Every year CIRA publishes a survey of Canadian IT security decision-makers to better understand how they are coping with cyber-threats. This year’s survey was conducted by The Strategic Counsel in July and August, and collected over 500 responses from IT professionals across the country. This is blog four of five in the series for 2021.
In 2018, the Cybersecurity & Infrastructure Security Agency (CISA) issued a public alert, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.” This particular attack focused on exploiting what the cybersecurity industry often considers the weakest link in any company’s security – humans.
According to CISA, the attackers learned about their intended targets and the companies they did business with. They used that information to launch a spearphishing campaign – meaning they sent emails tailored specifically to trick their targets – and a target who was duped downloaded an infected payload. From there, hackers were free to collect information about industrial control systems that would normally be restricted.
In its advice on how to protect against the hacking campaign, CISA focused on cybersecurity awareness training, amongst other measures. Their message was clear: it’s not just the IT department’s job to prevent cyber attacks, it’s the responsibility of all employees.
End users must be trained on the common indicators of phishing and be instructed to report suspicious emails, the agency says.
Turning our attention to the cybersecurity landscape in Canada – what is the state of awareness training at Canadian organizations? Are employees equipped with the knowledge they need to spot and report malicious emails? Let’s find out.
2021 data shows that most Canadian organizations are now conducting some form of cybersecurity awareness training
Employee training is now considered a best practice and Canadian organizations seem to be taking it to heart. According to our 2021 Cybersecurity Survey, 93 per cent of organizations conduct cybersecurity awareness training for at least some employees.