Every year CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber-threats. This year’s survey was conducted by The Strategic Counsel in July and August, and collected over 500 responses from IT professionals across the country. This is blog five of five in the series for 2021.
How do you know cybersecurity is a big deal? Even in a year that saw a historic vaccination campaign, a new U.S. President inaugurated, the United Nations alert about the climate emergency, and a Canadian federal election, cybersecurity themes still made headlines.
Here are some stories you might remember:
A rash of sophisticated state-sponsored attacks targeting software supply chains caused unparalleled negative impacts. One such ransomware attack targeting software vendor Kaseya affected thousands of its customers.
An insurance company paid $40 million, the highest ransom on record, to recover its own network and data, according to a report from Business Insider.
An attack on Colonial Pipeline caused it to shut down its infrastructure while the threat was investigated.
The situation is dire enough to receive attention from governments. In the U.S., the White House recently received recommendations from a Ransomware Task Force on how to combat sophisticated cybercrime. In Canada, the discussion has been more muted. In the recent election, the parties offered few cybersecurity promises, and our National Cyber Security Action Plan doesn’t even mention the words ‘ransomware’ or ‘malware.’
Despite this, the CIRA 2021 Cybersecurity Survey shows that the public sector is taking its own security seriously. But despite record ransoms and countless data breaches, the private sector isn’t doing as much to combat hackers. You have to wonder if they are reading the news.
First, consider that private companies are getting hit by hackers more often than public sector firms. Private firms are much more likely to report being a victim of a successful ransomware attack in the last 12 months than their public sector counterparts. Twenty-one per cent said they had been a victim, compared to just 14 per cent of public organizations.
[Chart: Organizations hit with ransomware; 69% paid the ransom on average]
It’s also interesting that private sector firms are more likely to report that they faced no attacks last year. Slightly more than one-quarter say they were not attacked, while only 11 per cent of public sector organizations say the same. On one hand, you could read this as a good sign for the private sector: they didn’t face any attacks! On the other, it may indicate blind spots in their cybersecurity posture and monitoring, since an attack that is never detected is also never reported.
Blind spots in your defences are created when you underinvest in security, and the private sector is the least likely to say they’re dedicating more resources to cybersecurity in the future. Private firms are falling short on security when compared to the public sector in several ways.
First, they indicate they are less likely to devote additional financial resources, with only 45 per cent of private firms planning to increase support for cybersecurity over the next 12 months (compared with 51 per cent of public organizations doing so). The data also shows that private firms are more likely than the public sector to be committing the same amount (40 per cent) or even decreasing their commitment (12 per cent).
Nearly half of all public organizations (47 per cent) anticipate increasing human resources devoted to cybersecurity, compared to only four in 10 (42 per cent) private organizations.
Next, we see that—without exception—the private sector is less likely than the public sector to take any of the possible measures to prevent future cyber attacks. Consider this list from this year’s Cybersecurity Survey:
Employee training is the most popular measure to take against cyber attacks for both sectors. But 67 per cent of public organizations are taking this measure compared to just 63 per cent of private firms.
Fifty-nine per cent of public organizations plan a security audit, compared to only 51 per cent of private firms.
Forty-five per cent of public organizations plan to install new hardware, compared to only 30 per cent of private firms.
Installing new software and hiring new staff are also not in the plans for as many private sector firms.
Across the board, public organizations are more likely than private ones to take up new measures to prevent future cyberattacks.
Finally, private sector firms are lagging even in the adoption of cloud DNS firewalls. Overall, the method is being adopted quickly, with 73 per cent of organizations saying they have one, compared to 62 per cent one year ago, and only 42 per cent in 2018. And again, the private sector is the laggard in this area with 71 per cent using a cloud DNS firewall compared to 78 per cent of the public sector.
It’s clear that despite reporting being the victim of hackers more often, the private sector is not as willing to invest in cybersecurity as the public sector.
But why is that? Here we can look at the reasons that public and private sector organizations give for investing in cybersecurity. Once again, private firms lag the public sector and just may feel less motivation to invest against the prospect of a hack:
Sixty-two per cent of public sector organizations say they devote resources to cybersecurity to secure continuity of operations, while only 52 per cent of private sector firms say the same.
Sixty-four per cent of the public sector say their investments are to protect employees’, suppliers’, or partners’ personal information, while only 49 per cent of private sector firms say the same.
Sixty-one per cent of public sector organizations say they invest to protect the reputation of the organization. Only 47 per cent of private firms say the same.
It’s important to remember that, overall, this year’s survey shows that private sector firms are doing more for cybersecurity preparedness than they were. They’re more concerned than they were last year and, to some degree, many private firms are planning more investment or new actions to improve cybersecurity. They are just not doing so to the same degree as public sector organizations.
Hopefully, those private sector firms don’t find themselves in next year’s news headlines, because cybersecurity is one big issue that’s not going away any time soon.
***Private sector (i.e., for-profit business) • Public sector (all) • MUSH (public sector, including only municipal government or agency, hospital or other health care organization, primary or secondary school, college or university, or school board)