How secure Canadian companies feel about their IT security is a source of constant debate: surveys range from confident to apprehensive, and it often depends on whether there's been a recent large-scale network intrusion.
The latest is a global survey of IT security practitioners from security vendor Websense that included 5,000 respondents from 14 countries including Canada, the U.S., France, the U.K., China and India. It has some sobering results.
Just over one-third of the Canadian companies that participated said they had experienced one or more "substantial" cyber attacks in the previous 12 months that infiltrated networks or enterprise systems. By comparison, 44 per cent of all respondents said they had suffered a substantial attack.
More than half of the 236 Canadian respondents (56 per cent) believe cybersecurity threats sometimes fall through the cracks of their companies' existing security systems.
Only 29 per cent of Canadian respondents could say with certainty that their organization lost sensitive or confidential information as a result of a cyber attack. Twenty-seven per cent of those who had lost sensitive or confidential information did not know exactly what data had been stolen.
Among the other findings:
- Fifty-six per cent of Canadian respondents didn't think their organization was protected from advanced cyber attacks; 59 per cent doubted they could stop the exit of confidential information;
- Forty-seven per cent of respondents said their companies don't have adequate intelligence or are unsure about attempted attacks and their impact;
- Less than half (43 per cent) believe they have a good understanding about the cyber threats facing their organization;
- Thirty-nine per cent said their security solutions do not inform them, or they are unsure whether their solution can inform them, about the root causes of an attack;
- Seventy-seven per cent of Canadian respondents say their company's leaders do not equate losing confidential data with a potential loss of revenue.
Jeff Debrosse, Websense's director of security research, said in an interview the survey suggests IT professionals in 14 countries believe they don't have the resources to fight cyber attacks. Overall, 66 per cent of respondents feel threats can fall through the cracks in their organizations' defences. That means, he said, that the 44 per cent who apparently think things are fine could represent a false sense of security.
"Everyone's got security challenges," he said, and eventually an attacker will get through. That's why layered defences are important.
The problem with surveys like this is sometimes they have conflicting answers. For example, 47 per cent of Canadian respondents said their companies don't have adequate IT security intelligence or are unsure about attempted attacks and their impact. Yet 43 per cent believe they have a good understanding about the cyber threats facing their organization.
Debrosse said that could mean respondents have doubts about their company's security platform, but are confident about their own security knowledge level.
Given the regularity of attack disclosures, it's logical that many IT pros are insecure. Debrosse agreed, saying some think that because we've been struggling with hackers for over a decade, IT should be really good at defense. But it's a fluid situation, he said, with attackers moving "incredibly swiftly."
Among Websense's recommendations:
- organizations should deploy an all-encompassing defense strategy that incorporates web, email and mobile channels – and don't focus on just one;
- assess security solution capabilities and deployments against a comprehensive kill-chain model to eliminate gaps and minimize excessive overlap;
- educate staff on the seriousness of cyber attacks to reduce high risk behavior.
"Some people tell me it's a losing war," Debrosse added. "I don't subscribe to that" – because if we do, he added, "then the attackers have gained a foothold."