A full 86% of decision-makers believe their company is capable of defending itself against cyberattacks; clearly, hackers aren’t keeping business leaders up at night. This overconfidence is a cause for alarm according to some security experts, and doesn’t reflect the true frequency of cyberattacks.

One third of Canadian companies say they’ve already been targeted by ransomware or some other form of cybercrime, according to the 2018 edition of IT Trend Perceptions in Canadian Large and Medium-Sized Businesses, a study conducted by Léger and NOVIPRO.

However, this figure probably underestimates the true scale of the threat. Roger Ouellet, Solutions Designer and Security Practices Manager at NOVIPRO, believes that most businesses simply aren’t aware of failed or undetected attacks.

“A lot of malware and viruses are dormant; they wait until a certain date or action before activating,” Roger Ouellet explains. “When you start to carefully monitor what goes through a company’s network, you almost always find a threat or suspicious behaviour.”

Even large corporations like Equifax, Yahoo and Uber have made headlines due to their failure to protect their clients’ personal data. “The victims of these attacks face serious consequences,” says Cyrille Aubergier, Senior Lead, Security Architect at SITAONAIR in Montreal and a cybersecurity lecturer at Polytechnique Montréal. Hackers can gain access not only to their full name, password, date of birth and Social Insurance Number, but also the security questions they use to change their password. These issues are almost always the same from one department to the other.”

Despite the consequences, the majority of cyberattacks against businesses aren’t publicized in the media. Most often, the hackers seek to extort money from the business, often by encrypting its data and demanding a ransom to make the data accessible again.

More connected devices means more potential targets for hackers

With an ever-growing amount of equipment being connected to networks, no company is immune from attacks. “Ten or fifteen years ago, a business network might have been limited to one or two servers, the office computers and printers,” Roger Ouellet explains. “Since then, we’ve added laptops, tablets and smartphones to our networks, as well as other connected objects like thermostats and video conferencing systems. For hackers, this presents a much larger attack surface.”

Despite these threats, Canadian business leaders feel confident: 86% claim their company is well protected and 40% of these firms believe they are very well protected.

Aubergier is somewhat surprised by this level of confidence. “Canadian businesses may be overconfident. I’ve noticed that Canadian consumers seem less cautious than Americans and Europeans about the threat of email phishing scams. Organizations face similar threats because a lot of employees use their smartphones and laptops for both personal and work-related communication.”

The importance of regular testing

Business leaders’ confidence in their security preparedness stands in contrast to other findings in the study: over the last year, less than 40% of businesses conducted a security audit and only 38% tested their contingency plans to verify if they could withstand an attack or disaster and quickly resume operations.

According to Roger Ouellet from NOVIPRO, these numbers are too low. “I believe companies should do at least one security audit and one backup and recovery test a year. Antivirus software updates alone will not be enough to protect them,” Ouellet warns.

SITAONAIR’s Cyrille Aubergier also believes businesses should be doing more to protect themselves. “When thinking about security, most managers focus on equipment and software, forgetting that there's also a human factor to take into account. Negligence and recklessness are also risks. At the end of the day, it’s the people—not the machines—that keep an organization secure.”

At least some businesses leaders and IT managers seem to be getting the message: 44% of businesses plan to undertake IT security projects over the next two years, with IT security enhancements topping the list of short-term priorities.