, former employees, and then hackers, in that order – and then of course, there’s always the risk of information brokers causing incidents, as well as activists-come-hackers who target businesses as part of their crusades. There’s also always the potential for foreign hackers and organized crime rings to go after businesses, and they’d be more attracted to larger companies with bigger treasure troves of data.
“It’s important to understand that threats are never unidirectional. They’re becoming a blend of technology, people and processes – insiders and outsiders, direct and through supply chain. Simply having technology based defences to protection information will not provide adequate protection,” Hasham said.