By Yves Paquette
At a time when data breaches are the matter of the moment, our fourth annual NOVIPRO/Léger Portrait of IT Trends could not be more relevant. But while the data gathered in the study reveals a shift in some trends, the pace at which companies are changing their approach to cybersecurity clearly needs to gather speed.
The most significant revelation is not a comforting one. For despite the current landscape, Canadian financial services companies don’t seem to feel the urgency to protect themselves and ensure the security of their data.
The survey, a status report on IT in Canadian businesses, was conducted over a one-month period in the fall of 2019 and involved 496 respondents from medium and large Canadian companies, 300 of whom were IT decision-makers with the balance from other fields. The data gathered offered a strong picture of current attitudes towards cybersecurity, particularly in the banking sector, where breaches have repeatedly made headlines.
With finance being a conservative, tightly regulated field with rigorously enforced standards, this may explain why the IT infrastructure of so many financial sector companies were described as merely functional. I’m referring here to statistics that show a laxness on the part of such companies. For example, only 25 percent of financial industry respondents described their company’s infrastructure as “state of the art.”
Awareness not enough
Overall, the survey shows that organizations have a better and better understanding of the risks associated with cybersecurity.
But it’s not enough to be simply aware. There need to be concrete actions to defend oneself against all kinds of attacks. And this responsibility doesn’t just concern IT teams; it needs to be a priority for all decision-makers.
That said, even in the context of widely publicized leaks, not all companies in the financial services sector have made proactive changes. A full 38 percent maintained their existing practices. This wasn’t the worst of the lot; 39 percent of health care organizations kept the status quo.
In contrast, agriculture businesses showed definitive prudence, with 60 percent having revised their cybersecurity practices. And that’s a good thing—and worth emulating by other especially financial businesses—because attacks are on the rise.
More than one in three companies (37 percent) claimed they’d been victim to a cyberattack in the last year: a significant increase over the 28 percent cited in last year’s survey. But out of the 40 percent of companies in the financial services sector that were targeted, 57 percent confirmed that the threat came from inside the organization.
Our director of technology solutions, Éric Cothenet, recommended that organizations bring in sound processes and methods of governance to make employees aware of IT threats.
“Threats from inside an organization are very real,” he said. “Problems often occur unintentionally, with too few employees trained to identify risk.”
Companies making halting steps
Companies are taking baby steps to avoid data breaches. While the general public surely wants them to be giant steps, this is better than nothing.
In 2018, nearly one in four companies (74 percent) trained their employees on cybersecurity in 2018 and more than half want to do so again next year. And although one in two companies did not review their practices after the news of high-profile breaches and data theft, almost all of them took at least one action to prevent further breaches. These included malware protection, data encryption, network intrusion monitoring and other preventive solutions.
Despite these moves toward process improvement in cybersecurity, it was disturbing to learn that companies are generally not all that transparent.
Just over a third (38 percent) of respondents would notify their customers in the event of a cyberattack, whereas less than half (49 percent) would have done so in 2018. Organizations in Quebec (39 percent) and Ontario (40 percent) were the most likely to reach out to their customers.
These low figures are worrisome. Particularly given that 61 percent of these organizations were holding critical and confidential customer data such as credit card numbers and Social Insurance Numbers.
It’s certainly not all doom and gloom. In addition to the cybersecurity training that most companies are putting in place with employees, the perception of IT is changing. In 2016, it was considered a strategic partner by only 21 percent: a figure which rose dramatically to 41 percent in 2019. In 2016, 47 percent of respondents threw IT into the “investments” category: less so in 2019 with only 28 percent seeing it as such. Indeed, IT has become so much more strategic in the minds of many.
An expert who commented on our report, Alina Dulipovici, who is associate professor of Information Technologies at HEC Montréal, said that companies need to quit thinking of information assets as a sunk cost.
“It’s actually a strategic investment that helps achieve business objectives,” she said. “Not only that, companies would benefit from doing more to make their employees—and even their business partners—stronger links in the information asset protection chain by raising their awareness of security risks.”
Fortunately for consumers, whose precious data is constantly hanging in the balance, indicators suggest that change is underway.
Yves Paquette is co-founder and president, NOVIPRO.