Study of the Impact of cyber crime on businesses In canada

Transcription

1 Study of the Impact of Cyber Crime on businesses in Canada

2 2

3 Introduction The International Cyber Security Protection Alliance (ICSPA) has conducted a study on the impact of cyber crime on businesses in Canada. The ICSPA is a global not-for-profit organization established to channel funding, expertise and assistance directly to assist law enforcement cyber crime units in both domestic and international markets. The ICSPA is a business-led organization comprising large national and multi-national companies who recognize the need to provide additional resourcing and support to law enforcement officers around the world, in their fight against cybercrime. The ICSPA is also supported by law enforcement partners, such as the Europol, and associated international organizations whose remit is complementary to our own. The study was sponsored by the following ICSPA Canadian business associates: Above Security BlackBerry CGI Group Inc. Lockheed Martin McAfee Inc. The purpose of the study is to provide business leaders and government officials with independent and credible data relating to the impact of cyber crime on businesses in Canada. The study is one of a series of studies planned by the ICSPA that will form a view of cyber crime in different parts of the world. The study comprises a survey of businesses in Canada and includes commentary from the sponsors providing their perspectives on cyber criminality. The survey was conducted across 520 small, medium and large Canadian businesses in the Finance, Airline/Shipping, Telecommunications, Utilities, Aerospace & Defense and Retail sectors. Each business was asked a series of questions to establish the: Prevalence of cyber crime Cyber crime impact on their business operations Organizational preparedness against cyber crime Involvement/Effectiveness/Expectations of the RCMP and/or other Government Agencies in relation to cyber crime Awareness of the RCMP and Public Safety Canada s roles in cyber crime education and prevention. To compliment the survey and provide independent views of cyber crime from leading Canadian businesses, sponsors of the study were asked to provide papers covering the following: The nature of cybercrime in Canada today including threats and their impact on Industry and Business New and emerging cybercrime threats that may impact Canada over the next 5 years and those sectors most at risk Effective deterrents, responses and practices in fighting cybercrime Global cybercrime threats and the potential impact on Canada Measures needed to combat cybercrime in Canada. This study report consists of: Introduction Executive Summary Survey Report Sponsors Contributions Conclusions 3

4 Executive Summary The following provides a brief overview of the ICSPA Cyber Crime Study and includes the survey findings and views of sponsors on cyber crime trends. The study provides the opportunity for the reader to review both the survey findings and the sponsor contributions, so that they may form their own conclusions as to the impact of cyber crime on business in Canada and the rest of the world. The study reinforces the need for close collaboration between the public and private sector in fighting cyber crime through the pooling of knowledge and resources. Survey Report The survey report shows that cyber crime is fairly prevalent among Canadian businesses, with 69% reporting some kind of attack within a twelve-month period. The types and frequency of attack vary depending on the nature and size of businesses and are crafted to the crime being perpetrated. Malware and virus attacks are shown to be the most prevalent with phishing and social engineering coming second. Certain cyber crimes, while impacting fewer organizations, occur frequently among them. These include: Unauthorized access or misuse of corporate websites Misuse of social networks Telecommunication fraud About a quarter (26%) of those interviewed say that attacks had a considerable impact on their business both in terms of financial loss and reputational damage with financial fraud being the biggest threat. The total cost of cyber crime increases with revenues, which is reflected in the survey findings between Large, Medium and Small businesses. The majority of respondents (64%) say that senior management takes cyber crime threats seriously. However, there are considerable gaps in Canadian businesses preparedness against cyber crime. Large businesses are somewhat better prepared than medium and small ones, but still much remains to be done to prevent and deal with such attacks. The help of external agencies to assist with cyber crime incidents is reported by 44% of affected organizations, with private agencies far more likely to be engaged than those from government. This preference of private versus government involvement appears common to all businesses irrespective of size and type. Overall, few organizations (11%) ever involved the RCMP or other government agencies in relation to cyber crime and the survey shows the need for greater awareness and information to business from Government bodies. 4 Sponsors Contributions Emphasizes the changes to information storage and the trend to use cloud services. They describe various threats, especially DOS and DDOS attacks and their effects. They also promote awareness and education as a key tool in the fight against cyber crime and identify the need for governments to strengthen legal and regulatory systems to address cyber crime. They also promote improved business/government collaboration. Highlights the growing security risks to mobile users and the shift from social engineering of computer malware to the distribution of third party app based malware via provider app stores. They also demonstrate the need for collaboration between communications providers and cyber security companies to provide a safe and trusted environment for users. Explains how Advanced Persistent Threats (APT s) pose a major risk to the Canadian economy through the theft of intellectual property. They describe the intelligence-driven approach they have taken to provide their analysts with the necessary information to combat the threat, through the disruption of the Cyber Kill Chain. Lockheed Martin advocates public and private sector collaboration and the sharing of information on threats and mitigation techniques. Provides an insight into the current Canadian cyber crime landscape and the wider global threats that impact everyone. They give an insight into new and emerging cyber crime threats that will be prevalent in 2013 with an emphasis on mobile communications and the increase in malware, mobile worms and the targeting of Near Field Communications (NFC) transactions. Their contribution provides a seven point good practice list to safeguard against cyber crime attacks.

5 Survey Report Table of contents I. Objectives and Methodology 6 II. Executive Summary 8 A. Scope of cyber crime in Canada 8 B. Cyber crime and corporate responsibilities 8 C. Involvement of external agencies 9 D. Public Safety Canada s / the RCMP s roles in raising awareness of cyber crime 9 III. Conclusions and Recommendations 9 IV. Detailed Findings 10 A. Security-related responsibilities 10 B. IT budget allocation toward cyber crime prevention 10 C. Appropriateness of current spending on IT security/what it should be 10 D. Main cyber crime threats (as perceived by businesses) 11 E. Incidence of cyber crime in the past 12 months 12 F. Types of cyber crime attacks and their impact on businesses 15 G. Financial costs / losses due to cyber crime 16 H. Reputation damage as a result of cyber crime attacks 18 I. Internal versus external cyber attacks 18 J. Cyber crime impact on various organizational aspects 18 K. Attitudes toward cyber crime incidents 19 L. Steps employed to raise awareness of cyber crime 19 M. Employment of risk assessment process 19 N. Incidence and frequency of security audits 20 O. Incidence of formal procedures to deal with cyber crime incidents 20 P. Individuals responsible for dealing with cyber crime attacks 20 Q. Familiarity with cyber crime security strategy 21 R. Involvement of external agencies 21 S. Involvement / Effectiveness / Expectations of the RCMP and / or other Government agencies in relation to cyber crime 22 T. Awareness of Public Safety Canada s/rcmp s roles in raising awareness of cyber crime/ Sources of awareness 22 5

6 I. Objectives and Methodology The International Cyber Security Protection Alliance Ltd.conducted a quantitative study among Canadian businesses to measure the following characteristics: Prevalence of cyber crime Cyber crime impact on organizations Organizational preparedness against cyber crime Involvement/Effectiveness/Expectations of the RCMP and/or other Government Agencies in relation to cyber crime Awareness of the RCMP and Public Safety Canada s roles in cyber crime education and prevention A total of 520 telephone surveys were obtained from businesses across Canada, and these included a set of 10 interviews conducted by senior research staff. 400 surveys in English 120 surveys in French No quota by industry and business size (revenues) was set, but a reasonable spread, representative of selected industries and revenues was achieved. The study covered the following 6 sectors and completes per sector: Industry Financial services (in the report referred to as Financial) Number of completes n=148 Airlines, shipping, transportation (Airlines/Shipping) n=75 Telecommunications Technology (Telecom) n=73 Utilities and critical infrastructure (Utilities) n=66 Aerospace and Defense (Aerospace/Defence) n=29 Retail n=129 A representative spread of businesses by revenue size was also reached: Revenue size Number of completes Under $1 Million n=22 $1 Million to under $5 Million n=229 $5 Million to under $10 Million n=90 $10 Million to under $20 Million n=61 $20 Million to under $50 Million n=54 $50 Million to under $100 Million n=27 $100 Million or more n=37 6

7 For the purposes of more meaningful analysis, the revenue sizes were combined into, and examined as three segments: Revenue size Number of completes Small: revenues under $10 Million n=341 Medium: revenues of $10 Million to under $50 Million n=115 Large: revenues of $50 Million or more n=64 Overall, the results are accurate ±4.38% nineteen times out of twenty. The survey was conducted between November 15 and December 15, 2012 A note on differences in responses by industry and business size identified throughout the report: Because the sample sizes within each industry and business sizes are relatively small, the differences of at least 9 percentage points between a particular sub-segment and the total sample responses will be needed to be deemed statistically significant. The table below specifies what constitutes a statistically significant difference between each segment and the overall results. For results between small sub-segments to be statistically significant, the differences would have to be even larger than the ones indicated in the table below. All other differences should be viewed as directional. Industry Number of completes Difference from total (n=520) that is statistically significant Financial n=148 9 points Airlines/Shipping n=75 12 points Telecom n=73 12 points Utilities n=66 12 points Aerospace/Defense n=29 19 points Retail n=129 9 points Revenue size Number of completes Difference from total (n=520) that is statistically significant Small: revenues under $10 Million Medium: revenues of $10 Million to under $50 Million Large: revenues of $50 Million or more n=341 6 points n= points n=64 12 points 7

8 II. Executive Summary A. Scope of cyber crime in Canada Overall, cyber crime is fairly prevalent among Canadian businesses, with 69% reporting some kind of attack within a twelve-month period. A total of 5,866 attacks were reported or 16.5 attacks per affected business. However, for the most part, each form of cyber crime does not have high incidence among businesses, with malware/virus attacks being an exception as they occurred among 51% of businesses (6.6 attacks per business). Phishing and social engineering attacks are a distant second, at 18%. Although reported by a relatively low number of organizations, the frequency of phishing/ social engineering attacks within these organizations is very high (17.2 attacks). All other forms of attacks are reported among 15% or fewer organizations, however, it is noteworthy that certain cyber crimes, while impacting fewer organizations, occur frequently among them. These include: Unauthorized access or misuse of corporate websites (13% affected, 11 attacks per organization) Misuse of social networks (15% affected, 8 attacks) Telecommunication fraud (8% affected, 9 attacks) Cyber crimes do not result in far-reaching negative consequences to organizations. Among those affected, only about a quarter (26%) say the attacks had a considerable impact (severity of 7 to 10 on a 10 point scale) on their business. They also do not significantly affect organizational reputation. On average, only 17% of cyber attacks cause between some (13%) to significant (5%) reputational damage. Cyber crime attacks conducted over the past 12 months resulted in total financial losses of approximately $5,328,916, or $14,844 per affected organization, on average. Of this sum, financial fraud accounts for the largest portion (36%, $1,892,683, or $6,438 per attack). Theft of devices containing company information is a distant second source of costs (16%, or $849,499, $4,007 per attack). 1 The average number of attacks (for malware and all other cyber crime types covered by the survey), was calculated by dividing the total number of reported incidents by total number of organizations that experienced them (this calculation excluded organizations that were not affected). Because of high incidence among businesses, malware and virus attacks represent the third highest cost overall, at $771,937, but the average loss per incident is relatively low, at $454. Sabotage of data and networks is 4th in terms of incurred costs, with $583,298 in losses, but the average cost per incident is 2nd highest, $5,952. Total cost due to cyber crime attacks increases with revenues: on average, an incident costs large organizations $1,181, compared to $991 in medium, and $741 in small ones. Cyber crime attacks tend to be viewed as originating outside rather than within the organizations. Over half (56%) of affected businesses say that more than 60% of incidents were external and 41% believe that 100% were external. Only 21% of respondents believe that over 60% of incidents were internal, and fewer (12%) believe that 100% of incidents are attributed to internal attacks. B. Cyber crime and corporate responsibilities Although a majority of respondents (64%) say that senior management takes cyber crime threats seriously, there are considerable gaps in Canadian businesses preparedness against cyber crime. Large businesses are somewhat better prepared than medium and small ones, but still much remains to be done to prevent and deal with such attacks. A majority (64%) employs just one or two ways to raise awareness of cyber crime in organizations, mostly through s (59%) and corporate guidelines/ manuals (54%). Nearly one-in-five (19%) organizations do nothing to raise awareness of cyber crime, and this is more frequent among small organizations than medium and large ones. Risk assessment processes are not common among surveyed businesses; only 22% employ them, and 77% do not. This behaviour holds across industries. Likelihood of employing such processes increases with revenues. Few organizations (6%) report accreditation of IT security standards, and this percentage is equally low across industries and revenue levels. Of those without accreditation, just over half (56%) say they carry out regular security audits. Regular audits also increase with revenues. 8

9 Most organizations (69%) do not have formal procedures in place to follow in the event of a cyber crime; only 28% do. Again, such procedures are more common in large businesses than in medium or small ones. Similarly, only about a third (28%) has a trained crisis management team, and it is somewhat higher only among organizations with the largest revenues ($100 million or more), at 41%. Typically, senior management and senior/key IT security personnel (e.g., head of IT, CIO, IT director) would deal with any type of cyber crime incident. The same individuals would most likely make a decision to involve external agencies in the case of cyber crime attacks. Canadian businesses have minimal awareness of the 2010 Cyber crime security strategy (7%). C. Involvement of external agencies Involvement of external agencies in relation to cyber crime is reported by 44% of affected organizations, with private agencies far more likely to be engaged than government ones (63% and 21% respectively). In general, this preference of private versus government involvement appears to hold among all businesses: A fourth (39%) of all surveyed businesses say they would first engage a private organization and 29% would first reach to a government agency. However, when asked to specify which organizations these would be, some confusion exists among businesses as to which external agencies they would be likely contact in the event of a cyber crime attack. A plurality (46%) would not know who to contact, but other more often cited top-of-mind mentions include government, not private organizations: 23% mentioned the RCMP, 20% police, and only 8% mentioned other (private) organizations. Overall, few organizations (11%) ever involved the RCMP or other government agencies in relation to cyber crime, and of those, two thirds (62%) felt that the organizations effectively handled the situation, while 30% were dissatisfied. D. Public Safety Canada s/the RCMP s roles in raising awareness of cyber crime Awareness of cyber crime prevention campaigns is low, at 12% (comparatively higher among large businesses, at 19%). Overall, 39% of businesses are aware that at least one of the two organizations has a role in combating cyber crime, and a majority (67%) of those aware view this responsibility as relevant. Organizations expect the RCMP and other government agencies to primarily build awareness of cyber crime and its prevention (45%), with active prevention, investigation and prosecution at a distant second (17%). Media (TV, news, newspapers, internet) should be the key element in the awareness building strategy, given that it is the main driver of awareness (76%), with all other methods trailing behind (under 10% each). But businesses indicate that a range of other means of educating/promotion would also be effective in raising awareness of cyber crime, with events/ media coverage (69%), internet presence (62%) and publications (61%) being the top three suggestions. III. Conclusions and Recommendations There are multiple gaps in cyber crime preparedness among Canadian businesses, from a lack of trained personnel to a lack of strategies and procedures that could mitigate such attacks. Two factors could be responsible for this situation: The damage (financial or reputational) caused by cyber attacks have not been significant to merit shifts in attitudes and behaviour, and/or Organizations do not have enough awareness and knowledge of what strategies they should be implementing to minimize their vulnerability against such attacks. A widespread need for information and education on the subject is needed and Public Safety Canada and the RCMP are the appropriate organizations to fulfill this need by serving as the main sources of awareness, knowledge, and support in building awareness of cyber crime. Businesses expect these two organizations to be more visible in fulfilling these roles. Mainstream media appears to be an effective choice for initial awareness building; however communication and outreach to businesses should go beyond mass media, reaching them with more targeted publications and messages. 9

10 IV. Detailed Findings A. Security-related responsibilities In many surveyed organizations the individuals responsible for IT security also cover a range of other roles - 74% have three or more responsibilities. Generally a similar pattern holds across industries and revenue sizes. Table 1: Which of the following aspects of security are you responsible for within your organization? IT related security 79 Risk assessment Business continuity and resilience Development of security policy Physical security of personnel & property 61 Other aspects of security 39 Don t know/refused % B. IT budget allocation toward cyber crime prevention Across industries and business sizes, a majority of organizations (51%) allocate 1-5% of their IT budget to cyber crime prevention. About 6% don t apportion any amount to cyber crime prevention, 8% allocate 6%-25%, 2% apportion over 25% and a third (32%) does not know if anything is allocated for this purpose, or how much. These proportions generally hold across industries and business sizes, although small businesses are slightly more likely than large and medium size businesses not to allocate any of its IT budget to cyber crime prevention (9% vs. 2% and 3% respectively). C. Appropriateness of current spending on IT security/ What it should be A majority of respondents (78%) find the budget allocation sufficient, and 12% disagree. The response pattern is the same across all industries. The only significant difference in views is among large businesses, as 28% believe that the budget allocated to cyber crime prevention is insufficient. Among those who feel the allocation is inappropriate, opinions are split: 45% say it should be 5% or less, 25% believe it should be over 5%, and 29% do not know what it should be. The small base size (n=42) doesn t allow for further reliable breakdown, but there does not appear to be any underlying pattern. 10

11 Table 2/3: Do you believe this is sufficient to mitigate the threat of Cyber Crime and if not what should the percentage be? N=353 Yes 78 20% or more % 14 No 12 What percentage should it be? N=42 5% 26 Under 5% 19 Don t know/refused 10 Don t know/refused 29 % % D. Main cyber crime threats (as perceived by businesses) Malware and virus attacks are by far the highest concern among Canadian businesses (75%), regardless of size and industry. Sabotage of data network is more pronounced in the Utilities (59%), Aerospace/Defense (55%), and the Financial sector (51%), than in Retail (36%) or Airlines/Shipping (43%). Table 4: Which of the following represent the greatest Cyber Crime threats for your organization? Malware, such as Trojans, worms and virus attacks Sabotage of data or networks Financial fraud Phishing, spear phishing, social engineering Theft of laptop(s)... devices with company info Unauthorized access or misuse of website Misuse of social networks by employees Denial of service Telecommunications fraud Theft of other hardware Advanced Persistent Threats (APTs) %

12 Concerns with financial fraud are more visible in the Retail (52%) and Financial industries (50% each) than in the Utilities (35%) or Aerospace/Defense (28%) sectors. As revenues increase, concerns about nearly every form of cyber crime go up, especially for large businesses, e.g. phishing/social engineering (61% vs. 42% overall), theft of devices with company info (55% vs. 40% overall), denial of service (47% vs. 30%), or Advanced Persistent Threats (36% vs. 22% overall). E. Incidence of cyber crime in the past 12 months Nearly seven-in-ten organizations (69%) experienced some type of cyber attack over a 12 month period. Overall, 520 surveyed businesses reported a total of 5,866 cyber crime incidents, or on average 16.4 attacks per affected organization. The average number of attacks is higher in the Financial and Retail sectors (20 and 18 respectively), and lowest in Aerospace/ Defense, at 11 attacks (details in Table 7a overleaf). Table 5: Approximately how many times have any of the incidents I just read occurred in your organization in the last 12 months? Mean number of attacks: % None 1 to 2 3 to 5 6 to 10 Over 10 The proportion of attacks is higher between medium and large organizations (22-23 attacks compared to 13 in small businesses). As Table 6 below shows, malware and virus attacks are the most common form of cyber crime. Over a 12 month period, half (51%) of organizations experienced them. This pattern holds across industries and business sizes. Respondents reported 1,701 malware and virus attacks. This represents 6.6 attacks per affected business. Medium and large businesses reported the highest average number of such attacks, at 11 and 9, compared to 5 attacks among small businesses. Across industries, the Financial and Telecom sectors reported the highest number of such attacks, at 8 each. 2 The average number of attacks (for malware and all other cyber crime types covered by the survey), was calculated by dividing the total number of reported incidents by total number of organizations that experienced them (this calculation excluded organizations that were not affected). 12

13 Phishing, Spear Phishing and Social Engineering are the second most frequently experienced types of cyber crime attacks, although among considerably fewer organizations than malware. Over a 12 month period, fewer than one-in-five (18%) of organizations experienced them, but they reported 1,478 such incidents, or 17.2 attacks per organization, making it the most persistent form of all measured cyber crimes. Medium and small businesses were more likely to be targeted, each reporting 18 attacks on average, compared to 13 among large businesses. Across industries, the Airlines/Shipping and Financial sectors had the highest average number of such attacks, at 28 and 24 respectively. Other noteworthy differences by industries and business sizes include: Unauthorized access or misuse of corporate websites experienced only by 13% organizations, but those few report a large number of such incidents: 745, or 11 per organization, on average. This form of attacks is most prevalent in Retail, with 25 incidents on average, followed by the Financial industry, at 14 attacks. It is also more frequent among medium and large businesses, at 17 and 18 attacks respectively, compared to 6 in small organizations. Financial fraud (at 14% incidence, 294 incidents) is more common in the Retail industry, at 7 attacks, with Telecom a distant second at 4 attacks. It is more prevalent among large businesses, at 9 attacks compared to 3 and 4 between medium and small businesses. Telecommunications fraud (at 8% incidence, 414 incidents) is more common in the Financial and Retail industries, at 13 and 11 incidents respectively, and much more prevalent among large businesses, at 21 attacks compared to 7 and 8 between medium and small businesses. Table 6: Incidence of various cyber crime attacks within the last 12 months (proportion of those who experienced each attack) and frequency of each attack Malware, such as Trojans, worms and virus attacks Phishing, Spear Phishing, Social Engineering Misuse of social networks by employees Financial fraud Unauthorized access or misuse of website Theft of laptop(s), smart phones, tablets and other devices containing company information Denial of Service Telecommunications fraud Sabotage of data or networks Advanced Persistent Threats (APTs) Theft of other hardware Total # of attacks 1,701 1, %

14 Table 7: Average number of cyber crime attacks within the last 12 months as a proportion of affected organizations (mean excl. 0) and overall (mean incl. 0) Phishing, Spear Phishing, Social Engineering Unauthorized access or misuse of website Telecommunications fraud Misuse of social networks by employees Malware, such as Trojans, Worms and Virus attacks Mean (excl.0) Mean (incl.0) Denial of Service Financial fraud Advanced Persistent Threats (APTs) Theft of other hardware Theft of laptop(s), smart phones, tablets and other devices containing company information Sabotage of data or networks Mean Table 7a: Average number of cyber crime attacks within the last 12 months as a proportion of affected organizations Financial 20 Retail 18 Airlines/Shipping 14 Telecom 14 Utilities/Critical Infrastructure Aerospace/Defense Calculation: Total number of incidents per industry divided by total affected per industry %

15 There is some fluctuation in incidence of various cyber crimes by industry, with the following showing the highest dispersion: Financial fraud more common in the Retail and Financial industries (19% and 16% respectively), and lowest in Aerospace/Defense and Utilities (5% and 3% respectively). Unauthorized access to websites more common in the Airlines/Shipping and Telecom (20% and 19% respectively), and lowest in Aerospace/Defense (7%). Denial of service more common in Telecom (19%), and lowest in Retail (5%). Unauthorized access to websites more common in the Airlines/Shipping and Telecom (20% and 19% respectively), and lowest in Aerospace/Defense (7%). Denial of service more common in Telecom (19%), and lowest in Retail (5%). F. Types of cyber crime attacks and their impact on businesses On average, of the 69% of organizations affected by some form of cyber crime, 46% say that the incident(s) have had at least some impact (severity of 5 or more on a 10 point scale) on their businesses. On average about a quarter of organizations (26%) say the attacks had a considerable impact (rated 7 or more on a 10 point scale) on their organizations. The top three such cyber crimes are relatively low incidence and frequency: financial fraud (37% considerable impact), sabotage of data or networks and denial of service (36% each). Table 8 below provides more details. By comparison, incidents of high prevalence, such as malware and virus attacks and phishing/social engineering have very negative impact on relatively fewer organizations: 23% and 22% respectively rate the impact as considerable (7-10 out of 10). The severity of impact of cyber crime types varies by industry (not so much by size), with the following being most affected (severity of 7-10 out of 10): Sabotage of data networks Telecom 63% Financial fraud Airlines/Shipping 60%, Telecom 50% Advanced Persistent Threats (ATPs) Aerospace/ Defense 50%, large businesses 50% Phishing/social engineering Aerospace/Defense 50%. Table 8: Impact of cyber crime attacks on organizations (measured on a scale of 1 to 10 where 1 means negligible impact and 10 means major impact). Financial fraud Sabotage of data or networks Denial of Service Advanced Persistent Threats (APTs) Telecommunications fraud Unauthorized access or misuse of website Theft of other hardware Phishing, Spear Phishing, Social Engineering Theft of devices containing company information Malware, such as Trojans, Worms and Virus attacks Misuse of social networks by employees % (9-10) Major Impact (7-8) Considerable Impact (5-6) Some Impact (3-4) Minor Impact (1-2) Negligible Impact Don t Know/Refused 15

16 G. Financial costs/losses due to cyber crime Cyber crime attacks conducted over the past 12 months cost businesses a total of approximately $5,328,916. This translates to an average of $14,844 per affected business. Financial fraud accounts for the largest proportion of total cost (36%), at $1,892,683. With 294 reported financial fraud attacks, the average cost per attack is $6,438. Table 9: Costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers 4 ) Theft of devices containing company information is the second largest source of cost, at $849,499 or 16% of the total cost. Each incident cost companies $4,007 on average. Because of the high incidence among businesses, malware and virus attacks account for the third highest cost overall, at $771,937, but the average loss per incident is relatively low, at $454. Sabotage of data and networks is 4th in terms of incurred costs, with $583,298 in losses, but the average cost per incident is 2nd highest, $5,952. More details can be found in Table 9 below. Fianancial Loss {A} Sum Cost of Recovery {B} Loss of business {C} Total Cost / Loss {A+B+C} Average cost per attack* Fiancial fraud $1,162,553 $155,030 $575,100 $1,892,683 $6,438 Theft of devices containing company information Malware, such as Trojans, Worms and Virus attacks Sabotage of data or networks $215,700 $361,800 $271,999 $849,499 $4,007 $283,475 $456,259 $32,203 $771,937 $454 $347,499 $104,300 $131,499 $583,298 $5,952 Telecommunications fraud $178,200 $169,300 $153,000 $500,500 $1,209 Denial of Service $50,000 $172,050 $11,700 $233,750 $1,067 Phishing, Spear Phising and Social Engineering Unauthorized access or misuse of website Advanced Persistent Threats (APTs) Misuse of social networks by employees $123,135 $11,455 $17,445 $152,035 $103 $40,510 $50,599 $28,599 $119,708 $161 $ - $100,300 $ - $100,300 $1,454 $ 39,299 $9,999 $16,098 $65,396 $113 Theft of other hardware $42,300 $17,510 $ - $59,810 $1,031 Total Cost/Loss $2,482,671 $1,608,602 $1,237,643 $5,328,916 * Average cost per attack calculation: Total cost/loss divided by number of attacks within each cyber crime type. 16

17 Costs incurred by cyber crime attacks are comparatively higher in the Telecom and Airline/Shipping industries (Table 10 below) with the average cost per incident also higher in these sectors: about $2,364 per incident in Telecom and $1,674 in Airline/Shipping. Total cost due to cyber attacks increases with revenue size: on average, an incident in large organizations costs $1,181, compared to $991 in medium size businesses and $741 in small ones. Table 10: Total costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers) by industry and revenue size. Industry Fianancial Loss {A} Cost of Recovery {B} Loss of business {C} Total Cost / Loss Number of total incidents per industry Average cost per attack Telecom Technology $943,724 $547,299 $391,097 $1,882, $2,364 Airlines / Shipping $492,755 $263,410 $524,509 $1,280, $1,674 Financial $388,437 $257,248 $263,642 $909, $446 Utilities / Critical Infrastructure $154,599 $403,349 $11,199 $569, $911 Retail $398,556 $70,096 $45,396 $514, $361 Aerospace and Defense $104,600 $67,200 $1,800 $173, $800 Total Loss / Cost $2,482,671 $1,608,602 $1,237,643 $5,328,916 Business Size (revenues) Fianancial Loss {A} Cost of Recovery {B} Loss of business {C} Total Cost /Loss Number of total incidents per industry Average cost per attack Under $10 Million $1,140,316 $501,842 $432,943 $2,075,101 2,800 $741 $10 Million to under $50 Million $726,550 $609,860 $577,500 $1,913,910 1,931 $991 $50 Million or More $615,805 $496,900 $227,200 $1,339,905 1,135 $1,181 Total Loss / Cost $2,482,671 $1,608,602 $1,237,643 $5,328,916 * Average cost per attack calculation: Total cost/loss divided by number of attacks within each cyber crime type 4 Outlier is a value that is numerically distant from, or is outside the rest of the data (e.g., an extreme value). In larger samplings of data, a small number of extreme data points (outliers) are expected. Extreme outliers have been eliminated from the analysis in order to produce results that are not distorted.* 17

18 H. Reputation damage as a result of cyber crime attacks Cyber crime does not significantly affect organizational reputation (Table 11). On average, 17% of cyber attacks (any form) cause some (13%) or significant (5%) reputational damage. Sabotage of data and networks cause relatively more reputational harm than any other attacks, at 30% (15% significant and 15% some reputational damage). Because of small base sizes, the data for individual forms of attacks cannot be analyzed by industry or revenue range. Table 11: Reputation damage as a result of cyber attacks. Sabotage of data or networks Attacks such as Denial of Service 6 18 Financial fraud 6 15 Misuse of social networks by employees 3 18 Significant Some Unauthorized access or misuse of website 7 13 Advanced Persistent Threats (APTs) 20 Telecommunications fraud 5 14 Theft of other hardware 13 Theft of laptop(s), smart phones, tablets and other devices containing company information Malware, such as Trojans, worms and virus attacks Attacks including Phishing, Spear Phishing and Social Engineering % I. Internal versus external cyber attacks Cyber crime incidents tend to be originating outside companies. Over half (56%) say that more than 60% of incidents were external, 10% believe that fewer than 30% were external, and 13% say that 31%-60% were external. As many as 41% believe that 100% of incidents were external. Telecom reports the highest proportion of exclusively external attacks 65% say 100% of attacks were external, followed by Aerospace/Defense 47%, and Utilities 44%. Nearly half (48%) of small businesses say that 100% of incidents were external, while it is only the case for a third of medium and large businesses. There are no other discernible patterns by business size. Only 21% of respondents report that over 60% of incidents were internal, 17% say fewer than 30% were internal, and 13% say that 31-60% were internal. Only 12% believe that 100% of incidents are attributed to internal attacks. There are no patterns in data by industry or business size. J. Cyber crime impact on various organizational aspects Generally, businesses ability to operate is the most often mentioned concern (64%) associated with cyber crime across industries and business sizes, but other aspects closely tight to businesses wellbeing, such as doing business with customers, company finances and public image are not far behind in importance (52%-59%). 18

19 Public image and reputation are more of a concern in the Utilities, Telecom, and the Financial sectors (around 60% each), compared to about 40% for the remaining industries. K. Attitudes toward cyber crime incidents Two-thirds (64%) believe that senior management treats cyber crime incidents with serious to considerable interest (scores 7 to 10 out of 10). The perceived level of concern about cyber crime among employees is lower, with 43% giving it 7 to 10 out of 10 on the interest scale. Given that individuals in senior/management positions answered the survey, the results for the above question may be biased toward management. Level of concern among senior management is roughly the same across industries, although its intensity (score 9, 10 out of 10) is higher in Telecom and Airlines/Shipping (49% and 47% respectively) than in Retail or Utilities (33% and 26% respectively). Employees are viewed to be less concerned about cyber crime across industries. Slightly more concern among employees is reported in Telecom and Utilities businesses (54% and 51% respectively), and lowest in Retail (32%). L. Steps employed to raise awareness of cyber crime A plurality of businesses (42%) employs only one or two approaches in raising awareness of cyber crime, and these are mostly s (59%), and corporate guidelines and manuals (54%). A quarter (26%) employs 3 or four steps, and 13% use five or more. Nearly one-in-five organizations (19%) do not do anything to raise awareness of cyber threats. Small organizations are more likely to provide no information to their employees (25%) than medium and large ones (7% and 8% respectively). Large businesses tend to offer more opportunities for building awareness about cyber crime 28% employ five or more methods (compared to 14% in medium-sized and 8% in small organizations; vs. 13% overall). M. Employment of risk assessment process Overall only 22% employ risk assessment processes for cyber crime; 77% do not, and 1% don t know. This is true across industries. Telecom tops the list, with 33% organizations reporting such processes, and only 11% of Retail organizations do so (lowest proportion among surveyed industries). Table 12: Steps employed to raise awareness of cyber crime Send s round / reminding / updating 59 Corporate guidelines / manuals 54 Information on your intranet 31 Formal activities to raise awareness Formal security training courses Awareness seminars Posters Other Don t know/refused %

20 Likelihood of employing risk assessment processes increases with revenues: 45% of large businesses do so, compared to 23% among medium, and 17% among small businesses. Few organizations (6%) report accreditation of IT security standards. This percentage is equally low across industries and revenue levels. In this small group, 1% each is accredited to ISO27001, National IT Security Standard, International IT Security Standard, and 3% report other accreditations. N. Incidence and frequency of security audits Of those not accredited to national or international IT security standards (94% of surveyed organizations), over half (56%) say that they carry out regular security audits. In all but one industry, over half conduct regular audits. It s highest for the Utilities organizations (68%). In Retail, only 42% do so. Incidence of regular security audits increases with revenues: 84% of large businesses say they conduct regular audits, compared to 66% among medium, and 49% among small organizations. A plurality (38%) conduct audits at least monthly, 17% do so every three to four months, 9% every six months, 21% annually, and 7% do so at other frequency. Eight per cent do not know. O. Incidence of formal procedures to deal with cyber crime incidents A majority (69%) of organizations do not have formal procedures that have to be followed when cyber crime is identified; only about a third of organizations (28%) do. It is somewhat higher in the Aerospace/Defence, Telecom, and Financial industries (34%, 33% respectively), and lower in Airlines/Shipping and Retail (25%, and 24% respectively), with Utilities on par with the average, at 27%. It is also higher in large businesses, at 47% (particularly those with revenues $100 Million or more: 57%), compared to 29% in medium, and 25% in small ones. Also only about a third of organizations (28%) have a trained crisis management team to respond to cyber crime incidents. It is higher in Aerospace/Defense, Telecom, and Financial industries (38%, 36%, and 34%), and lower in Retail and Airlines/Shipping (19% and 17%), with Utilities at 27%, on par with the average. Presence of trained crisis management teams is considerably higher only in the largest revenue segment ($100 Million or more), at 41%. P. Individuals responsible for dealing with cyber crime attacks Senior management and individuals responsible for IT/ Information security are the key decision-makers and response teams, regardless of industry and revenue size. The same individuals are also most likely to decide whether an external agency should be involved in cyber crime attacks. 20

21 Table 13: Decision-makers in cyber crime attacks CEO/Senior Management IT / IS Manager Head of IT / IT Director / CIO / CISO General Manager/Operations... Other Other Security Network Manager Financial Director Or Equivalent Human Resources Don t Know Legal / Counsel Facilities / Group Manager Decision maker in cyber crime attacks Decision maker re: involvement of external agencies % Q. Familiarity with cyber crime security strategy Awareness of the 2010 Canadian Cyber security strategy is very small, at 7%, and it holds across industries and revenue sizes. It is slightly higher in Aerospace/Defense (10%) and Utilities (9%) and lowest in Retail and Telecom (6% and 5% respectively). It is also comparatively higher in large businesses (14%), than in medium (10%), and small ones (5%). Although familiarity with the strategy is minimal, higher awareness has potential to drive positive change in IT security among Canadian businesses. A quarter (26%, n=10) of those aware say it influenced their company s approach to cyber crime security: 80% increased IT security investments, 50% changed policies, and 20% introduced cyber crime awareness training. Given the small base size, the results should be used with caution, for directional purposes only. R. Involvement of external agencies Over half (56%) of the organizations that experienced cyber crime attacks did not involve any external agencies, and 44% did (this represents 30% of all respondents). Of those who did, a majority (63%) engaged private and 21% government agencies. In a scenario where involvement of external agencies was necessary, a plurality (39%) of all surveyed organizations say they would opt to first engage private organizations, and 29% would first turn to government organizations, with 6% saying it would depend on the type of incident, 2% would contact both, 15% wouldn t know, 9% provided other comments. Retail and Financial organizations would be more likely to first contact private agencies (47% and 45% respectively), while Aerospace/Defense, Airlines/ Shipping, and Utilities would first reach to government organizations (38%, 35% and 34% respectively). Business size has no influence on the type of agencies that would be contacted: all have a somewhat stronger preference for private organizations. While businesses initially show preference toward private agencies, when asked to specify what organizations would be contacted following a cyber crime attack, private organizations are not top-of-mind. A plurality (46%) would not know who to contact, with most other respondents citing a government organizations/agencies: 23% the RCMP, 20% local/provincial police, 6% some other government organization. Only 8% would contact other organizations. These views are uniform across industries and business sizes. 21

22 S. Involvement / Effectiveness / Expectations of the RCMP and/or other Government agencies in relation to cyber crime. The incidence of ever involving the RCMP or other government agencies is small overall (11%, n=57). The RCMP and/or government agencies are primarily contacted to report an incidence/crime (59%), and 24% do so as part of legal obligations. The top two occurrences involved financial fraud and general fraud/theft (29% each). Of the small proportion of incidents (11%), most (61%) were recent (this is a low base of n=34 or 6% of all respondents and results should be used with caution, for directional purposes only). Half (53%) occurred within the current year, 29% within 1 to 5 years, and 15% earlier than that. Of the few businesses that had recently involved the RCMP or government agencies (6%, n=34), a majority (62%) agreed that the organizations effectively handled the situation, and 30% felt that it was not addressed effectively. But overall, virtually all businesses (90%) who have not dealt with the RCMP or other government agency do not know on what basis to determine the effectiveness of the RCMP or government agencies in dealing with cyber crime. 3% each list general media feedback, personal experience, and success rate, with 1% mentioning speed of response. Building awareness of cyber crime and its prevention is by far the most often mentioned expectation from the RCMP and government agencies (45%), with prevention, investigation and prosecution at 17%. Other expectations, such as direct assistance, streamlining of resources are mentioned by 5% to 6% each. Need for more prevention, investigation, and prosecution is slightly more often mentioned among large businesses (23%) and the Aerospace/Defense industry (21%). T. Awareness of Public Safety Canada s/rcmp s roles in raising awareness of cyber crime/ Sources of awareness Awareness of cyber crime prevention campaigns is low, at 12%. It is only comparatively higher in the Utilities industry, at 18% and among large organizations, at 19%. Overall, 39% of businesses are aware that at least one of the two organizations has a role in combating cyber crime. 22% are aware of only the RCMP s role, 17% are aware of the roles of both organizations, but none are aware of Public Safety s role only. This pattern generally holds across industries and business sizes, with the exception of Utilities, where awareness of both organizations roles is higher, at 30%. Among those aware, two thirds (67%) view it as relevant, especially the Telecom industry (82%) and large businesses (75%). Media (news, TV, newspapers, internet) plays a pivotal role in building awareness of Public Safety Canada s and RCMP s roles in combating cyber crime: 76% of those aware say they learned about it through media. All other methods trail behind (under 10% each). This holds true across industries and business sizes, with one exception: conferences are a source of awareness for 14% of large businesses, but the use of this channel is minimal in medium and small businesses (4% and 2% respectively). 22

23 While surveyed organizations indicate that events and media coverage would likely be the most effective form of building awareness of Public Safety Canada s/the RCMP s roles in combating cyber crime, a range of other communication avenues could be just as effective in educating businesses. Table 14: Communication strategies to employ by Public Safety Canada / the RCMP to improve building awareness of their capabilities among Canadian Business Events / Media coverage 69 Presence on specific web sites Publications Advertising in trade publications Involvement in specific professional associations Conferences Case studies Utilities / critical infrastructure - 61% Large businesses - 66% Aerospace - 66% Large businesses - 67% Personal briefings with agency staff Don t know / Refused 5 38 Telecom - 45% Airlines/Shipping - 45% Large businesses - 58% %