Canadian firms slow in responding to cyber attacks, report suggests

It can take Canadian organizations up to 48 days to detect and recover from a cyber attack, according to a new survey of infosec professionals.

The number is included in a survey of 553 Canadian IT security and risk and compliance professionals released today by CDW Canada.

The mean time to detect a cyber incident was 7.1 days. However, 29 per cent of respondents said it took over between four days and week to detect an incident.

In addition, about 57 per cent of respondents said it took them over a week to respond to a a cyber attack, with a mean time of 25.6 days. Looking at the combined detection and response numbers gives a mean time of 48 days. The average times, however, were lower — the average time to detect an incident was 7.1 days, with the average time to respond 14.9 days.

The numbers are “truly disappointing,” said Ivo Wiens, CDW Canada’s practice lead for cybersecurity, with the recovery time “too long.”

The incident response numbers weren’t the only bad news. The data also showed that while the total number of successful incidents reported in the latest survey was down from the 2022 report, the number of data breaches went up. The number of data breaches in the previous three years of surveys was in the low teens each year; in the most recent survey it jumped to 30.

On average, seven per cent of respondents said their organization had suffered a successful cyber attack. Seven per cent said that the attack resulted in theft of data.

“With cyberattacks now more sophisticated and effective than ever before, the infection rate has seen an increase,” notes the report. “This indicates that cyberattacks have a significantly better ‘hit rate’ (number of attacks that are successful and become an incident) than in previous years.”

Cloud adoption is increasing, the report shows, but respondents found problems. Lack of visibility into the underlying cloud infrastructure was an issue cited by 37.1 per cent of respondents, while 31.5 per cent mentioned alert overload and poor fidelity detection. Problems with extending on-prem detection rules to the cloud was cited by 42.9 per cent of respondents, while 47.4 per cent cited data collection and analysis in a multi-cloud environment.

Interestingly, 34.7 per cent of respondents who had migrated workloads to the cloud said it has underdelivered on their security expectations. But two-thirds said it has either met or exceeded their expectations.

A high proportion of respondents with data in the cloud — on average about 40 per cent — said they had experienced a security incident. That included those who said that data was confidential or highly restricted.

There were some bright spots in the numbers, Wiens said. He was surprised with adoption of DevOps: 32.5 per cent of respondents said DevOps was their preferred software deployment method. That sets up organizations for a discussion of shifting to DevSecOps, he said. Thirty-nine per cent of respondents said they are currently evaluating or planning to adopt DevSecOps.

Just under 28 per cent of respondents said they use agile software development.

Wiens said the numbers also show there is more acceptance of zero-trust architectures. However, the report notes it is heavily skewed towards identity and access management. Only 30 per cent of respondents said their zero-trust strategy includes continuous threat detection monitoring of data and assets.

Overall, the report’s numbers are “disappointing — with a silver lining,” Wiens said, “because we are making some good strides in terms of moving towards better systems. I think once we figure out how to secure the cloud, we’re going to be in a much better spot to automate, to do things like secure APIs and secure networks. The silver lining is while we’re not in a good spot now, we have the ability to move, now that we’ve made that migration [to the cloud]. The problem in previous years is that we had so much technical debt from legacy systems that we couldn’t move forward.”

The report recommends infosec pros:

— orchestrate, then automate security workflows. “Organizations that rely heavily on manual processes often become dependent on ‘security heroes,'” says the report. “Without them, security investigations and incident response are often chaotic and not repeatable. Standardization and documentation through the creation of consistent workflows are the first steps toward achieving security automation;”

— move faster on adopting zero-trust. “Find your own path to zero trust,” the report urges. “Zero trust is not a collection of tools; rather, it is a set of principles for security and systems management. There is no defined path that works well for all organizations, as it will differ depending on each organization’s unique landscape;”

— incorporate security into your cloud migration strategy;

— and add DevSecOps to application development.

The report is available here. Registration is required.