For millions of Canadians, the global pandemic shifted many of our daily activities online: work, school, leisure, entertainment, shopping, and accessing business and government services. This historic digital shift presented an incredible opportunity for cyber criminals. And it appears few Canadian companies were prepared for it.
A recent poll conducted by KPMG in Canada for Cyber Security Awareness Month revealed only 39 per cent of businesses are "very confident" in their ability to detect and respond to a cyberattack. While that number may seem low, I would venture to say that it's actually a lot lower in reality, based on what I see in the field. While some businesses might be able to respond to minor cyber incidents, there's generally a lack of strong cyber controls among Canadian companies, especially for major events like ransomware attacks.
A strong cyber security playbook is key
This lack of preparedness for major cyberattacks likely stems from the fact that only 56 per cent of companies in our survey report having comprehensive playbooks and running regular cyberattack simulations. That leaves 44 per cent of Canadian companies without a tested plan for responding to an attack. Of course, there are different types of playbooks for all sorts of situations. Some companies might have strong playbooks for specific scenarios like phishing attacks, for example, but what they're not paying attention to is alternative attack vectors that can come out of nowhere. The unexpected, if you will.
Our cyber security team at KPMG in Canada does regular "war-gaming" with clients where we run through cyberattack simulations and test their cyber security playbooks. Often, what we find is that their playbooks are too narrowly focused and don't allow for different types of situations. Sometimes, when we throw a company a curve ball during one of these simulations, they don't know how to react. If a company's cyber security playbook is too restrictive, it can be a problem.
The benefits and risks of outsourcing
One common solution for companies is to outsource certain cyber security functions to a managed security service provider (MSSP). Our poll revealed just over half (51 per cent) of companies partially outsource or co-source their cyber security functions, and nearly one quarter fully outsource. We've seen companies increasingly outsourcing to MSSPs, beginning first with their monitoring controls, then slowly adding more functions over time.
Outsourcing cyber security functions to an MSSP can be beneficial, as long as companies are selective about who their provider is and what functions they're handing over to them. Too often, companies leave too many cyber security responsibilities to large MSSPs that serve numerous clients. The result is often poor-quality work. KPMG regularly stress tests third-party providers, and what we often find is that they are not meeting the objectives they were engaged to deliver. Outsourcing a function does not outsource accountability for it, so the contracting company still has to verify that the provider is performing.
Build a strong cyber culture
Another reason Canadian businesses are not prepared to handle cyberattacks is their cyber culture—or lack thereof. Our survey revealed only 38 per cent of organizations say cyber security is "deeply embedded" into all aspects of their business. Again, that number might seem low, but when I see what's actually happening in the marketplace, it's clear to me that it's much lower than 38 per cent. I know only a handful of organizations that would be able to confidently say that cyber security is at the heart of everything they do.
Perhaps the term "deeply embedded" is not well understood among business leaders who don't come from an IT or cyber security background. It means organizations instill cyber security into all aspects of their business, from new plans and projects through to the implementation and execution of those projects and ongoing operations. A strong cyber security culture also goes beyond the IT department: it is the responsibility of every single employee, from the most recent junior hire right up to the CEO. An organization is only as strong as its weakest link, and often that weak link is an employee, so educating staff through ongoing cyber awareness training is the first step in defending a company from attacks. Training, monitoring, assessing and measuring success against benchmarks are the most effective tools to help a company's workforce spot and prevent a cyber breach.
Closing the cyber security skills gap
Governments and educational institutions also have a role to play in helping companies improve their cyber defenses—namely, by addressing the cyber security skills shortage in Canada. According to another poll KPMG in Canada conducted in August, nearly one quarter of businesses ranked cyber security as the number one skill they need to hire for right now. According to the Information and Communications Technology Council (ICTC), Canada will need 40,000 to 53,000 more cyber security practitioners by 2023. While there are a number of initiatives underway to encourage careers in cyber security, government and educational institutions in particular need to do a better job of promoting cyber security as a high-impact, high-potential industry. The more cyber security specialists Canada produces and employs, the safer all of us will be.