CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the final blog post in a series of four for 2023.
According to the 2023 CIRA Cybersecurity Survey, many Canadian organizations in the private, public and MUSH (municipalities, universities, schools and hospitals) sectors are proactively putting measures in place to protect their systems from cyber threats. This, as cybercriminals exploit generative AI and other emerging technologies to steal their data and their money, disrupt their operations and damage their reputations.
Just over half (52 per cent) of cybersecurity professionals say they are monitoring their employees’ computer and internet use (52 per cent), while 57 per cent use firewalls for advanced detection of cyber threats. In addition, 46 per cent report that they have conducted a formal risk assessment of their cybersecurity practices, and almost three-quarters (73 per cent) indicate that the financial resources allocated to IT system management and cybersecurity in their organizations have increased in the past year.
And yet despite these efforts, there is abundant evidence that many Canadian organizations are still ill-equipped to fend off and recover from a major cyber incident. Four-in-ten (41 per cent) report experiencing a cyber attack, attempted or successful, in the last 12 months and independent research indicates that dozens of Canadian organizations, from federal government departments and schoolboards to insurance companies and non-profits, have been hit with costly and disruptive attacks over the last several months.
Humans are the weakest link in the cybersecurity chain
Why do our defenses keep coming up short? As any cybersecurity expert can attest, when it comes to protecting our data from a skilled and determined attacker armed with the latest technology, our cybersecurity infrastructure is only as strong as the weakest link. And, unfortunately, the weakest link is us, the people behind the screens and keyboards. This explains why phishing attacks, in all their many guises, are one of the top threats organizations face, regardless of size or sector. The research consistently demonstrates that human error is responsible for the vast majority of successful cyber breaches.
Often a single successful spear phishing email is enough to compromise the data of an entire large organization. When an employee is duped into clicking a bad link in what seems to be a legitimate email, the hacker can install malware on the victim’s device, which then quickly replicates and spreads throughout the organization, eventually giving the hacker access to critical IT systems and data stores. With the rise of ChatGPT and other generative AI tools, hackers are better equipped than ever before to quickly generate highly persuasive phishing emails, a fact that 58 per cent of organizations say they are increasingly concerned about.
The good news is that people can be trained to sniff out and steer clear of suspicious communications and other threats. Investing in cybersecurity awareness training and making it mandatory for all employees can go a long way towards reducing risks and creating a strong culture of cyber awareness in the organization. Increasing the frequency of awareness training is particularly important for helping employees keep pace with the rapidly evolving cybersecurity threat landscape.
Look to low-friction solutions for hardening cybersecurity defences
Aging technology is another factor that can significantly raise the cyber threat level for Canadian organizations. Over one-third of cybersecurity professionals (37 per cent) say their organization relies on technology released prior to 2010, while another 20 per cent report using systems released between 2000 and 2009.
In some cases, these risks can be mitigated by upgrading or replacing aging systems. However, in certain IT environments, such as those found in the power distribution industry, critical operational systems and infrastructure, often can’t be altered, updated, or even rebooted because the costs of downtime are too great. For these systems in particular, the introduction of low-friction cybersecurity solutions can strengthen an organization’s defences. For example, a network or DNS firewall that monitors incoming and outgoing traffic for known malicious threats adds an important outer layer of security to even the most aged IT environments, one that will prevent outdated systems from malfunctioning when the setup is changed.
Finally, many large organizations rely on their domain names to anchor their online presence. Ensuring that all services that depend on this domain name stay safe and strong is paramount, especially amid the uptick in distributed denial of service (DDoS) attacks that have been launched against high-profile Canadian organizations in recent months. Investing in anycast services is one proven method for protecting against these types of attacks.
Learn how CIRA Anycast DNS can help protect your organization from DDoS attacks.
