Canadian business leaders experience a dangerous disconnect as they navigate the evolving pandemic. They know that cyberattacks are rampant, and they recognize the need to safeguard IT environments, yet they struggle to invest in the people, processes, and technology to defend their critical business assets.
“CDW’s 2022 Security Study, conducted by IDC shows that half of Canadian organizations have budgets that do not have room for IT modernization and experimentation,” says Theo van Wyk, Head of Solutions Development and Cybersecurity at CDW Canada, a leading provider of technology solutions for business, government, education, and healthcare. “Money is being invested, but it’s not enough.”
The New Hot Target
Citing additional data from CDW’s study, van Wyk paints a dire picture of the state of IT security and potential consequences for Canadian organizations. In the past year, for example, 90 per cent of businesses surveyed indicated they had been attacked, with public cloud servers identified as the new hot target. In the same period, only 36 per cent of these businesses had implemented any security awareness training.
“One of the challenges for us, is that security is what we sometimes call an insurance play,” says van Wyk. “If you spend a lot of money securing your network, and nothing bad happens, nobody really knows about it, other than the people who signed off on the budget. It’s only when things go wrong that we see the benefit.”
A Failure to Allocate IT Spend
Another concern emerging from the CDW study is that about 25 per cent of respondents said their budgets do not have dedicated lines for core IT security operations. Not only does this lack of definition indicate a failure to promote security- conscious thinking, but it also makes it easy – especially for organizations with smaller budgets – to let security slide while focusing spend on innovation and driving ahead. “If there’s a competition for dollars, it will go towards buying new laptops, setting up a new service, and accelerating business,” says van Wyk.
The Road to Robust Security
Once funds are budgeted for IT, the first step on the road to more robust security is pausing to assess the cyber risks facing the organization and the ability of existing security programs to mitigate these risks. Taking stock of the situation is where CDW comes in, with a model for assessing an organization’s levels of IT security maturity along four dimensions: security approach, philosophy, investments, and processes. If this doesn’t sound useful, consider that, based on these four dimensions, only 12 per cent of Canadian companies boast a leading security posture.
The Importance of Backup
The next steps are rethinking security through a zero-trust approach, embracing cloud- enabled security solutions and services, and creating an organizational culture of security ownership. Last, but not least, is restoring trust in backups, which van Wyk perceives as essential to the cyber health of any organization. “With Ransomware as a Service emerging as a new industry, and 73% of Canadian companies reporting data infiltration attacks with ransom demands in the past year, we are imploring organizations to make sure they work on their backup strategy,” he says. “This is the number one way to keep a ransomware incident from becoming a catastrophic event that creates downtime, damages the organization’s reputation, and requires a payout.”
Four senior Ministers, including The Honourable Anita Anand, Minister of National Defence, made a similar appeal recently in an open letter to Canadian organizations. Citing a marked rise in the volume and range of cyber threats, and a surge in ransomware incidents, the signatories urged citizens to, “take stock of your organization’s online operations, protect your important information and technologies with the latest cyber security measures, build a response plan, and ensure that your designated IT security personnel are well-prepared to respond to incidents.”
The Return on Investment
Investments of any kind are daunting as organizations face what Gartner refers to as the triple squeeze: persistent high inflation, scarce and expensive talent, and global supply challenges. Business leaders quite rightly see the economic future as uncertain, but there is something they can count on: organizations that measure higher in IT security maturity report higher business outcomes, including revenue, profit, regulatory compliance, and number of new products and services.
“It’s easy for those of us in IT to look at the situation and say yes, of course you should allocate IT spend,” says van Wyk, “but we have to remember that most of our customers are not in the business of IT and security. Once they feel the pain, the budget gets carved out very quickly, so why not do it before a cyber incident threatens the organization?”