BreachExchange mailing list archives

Canadian firms seeing fewer data breaches – why that could actually be bad


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 1 Dec 2014 18:59:39 -0700

http://www.itbusiness.ca/news/canadian-businesses-are-seeing-less-data-breaches-heres-why-that-could-actually-be-a-bad-thing/52536


This year, the number of reported security incidents dropped by 22 per cent
among large businesses in Canada, compared to 2013. That might sound great,
but Canadian businesses also saw a 15 per cent drop in their security
incident detection rate – and that might mean they’re not being vigilant
enough.

Last week, PricewaterhouseCoopers (PwC) and publications CIO.com and
CSOonline.com released the results of their annual global survey on the
state of cybersecurity. Their report combined research on attacks in 2014
alongside poll results from 9,700 C-suite executives in about 154
countries. About 241 of this year’s respondents were from Canada.

What this year’s report found was that there were 42.8 million attacks
reported around the world in 2014 – a 48 per cent jump compared to 2013.
And dating back to 2009, the survey showed there was a 66 per cent increase
in attacks, year over year – and that doesn’t even account for the number
of security breaches that might never be reported, or that are never even
detected.

While most of the world has reported more attacks, rather than fewer, Canada
seems to be an anomaly. However, a drop in the number of reported security
incidents might actually be a bad sign for both large and medium-sized
organizations alike, with mid-size organizations reporting a decrease in
security incidents of 21 per cent, compared to the number of incidents in
2013.

It’s definitely possible there were simply fewer attacks, but it’s more
likely that businesses failed to report or to catch security incidents as
they happened. That spells bad news for organizations storing sensitive
data, especially if it’s personally identifiable information or financial
information, like customer credit card data.

However, there was a positive sign on the horizon – among small businesses
in Canada, their detection rate soared by about 311 per cent during 2013.
That’s good news, especially as hackers looking to breach systems for
valuable data often target small businesses that are trying to protect
themselves with less time, money, and staff than larger organizations.

“This improvement is critical for Canada overall, given the proportion of
our economy served by this sector, and the fact that many of our large and
medium-sized organizations are serviced by smaller ones. This helps to
address an increasing avenue of attack in the supply chain process,” said
Salim Hasham, partner and national cyber security leader at PwC, in a
statement.

One reason for the improvement might be that small businesses are investing
more in their security technology, with PwC reporting they increased their
spending by 21 per cent, compared to 2013.

Yet the same can’t be said for bigger Canadian organizations. Mid-sized
organizations are spending 74 per cent more on their IT security, while
large organizations are spending 26 per cent less. Yet both might feel
they’ve been successfully warding off attacks.

That would be a dangerous assumption, researchers said. Most security
incidents come from current employees, former employees, and then hackers,
in that order – and then of course, there’s always the risk of information
brokers causing incidents, as well as activists-cum-hackers who target
businesses as part of their crusades. There’s also always the potential for
foreign hackers and organized crime rings to go after businesses, and
they’d be more attracted to larger companies with bigger treasure troves of
data.

“It’s important to understand that threats are never unidirectional.
They’re becoming a blend of technology, people and processes – insiders and
outsiders, direct and through supply chain. Simply having technology-based
defences to protect information will not provide adequate protection,”
Hasham said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
