Are Canadian Companies and Organizations Taking Cybersecurity Seriously?
Written by: Marla Ovenden-Cooper
In 2018, Canada held its second annual Urban Security and Resilience conference in Toronto, Ontario. Richard Fadden, Canada’s former national security advisor, raised red flags about Canada’s relaxed attitude toward cybersecurity. He noted that “getting Ottawa – or companies – to act isn’t easy because Canadians don’t see themselves under threat”. Since then, there has been an increasing number of high-profile attacks, including:
- In August 2020, both the CRA and GCKey websites experienced cyberattacks
- In March 2021, IoT vendor Sierra was attacked, impacting production, the website, and internal operations
- In May 2021, Canada Post experienced a malware attack that resulted in the leaking of information for 95,000 mail recipients
The Current Situation
Almost three years later, and after an increase in cyberattacks in Canada, are Canadian companies and organizations seeing themselves as targets? Are they concerned about threats? What are they doing about it? CIRA’s most recent cybersecurity report tells the story of how Canadian companies are reacting and what their greatest concerns are. Their research found that 3 of 10 survey respondents reported an increased volume of cyberattacks over the pandemic period. There is concern about the ability to keep up with these threats, and companies are experiencing limited budgets. Even with the increasing number of cyberattacks and greater threats, about 10% of respondents expect fewer resources, and only 30% expect to have more resources over the next year. However, the report did show many companies investing in training, from foundational A+ certification training all the way to providing their top-level cyber professionals with CySA+ certification training. 94% of Canadian companies utilize cybersecurity training, with 48% saying cybersecurity awareness training courses are mandatory.
At first glance, these numbers seem optimistic. The numbers certainly do show that cybersecurity is starting to get the attention of the C-suite, but is it enough? Only about half of those surveyed said they were doing cybersecurity training quarterly, and forty percent were doing it annually or less. Annual training of any kind is better than none but far from effective. Individuals need repetition and need to learn new behaviours, and that takes time and practice. In an industry such as cyber, new threats constantly emerge, resulting in a greater need for ongoing training in multiple formats. There are many different types of training available for companies, from live online training courses and on-demand e-learning to webinar awareness training. Companies can use a cross-section of these training offerings or choose the best fit for them, such as a CompTIA Network+ training course or a CompTIA Security+ training course. Still, they should absolutely keep cybersecurity training top of mind when considering how to spend their training dollars.
Are companies taking cybersecurity more seriously than they did in 2018? The answer is a definite yes. Knowing how cybersecurity has evolved is important when deciding what to invest in. Perhaps a more important question should be asked: “Are they taking cybersecurity seriously enough to combat the rising threats?” Corporate strategy for 2021 will most certainly include cybersecurity for most organizations, but how each organization reviews vulnerabilities, threats and risks to establish an effective strategy going forward will most certainly be tested in 2021.