According to a study by Statistics Canada, more than a third of Canadian businesses surveyed claim to have suffered a significant data breach in the past year that could put their clients or organization at risk.
That figure could be even higher, as the same study found that 56 percent of the 236 Canadian respondents said they believed that threats sometimes went undetected.
“Even the best-protected networks have regular security incidents,” Jeff Debrosse, director of security research for Websense, told the Canadian Press. “It’s a 24-7 onslaught. It’s a barrage of attacks and attempts to penetrate the defenses.”
Debrosse said that it is a real challenge for organizations to understand their vulnerabilities, much less prevent breaches. Though technology is improving, he stressed the importance of sharing information regarding attacks within and among organizations.
“It’s not just about the vendors; it’s about creating this ecosystem of threat intelligence. And that’s a very important area of focus today,” Debrosse says.
Statistics Canada’s report, which was commissioned by Websense, found that one quarter of those reporting a breach said that client or proprietary information had been corrupted, stolen or accessed without authorization. But again, the actual figure could be even higher, as some companies are reluctant to report cyberattacks out of fear of losing customers.
Two recent, highly publicized Canadian cyber breaches involved the federal government. At present, there is no federal law requiring private companies to disclose breaches to the government or those affected. But that could change with Bill S-4, the Digital Privacy Act, now before Parliament.
The act would make it mandatory for federally regulated businesses and federal government agencies to report significant breaches to the federal privacy commissioner and to customers and clients whose private information was leaked.
The report also found that 89 percent of the respondents said they personally know another security professional whose company had sensitive or confidential data stolen as a result of an inside threat.
How can a business prevent such breaches? It all begins with awareness. The survey found that 23 percent of the Canadian cyber security teams never speak with their executive teams. Of those who do, nearly half do so only annually or semi-annually, while a mere two percent speak weekly with executives about security.
“If the conversation is happening less than monthly,” Debrosse says, “that’s a pretty significant problem.”
There needs to be an ongoing assessment of what personnel, software, hardware or outside security vendors are required to handle the risk. Management also needs to understand the potential costs of a breach so that they can be included in the company’s financial decisions regarding security.
“If they’re not calculating the probability of a cyber event (and) loss due to various incidents, when they’re hit with one of them it is a major ordeal,” Debrosse says.