Scalar Security Study 2019


The Cyber Resilience

of Canadian Organizations
Results of the 2019 Scalar Security Study
THE CYBER RESILIENCE OF CANADIAN ORGANIZATIONS

CONTENTS:

1. EXECUTIVE SUMMARY ............................................3

2. INTRODUCTION AND METHODOLOGY....................7

3. KEY FINDINGS.........................................................13

4. CONCLUSIONS........................................................43

5. CAVEATS.................................................................46

6. APPENDIX............................................................... 48
RESULTS OF THE 2019 SCALAR SECURITY STUDY

PART 1:
EXECUTIVE SUMMARY

On average, organizations experienced 440 attacks in the past year

PART 1: EXECUTIVE SUMMARY

Scalar's study of the cyber resilience of Canadian organizations finds there is a new normal across the threat landscape. Cyber security incidents – whether they be exfiltration, infiltration, or denial of service – are now occurring on a regular basis. To address this, the focus of cyber security efforts is shifting from an emphasis on protection against attacks, to improving the detection of malicious actors on the network, and responding to and recovering from incidents as quickly as possible. The findings of the 2019 Scalar Security Study reflect on these new trends and introduce cyber resilience as a security theme that emphasizes the importance of business continuity and the need for organizations to return to normal operations and a trusted state after an incident has occurred.

Over the past year, Canadian organizations have increased their focus on identifying assets on the network, prioritizing deployment of cyber security solutions, and patching on-premise infrastructure, but there are still key cyber resilience weaknesses including:
• Inability to prevent cyber security breaches
• Lack of comprehensive cyber resilience strategies including people, processes, and technology
• Slow detection and response times and adoption of monitoring solutions
• Lack of documented incident response

Firms also have organizational blind spots to risk areas, including:
• Understanding the data-flows between an organization and its third-party partners, suppliers, and vendors
• Knowledge of government privacy legislation
• Cyber security responsibilities in cloud environments including patching and updating software
• Exposure to insider threats from employees or contractors

Using the National Institute of Standards and Technology (NIST) cyber security framework and statistical segmentation, the survey results were analyzed to produce the following key lessons:
• Practicing a fundamental level of cyber resilience reduces the number of security incidents an organization experiences by more than 50%, and in the case of breaches, reduces its file and data exposure, downtime, and recovery costs
• Moving beyond a fundamental level of cyber resilience is difficult for Canadian organizations due to deficiencies in security planning, training, documentation, and the ability to assess risks and prioritize updates, patches, and security solution investment according to a comprehensive threat and risk assessment

Less than 60% of organizations are patching cloud environments within a week of patch release

PART 2:
INTRODUCTION AND
METHODOLOGY

The average cost of cyber compromise per organization: $4.8-$5.8 million

PART 2: INTRODUCTION AND METHODOLOGY

This report represents the findings of the 2019 Scalar Security Study, the Cyber Resilience of Canadian Organizations. Independently conducted by IDC Canada, the data provided in this report was obtained through a Canada-wide cross-industry survey of 407 IT security and risk & compliance professionals. All survey participants were screened for direct involvement in improving or managing their organization's IT security. Eighty-seven percent of the IT security respondents were at a supervisor level (Infosec Supervisor/IT Supervisor) or higher. Survey respondents were screened to represent organizations with a minimum of 15 full-time employees and at least 10% of their total employees located in Canada.

The survey is meant to provide insight into the big questions facing IT security departments:
• How serious is the threat of attack facing Canadian organizations?
• How expensive are security breaches getting?
• What is the total cost of compromise across the different types of cyber security breaches?
• What weaknesses still need to be addressed?
• How prepared are organizations to respond to and recover from security incidents?
• What technologies or processes can organizations implement to improve their cyber defences?

The survey was conducted over the course of September-October 2018 by IDC Canada on behalf of Scalar. Appendix A shows a detailed description of the demographics and firmographics of the survey participants.

PIE CHART 1: Employee size range based on organization size (Total): Smaller (15-249) 20.4%; Medium/Large (250-4,999) 49.63%; Enterprise (5,000+) 29.98%

Organization Size Segmentation

In this report, Scalar classifies responding organizations as Smaller, Medium/Large, and Enterprise class. The definition for each is based on its number of employees:
• Smaller: 15-249 full-time employees located within Canada
• Medium/Large: 250-4,999 full-time employees located within Canada
• Enterprise: 5,000+ full-time employees located within Canada

The NIST cyber security framework is widely used as a base for developing organizational information security
strategy. Survey respondents were asked several questions representing the core aspects of the NIST framework
in order to help analyze the security preparedness and cyber resilience of Canadian organizations.


Cyber Resilience Fundamentals Segmentation

A statistical segmentation was used to analyze the survey results based on whether responding organizations are practicing cyber resilience fundamentals or not. To be included in the "practices cyber resilience fundamentals" segment, respondents were required to give the qualifying answers below across survey questions 8, 11, 12, 24, and 26a:

Q8. Which of the following best describes how your organization approaches the following (multiple questions)
  PRACTICES CYBER RESILIENCE FUNDAMENTALS: Conducted across select areas/departments of the organization; Conducted across the entire organization
  DOES NOT PRACTICE CYBER RESILIENCE FUNDAMENTALS: Not conducted

Q11. Which of the following best describes how your organization trains employees on the following? (multiple questions)
  PRACTICES CYBER RESILIENCE FUNDAMENTALS: Formal training with reminders; Ad hoc training and reminders
  DOES NOT PRACTICE CYBER RESILIENCE FUNDAMENTALS: No training

Q12. How long does it take your organization to install security updates/patches or upgrade? (multiple questions)
  PRACTICES CYBER RESILIENCE FUNDAMENTALS: Immediately when released; Within a week; Within a month
  DOES NOT PRACTICE CYBER RESILIENCE FUNDAMENTALS: Within a year; A year or more

Q24. Which of the following best describes your organization's security incident response plan?
  PRACTICES CYBER RESILIENCE FUNDAMENTALS: Fully documented incident response plan and it is regularly updated; Documented incident response plan, but it is not often updated; Incident response plan is informal
  DOES NOT PRACTICE CYBER RESILIENCE FUNDAMENTALS: No incident response plan

Q26a. Which of the following best describes your organization's plan for recovery back to trusted state after a data breach?
  PRACTICES CYBER RESILIENCE FUNDAMENTALS: Fully detailed and documented processes; Processes are in place but documentation is not complete; Ad hoc processes are in place
  DOES NOT PRACTICE CYBER RESILIENCE FUNDAMENTALS: Processes are in place but documentation is not complete
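The segmentation rule above is a conjunction: a respondent lands in the "practices fundamentals" segment only if every one of the five questions (and every sub-question of the "multiple questions" items) received a qualifying answer. The following Python is an added example, not code from Scalar or IDC, showing how that rule is applied to survey records and how the two segments are then compared on a metric such as incidents per year. The qualifying answer sets for Q8, Q11, Q12 and Q24 are transcribed from the table; for Q26a the example assumes that the two documented-process answers qualify, since the page's own split for that question is ambiguous. The survey records are constructed for the example.

```python
from statistics import mean

# Qualifying ("practices cyber resilience fundamentals") answers per question,
# transcribed from the segmentation table. Q26a is an assumption: the example
# treats the two documented-process answers as the qualifying ones.
QUALIFYING = {
    "Q8": {"Conducted across select areas/departments of the organization",
           "Conducted across the entire organization"},
    "Q11": {"Formal training with reminders", "Ad hoc training and reminders"},
    "Q12": {"Immediately when released", "Within a week", "Within a month"},
    "Q24": {"Fully documented incident response plan and it is regularly updated",
            "Documented incident response plan, but it is not often updated",
            "Incident response plan is informal"},
    "Q26a": {"Fully detailed and documented processes",
             "Processes are in place but documentation is not complete"},
}


def practices_fundamentals(answers):
    """True only when every segmentation question has a qualifying answer.

    Questions the report marks "(multiple questions)" are represented as a
    list of sub-answers; every sub-answer must qualify. A missing question or
    an empty answer list disqualifies the respondent.
    """
    for question, allowed in QUALIFYING.items():
        given = answers.get(question)
        if given is None:
            return False
        if not isinstance(given, (list, tuple)):
            given = [given]
        if not given or any(answer not in allowed for answer in given):
            return False
    return True


def segment_label(answers):
    return "practices" if practices_fundamentals(answers) else "does_not"


def segment_means(records, metric):
    """Mean of `metric` per segment, plus the percentage reduction seen by the
    practicing segment relative to the non-practicing one."""
    by_segment = {"practices": [], "does_not": []}
    for record in records:
        by_segment[segment_label(record["answers"])].append(record[metric])
    if not by_segment["practices"] or not by_segment["does_not"]:
        raise ValueError("both segments need at least one record to compare")
    m_yes = mean(by_segment["practices"])
    m_no = mean(by_segment["does_not"])
    return {
        "practices": m_yes,
        "does_not": m_no,
        "reduction_pct": round(100 * (m_no - m_yes) / m_no, 1),
    }


# Constructed survey records (not real respondents). Two qualify, two do not.
SAMPLE_RECORDS = [
    {"org": "A", "incidents": 12, "answers": {
        "Q8": ["Conducted across the entire organization",
               "Conducted across select areas/departments of the organization"],
        "Q11": ["Formal training with reminders"],
        "Q12": ["Within a week", "Immediately when released"],
        "Q24": "Incident response plan is informal",
        "Q26a": "Fully detailed and documented processes"}},
    {"org": "B", "incidents": 16, "answers": {
        "Q8": ["Conducted across select areas/departments of the organization"],
        "Q11": ["Ad hoc training and reminders"],
        "Q12": ["Within a month"],
        "Q24": "Documented incident response plan, but it is not often updated",
        "Q26a": "Processes are in place but documentation is not complete"}},
    # C patches one system only within a year: a single failing sub-answer disqualifies.
    {"org": "C", "incidents": 28, "answers": {
        "Q8": ["Conducted across the entire organization"],
        "Q11": ["Formal training with reminders"],
        "Q12": ["Within a week", "Within a year"],
        "Q24": "Fully documented incident response plan and it is regularly updated",
        "Q26a": "Fully detailed and documented processes"}},
    # D conducts no training at all.
    {"org": "D", "incidents": 32, "answers": {
        "Q8": ["Conducted across the entire organization"],
        "Q11": ["No training"],
        "Q12": ["Immediately when released"],
        "Q24": "No incident response plan",
        "Q26a": "Ad hoc processes are in place"}},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record["org"], segment_label(record["answers"]))
    print(segment_means(SAMPLE_RECORDS, "incidents"))
```

The all-or-nothing rule matters for interpretation: an organization that is strong in four areas but patches one system only within a year falls into the "does not practice" segment, which is why the report describes the fundamentals as a baseline across planning, training, patching, incident response and recovery together rather than a score.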

100% of organizations surveyed report experiencing cyber security attacks over the past 12 months, with 58% having data exfiltrated

PART 3:
KEY FINDINGS


PART 3: KEY FINDINGS


In this section, we analyze the key findings of the research. The complete audited findings are presented in the appendix of this report. A summary of key findings is as follows:

Cost of compromise is at an all time high
• Average number of attacks per organization per year declined to 440 per organization, down from 455 in 2018
• Average number of breaches per organization per year increased to 12.5 per organization, up from 9.3 in 2018
• A higher percentage of attacks are resulting in major impacts: 3% of attacks resulted in a breach versus 2% in 2018
• The average cost per organization of responding to and recovering from cyber security incidents increased significantly from $3.7 million last year, to between $4.8 million - $5.8 million this year

Detection and response time are too slow, resulting in high costs
• Detection and response can take weeks
• Time to recovery is increasing
• Deficiencies in planning for cyber security incident response and recovery back to trusted state leave organizations vulnerable when breached
• Planning deficiencies and unrealistic time to recovery expectations result in Canadian organizations underestimating the cost of cyber security incidents
• Organizations that follow fundamental cyber resilience practices spend an average of 16.1 staff work days recovering from cyber security breaches per year versus 20.5 days for organizations that do not

Evolving threats create new opportunities for malicious actors
• All organizations surveyed provide some sort of remote access to their corporate network via the internet
• Organizations' attack surface grows exponentially with respect to employee count
• Fifty-five percent of organizations surveyed must comply with three or more government or industry regulations relating to data or privacy
• Organizations that conduct cyber security fundamentals can reduce cyber attack success rates by over 50%

Cloud security strategy is not keeping up with adoption rates
• Cloud environments are targeted and attacked by malicious actors just as often as on-premise
• Over 12% of Canadian organizations have migrated all infrastructure to the cloud
• Less than 60% of organizations update their public cloud environments within a week of patch release

Strategy focus is shifting from protection to detection and response
• Traditional perimeter and endpoint security solutions will continue to be deployed, and will be complemented by AI, machine learning, and new detection techniques
• Canadian organizations see monitoring solutions as a key enabler for enhancing their security posture
• Organizations will be making investments in breach response and forensics tools in the coming years


FINDING 1: COST OF COMPROMISE IS AT AN ALL TIME HIGH

One concept we aim to understand with this study is the total cost of compromise across the different types of cyber security incidents for Canadian organizations. In order to provide a
comprehensive and in-depth data analysis on the nature and costs of cyber security incidents, this year’s study classifies incidents into three categories:
• Exfiltration
• Infiltration
• Denial of Service (DoS)

Previous editions of this study consisted of a general classification of all incidents, defined as either high or low impact breaches.

Using the new categorization, we found the average number of attacks per responding organization is similar to that reported in 2018, but the cost of attacks has increased. Analysis of the
study results shows an average of 440 attacks per organization per year, down from 455 in 2018, with the direct dollars expended addressing cyber attacks rising significantly to $853,000 per
organization, up from $215,000 per organization last year.

Further detail on the number and costs of attacks is provided in the tables that follow:

TABLE 1. Number of attacks and breaches faced by Canadian organizations over the past twelve months

2018 (Base: All Respondents, 421)                                   MEANS
Total number of attacks per organization                            454.75
Total number of breaches per organization                           9.33

2019 (Base: All Respondents, 407)                                   MEANS
Total number of attacks per organization                            439.97
Total number of exfiltration, infiltration, and DoS incidents
  per organization                                                  30.12

On average, responding organizations were attacked more than 440 times per year, resulting in an average of 12.47 exfiltration incidents, 9.83 infiltration incidents, and 7.82 denial of service
incidents per organization per year (versus an average of 9.33 breaches per organization in 2018).


The new categorization of attacks as exfiltration, infiltration, or denial of service, rather than high or low impact breaches as used last year, reduces ambiguity and allows improved detail and
granularity on the actual nature and costs affecting Canadian organizations.

Malicious actors are becoming more effective

Exfiltration versus breach is the closest to a direct comparison there is between the new 2019 attack categorization and the version used in 2018. The percentage of attacks resulting in
exfiltration versus breach shows that malicious actors are becoming more effective. Nearly 3% of attacks resulted in a successful exfiltration this year, versus the 2.1% of attacks resulting in
a breach reported in 2018. Due to the high number of attacks per organization, this results in a 33.7% jump in exfiltration versus breaches per organization per year.

TABLE 2. Year over year comparison of attack to breach or exfiltration success rate

MEANS                                                    TOTAL 2018   TOTAL 2019
Base: All Respondents                                    (421)        (407)
Total number of attacks per organization                 454.75       439.97
Total number of breaches, exfiltrations per organization 9.33         12.47 (33.7% more than 2018)
% of attacks resulting in breach                         2.1%         2.83%

While this increase is concerning enough, including the results on infiltration and DoS shows the impact malicious actors are having, and just how significant a percentage of attacks
consist of DoS and infiltration. This makes it extremely important for organizations to consider implementing security strategies and solutions that not only protect data, but offer
service availability and integrity.

TABLE 3. Impact of infiltration and DoS on overall incidents per organization

MEANS                                                    TOTAL 2019
Base: All Respondents                                    (407)
Total number of attacks per organization                 439.97
Exfiltration incidents per organization                  12.47
Infiltration incidents per organization                  9.83
DoS incidents per organization                           7.82
Total number of incidents per organization               30.12 (2.2x more than reported in 2018)

More than half the organizations who report being subject to an infiltration incident were subject to ransomware demands, encryption of data, and/or deletion of data.


TABLE 4. Percent of reported infiltration incidents where organizations were subject to a major impact

MEANS                                                                TOTAL 2019
Base: All Respondents                                                (407)
Infiltration incidents per organization                              9.83
Percentage of infiltration incidents where organization was subject to:
  • Ransomware demands                                               47.74%
  • Encryption of data                                               44.52%
  • Deletion of data                                                 31.61%

88% (87.74) of organizations that reported infiltration incidents were subject to ransomware demands, encryption of data, or deletion of data

• 100% of organizations surveyed report experiencing cyber security attacks over the past 12 months
• 58.48% report having data exfiltrated
  • 24.64% of organizations subject to exfiltration had sensitive but non-personally identifiable information (PII) exfiltrated
  • 25.13% of organizations subject to exfiltration had PII customer or employee information/data exfiltrated
• 38.08% report being infiltrated
  • 27.81% of organizations subject to infiltration had sensitive but non-personally identifiable information (PII) involved in their infiltration(s)
  • 22.96% of organizations subject to infiltration had PII customer or employee information/data involved in their infiltration(s)
• 18.18% report having data subjected to ransomware demands
• 16.95% had their data encrypted
• 12.04% had data deleted
• 87.74% of organizations that reported infiltration incidents were subject to ransomware demands, encryption of data or deletion of data
• 34.15% experienced their network going down as a result of DoS attacks

Total cost of compromise has increased dramatically


The percentage of organizations suffering a major cyber security incident and the reported cost of addressing cyber attacks have risen dramatically. Ninety-three percent of responding
organizations suffered at least one major cyber security incident in the past 12-months (87% in 2018). Respondents provided feedback on the direct and indirect costs of a security breach,
including lost revenue.

The average cost per organization of responding to and recovering from major cyber security incidents ranged from $4.6 million to $5.8 million based on the attack categorization (compared to
last year’s average of $3.7 million per organization).
• Exfiltration: $4.8 million
• Infiltration: $4.6 million
• Denial of Service: $5.8 million

TABLE 5. Cost of attacks for exfiltration, infiltration, and DoS for organizations subject to each attack category over the past twelve months

                                                              ATTACK CATEGORY
                                                   TOTAL        EXFILTRATION    INFILTRATION    DENIAL OF SERVICE
Base: Total survey base / percent of organizations N=407        (238) = 58.5%   (155) = 38.1%   (139) = 34.2%
  subject to attack type
Hard and soft costs incurred to respond to and     $6,033,380   $4,787,220      $4,629,280      $5,780,400
  fully recover from all attacks experienced in
  the category*
Cost per employee                                  $2,677       $2,124          $2,054          $2,565
Business days of downtime for organizations that                8.8             15.7            19.2
  suffered downtime
Employee work days expended responding and         19.4         18.6            23.7            19.0
  recovering
Average number of files or records compromised                  134             117
  for organizations where files/records were
  affected
Percent of files that contained sensitive/                      24.6%           27.8%
  proprietary but non-PII data
Percent of files that contained customer or                     25.1%           23.0%
  employee PII
Percent of infiltration attacks where data was subject to:
  Ransomware demands                                                            47.7%
  Encryption                                                                    44.5%
  Deletion                                                                      31.6%

* NOTE: Hard and soft costs defined as lost revenue, lost profit, staff time, legal costs, customer outreach, software, services, brand image, competitive standing impacts, and employee morale impacts

Not all organizations will have experienced major cyber security incidents in all three attack categories so these costs should not be considered additive. What they show is the
average costs incurred by organizations subject to security compromises across exfiltration, infiltration, and DoS. Malicious actors adapt to an organization's defences and will attack
in varied ways, making it critical to adopt cyber security tools and practices that can help address different attacks.


Despite the data, Canadian organizations are still unprepared

When asked how confident they are in their organization’s ability to prevent cyber security breaches from happening, only 11% of survey respondents had a “high” degree of confidence. Forty-three
percent considered themselves to be confident, but not to the highest degree.

What we see year over year is a very large increase (22%) in the confidence of smaller organizations regarding their ability to prevent cyber security breaches from happening versus medium/large,
and enterprise-sized organizations whose confidence has dropped significantly compared to last year (64% and 64% respectively).

TABLE 6. How confident are you in your organization's overall ability to prevent cyber security breaches from happening?

ORGANIZATION SIZE
TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Base: All Respondents (407) (83) (202) (122)
Highly confident 11% 18% 9% 9%
Confident 43% 43% 43% 41%
Neutral 37% 30% 37% 42%
Not confident 9% 8% 10% 8%
Not at all confident 0% 0% 0% 0%

A similar change has occurred in the results for organizations' confidence in their ability to effectively respond to cyber security breaches once they have happened:
• Smaller organizations' overall confidence (highly confident and confident) in their ability to effectively respond (70%) has increased significantly versus 2018 (57%)
• Medium/large (63%) and enterprise (59%) organizations are less confident this year compared to 2018 (66% and 66% respectively), with fewer enterprise-level organizations reporting high confidence in their ability to respond to cyber security breaches once they have occurred

TABLE 7. How confident are you in your organization's overall ability to detect and respond to cyber security breaches once they have happened?

                                                   ORGANIZATION SIZE
PERCENTAGE                   TOTAL    SMALLER    MEDIUM/LARGE    ENTERPRISE
Base: All Respondents        (407)    (83)       (202)           (122)
Highly confident             15%      20%        14%             12%
Confident                    48%      49%        49%             47%
Neutral                      28%      24%        29%             30%
Not confident                9%       6%         8%              11%
Not at all confident         0%       0%         0%              0%
Cost of responding to and fully recovering from attacks per employee
  (average across exfiltration, infiltration and DoS)
                             $2,677   $42,435    $3,199          $2,831


Decrease in enterprise confidence coincides with significant increase in attacks on enterprise

The average number of attacks per organization per year for enterprise increased by 61% to 1,152 attacks per organization versus only 714 in 2018. One possible explanation could be that attackers
have significantly increased their attack activities against the enterprise in an attempt to increase their success rates to the same levels achieved against smaller-sized organizations.

TABLE 8. Attacks versus success rate for exfiltration, infiltration and denial of service incidents

                                                   ORGANIZATION SIZE
                                          TOTAL    SMALLER    MEDIUM/LARGE    ENTERPRISE
Base: All Respondents                     (407)    (83)       (202)           (122)
Number of times in the past 12 months that an organization has been subject to:
  IT security-related attack or threat    440      60         166             1,152
  Exfiltration                            21       14         27              16
  Infiltration                            26       25         30              19
  DoS                                     23       14         29              21
Success rate of attacks as % of total IT security related attacks or threats faced over the past 12 months:
  Exfiltration                            4.8%     23.3%      16.3%           1.4%
  Infiltration                            5.9%     41.7%      18.1%           1.6%
  DoS                                     5.2%     23.3%      17.5%           1.8%
Organizations that conduct NO employee training on identifying attacks such as phishing and other scams:
                                          9.0%     14.5%      8.4%            6.6%

The high success rate of attacks against smaller and medium/large organizations allows malicious actors to shift attack volume to enterprise. Corresponding with a relative deficiency in
employee training on identifying attacks such as phishing and other scams, smaller organizations were particularly vulnerable to infiltration.


FINDING 2: DETECTION AND RESPONSE TIME IS TOO SLOW, RESULTING IN HIGH COSTS

It is well known among security professionals that every organization is going to face the threat of a cyber security attack; how an organization is prepared to mitigate that attack is, in large part, what determines whether sensitive data is compromised or exfiltrated. Every second counts when a malicious actor is inside your network, and it is essential to minimize detection and response time in order to keep an attack from becoming an exfiltration, infiltration, or DoS incident.

Detection and response are taking weeks

The majority of respondents have reported that it takes days to weeks to detect and respond to cyber compromise (see Table 9). Detection times for exfiltration and infiltration attacks are similar:
Approximately 43% of responding organizations detect within a week (and 10.5% within a month), but the time to respond is longer for exfiltrations, leaving more time for attackers to steal data.
Cyber resilience is negatively impacted due to deficiencies in incident response and recovery planning, resulting in more downtime, which increases the cost of cyber security incidents.

TABLE 9. Detection and response times for infiltration and exfiltration by organization size

                                 ORGANIZATION SIZE
PERCENT                     TOTAL     SMALLER    MEDIUM/LARGE    ENTERPRISE
Base: All Respondents       (407)     (83)       (202)           (122)
Detect an infiltration
  Within hours              46.44%    49.40%     45.05%          46.72%
  Within a week             42.75%    37.35%     44.55%          43.44%
  Within a month            10.81%    13.25%     10.40%          9.84%
Detect a breach
  Within hours              46.19%    46.99%     48.02%          42.62%
  Within a week             43.49%    45.78%     38.61%          50.00%
  Within a month            10.32%    7.23%      13.37%          7.38%
Respond to an infiltration
  Within hours              47.17%    46.99%     48.51%          45.08%
  Within a week             49.14%    51.81%     46.53%          51.64%
  Within a month            3.69%     1.20%      4.95%           3.28%
Respond to a breach
  Within hours              32.68%    33.73%     33.17%          31.15%
  Within a week             56.27%    55.42%     54.46%          59.84%
  Within a month            11.06%    10.84%     12.38%          9.02%


Recovery time is increasing

The average number of work days spent by an organization’s security/IT/legal and any other relevant staff recovering from cyber security breaches increased significantly to 19.4 days, from 16.1
days in 2018. Spending more time returning to a trusted state and normal operations increases the cost of breaches, so this is a key factor in the increased cost of cyber compromise this year.

FIGURE 1. How many work days do you estimate your organization's security/IT/legal and any other relevant staff spent recovering from breaches over the past year? (average work days) Enterprise 22.4; Medium/Large 17.4; Smaller 19.9; Total 19.4

Deficiencies in planning for incident response and recovery back to trusted state leaves organizations vulnerable in the wake of a breach

Survey respondents were asked how they would best describe their organization’s incident response plan. Four responses representing low maturity (no/informal plan), mid-level maturity
(documented but not often updated) and high maturity (fully documented and regularly updated) were included:
• We do not have a security incident response plan
• Our security incident response plan is informal
• We have a documented security incident response plan, but it is not often updated
• We have a fully documented security incident response plan and it is regularly updated


An organization's security incident response plan represents its blueprint for responding to exfiltration, infiltration, and DoS cyber security attacks and encompasses roles and responsibilities,
assessment of incidents, how the plan relates to other organizational policies and procedures and any applicable reporting requirements. Approximately one quarter of survey respondents
indicated that their organizations had a fully documented plan, down from 32% in 2018.

FIGURE 2. Which of the following best describes your organization's incident response plan? (percent of respondents)

                                                                         ENTERPRISE   MEDIUM/LARGE   SMALLER   TOTAL
We do not have a security incident response plan                         6.6%         7.4%           9.6%      7.6%
Our security incident response plan is informal                          18%          28.2%          30.1%     25.6%
We have a documented incident response plan, but it is not often updated 48.4%        37.6%          37.4%     40.8%
Fully documented security incident response plan, and it is regularly
  updated                                                                27.1%        26.7%          22.9%     26%


An out of date incident response plan can impair an organization’s response as the people, processes, and technologies it refers to may no longer be relevant. Plans need to be updated regularly,
and especially whenever a significant change to an organization occurs. Adoption of new technologies, changes in staff, new legislation, and mergers and acquisitions are all examples of
changes to an organization that need to be reflected in updates to its incident response plan. As more and more breaches are being reported, organizations need to be ready with an effective
response plan.

FIGURE 3. What triggers your organization to update your incident response plan? (percent of respondents)

                                                            ENTERPRISE   MEDIUM/LARGE   SMALLER   TOTAL
We do not have an incident response plan                    4.9%         6.9%           9.6%      6.9%
Adoption of new technologies                                44.3%        27.2%          28.9%     32.7%
Internal changes to the organization                        25.4%        26.7%          26.5%     26.3%
Mergers or acquisitions                                     48.4%        39.1%          26.5%     39.3%
Security researchers reporting new threats or discovery
  of breaches                                               24.6%        24.8%          26.5%     25.1%
Breaches being reported in the news                         27.1%        27.2%          26.5%     27.0%
A security incident at my organization                      41%          39.6%          37.4%     39.6%
Changes to industry standards                               22.1%        20.8%          31.3%     23.3%
Changes to government legislation                           36.9%        28.2%          37.4%     32.7%
Periodic reviews (updated every year)                       58.2%        43.6%          39.8%     47.2%
Outcomes from table top exercises                           21.3%        20.8%          24.1%     21.6%


Survey respondents indicated that yearly reviews and security incidents were the top reasons for updating their incident response plans. Periodic reviews are a good starting point, but ideally plans should be updated whenever any of the events in Figure 3 occur. It is critical for organizations to conduct proactive reviews and updates of their incident response plan. The midst of a security incident is not the time to discover that your incident response plan is in urgent need of an update. If the plan is found to be out of date during an incident, those updates are no less important, but ideally a live incident should not be the second most common reason the plan is reviewed. Proactive incident response posturing leads to minimized damages and losses from a breach. For example, it may prevent an intrusion from becoming an exfiltration. Planning ahead allows for faster response.

Depending on the severity of a cyber security incident, an organization may have a long journey ahead before recovering to a trusted state and normal operations. A key objective of a proactive
cyber resilience posture is reducing the amount of time an organization spends recovering to a trusted state. Recovery and business continuity planning therefore make up crucial elements of any
cyber resilience plan.

Survey respondents were asked how they would best describe their organization's plans for recovery back to a trusted state and normal operations (Table 10). This included short term plans for
initial response to a data breach and long-term plans for returning to normal operation.

TABLE 10. Which of the following best describes your organization's plan for recovery back to trusted state after a data breach?

ORGANIZATION SIZE
PERCENT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Base: All Respondents (407) (83) (202) (122)
Provides a step-by-step process for the initial response to a data breach
Fully detailed and documented processes 27.03% 22.89% 26.24% 31.15%
Processes are in place but documentation is not complete 37.59% 46.99% 34.65% 36.07%
Processes are in place but there is no documentation as of yet 23.10% 15.66% 25.74% 23.77%
Ad hoc processes are in place 12.29% 14.46% 13.37% 9.02%
Provides a process for recovering to a trusted state and normal operation after a breach
Fully detailed and documented processes 36.36% 32.53% 36.14% 39.34%
Processes are in place but documentation is not complete 31.70% 33.73% 33.66% 27.05%
Processes are in place but there is no documentation as of yet 16.46% 19.28% 15.35% 16.39%
Ad hoc processes are in place 15.48% 14.46% 14.85% 17.21%


The percentage of survey respondents indicating their organization has only ad hoc plans for returning to a trusted state and normal operation (15.5%) is double the ad hoc percentage for incident response plans (7.6%). This indicates organizations are better prepared to deal with the initial response to a data breach than they are to return to normal operations after a breach has occurred.

Having cyber resilience fundamentals in place significantly improves detection, response, and downtimes

Organizations that practice cyber resilience fundamentals experience reduced response and recovery times. Where these fundamentals are in place, detection of and response to infiltrations and breaches are more likely to occur within hours to a week, as opposed to weeks to a month for organizations that do not practice them.

TABLE 11. Including basic incident response and recovery plans in security planning significantly reduces time to detect and respond

PERCENT TOTAL INCLUDES BASIC INCIDENT RESPONSE AND RECOVERY PLANS IN SECURITY PLANNING BASIC INCIDENT RESPONSE AND RECOVERY PLANNING NOT INCLUDED
Base: All Respondents (407) (110) (297)
Detect an infiltration
Within hours to a week 89.19% 93.63% 87.54%
Within weeks to a month 10.81% 6.36% 12.46%
Detect a breach
Within hours to a week 89.68% 91.82% 88.89%
Within weeks to a month 10.32% 8.18% 11.11%
Respond to an infiltration
Within hours to a week 96.31% 98.19% 95.62%
Within weeks to a month 3.69% 1.82% 4.38%
Respond to a breach
Within hours to a week 88.95% 91.82% 87.88%
Within weeks to a month 11.06% 8.18% 12.12%


The impact of practicing cyber resilience fundamentals is especially noticeable in reducing overall time spent recovering from breaches. The average number of work days spent by an
organization’s security/IT/legal and any other relevant staff recovering from cyber security breaches increases from 16.4 days for organizations that practice the fundamentals (i.e. at least a basic
level of overall security planning, training, patching/updating, and incident response and recovery planning) to 20.5 days for those that miss performing the fundamentals in any of these areas.

Organizations' expectations for time-to-recovery back to a trusted state remain unrealistic

Despite only 36.4% of the organizations surveyed having fully detailed and documented recovery plans, 66.5% expect to fully recover back to a trusted state and normal operations in less than
2 hours. Many organizations, particularly smaller organizations, have high but unrealistic expectations for a rapid, full recovery after a data breach.

FIGURE 4. Organizations' expectations for time-to-recovery back to a trusted state after a data breach for mission critical processes

PERCENT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Hot - immediate/instant recovery 1.2% 0.0% 2.5% 0.0%
Within minutes, e.g. <5 minutes 4.9% 8.4% 5.0% 2.5%
5-15 minutes 17.4% 18.1% 17.8% 16.4%
15-60 minutes 23.3% 32.5% 24.3% 15.6%
1-2 hours 19.7% 15.7% 17.3% 26.2%
3-8 hours 13.8% 15.7% 14.4% 11.5%
Within 24 hours 13.5% 6.0% 12.4% 20.5%
24 hours+ 6.1% 3.6% 6.4% 7.4%


Percentage of highly confidential data is on the rise

The increase in confidential data coincides with increased awareness of regulatory requirements such as Canada's Digital Privacy Act (PIPEDA) and the EU's GDPR. The growth in data collection for the ever-expanding application of data analytics may also contribute to the increase in confidential data storage.

FIGURE 5. Organizations are storing more highly confidential data than ever

Large organizations have more data, but the percentage which is highly confidential is independent of business size.

PERCENT OF DATA TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Top Secret/Highly Confidential 38.5% 41.5% 37.7% 37.7%
Proprietary/Internal Use 33.3% 31.4% 33.9% 33.8%
Public 28.2% 27.1% 28.5% 28.6%

Has your organization identified and classified all its data assets? In the event of a cyber security attack do you have a plan to ensure the confidentiality, integrity, and continued availability of your data? Does your organization train users on the proper handling of data – whether confidential, proprietary or public?


In terms of cyber resilience fundamentals, the end user is critical in dealing with risks to confidential and proprietary data.

Training end users on the proper handling procedures, policies, and practices for the different data classifications – confidential, proprietary, and public – is becoming more and more important as the
amount of confidential and proprietary data increases. Despite the increase in awareness about training, 48.4% of the organizations surveyed (half of them medium/large) reported they practice no, or
only ad hoc training on data handling. Furthermore, 14.5% of smaller organizations conduct no employee training at all on identifying attacks such as phishing and other scams. Correspondingly, the
success rate of exfiltration and infiltration attacks against medium/large and smaller organizations is dramatically higher than it is for enterprise (see Table 12).

TABLE 12. Success rate of cyber attacks by organization size and attack type

ORGANIZATION SIZE
PERCENTAGE TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Base: All Respondents (407) (83) (202) (122)
Success rate of attacks as % of total IT security-related attacks or threats faced over the past 12 months
Exfiltration 4.8% 23.3% 16.3% 1.4%
Infiltration 5.9% 41.7% 18.1% 1.6%

Study participants' top three organizational concerns all relate to end-user risk:

Insider/malicious employee threat or risk (for example untrained end-users)
Mobile threats (primarily target untrained end-users)
Data not being backed up (end users may contribute significantly to this problem in many organizations)

Does your organization train users on the proper handling procedures of different data classifications?

The average cost of a breach per end user is $2,677*

*Average across all size organizations

FINDING 3: EVOLVING THREATS CREATE NEW OPPORTUNITIES FOR MALICIOUS ACTORS

Security coverage requirements keep growing

To help assess the level of exposure organizational networks have to external access, survey respondents were asked how their organizations provide remote access to their networks via the internet. While these types of exposure are often necessary for business purposes, they create opportunities for malicious actors to circumvent network security controls by using man-in-the-middle* or phishing-style attacks to steal user credentials and gain access to the organization's network.

FIGURE 6. Organizations providing remote access to their network via the internet

PERCENT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Employee access to corporate network from outside the office 23.6% 24.1% 21.8% 26.2%
Employee HR portal 85.3% 54.2% 92.6% 94.3%
Customer portal 62.4% 71.1% 61.4% 58.2%
3rd party portal 44.0% 26.5% 48.0% 49.2%
Online payments 57.0% 50.6% 58.9% 58.2%

*A man-in-the-middle (MITM) attack is a form of eavesdropping in which communication between parties who believe they are communicating directly with each other is intercepted, and possibly modified, by an unauthorized third party. The attack involves the victim, the party they are communicating with, and "the man in the middle", who intercepts the communications or data without either party's knowledge.

All survey respondents indicated their organization provides at least one type of remote access to their network through the internet. Employee HR portals are so widespread a majority of smaller
organizations have even adopted them (see Figure 6). Other forms of remote access including customer portals, third party portals, online payments, and mobile employee access to the corporate
network also have significant adoption. As organizations continue to adopt Software as a Service (SaaS) solutions, this will continue to increase.

Training employees to recognize attacks and to use proper password and identity management controls – especially in organizations with mobile and VPN access to the corporate network – is a crucial component of practicing cyber resilience fundamentals. Smaller and medium/large organizations in particular have been deficient in this area: 14.5% of smaller organizations conduct no employee training at all on identifying attacks such as phishing and other scams, and 55.4% of medium/large organizations conduct only ad hoc or no training (Table 12 shows attacks are much more successful against smaller and medium/large organizations than they are against enterprise).

Enterprise and medium/large organizations can have dozens of third-party suppliers, partners, and vendors with access to their network and data. It is important that organizations realize they are
responsible for any personally identifiable information (PII) that they collect, including data that is stored and accessed by third parties. Any security strategy needs to have a holistic view of
data-flows between organizations and be planned accordingly.

You are responsible for properly securing your network and training your employees, as well as for ensuring that third parties are properly handling and
securing your data. Ensure you understand the data-flow between third-party suppliers, partners, and vendors and your organization.

Year over year Canadian organizations are taking partner security more seriously, with 38% indicating they have considered partner security in a comprehensive manner when creating a security
plan, up from 26% in 2018.

TABLE 13. Does your security plan consider your key suppliers and third-party relationships, and the data flows between them?

ORGANIZATION SIZE
PERCENT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Base: All Respondents (407) (83) (202) (122)
Yes - in a comprehensive manner 38% 41% 37% 37%
Yes - but we should look at this in more detail 54% 57% 54% 51%
No 9% 2% 9% 12%
Not sure/don't know 0% 0% 0% 0%

Still, 54% of organizations admit they have not considered third-party relationships in a comprehensive manner, and 9% indicate they have not considered third-party relationships at all. This is
especially concerning for enterprise organizations with 12% admitting they have not considered third-party relationships when creating their security plan.


Canadian organizations are becoming more concerned about third-party security but there is more work to be done. Only 38% of survey respondents indicated that their organizations consider third-party security in a comprehensive manner when creating a security plan.

Canadian organizations faced stringent government regulations in 2018

The majority of Canadian organizations report that they are required to comply with a number of government or industry regulations, which indicates they are held to fairly high privacy and data security requirements. Fifty-five percent of respondents indicate their organization must comply with three or more of the government or industry regulations we asked about. While not all organizations handle personal information in the course of commercial activity as defined in PIPEDA and the Digital Privacy Act, it would still be advisable to comply with the general principles set out in that legislation.


FIGURE 7. Which of the following government or industry regulations does your organization need to be compliant with?

PERCENT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
NERC/FERC 12.5% 15.7% 9.9% 14.8%
HIPAA, PHIPA 6.1% 4.8% 7.9% 4.1%
SOX, C-SOX 62.4% 51.8% 63.9% 67.2%
FFIEC, ITAR, OSFI, FedRAMP, FISMA 16.0% 14.5% 17.3% 14.8%
GDPR 64.4% 61.5% 63.9% 67.2%
Digital Privacy Act/PIPEDA 71.3% 56.6% 71.3% 81.2%
PCI 41.8% 47.0% 36.1% 47.5%

On November 1st, 2018 mandatory breach notification came into effect under PIPEDA, bringing steep fines to organizations that fail to disclose data breaches to the Privacy Commissioner and affected customers. This legislation applies to the vast majority of Canadian organizations that handle personal information in the course of commercial activity. If one of your partner organizations is breached and your data is exposed, your organization could be liable as well.


The Attack Surface Continues to Evolve

The attack surface for devices was estimated by asking respondents for their networked device and hardware counts. The number of networked devices and hardware increases steeply with organization size, yet the larger attack surface of enterprise organizations did not translate into a higher number of security incidents. In general, enterprise organizations appear to be doing a better job of securing their attack surface despite having many more devices and hardware.

FIGURE 8. Attack surface in terms of average number of networked devices/hardware increases exponentially as organization size increases

AVERAGE COUNT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
PCs/laptops 2,123 310 947 5,074
Smartphones/tablets 1,277 217 529 3,103
Servers (virtual or physical) 80 13 43 180
TBs of storage capacity attached to/within servers 938 147 551 2,016


In terms of device/hardware counts, market trends including "Bring Your Own Device" (BYOD), cloud adoption, and lower storage prices have affected what is connected to the network. Within the organization sizes surveyed (minimum 15 employees for smaller organizations, enterprise is 5,000+ employees), average PC/laptop deployment decreased to 2,123 per organization in 2019 versus 2,333 in 2018, smartphones decreased to 1,277 in 2019 versus 1,716 in 2018, and servers decreased to 80 in 2019 versus 187 in 2018, while storage capacity more than tripled to 938 TB from 273 TB in 2018.

FINDING 4: CLOUD SECURITY STRATEGY IS NOT KEEPING UP WITH THE RATE OF ADOPTION

Canadian organizations have embraced cloud (see Figure 9), but many have not done so in a secure way. An organization’s cloud strategy needs to be integrated into its cyber
security strategy, but for many, securing the cloud comes as an afterthought. Recently the media has highlighted several large-scale breaches of IaaS and PaaS environments caused
by a lack of basic security controls and configuration errors. Organizations need to understand that securing public cloud environments is a shared responsibility between customer
and provider, and customers’ responsibilities vary between SaaS, PaaS, and IaaS. In reality, malicious actors are not concerned with where an organization’s data is stored and will
seek out vulnerabilities regardless of the IT environment. It is crucial for organizations to integrate security into their cloud roadmap and understand their responsibilities for securing
these environments.

TABLE 14. Number of attacks on on-premise infrastructure and applications versus cloud-based infrastructure and applications

ORGANIZATION SIZE
MEANS TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Base: All Respondents (407) (83) (202) (122)
Attacks against on-premise infrastructure/applications 214.06 35.73 85.22 (139% increase from Smaller) 548.71 (544% increase from Medium/Large)
Attacks against cloud-based infrastructure/applications 216.05 22.83 77.23 (238% increase from Smaller) 577.36 (648% increase from Medium/Large)


One in ten Canadian organizations have completely migrated to cloud

In Canada, 75% of organizations have either fully adopted cloud or are using a hybrid model of on-premise environments complemented by either IaaS or PaaS. Smaller organizations are more likely to remain on-premise, while medium/large and enterprise organizations are more likely to go entirely cloud-based.

FIGURE 9. Three quarters of organizations have embraced cloud but not necessarily in a secure way (categories as described in the accompanying text)

PERCENT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Fully cloud-based 12.3% 4.8% 15.8% 11.5%
Hybrid (on-premise complemented by IaaS or PaaS) 62.4% 67.5% 56.9% 68.0%
On-premise only 25.3% 27.7% 27.2% 20.5%


Organizations fail to update and patch cloud environments as quickly as on-premise

When updating and patching, Canadian organizations give higher priority to their on-premise infrastructure, operating systems, and applications than their public cloud environments. Survey
respondents indicated that their organizations are patching on-premise network equipment, databases, apps, servers, and web applications faster than their public cloud environments. Less than
60% of Canadian organizations update/patch public cloud environments within a week of patch releases, versus 63% for on-premise network equipment, and 75% for on-premise databases, apps,
servers, and web applications. Medium/large organizations are the slowest to update and patch their cloud environments.

TABLE 15. On-premise IT environments are given priority for installing security updates/patches and upgrades over public cloud

ORGANIZATION SIZE
PERCENT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Base: All Respondents (407) (83) (202) (122)
Network Equipment
Immediately when released 10% 10% 11% 9%
Within a week 53% 52% 51% 58%
Within a month 31% 33% 33% 28%
Within a year or longer 5% 6% 5% 5%
On-premise databases, apps, servers
Immediately when released 23% 30% 20% 22%
Within a week 52% 45% 54% 55%
Within a month 25% 25% 25% 23%
Within a year or longer 0% 0% 1% 0%
Web Applications
Immediately when released 29% 30% 29% 28%
Within a week 47% 40% 49% 48%
Within a month 24% 30% 22% 24%
Within a year or longer 0% 0% 0% 0%
Public Cloud
Immediately when released 7% 5% 7% 10%
Within a week 51% 58% 48% 53%
Within a month 38% 35% 43% 34%
Within a year or longer 3% 2% 3% 3%


Updating/patching within a reasonable time period is a key component of practicing cyber resilience fundamentals. Taking longer than a month to install security updates, patches, and upgrades
leaves a significant amount of time for malicious actors to exploit vulnerabilities in out-of-date infrastructure, operating systems, and solutions.

Of the survey respondents, 8.4% indicated that it took them longer than a month to patch an aspect of their IT environment. Over 90% of these respondents understood the risks associated with
unpatched IT environments, with 59% unable to update/patch faster due to IT and business reasons. Of greater concern, one third of these respondents indicated that they were aware of the risks
they were exposing their organization to but were willing to take these risks or had no particular reason why they didn’t patch or update sooner.

TABLE 16. Does your organization understand the potential security risks and vulnerability it is exposing itself to by not updating/patching on a timely basis?

ORGANIZATION SIZE
PERCENT TOTAL SMALLER MEDIUM/LARGE ENTERPRISE
Base: Respondents taking longer than a month to patch (34) (7) (17) (10)
No - not fully, we need more education 9% 14% 6% 10%
Yes (net) 91% 86% 94% 90%
Yes - and there's really no good reason why we don't update/patch sooner 24% 29% 24% 20%
Yes - but for various IT or business-related reasons we can't update/patch any sooner 59% 43% 65% 60%
Yes - but for our risk profile versus the pain/issues we have implementing certain updates/patches it's a risk we are willing to take 9% 14% 6% 10%


FINDING 5: STRATEGY FOCUS IS SHIFTING FROM PROTECTION TO DETECTION AND RESPONSE

In a market as heavily fragmented as security, selecting the proper security controls, tactics, and tools is an ongoing priority for Canadian organizations. As budgets are finite,
organizations must carefully consider and invest in the security solutions that will be most effective at reducing risk based on each individual environment and their business
objectives. Today, many organizations find traditional perimeter and endpoint security controls most effective at protecting their organizations, but this viewpoint is set to change
significantly over the next three years. By 2022, Canadian organizations expect that detection controls based on artificial intelligence and machine learning will significantly add to the
security of their organizations.

Table 17 presents survey respondents’ perception of the security controls/tactics/tools that will be most effective at adding to their security position three years from now versus
what is most effective today.

TABLE 17. Which controls, tactics, or tools do you feel have been the most effective at protecting your organization from cyber security threats over the past year, and which would you be most interested in looking at to add additional effectiveness over the next three years?

SECURITY CONTROL/TACTIC/TOOL TODAY 3 YEARS
Controls
Email Security 61% 18%
Identity and Access Management 60% 15%
Web Content Filtering 58% 20%
Vulnerability Management 48% 22%
Endpoint Protection 43% 25%
Data Security (encryption/DLP) 26% 50%
Security Monitoring (SIEM, Log Management) 24% 53%
DNS Security 23% 21%
Next Generation Firewalls/IPS 20% 57%
User Behaviour Analytics (UBA) 20% 45%
Endpoint Detection and Response (EDR) 17% 33%
Tactic
Security Awareness Training 44% 19%
Threat Hunting 19% 50%
Tools
Risk and Compliance Automation 17% 14%
Breach Response and Forensics Tools 13% 46%
Security Orchestration Tools 6% 13%

The following are the major trends in technology, tactics, and tools we expect to see over the next 3 years:

Organizations use the full feature set of their Next Generation Firewalls (NGFWs). Many organizations have next generation firewalls in place, but few actually use them to their full advantage. Modern NGFWs can handle items such as identity management, malware and antivirus analysis, and compliance; however, complex configurations, licensing fees, and throughput concerns hamper adoption. As more vendors build out security platforms and fabrics, Canadian organizations expect tight integration between their NGFWs and other security controls to better secure their organizations. Higher performing ASICs and simpler licensing will allow more organizations to leverage advanced NGFW features.

Monitoring controls become a necessity. Continuous monitoring of the network and endpoint via SIEM and EDR is viewed as being pertinent to security effectiveness in the future. Monitoring
controls are becoming more important, but so are monitoring tactics such as threat hunting.

Increased focus on internal threats. Data security controls such as data loss prevention (DLP) control user access to data under specified conditions, while UBA can detect unusual user activity. The ability of UBA to increase proactive cyber resilience by helping identify anomalous behaviour will grow over time as the amount of data available for analysis (alerts generated) increases with protection technology deployment.

Increased breach response and forensics tools adoption. Breach response and forensics tools trailed only NGFWs in respondents’ perception of security controls that will be most effective at
adding to their security position in the future. An increased focus on response will improve the cyber resilience of Canadian organizations.


Enterprise organizations see tactics and tools as the most effective way to secure their organizations

Today, regardless of size category, organizations have similar views as to what security controls are most effective at securing their organizations, but there is significant divergence looking ahead.
Enterprise organizations are the only organizations to rank security awareness training as a top 5 most effective technology, tactic, or tool today, but over the next three years threat hunting, and
breach response and forensics tools will top their lists. Respondents from Smaller and Medium/Large organizations indicated that NGFWs will be the most effective at securing their businesses in
three years’ time.

TABLE 18. Most effective security controls/tactics/tools by organization size today

RANK SMALLER MEDIUM/LARGE ENTERPRISE
1 Web Content Filtering Identity and Access Management Email Security
2 Identity and Access Management Email Security Web Content Filtering
3 Email Security Web Content Filtering Identity and Access Management
4 Vulnerability Management Vulnerability Management Security Awareness Training
5 Data Security (encryption/DLP) Endpoint Protection Endpoint Protection

TABLE 19. Security controls/tactics/tools most interested in looking at to add additional effectiveness over the next three years

RANK SMALLER MEDIUM/LARGE ENTERPRISE
1 Next Generation Firewalls/IPS Next Generation Firewalls/IPS Threat Hunting
2 User Behaviour Analytics Security Monitoring Breach Response and Forensics Tools
3 Security Monitoring Data Security (encryption/DLP) Security Monitoring
4 Data Security (encryption/DLP) Threat Hunting Next Generation Firewalls/IPS
5 Threat Hunting Breach Response and Forensics Tools User Behaviour Analytics


PART 4: CONCLUSIONS
Canadian organizations are still too confident in their ability to successfully defend against cyber security attacks, but changes in behaviour are occurring. The new normal of cyber security breaches occurring on a regular basis has organizations rethinking their cyber security strategies. Many recognize a future need to adopt technologies leveraging artificial intelligence and machine learning that can more proactively detect malicious activity on networks and devices, but they still have deficiencies in how they handle the security risk created by people and by inadequate cyber security planning. Organizations that understand cyber resilience and take a holistic approach encompassing more than just the protection provided by security controls suffer far fewer security incidents, and significantly reduce the costs associated with them.

Although the average number of cyber attacks per organization declined slightly this year, the costs associated with cyber security incidents have risen. Malicious actors shifted their attack volume toward enterprise organizations, while attack success rates were dramatically lower for this size group than for smaller and medium/large organizations. The average annual hard and soft costs per organization of addressing cyber security incidents vary by category: $4.8 million for exfiltration, $4.6 million for infiltration, and $5.8 million for DoS. Increased network downtime and days spent recovering after a breach were significant factors in the higher cost of cyber security incidents reported this year.

KEY CALLS-TO-ACTION FOR CANADIAN ORGANIZATIONS

Conduct Regular Threat Risk Assessments (TRAs)

Before a cyber resilience plan can be created or updated, an organization must understand its current vulnerabilities and the risks associated with them. There are a number of frameworks available for assessing risk, such as NIST SP 800-30 and Open FAIR, but calculating risk is complicated and many organizations turn to a third party for help. As modern organizations have a constantly evolving attack surface, it is important to understand the acceptable level of risk before investing in resources to secure assets. TRAs can provide insight into these considerations, and should be conducted regularly, and especially whenever any significant change occurs to the business.

Create a cyber resilience plan and keep it up to date

The NIST Cybersecurity Framework is an excellent guide for organizations creating a cyber resilience plan. Many organizations focus too strongly on protection – investing in security controls – rather than on detection and response capabilities. Ensure your plan covers all five NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, and Recover. Cyber resilience plans need to be updated whenever a TRA is conducted. However, following a framework does not guarantee security. It is important to implement the framework in an effective way, based on your business objectives and environment. Know which assets require the highest levels of protection. Be sure that you have a well-defined and up-to-date incident response plan that is reviewed and rehearsed often through simulated exercises.

Practice cyber resilience fundamentals

Creating a cyber resilience plan is a great start but adhering to it can be challenging. Organizations that conduct the fundamentals of cyber resilience on an ongoing basis significantly improve their security posture; implementing even basic incident response and recovery plans has significant benefits versus having no plans at all.

Cloud security should be included in adoption roadmap planning

As the rate of cloud adoption continues to accelerate, cyber resilience planning for cloud is critical, including patching, visibility, and the shared responsibility model. Cloud infrastructure is targeted as often as on-premise infrastructure, and therefore its security posture should be defined as part of the migration. To help with this, be sure you are familiar with the shared responsibility split that applies to your consumption model (SaaS, PaaS, or IaaS).

Shift from a sole focus on protection to include monitoring and response

If your protection strategy is effective, we do not recommend discontinuing it. However, the number of logs and alerts keeps growing as more effective protection solutions are deployed, and these need to be monitored and acted upon. Keep an eye on how machine learning and AI are affecting solutions and offerings in the marketplace.
If your organization handles PII and a breach does occur, a strong monitoring and response strategy will be key to your ability to report on the breach and its remediation.

PART 5: CAVEATS
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based
surveys.

NON-RESPONSE BIAS: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses.
Despite nonresponse tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

SAMPLING FRAME BIAS: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in various organizations
in Canada. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a
specified time period.

SELF-REPORTED RESULTS: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey
process, there is always the possibility that a subject did not provide accurate responses.

APPENDIX A: DETAILED SURVEY RESULTS

DEMOGRAPHICS: A sampling frame of 4,688 Canadian IT security and risk & compliance professionals was selected to receive invitations to participate in this survey. All survey participants were screened for direct involvement in improving or managing their organization's IT security. The following charts show the returns after the removal of certain participants based on screening and reliability checks. Our final sample consisted of 407 surveys, or an 8.6% response rate.

The survey firmographics and demographics are as follows:

[Pie charts 1-4 (figure residue; values recovered where the extraction allows):
Pie chart 1, employee size range classification based on organization size: Smaller (15-249) 20.4%, Medium/Large (250-4,999) 49.63%, Enterprise (5,000+) 29.98%. This matches the S2 size bands below.
Pie chart 2, classification based on attacks per year by organization size: the values 60.1, 166.03 and 1,151.98 appear alongside the Smaller, Medium/Large and Enterprise bands; weighted by the Pie chart 1 shares they reproduce the overall mean of 439.97 attacks reported in Q14, so they are read here as the mean number of attacks per year for each band.
Pie chart 3, number of full-time IT staff by organization size: bands 1-2, 3-5, 6-15, 16-40, 41-99 and 100 or more (the counts 19, 57, 128, 119, 64 and 20 appear here and match the S10 counts below).
Pie chart 4, level of respondent: see the job title distribution in S9 below.]


S1. Which of the following industry categories best represents the principal business activity of your organization?
Base: All Respondents (407)
  Business/Professional Services (eg. Legal, Accounting, Engineering, Architecture, etc.): 7.62%
  Personal/Consumer Services (eg. Travel, Beauty, Personal Training, Dry Cleaning, etc.): 3.93%
  Construction: 6.63%
  Hospitality: 6.14%
  IT industry: 9.58%
  Not for profit: 0.00%
  Manufacturing: 8.60%
  Crown Corporation or other publicly funded organization: 0.25%
  Education K-12: 0.00%
  Education College/University: 3.93%
  Financial Services: 7.62%
  Government: 3.69%
  Healthcare: 4.67%
  Primary (eg. Agriculture, Mining, Forestry, etc.): 0.00%
  Oil & Gas or Field Services related: 4.18%
  Retail: 5.16%
  Communications (eg. Cable and Telecommunications Services, etc.): 4.18%
  Media (eg. Radio/TV Broadcasting): 5.90%
  Printing, Publishing, etc.: 3.93%
  Transportation and Warehousing: 5.16%
  Utilities: 4.67%
  Wholesale and Distribution: 4.18%
  Other (please specify): 0.00%
  Don't know: 0.00%


S1a. Which level of government best describes your organization?
Base: All Respondents Who Select Government at S1 (15)
  Federal: 13.33%
  Provincial: 73.33%
  Municipal: 13.33%

S2. How many full-time employees does your company have located within Canada?
Base: All Respondents (407)
  1 - 14: 0%
  15 - 24: 5%
  25 - 99: 4%
  100 - 249: 11%
  250 - 499: 13%
  500 - 999: 18%
  1,000 - 4,999: 18%
  5,000+: 30%
  Don't know: 0%
  Mean: 2,253.60

S3. What percentage of your total employees are located within Canada?
Base: All Respondents (15)
  1% - 9%: 0%
  10% - 25%: 15%
  26% - 50%: 15%
  51% - 75%: 20%
  76% - 100%: 50%
  Don't know: 0%
  Mean: 64.84%


S4. Is your company headquartered in Canada, and if so which of the following areas is it headquartered in?
Base: All Respondents (407)
  Not headquartered in Canada: 0.00%
  Western and Central Canada (BC, AB, SK, MB): 25.06%
  Ontario: 24.82%
  Québec: 25.06%
  Atlantic Canada (NB, NS, NFLD, PEI): 25.06%
  Yukon: 0.00%
  Northwest Territories: 0.00%
  Nunavut: 0.00%

S6. How many full-time IT staff does your organization have?
Base: All Respondents (407)
  None: 0%
  1 - 2: 5%
  3 - 5: 14%
  6 - 15: 31%
  16 - 40: 29%
  41 - 99: 16%
  100 or more: 5%
  Mean: 28.04


S7. Which of the following best describes the department you work for?
Base: All Respondents (407)
  Administration: 0.00%
  Customer Support: 0.00%
  C-level Executive Management excluding IT: 9.83%
  Line of Business Management excluding IT: 0.00%
  CIO/CTO/CSO/CISO, etc.: 8.35%
  Finance/Accounting: 0.00%
  Human Resources: 0.00%
  IT/IS/MIS/Data Centre/IT Security: 67.81%
  Legal/Compliance/Risk: 14.00%
  Logistics: 0.00%
  Manufacturing/Production: 0.00%
  Sales/Marketing: 0.00%
  Purchasing/Procurement: 0.00%
  Research & Development/Engineering excluding IT: 0.00%
  Other: 0.00%

S7a. Do you directly manage IT security for your organization?
Base: All Answering "C-level Executive Management excluding IT" at S7 (40)
  YES: 100.00%
  NO: 0.00%

S8. At your organization, do you play a role in, or are you part of, any of the following?
Base: All Respondents Answering "No" to S7a (367)
  Directing the IT function: 45.78%
  Improving/Managing IT security: 100.00%
  Setting IT priorities: 35.69%
  Managing IT budgets: 33.24%


S9. Which of the following best describes your job title?
Base: All Respondents (407)
  IT Executive - eg. CIO/CTO/VP, CSO/CISO: 17.94%
  IT Director: 15.23%
  Infosec Director: 4.91%
  IT Manager: 16.95%
  Infosec Manager: 3.93%
  IT Supervisor: 7.37%
  Infosec Supervisor: 8.11%
  IT Staff/Associate/Technician: 3.69%
  IT Associate/Staff: 3.93%
  IT Consultant/Contractor: 3.19%
  Legal/Compliance/Risk Executive, Manager, or Staff: 14.74%
  Don't know: 0.00%

S10. How many IT security staff are employed at your organization? (counts of respondents)
Base: All Respondents (407)
  1 - 2: 19
  3 - 5: 57
  6 - 15: 128
  16 - 40: 119
  41 - 99: 64
  100 or more: 20
  Mean: 6.43


S11. Which of the following ranges would your organization's annual revenue (or budget for government) fall under?
Base: All Respondents (407)
  Less than $10 million: 5.41%
  $10 million - $25 million: 18.67%
  $26 million - $99 million: 26.29%
  $100 million - $499 million: 28.50%
  $500 million - $999 million: 14.99%
  $1 billion or more: 6.14%
  Mean: 364.45

Q1. Which of the following government or industry regulations does your organization need to be compliant with?
Base: All Respondents (407)
  PCI: 41.77%
  Digital Privacy Act/PIPEDA: 71.25%
  GDPR: 64.37%
  FFIEC, ITAR, OSFI, FedRAMP, FISMA: 15.97%
  SOX, C-SOX: 62.41%
  HIPAA, PHIPA: 6.14%
  NERC/FERC: 12.53%
  Other: 0.25%

Q2. How many of each of the following does your organization have in Canada? (summary of means)
Base: All Respondents (389)
  PCs/Laptops: 2,122.97
  Smartphones/Tablets: 1,276.56
  Servers (virtual or physical): 80.33
  TBs of storage capacity attached to/within servers (not in PC, smartphone, or other devices): 938.13


Q3. Please indicate how your organization uses the internet to connect with its employees, partners, and customers.
Base: All Respondents (407)
  Online payments: 57.00%
  3rd party portal: 43.98%
  Customer portal: 62.41%
  Employee HR portal: 85.26%
  Employee access to corporate network from outside the office: 23.59%
  None of these apply: 0.00%

Q4. What percentage of the data at your organization would be classified into each of the following levels of sensitivity? (summary of means)
Base: All Respondents (407)
  Top Secret/Highly Confidential: 38.45%
  Proprietary/Internal Use: 33.32%
  Public: 28.23%

Q5. Estimated total annual IT budget (eg. staff, hardware, software, services) of your organization:
Base: All Respondents (407)
  Mean: 10,503.69

Q6. Percentage of total annual IT budget devoted to security?
Base: All Respondents (407)
  Mean: 9.78%

Q7. What percentage of your IT security budget is spent on staff versus all other costs?
Base: All Respondents (407)
  Staff portion of IT security budget: 35.45%
  All other costs: 64.55%


Q8. Which of the following best describes how your organization approaches the following:
Base: All Respondents (407)

  a. Taking inventory of applications, devices and systems.
     Not conducted: 7.62%
     Conducted across select areas/departments of the organization: 51.60%
     Conducted across the entire organization: 40.79%

  b. Discovering/assessing security weaknesses/vulnerabilities across applications, devices, and systems.
     Not conducted: 5.41%
     Conducted across select areas/departments of the organization: 51.84%
     Conducted across the entire organization: 42.75%

  c. Assessing the business impact of data loss/corruption, disruption of work.
     Not conducted: 17.20%
     Conducted across select areas/departments of the organization: 46.93%
     Conducted across the entire organization: 35.87%

  d. Prioritizing deployment of specific security solutions.
     Not conducted: 11.79%
     Conducted across select areas/departments of the organization: 50.37%
     Conducted across the entire organization: 37.84%

Q9. Does your security planning consider your key suppliers and third-party relationships, and the data flows between you and them?
Base: All Respondents (407)
  YES - in a comprehensive manner: 37.84%
  YES - but we should look at this in more detail: 53.56%
  NO: 8.60%
  Not sure/Don't know: 0.00%


Q10. Please select the five security controls, tactics or tools you feel have been the most effective at protecting your organization from cybersecurity threats over the past year, and which (different) five you would be most interested in looking at to add additional effectiveness over the next three years.
Base: All Respondents (407)

  Control / tool                                   Past year   Next three years
  Data Security (Encryption/DLP)                    26.04%      50.37%
  DNS Security                                      23.10%      20.64%
  Identity and Access Management                    60.44%      15.23%
  Next Generation Firewalls/IPS                     20.39%      57.25%
  Web Content Filtering                             57.99%      20.15%
  Email Security                                    60.93%      17.69%
  Security Monitoring (SIEM, Log Management)        24.32%      53.07%
  User Behaviour Analytics                          20.15%      44.96%
  Vulnerability Management                          47.91%      21.62%
  Endpoint Protection                               43.00%      24.57%
  Endpoint Detection and Response (EDR)             17.20%      32.68%
  Threat Hunting                                    19.16%      49.88%
  Security Awareness Training                       43.73%      18.92%
  Breach Response and Forensics Tools               13.27%      45.95%
  Risk and Compliance Automation                    16.71%      14.25%
  Security Orchestration Tools                       5.65%      12.78%

Q11. Which of the following best describes how your organization trains employees on the following?
Base: All Respondents (407)

  a. To frequently update PC and smartphone OS and apps.
     No training: 10.07%
     Ad hoc training and reminders: 37.35%
     Formal training with reminders as required by new threats, etc.: 52.58%

  b. How to use security technology.
     No training: 12.29%
     Ad hoc training and reminders: 38.33%
     Formal training with reminders as required by new threats, etc.: 49.39%

  c. How to identify attacks such as phishing and other scams.
     No training: 9.09%
     Ad hoc training and reminders: 41.03%
     Formal training with reminders as required by new threats, etc.: 49.88%

  d. Proper care of sensitive data such as customer/other employee private data.
     No training: 8.11%
     Ad hoc training and reminders: 40.29%
     Formal training with reminders as required by new threats, etc.: 51.60%

Q12. How long does it take your organization to install security updates/patches (including critical updates/patches) or upgrade to the most secure version of operating systems and applications for the following?
Base: All Respondents (407)

  a. On-premise databases, apps, servers (and the operating systems + applications running on your on-premise infrastructure).
     Immediately when released: 22.85%
     Within a week: 52.33%
     Within a month: 24.57%
     Within a year: 0.00%
     A year or more: 0.25%

  b. Web applications.
     Immediately when released: 28.99%
     Within a week: 46.68%
     Within a month: 24.32%
     Within a year: 0.00%
     A year or more: 0.00%

  c. Network equipment.
     Immediately when released: 10.32%
     Within a week: 53.07%
     Within a month: 31.20%
     Within a year: 4.91%
     A year or more: 0.49%

  d. Public cloud (IaaS/PaaS) (and the operating systems + applications running on cloud infrastructure that your organization administers/manages).
     Immediately when released: 7.37%
     Within a week: 51.35%
     Within a month: 38.33%
     Within a year: 2.95%
     A year or more: 0.00%

Q13. Does your organization understand the potential security risks and vulnerability it is exposing itself to by not updating/patching on a timely basis?
Base: Respondents Answering "Within a Year" or "A Year or More" for Q12 (34)
  NO: 0.00%
  Not fully, we need more education: 8.82%
  YES (NET): 91.18%
    YES - and there's really no good reason why we don't update/patch sooner: 23.53%
    YES - but for various IT or business-related reasons we can't update/patch any sooner: 58.82%
    YES - but for our risk profile versus the pain/issues we have implementing certain updates/patches it's a risk we are willing to take: 8.82%


Q14. Please estimate how many times your organization has been subject to an IT security related attack or threat over the past twelve months:
Base: All Respondents (407)
  0: 0.00%
  1 - 50: 34.64%
  51 - 100: 16.22%
  101 - 200: 17.44%
  201 - 500: 18.43%
  501 - 700: 3.19%
  701 - 1000: 1.97%
  1001 - 1500: 0.98%
  1501 - 2000: 1.72%
  2001 - 3000: 1.47%
  3001 - 4000: 0.74%
  4001 - 5000: 2.21%
  5000+: 0.98%
  Mean: 439.97

Q14a. Is your organization entirely on-premise or entirely cloud-based?
Base: All Respondents (407)
  We are a mix of on-premise and cloud: 62.41%
  Entirely on-premise: 25.31%
  Entirely cloud-based: 12.29%

Q15. Please estimate the number of attacks your on-premise infrastructure/applications were subject to versus your cloud-based infrastructure/applications:
Base: All Respondents (407)
  a. Attacks against on-premise infrastructure/applications. Mean: 214.06
  b. Attacks against cloud-based infrastructure/applications. Mean: 216.05

Q16. Please indicate whether your organization experienced any of the following as a result of attacks it faced over the past year:
Base: All Respondents (407)
  Denial of service (network went down): 34.15%
  Infiltration (attackers gained access to the organization's network/infrastructure/data but no data was exfiltrated): 38.08%
  Breach (data was exfiltrated): 58.48%
  None of these apply: 1.97%

Q17a. For the past year, please estimate the:
Base: All Organizations Subject to DoS Incidents Over the Past Twelve Months (139)
  1. Number of denial of service incidents your organization experienced. Mean: 22.91
  2. Total amount of downtime (in business days) your organization experienced from DoS attacks. Mean: 19.17
  3. Hard costs (eg. staff time, legal, customer outreach, software, services, etc.), $000's. Mean: 4,739.21
  4. Soft costs (eg. brand image, competitive standing, employee morale, etc.), $000's. Mean: 3,509.42


Q17b. For the past year, please estimate the:
Base: All Organizations Subject to Infiltration Incidents Over the Past Twelve Months (155)
  1. Number of infiltration incidents your organization experienced. Mean: 25.82
  2. Total amount of downtime (in business days) your organization experienced from infiltration incidents. Mean: 15.71
  3. Hard costs (eg. staff time, legal, customer outreach, software, services, etc.), $000's. Mean: 4,007.59
  4. Soft costs (eg. brand image, competitive standing, employee morale, etc.), $000's. Mean: 2,595.14
  5. Number of files/records that were affected. Mean: 116.9
  6. Percentage of files impacted that contained sensitive but not personal data. Mean: 27.81
  7. Percentage of files impacted that contained customer or employee information. Mean: 22.96

Q17br6. For infiltration incidents, was any of your data subject to an attacker:
Base: All Organizations Subject to Infiltration Incidents Over the Past Twelve Months (155)
  Making ransomware demands: 47.74%
  Encrypting it: 44.52%
  Deleting it: 31.61%
  None of these apply: 12.26%

Q17c. For the past year, please estimate the:
Base: All Organizations Subject to Breach Incidents Over the Past Twelve Months (238)
  1. Number of breaches your organization experienced. Mean: 21.32
  2. Total amount of downtime (in business days) your organization experienced from breaches. Mean: 8.80
  3. Number of files/records that were affected. Mean: 134.20
  4. Percentage of files exfiltrated that contained sensitive but not personal data. Mean: 24.64
  5. Percentage of files exfiltrated that contained customer or employee information. Mean: 25.13
  6. Hard costs (eg. staff time, legal, customer outreach, software, services, etc.), $000's. Mean: 2,957.56
  7. Soft costs (eg. brand image, competitive standing, employee morale, etc.), $000's. Mean: 2,104.24

Q18a. How long would you estimate it takes your organization to detect:
Base: All Respondents (407)

  1. Infiltration (attackers gained access to the organization's network/infrastructure/data but no data was exfiltrated).
     Within hours: 46.44%
     Within a week: 42.75%
     Within a month: 10.81%
     Within a year: 0.00%
     A year or more: 0.00%

  2. Breach (data was exfiltrated).
     Within hours: 46.19%
     Within a week: 43.49%
     Within a month: 10.32%
     Within a year: 0.00%
     A year or more: 0.00%


Q18b. After detection, how long would you estimate it takes your organization to respond to:
Base: All Respondents (407)

  1. Infiltration (attackers gained access to the organization's network/infrastructure/data but no data was exfiltrated).
     Within hours: 47.17%
     Within a week: 49.14%
     Within a month: 3.69%
     Within a year: 0.00%
     A year or more: 0.00%

  2. Breach (data was exfiltrated).
     Within hours: 32.68%
     Within a week: 56.27%
     Within a month: 11.06%
     Within a year: 0.00%
     A year or more: 0.00%

Q19. How many work days do you estimate your organization's security/IT/legal and any other relevant staff spent recovering from breaches over the past year?
Base: All Respondents (407)
  Mean: 19.38

Q20. Which of the following best describes the in-house resources your organization devotes to monitoring its security technologies and network for potential harmful activity?
Base: All Respondents (407)
  24x7x365 monitoring by in-house security analysts: 11.06%
  9-to-5 monitoring by in-house security analysts who are also on call outside of work hours in case of an incident: 52.09%
  9-to-5 monitoring by in-house security analysts but they are not on call outside of work hours: 16.95%
  Ad hoc monitoring by in-house security analysts: 12.29%
  Monitoring by non-IT security specific staff: 7.13%
  No monitoring: 0.25%
  Don't know: 0.25%


Q21. What percentage of your total security budget is spent on external third party provided managed security services (eg. EDR, firewall monitoring, threat intelligence, web app monitoring, etc.)?
Base: All Respondents (407)
  Mean: 38.6%

Q22. Which of the following external managed security services does your organization use?
Base: Respondents Answering >0 for Q21 (380)
  DDoS: 32.37%
  NGFW/Firewalls: 42.11%
  SIEM: 36.84%
  Endpoint Protection, Detection, and Response: 46.58%
  Web Application Firewall: 50.26%
  Vulnerability Management: 45.53%
  Data Loss Prevention (DLP): 52.63%
  None of the above: 0.26%

Q23. Which of the following best describes how often your organization uses the following external security services?
Base: All Respondents (407)

  Service                              Monthly   Quarterly   Semi-annually   Annually   Every 2 years or more   Don't use
  a. Security Program Consulting        8.85%     13.51%      32.43%          38.57%      5.16%                   1.47%
  b. Security Threat Risk Assessment    8.60%     44.96%      29.48%          11.06%      4.42%                   1.47%
  c. Data Privacy Impact Assessment    28.50%     30.96%      25.80%           8.35%      4.18%                   2.21%
  d. Vulnerability Assessment          12.29%     33.66%      35.87%          14.74%      2.46%                   0.98%
  e. Penetration Testing                3.19%      7.37%      18.67%          23.83%     20.39%                  26.54%
  f. IT Operational Risk Assessment     8.35%     15.97%      33.66%          36.36%      4.42%                   1.23%
  g. ITIL Consulting                    7.62%     13.27%      25.31%          29.48%     21.13%                   3.19%
  h. Virtual CSO                        3.44%     10.32%      19.41%          15.48%      6.39%                  44.96%
  i. Breach Response and Forensics      9.34%     15.97%      19.90%          48.16%      4.42%                   2.21%
  j. Audit and Assurance Services       6.88%     17.20%      40.79%          28.75%      4.42%                   1.97%
  k. Security Awareness Training       30.22%     34.15%      17.20%          13.51%      2.95%                   1.97%

Q24. Which of the following best describes your organization's security incident response plan?
Base: All Respondents (407)
  We do not have a security incident response plan: 7.62%
  Our security incident response plan is informal: 25.55%
  We have a documented security incident response plan, but it's not often updated: 40.79%
  We have a fully documented security incident response plan and it is regularly updated: 26.04%


Q25. What triggers your organization to update your incident response plan?
Base: All Respondents (407)
  Outcomes from table top exercises: 21.62%
  Periodic reviews (updated every year): 47.17%
  Changes to government legislation: 32.68%
  Changes to industry standards: 23.34%
  A security incident at my organization: 39.56%
  Breaches being reported in the news: 27.03%
  Security researchers reporting new threats or discovery of breaches: 25.06%
  Mergers or acquisitions: 39.31%
  Internal changes to the organization: 26.29%
  Adoption of new technologies: 32.68%
  We do not have an incident response plan: 6.88%

Q26. Which of the following best describes your organization's plan for recovery back to a trusted state after a data breach:
Base: All Respondents (407)

  a. Provides a step-by-step process for the initial response to a data breach.
     Fully detailed and documented processes: 27.03%
     Processes are in place but documentation is not complete: 37.59%
     Processes are in place but there is no documentation as of yet: 23.10%
     Ad hoc processes are in place: 12.29%

  b. Provides a process for recovering to a trusted state and normal operation after a breach.
     Fully detailed and documented processes: 36.36%
     Processes are in place but documentation is not complete: 31.70%
     Processes are in place but there is no documentation as of yet: 16.46%
     Ad hoc processes are in place: 15.48%

  c. What would you say is your organization's expectation for time-to-recovery back to a trusted state in a data breach situation that could be described as affecting a mission critical business process, service, application or workload?
     Hot - immediate/instant recovery: 1.23%
     Within minutes, eg. <5 minutes: 4.91%
     5 - 15 minutes: 17.44%
     15 - 60 minutes: 23.34%
     1 - 2 hours: 19.66%
     3 - 8 hours: 13.76%
     Within 24 hours: 13.51%
     24 hours+: 6.14%

  d. Would you say this time-to-recovery expectation is reasonable given the amount of budget your organization devotes to IT security and recovery?
     YES (NET): 81.33%
       YES: 28.26%
       YES - but the expectation should be higher and we should give IT security and recovery more budget: 53.07%
     NO - the expectation is too high for the budget we have: 13.76%
     NO - our IT security and recovery budget is fine but the expectation is too high: 4.42%
     Don't know: 0.49%

Q27. How much do you feel executive (outside of IT) leadership at your organization is involved in leading a culture where security best practices must be followed?
Base: All Respondents (407)
  Mean: 3.60


Q28. Do you have concerns in any of the following areas regarding implementing a security plan for your organization? (summary table of top-2-box scores: percentage selecting the two highest ratings)
Base: All Respondents (407)
  Obtaining adequate budget: 56.51%
  Achieving organization-wide implementation and compliance with your security plan: 51.35%
  Obtaining cooperation between business and IT on security planning: 53.07%
  Exposure to insider threats from employees or contractors: 53.32%
  Finding and recruiting qualified security staff: 52.33%
  Not having enough operational personnel to meet security objectives: 53.32%
  Getting the organization to conduct regular cybersecurity risk assessments and audits: 53.07%
  Not being able to identify the threats that could jeopardize infrastructure and data: 53.32%
  Not being able to protect against sophisticated Advanced Persistent Threats even if they are identified: 51.84%
  Business executives and managers taking responsibility for cybersecurity and sponsoring appropriate action to protect the organization: 46.44%

Q29. Please rate how concerned you believe your organization is with each of the following: (summary table of top-2-box scores: percentage selecting the two highest ratings)
Base: All Respondents (407)
  Insider/Malicious employee threat: 67.32%
  Ransomware: 45.70%
  Mobile threats: 67.08%
  IoT security: 46.44%
  Data not being backed up: 65.85%
  Cloud security: 41.03%
  Public exposure of customer data: 67.57%
  State Sponsored Attacks: 31.70%
  Hacktivism: 56.51%
  Security related downtime of business-critical IT resources: 46.19%


Q30. How confident are you in your organization's overall ability to prevent cybersecurity breaches from happening?
Base: All Respondents (407)
  Highly confident (5): 11.06%
  4: 42.51%
  3: 37.10%
  2: 9.34%
  Not at all confident (1): 0.00%

Q31. How confident are you in your organization's overall ability to find and respond to cybersecurity breaches once they have happened?
Base: All Respondents (407)
  Highly confident (5): 14.99%
  4: 48.16%
  3: 28.26%
  2: 8.60%
  Not at all confident (1): 0.00%

Q32. How confident are you in your organization's ability to recover to a trusted state following a breach?
Base: All Respondents (407)
  Highly confident (5): 16.71%
  4: 32.92%
  3: 30.96%
  2: 14.25%
  Not at all confident (1): 5.16%


ABOUT SCALAR:
Scalar is Canada's leading IT solutions provider, focused on security, infrastructure, and cloud. Founded in 2004, Scalar is headquartered in Toronto, with offices in Montreal, Ottawa, Winnipeg, Calgary, Edmonton, Vancouver, and Victoria. Scalar was recently named one of Canada's Best Managed Companies, named to CRN's 2018 Solution Provider 500 List, and listed on the Growth 500 for the ninth year running. In addition, Scalar was deemed a major player in the IDC MarketScape for Canadian managed security service providers and ranked the #1 ICT security company on the 2014-2018 editions of the Branham 300. For further details, visit www.scalar.ca or follow Scalar on Twitter, @scalardecisions.

ABOUT IDC CANADA:
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the information technology, telecommunications, and consumer technology markets. IDC Canada is part of a network of over 1,100 analysts providing global, regional, and local expertise on technology, industry opportunities and trends, with more analysts dedicated to understanding the Canadian market than any other global research firm.

Research independently conducted by IDC Canada | Published February 2019
