In 2018, 40% of small to medium businesses surveyed experienced a cyber-attack in the last 12 months, according to a recent publication by the Canadian Internet Registration Authority (CIRA). The CIRA is responsible for managing the “.CA” domain registry as well as policies supporting Canada’s internet. As part of their initiative, they conducted a survey of 500 individuals at small and medium businesses who are responsible for IT security decisions at their place of work. Across Canada, small to medium businesses make up the majority of employers. Around 98% of businesses have fewer than 100 employees, and just over 50% have four or fewer, highlighting the relevance of this report to anyone in an IT or cybersecurity decision-making position across the country. The full report can be found here.
As expected with small to medium businesses, a large number of non-essential services are outsourced to vendors who provide specialized services. 67 percent of respondents outsource at least some part of their cybersecurity footprint to external vendors, who can help save costs and increase quality of work, as you only pay for the services rendered by an experienced expert. Not surprisingly, one-third of respondents indicated that the most significant impact of a cyber-attack is the time and resources required to respond to the incident.
A trend that is likely to continue developing is the growing responsibility of IT staff to oversee cybersecurity operations; the survey results show that at least 50 percent of IT resources have some responsibility for cybersecurity. While two-thirds of organizations use external vendors, 34% relied almost entirely on outsourced vendors, 27% use mostly internal resources and 33% estimated they use roughly equal external and internal resources for cybersecurity. This is expected due to an industry-wide shortage of security professionals, and many small businesses do not require in-house expertise due to the size, maturity and aspects specific to their business.
One common service is to hire external cybersecurity experts to conduct a penetration test, in which ethical hackers are hired to find vulnerabilities in an organization’s online presence, such as web and mobile applications and internet-facing and internal-facing servers. The results help an organization patch and remediate vulnerabilities that an attacker may exploit. Penetration testing is a preventative security measure that can help protect your brand before an attack occurs.
A conflicting finding of the survey was that 78 percent were confident in their level of cyber-threat preparedness; however, 37 percent didn’t have anti-malware protection installed and a shocking 71 percent did not have a formal patching policy – exposing these organizations to massive security holes! Furthermore, of the IT managers surveyed, 40 percent claimed they did not experience a cyber attack and 14 percent said they suffered a successful cyber attack. Of the business owners surveyed, 67 percent said they did not experience a cyber attack, and only 6 percent claimed that they experienced a successful cyber attack. Comparing these results side by side paints a worrying picture. Business owners, who have less knowledge regarding cybersecurity, aren’t aware of attacks against their organization, which highlights the need to either hire IT staff with cybersecurity knowledge and expertise or to outsource to external vendors.
To finish off, we will leave you with a few more interesting points:
While 59 percent of respondents said they stored personal information from customers, only 38 percent said they were familiar with PIPEDA. For more information on PIPEDA and its recent changes, read more here.
40 percent of respondents experienced a cyber-attack in the last 12 months. Among large businesses (those with 250-499 employees), this number increases to 66 percent. Overall, one in ten suffered 20 or more attacks.
88 percent of respondents were concerned with the prospect of future cyber-attacks, which resulted in 28 percent suggesting they would add cybersecurity staff in the next year.
Only 54 percent of small businesses provide cybersecurity training for their employees, even though the most common form of malware seen by our respondents is phishing attacks (42 percent), which directly exploit employees as a point of weakness.
Many businesses believe they are “too small” to be targeted. However, there is no such thing. Often small businesses have less to protect and feel they are not a target since they are small and do not have as large a budget. Unfortunately, this may make it easier for a hacker to breach a small company instead of a large one.
“Canadian businesses are not islands; they are connected as vendors, suppliers, contractors and customers. We must do everything we can to ensure even the smallest businesses have the resources they need to protect themselves and the Canadian SME ecosystem” – Dave Chiswell VP Product at CISA.
At Packetlabs, we specialize in providing offensive security services with a mandate that separates us from our competitors. We are always going the extra mile, continually learning while improving and adapting our skills to overcome obstacles and challenges to find as many vulnerabilities as possible in our clients’ environments.