What Canadian businesses must learn after spending $14B on cybersecurity

Like the rest of the world, Canada is becoming more digital. According to a 2017 review by The Information and Communications Technology Council (ICTC), the real gross domestic product (GDP) produced by the country’s information and communications technology (ICT) sector reached $74.7 billion in 2017. That’s $2.43 billion more than the previous year, and the substantial growth seen over the past five years indicates that this trend will continue as ICT adoption deepens across all of Canada’s economic sectors.

However, this rise in economic opportunity also increased the scale and proliferation of cybercrime. To illustrate, a 2017 report from the Canadian Chamber of Commerce stated that among organizations who participated in the survey, those who reported losing over $1 million in cybercrime costs went from 1% in 2014 to 7% in 2016. Additionally, a 2018 report by PricewaterhouseCoopers noted that 55% of their Canadian respondents admitted to being victims of fraud or financial crime in the last two years. This is 18 percentage points higher compared to their 2016 report.

To address this growing challenge, Canadian firms spent over $14 billion on cybersecurity in 2017. While notable, this amount is actually less than 1% of their combined revenues. However, investment in cybersecurity may increase if they embrace these four critical lessons:

Ensuring cybersecurity is a continuously evolving endeavor
According to a FICO survey, ICT executives allocate their cybersecurity budgets mostly for point-in-time assessments, which are snapshots of their IT system's vulnerabilities. This led, in part, to 80% of surveyed Canadian firms claiming they are better prepared for security breaches than their industry rivals.

FICO Canada’s vice president and managing director Kevin Deveau did not share their positive outlook. He stated: “It’s alarming to learn that organizations are overly confident in their cybersecurity preparedness.” This is echoed by an Accenture survey that found that “most Canadian companies do not have effective technology in place to monitor for cyberattacks and are focused on risks and outcomes that have not kept pace with the threat.”

It's no surprise that security experts are saying this because point-in-time assessments are quickly outdated and don’t reflect what happens in between assessments. Moreover, organizations tend to become more stringent in their security measures and regulatory compliance only when preparing for a review. The point-in-time assessment thus tends to paint a false picture since that is not what they do during normal, day-to-day operations.

To truly have a strong security posture, Canadian firms must adopt comprehensive cybersecurity systems that continuously monitor the entire organization for threats. Many subpar cybersecurity service providers only offer knowledge-based intrusion detection systems (IDSs). They just look at signifiers of previous cyberattacks and can’t anticipate new ones.

By contrast, more reliable firms like XBASE complement knowledge-based IDSs with behavior- or anomaly-based ones. These systems refer to a baseline of normal activity to recognize aberrant behavior and identify intrusion attempts that a knowledge-based IDS alone can miss.

Being small can actually make you a bigger target
If you’re an owner of a small- to medium-sized business (SMB) in Canada, saying that “cybercrime will not happen to me” is merely wishful thinking. Ransomware attacks are on the rise as criminals increasingly target SMBs. This is because they do not have full-time ICT staff or use up-to-date software solutions.

Furthermore, losing revenue due to ransomware-induced downtime is more devastating to SMBs. According to a 2018 Scalar Security study, each small business that was breached last year suffered an average of 59 cumulative downtime hours and lost approximately $1.1 million in revenue.

Of course, preventing cybersecurity breaches before they happen is the best option of all. Also, large and small businesses alike must have cybersecurity insurance that covers all likely risks. Among many things, this type of insurance serves to protect against damage caused by hackers that still manage to get through despite the best of defenses.

Non-compliance to privacy regulations can mean costly litigation
Only 10% of StatCan respondents that were affected by a cyberattack reported it to law enforcement agencies. This number is expected to shoot up since the federal Personal Information Protection and Electronic Documents Act (PIPEDA) now requires firms to keep records of security breaches and report such instances to the Privacy Commissioner of Canada.

It is also mandatory for organizations to give prompt notice to individuals affected by the breach if it poses a danger to the latter. This is to help people make arrangements so that they can prevent having their identities stolen or their sensitive personal information leaked.

If a person suffers significant harm because they were not informed of the breach, they can file a complaint against the erring firm and even go so far as to bring it to Federal Court. A single civil lawsuit from one individual can bring a small business to its knees. And even if the firm survives, its damaged reputation may be irreparable.

Security breaches affect consumer trust
In 2017, Accenture’s Canada Cybercrime Survey found that more than half of its respondents curb their use of online services because they are afraid of cybercrime. This is not surprising, considering that 36% of them said they’ve been targets of at least one cybercrime attempt, and that 19% of the respondents claimed they’ve actually been victimized by cybercriminals.

This illustrates why Canadian businesses must demonstrate to customers that doing business with them is safe. $14 billion may sound like a huge number, but the return on cybersecurity investment is dramatically higher if this 50% of consumers become less fearful online and participate more actively in the digital economy.

For cybersecurity that you can rely on, turn to XBASE Technologies. Contact us to learn more about the comprehensive protection your organization needs.