Cybercrime and Canadian Businesses

Presentation transcript:

Cybercrime and Canadian Businesses. Mohammad Lari, Economist, and Mark Uhrbach, Program Manager. October 23, 2018.

Insufficient data for decision-making: Canadian policy makers had to rely on statistics and data from outside of government to inform decision-making. Cross-economy enterprise-based survey. Feasibility study 2015-2016.

The Canadian Survey of Cyber Security and Cybercrime is the first of its kind in Canada and one of the first in the world. Firms with 10+ employees. Across all sectors. Over 12,000 firms in the sample. 86% response rate. Focus on economic impact of cybercrime, not social issues such as cyberbullying or online harassment.

Nearly all (95%) businesses employed some form of cyber security to protect themselves, their customers and their partners. However, usage was not universal. A number of businesses did not use: anti-malware software (24%), email security (26%), network security (32%). 66% of businesses allowed their employees to use personally owned devices to carry out business-related activities, but less than half (47%) of these businesses had security measures in place to manage these devices.

Almost 29% of businesses were required to implement cyber security measures by their suppliers, customers, partners or regulators. These requirements were more common among: banking institutions (81%), health & personal care stores (79%), pipeline transportation (67%).

74% of businesses had employees primarily responsible for cyber security: small (10 to 49 employees) 72%, medium (50 to 249 employees) 83%, large (250+ employees) 91%. 67% of businesses, regardless of size, reported having one to five employees primarily responsible for cyber security. Among the 26% of businesses that reported not having any employees primarily responsible for cyber security: 56% indicated that the business used consultants or contracts to monitor their networks; 31% indicated cyber security was not a high enough risk.

Cyber security training. 51% of businesses shared general cyber security practices through email, bulletin boards or information sessions with employees. 19% of businesses provided formal training for employees to develop or upgrade their cyber security-related skills. % of businesses that provided formal training, by size of business: small (10 to 49 employees) 16%, medium (50 to 249 employees) 32%, large (250+ employees) 59%.

13% of businesses had a written policy in place to manage or report cyber security incidents. Certain industries surpassed the average, including: banking institutions (66%), rail transportation (55%), pipeline transportation (55%). 28% of businesses reported having senior managers oversee cyber security risks and threats, and 89% of these businesses reported that they updated senior managers on actions taken regarding cyber security.

58% of businesses undertook activities to identify cyber security risks. Of these: 85% 38% Monitored their network and business systems Monitored their employees’ behaviours 25% 8% Complete audit of IT systems, undertaken by an external party Investment in threat intelligence 20% 11% A formal risk assessment, undertaken by an external party A formal risk assessment, undertaken by an employee 16% 7% Penetration testing, undertaken by an external party Penetration testing, undertaken by an employee

9% of businesses had cyber liability insurance to protect against cyber security risks and threats: small (10 to 49 employees) 7%, medium (50 to 249 employees) 14%, large (250+ employees) 24%. Cyber liability insurance was prevalent among certain industries: natural gas distribution (54%), data processing, hosting and related services (50%), banking institutions (48%).

Canadian businesses reported spending $14 billion on cyber security in 2017: $8 billion on salaries for employees, consultants and contractors; $4 billion on cyber security software and related hardware; $2 billion on other prevention and recovery methods. Annual average expenditures differed greatly based on size of business: small (10 to 49 employees) $46,000, medium (50 to 249 employees) $113,000, large (250+ employees) $948,000.

21% of businesses reported that they were impacted by a cyber security incident, which affected their operations. % of businesses impacted, by size of business: small (10 to 49 employees) 19%, medium (50 to 249 employees) 28%, large (250+ employees) 41%.

% of businesses impacted, by industry: banking institutions 47%, pipeline transportation 46%, oil and gas extraction 45% (the top 3 industries impacted); telecom (including ISPs) 44%; universities (excluding colleges) 39%; air transportation 35%; legal services 32%; utilities 31%; hospitals 20%; retail trade 16%.

38% 39% Of those businesses that were impacted: Experienced an attempt to steal money or demand a ransom payment Could not identify the attack’s motive Method Used 46% Malicious software (e.g., viruses, adware, ransomware) 29% Scams and fraud (e.g., financial fraud, phishing) 20% Exploiting software, hardware or network vulnerabilities Method Used 48% Scams and fraud (e.g., financial fraud, phishing) 42% Malicious software (e.g., viruses, adware, ransomware) 20% Exploiting software, hardware or network vulnerabilities

23% 26% Of those businesses that were impacted: Method Used Experienced an attempt to access unauthorized or privileged areas Experienced an attempt to steal personal or financial information Method Used 36% Hacking or password cracking 34% Exploiting software, hardware or network vulnerabilities 31% Malicious software (e.g., viruses, adware, ransomware) Method Used 51% Scams and fraud (e.g., financial fraud, phishing) 30% Malicious software (e.g., viruses, adware, ransomware) 25% Hacking or password cracking

Businesses impacted by cyber security incidents experienced the following major impacts: 54% 53% Prevented employees from carrying out day-to-day work Prevented the use of resources or services 32% 30% Additional time was required by employees to respond to incidents Resulted in additional repair or recovery costs

Over half (58%) of businesses experienced some downtime as a result of an incident. Average total downtime for businesses: 23 hours. Most businesses (65%) reported that they believed an external party to be responsible for the incidents that impacted them.

About 10% of businesses impacted by a cyber security incident reported the incident to a police service in 2017: small (10 to 49 employees) 8%, medium (50 to 249 employees) 12%, large (250+ employees) 15%. Businesses did not report for the following reasons: 53% incidents were resolved internally; 35% incidents were resolved through IT consultants or contractors; 29% incidents were considered to be too minor and not important enough.

So who did businesses report their cyber security incidents to? 42% 11% Software or service vendor IT consultant or contractor 38% 2% Did not report to any external party Government department or agency 15% 1% Suppliers, customers or partners Canadian Cyber Incident Response Centre (CCIRC) 12% <1% Bank or other financial institution Office of the Privacy Commissioner

Thank you. For further information, please contact: Howard Bilodeau, Economist, howard.bilodeau@canada.ca; Mohammad Lari, Economist, mohammad.lari@canada.ca; Mark Uhrbach, Program Manager, mark.uhrbach@canada.ca. Data can be accessed through Research Data Centres (RDCs) or the Canadian Centre for Data Development and Economic Research (CDER).

Annex

About 92% of businesses reported using one or more of the following for their business: 79% 40% Website Internet-connected smart devices 61% 37% Social media accounts Intranet 53% 33% Cloud computing and storage E-commerce platforms and solutions 41% 20% Web-based applications Voice Over Internet Protocol (VOIP)

Of the 47% of businesses that used cloud storage, businesses stored: 27% 31% Confidential business information (e.g., inventory, financial statements) Non-sensitive or public information 30% 16% Confidential information about customers, suppliers, partners Commercially sensitive information (e.g., market position, sales and marketing plans) 28% Confidential employee information