May 20, 2015
PwC’s recent survey of Canadian private companies found that 88% of firms agreed or strongly agreed that cybersecurity is an important issue for their organization. However, firms are more in the dark about what they need to do, where their vulnerabilities lie and what to do about them.
According to the consulting firm, just because a company does not accept credit card payments or store personal information does not mean it will be immune to a cyberattack. Attacks also target health information, SINs and employee lists, as information brokers on the black market place increased value on personal information.
Jason Green, director in PwC’s Cyber Resilience team, said “today’s cybercriminals often target companies that have been slower to invest in security as a platform to launch an attack on other organizations.”
Even as a gateway, there are legal implications for a company that is used to gain access to information from another company, the firm said.
“To thrive in today’s rapidly changing risk environment, companies need a well thought-out cybersecurity and privacy strategy, along with the right skills and resources to implement it.
The cost to a business that is hacked may be measured by loss of customers, lawsuit payouts, interruption to business or reputational damage. Protecting the business from cyber-attacks needs to be seen as a business imperative, not discretionary spending. Simply put, the response to “we can’t afford to” is “you can’t afford not to.”
David Craig, Leader of PwC’s Risk Assurance Services Cybersecurity and Privacy practice, noted that “investing in cybersecurity will pale in comparison to the costs associated with being in the middle of a large scale breach.”
PwC suggests that companies:
* Learn where their blind spots are and understand their cyber ecosystem
* Identify their most valuable data and who has access to it
* Train employees as their first line of defense (75% of breaches are driven by insiders, but 42% of respondents said they never conducted formal cybersecurity employee training)
* Implement suitable controls over the most sensitive data from the most likely means of compromise
* Have protocols in place that identify responsible parties in the event of a breach (49% of respondents said that if a cyberattack happened to them tomorrow, they either wouldn’t be able to respond effectively or don’t know if they would)
“These steps are not only important to protect a company’s operations in Canada, but it may become necessary to prove the right protocols are in place in order to do business with companies in the United States and certainly necessary if a company is looking to grow its business in international markets,” PwC said in a release.
A full copy of the report is available at: http://www.pwc.com/ca/en/private-company/business-insights.jhtml