Only 9 per cent of Canadian firms are cyber mature: Cisco report

Only nine per cent of companies in Canada and 13 per cent in the U.S. have a mature level of preparedness to face cyber attacks, according to a Cisco Systems estimation.

The numbers are part of Cisco’s Cybersecurity Readiness Index, released today, which uses self-assessment responses from 6,700 companies in 27 jurisdictions to create a score. Companies were ranked as beginner, formative, progressive, or mature according to their responses to questions on their use of 19 solutions in five areas (identity, devices, network, application workloads, and data. For example, respondents were asked if their firms use encryption, have network segmentation policies based on identity etc).

Globally, 15 per cent of companies would have a mature cybersecurity readiness, according to the responses. Forty-seven per cent would be ranked as formative, 30 per cent as progressive and eight per cent as beginners.

“We have an alarming cybersecurity readiness gap,” warns the report, “and it’s only going to widen if global business and security leaders don’t pivot quickly.”

Interestingly, a much larger percentage of companies in emerging countries would rank as mature based on their responses, compared to wealthy nations. The top-ranking countries with mature firms are Indonesia (39 per cent), the Philippines (27 per cent), Thailand (27 per cent), and Brazil (26 per cent). By comparison, only 13 per cent of American companies would be considered mature, nine per cent in Canada, seven per cent in South Korea, and five per cent in Japan.

“This variance could be largely explained by the fact that companies in emerging markets started their digitization journeys more recently compared to their peers in developed markets,” the report speculates. “That means many of these companies do not have legacy systems holding them back, making it relatively easier to deploy and integrate security solutions across their entire IT infrastructure. While awareness of security risks and their impact on business has never been higher, this finding highlights that ‘tech debt’ continues to be a major driver of the readiness gap.”

“This trend is not seen across Europe, though,” the report admits, “where companies are lagging the global average on readiness. In almost all countries, less than 10 per cent of companies are deemed mature enough to tackle today’s cybersecurity issues. The U.K. and Germany are two exceptions, with 17 per cent and 11 per cent of companies in a mature state of readiness respectively.”

Globally, mid-sized firms of between 250 and 1,000 employees reported themselves as best prepared. Over 19 per cent of these were rated as being at a mature stage of overall readiness, compared to 17 per cent of larger businesses. “This suggests that while larger organizations may have bigger budgets, they typically require more complex deployments, which can take longer to implement.

Smaller organizations are the least well-prepared, with just 10 per cent being mature in their readiness.

Among Canadian respondents, 57 per cent of companies in Canada fall into the beginner or formative stages, says Cisco. The Canadian numbers can be found here.

They show:

• 77 per cent of security leaders believe cybersecurity incidents are likely to disrupt their businesses over the next 12 to 24 months, compared to 82 per cent globally who feel the same.
• 78 per cent of Canadian organizations have plans to increase their cybersecurity budget by more than 10 per cent over the next 12 months, compared to 86 per cent globally.

“The picture,” says the global report, “is largely positive.” It notes 95 per cent of respondents are at least at some stage of deploying an identity management solution, and 94 per cent have either partially or fully deployed a data protection solution.

“However,” the report adds, “organizations around the world – and perhaps governments – need to recognize that there is a long way to go. Deployments of some solutions, particularly those for identity, devices, and networks, are not being rolled out as quickly as they could, leaving some organizations vulnerable to attack.”