Cybersecurity study finds 30% of Canadian companies performing ‘poorly’

Thirty per cent of Canadian companies are performing poorly with regards to cybersecurity, leaving themselves at risk to attack, according to a new study by the Canadian Advanced Technology Alliance (CATA).

“This does not mean that these companies are doing nothing to ensure their protection,” says Jean-Guy Rens, vice-president of the CATA Alliance, in a release.

“It’s just that they have not deployed a comprehensive strategy to this end. The three basic actions of such a strategy involve the regular execution of a full audit of its information systems (IS), the presence of a written cybersecurity program and the appointment of a chief information security officer (CISO). Again, these three actions are the minimum hygienic rules.”

Spotlight on the digital enterprise

This finding comes from “Cybersecurity in Canada – Survey of Cybersecurity in the Manufacturing Sector and Critical Infrastructure,” a project commissioned by CATA, and with the participation of CyberNB and Siemens Canada.

The purpose of the study was to assess the implementation of cybersecurity by Canadian industrial companies, as well as organizations in critical infrastructure such as the power grid, banking, airports, etc. More specifically, the study focusses on the physical aspects of cybersecurity: how to protect robots, sensors and other intelligent devices once they are online.

One major trend in the economy is the digitization of operational technologies (OT) and their interconnection with information technologies (IT), all within a process referred to as Industry 4.0. This new evolution increases the efficiency of organizations, but also their vulnerability.

Nearly two-thirds of Canadian companies interviewed are engaged in a process of digitizing OTs, with the majority of them adopting the Industry 4.0 paradigm entailing the convergence of IT and OT housed in a cloud. These companies are among the most advanced technological segment of the Canadian economy.

How is it that this privileged segment includes up to 32 per cent of “bad students”? The answer is naturally financial. The companies consulted have scant budgets: nearly two-thirds invest less than $100,000 a year in their cybersecurity budget. The issue is mostly corporate culture. Cybersecurity is not considered a separate discipline, and too many companies have not created CISO positions (42 per cent). In addition, when a company appoints a CISO, it usually chooses an IT employee (54 per cent) who reports to the IT department (59 per cent).

Cybersecurity is seen as a simple component of computing, when in fact it is much larger. “Cybersecurity is not just a technological discipline, it also covers governance, communications, employee training and third-party management. In terms of governance, it should be noted that the CISO’s mission is to define the type and extent of information available to every employee, including senior management. This is not a technical function.

“As for crisis management, it requires a direct control of communications that can determine the survival or not of the company, such as what to communicate to whom and in what order? No public relations officer can make these types of decisions. The CISO has a key role to play in a crisis. If we add employee training, we realize that the CISO is a versatile executive who must report to the CEO in person, without any intermediary.”

Critical issues

In addition to measuring the intensity of Canadian companies’ cybersecurity activities, the study gave a voice to nearly 27 CISOs working in advanced critical infrastructure. “These large companies, such as RBC, Air Canada, Canadian Nuclear Laboratories (CNL) and others, set examples for SMEs,” says Rens.

“They are the first to digitize and migrate their operations (both IT and TO) to the cloud; to use new technologies such as big data and artificial intelligence, to reorganize their administration around cybersecurity, to continuously review their positions in the face of threats, to engage in major R&D projects, to manage very large budgets, and to collaborate with other companies despite competing against each other’s.”

The result of this overview of the “big” cybersecurity stakeholders then highlights a series of fundamental issues.

Oliver Winkler, director of business and technology at Siemens, explains one of the basic skills to be passed on to SMEs: “The major transformation of Canadian companies is well underway. More than 50 per cent of companies have already digitized more than half of their processes based on IT and 28 per cent have already digitized more than half of their processes based on operation technologies OT.”

The report emphasizes that many organizations who have implemented Industry 4.0 do not know whether their organization is operating critical infrastructure or not. There is much work that needs to be done in raising the awareness of critical infrastructures. Oliver Winkler explains: “We need to secure the critical assets of infrastructure, whether it is a power plant, a power grid or a manufacturing site.”

The full study is available for purchase.