The Latest Cybersecurity Trends in Canada from CDW’s 2023 Cybersecurity Study

Our latest study highlights the current state of IT security and key issues facing Canadian businesses today. It offers insight into how organizations should proactively respond to an ever-evolving threat environment.

Progressing toward more robust security is a top priority

Security has become a top concern for IT and business executives across Canada as cyberattacks continue to disrupt the economy and society. The ever-growing complexity of today’s IT environments underscores a need to secure IT against frequent and increasingly malicious cyberthreats. The risks of data loss, service interruptions, infiltration and reputational impact are all top of mind for business and IT leaders in Canada as they seek to protect customer, employee and partner data and ensure the continuity of business operations.

As the cyberthreat landscape grows, so does business risk

The IT attack surface is expanding

Post-pandemic, companies have rapidly shifted to hybrid work, digital services and custom-created application programming interfaces (APIs), and have rapidly adopted Internet of Things (IoT) devices. Many Canadian organizations are fast-tracking their public, hybrid and multicloud IT strategies. With the expanded use of IT, more data is created, exchanged and processed at lightning speed.

Successful cyberattacks are on the rise

While the total number of cyberattacks has seen a decline, the number of successful incidents continues to trend upward. Across industries and organizational size, seven to 10 percent of various cyberattack types are successful, with the highest “hit rates” of infiltration found among government and educational organizations.

CYBERATTACK SUCCESS RATE

Downtime is bad for business

Downtime resulting from cyberincidents affects both a company’s reputation and its bottom line. In 2023, Canadian firms across all business sizes reported an average downtime of two weeks or more over a period of 12 months in each category of attack, with infiltration and denial of service (DoS) being the attack types cited most often.

Delays in detection and response give cyberattackers free rein

The average time to detect a cyberincident for a Canadian organization is 7.1 days. It took more than a week for approximately 29 percent of Canadian organizations to detect a cyberincident, and 57 percent of organizations took more than a week to respond to an attack. The overall average response time is 14.9 days, while the average time to recover is 25.6 days. Canadian organizations’ average incident management time is approximately 48 days, which puts many organizations at risk for regulatory fines and loss of customer trust and potentially increases the cost of recovering from security incidents. Intelligence-based threat detection and automated and orchestrated response mechanisms are necessary to help security teams tip the scales in their favour.

Zero trust is rapidly gaining traction

  • The growth of the hybrid workforce and cloud adoption has expanded potential attack surfaces.
  • When users, data, devices and services are spread across multiple locations, perimeter-based security architectures are limited in their ability to protect critical systems from cyberattack.
  • Rising cyberattacks are a grave concern for Canadian organizations and a top driver of zero-trust architecture adoption.

How to get the full benefit of zero trust

While Canadian companies clearly see the merit in zero-trust architectures, they generally prioritize identity and access management (IAM). However, the assumption of breach is an equally important principle, one that focuses on rapid threat detection and response instead of just threat prevention.

TECHNOLOGY TO SUPPORT ZERO-TRUST

To proactively defuse threats before they appear, Canadian companies should consider increasing their investments beyond identity and access management to add telemetry-based threat detection; security analytics and artificial intelligence (AI)/machine learning (ML) use cases; threat hunting; and security orchestration and automation.

The payoff is a digitally resilient organization

Inherent trust is never granted automatically in a zero-trust environment, and scalable architectures can be readily extended to devices and networks, enhancing visibility and control to improve threat detection and response. Canadian organizations are looking to zero-trust architectures in an effort to reduce the number of security incidents and make their organizations digitally resilient.

BENEFITS WITH ZERO-TRUST SECURITY

Detection and response delays give cyberattackers free rein

  • The average incident management time for Canadian organizations is approximately 48 days, which gives cyberattackers significant time to access valuable enterprise resources.
  • Delays in detection and response related to cyberattacks put organizations at higher risk for regulatory fines and loss of customer trust and potentially increase the cost of recovering from security incidents — often at the expense of investments that could be made toward IT growth initiatives that support business goals.

In the era of cloud, traditional security responses are no longer enough

The proliferation of cloud services has further complicated the ability of Canadian organizations to detect and respond to threats. Traditional log-based threat detection and manual response methods can only go so far. Without intelligence-based threat detection and automated and orchestrated response mechanisms, Canadian security teams will find it difficult to tip the scales back in their favour.

However, it takes more than security solutions to reverse high dwell times. An incident response plan that outlines the policies and procedures to evaluate, contain and recover from a security incident is a good place to start.

DETECT & RESPONSE TECHNOLOGIES ADOPTED

A gap exists between cloud adoption and cloud security

  • Public cloud environments are the IT components most directly impacted by security incidents.
  • Two out of five organizations that store highly restricted data such as personally identifiable information (PII) and protected health information (PHI) in the cloud say they have been a victim of a security incident.
  • 35 percent of Canadian organizations report that public cloud did not meet their initial security expectations.

EXPECTATIONS VERSUS REALITY WHEN MIGRATING TO PUBLIC CLOUD

The cloud is under attack, and organizations are at risk

Cloud environments have become the most attacked IT components, and the gap between cloud adoption and proportionate cloud security investment has become a top cyber risk for many Canadian organizations.

CLOUD SECURITY INCIDENTS ACCORDING TO TYPE OF DATA

It’s time to close the gap

The study showed that Canadian organizations spend, on average, only 13 percent of their security budget on securing cloud environments. To close the gap, determining the sensitivity of data in the cloud; identifying and assessing potential risks; and gaining an understanding of the shared responsibility model are all necessary steps to prioritize investments and address skill acquisition and development.

The rising number of cyberthreats is driving increased security automation

  • Canadian security teams view security automation as key to improving security team productivity and generating desired security outcomes for organizations.
  • Many Canadian organizations have turned to security automation to enable high-fidelity detection, faster incident response and security agility.
  • For 63 percent of Canadian organizations, increased cyberattacks were a leading driver of security automation adoption.

DRIVERS OF SECURITY AUTOMATION

Manual security processes are still commonplace

Although most Canadian organizations have scrutinized and documented their security workflows to identify areas that can be automated, 62 percent of Canadian organizations still rely on manual security processes. Why? Budgetary constraints remain the greatest hurdle, followed by a lack of necessary automation tools.

RELIANCE ON MANUAL SECURITY PROCESSES

Despite these and other challenges, organizations should strive to create a strategic plan for security modernization and measure the quantifiable improvements made to their security posture.

SECURITY AUTOMATION CHALLENGES

Secured application development is a top priority for Canadian organizations

Internal applications rank as the IT component most affected by cyberattacks aside from public cloud. Collectively, this places “secured application development” among the top security concerns of Canadian organizations.

TECHNOLOGIES IMPACTED BY CYBERATTACKS

DevOps is gaining ground

  • 32 percent of Canadian organizations have adopted DevOps as their standard software development methodology.
  • A siloed approach to application security can cause delays in development and work against the objective of DevOps.
  • DevSecOps, with its collaboration between security teams and developers, ensures that security is “baked in” to application development.

Why it’s worth the effort:

Building security into application development from end to end requires more than just new development tools; DevSecOps requires a fundamental change in the organizational mindset. This may demand modernization of the entire development environment, including source code repositories, container registries, continuous integration (CI)/continuous delivery (CD) pipeline, API management, operations management and monitoring.

Despite these challenges, DevSecOps significantly improves security outcomes. According to the study, organizations using DevOps that have also invested in DevSecOps report less frequent data breaches over time compared with those that have not yet begun their DevSecOps journey.

FEWER DATA BREACHES WITH DEVSECOPS

Macroeconomic pressures and security skills gaps hinder digital maturity

  • 48 percent of Canadian organizations believe a looming recession and rising inflation will have the greatest impact on their security spending for 2023.
  • More than 60 percent of Canadian organizations say the IT security skills gap has reduced their ability to prevent security incidents.

A STRATEGIC APPROACH TO SECURITY SPENDING

Macroeconomic triggers are a significant hurdle facing organizations that are seeking to improve their cybersecurity defences. To combat the impact of macroeconomic triggers on security spending, 31 percent of Canadian organizations have turned to external security service partners to maintain and improve their security posture.

STRATEGY TO NAVIGATE ECONOMIC PRESSURES

Recommendations and calls to action

1. Orchestrate, then automate

For years, Canadian organizations have managed cybersecurity in silos, and this siloed approach works against an organization when it is facing a cyberattack. Orchestration is the glue that makes an organization’s entire security ecosystem work as a single unit, paving the way for automation. To drive successful security orchestration and automation, it is necessary to:

  • Create repeatable security workflows and document them
  • Facilitate continuous asset monitoring and threat detection through frameworks such as ATT&CK
  • Automate processes to achieve the speed and agility needed for complex environments
  • Invest in solutions such as XDR that offer out-of-the-box integration with popular security technologies or come pre-integrated with a security stack from the same vendor

2. Embrace every aspect of zero trust

Zero trust requires a change of mindset across the entire organization. All stakeholders — including executive leadership, IT teams and users — should acknowledge that cyberthreats exist both inside and outside their IT environment and that users, devices and network components cannot be trusted implicitly based on their location within the network. Zero-trust security architectures should be able to prevent, detect and contain security incidents effectively. Remember, zero trust is only as good as the underlying security policies.

3. Security should be a key component of your cloud migration strategy

Cloud has become a focal point of all IT innovation. Unfortunately, the pandemic pushed organizations to “adopt first, secure later,” without comprehensively assessing the unique privacy and security requirements of cloud. To migrate to cloud securely, Canadian organizations should identify and classify the types of data that will be used by cloud applications based on their sensitivity and governance requirements. Organizations should also identify the specialized tools needed for cloud security and for securing endpoints, networks and cloud applications.

4. Distribute security at speed with DevSecOps

In a world of cyberthreats, security and development teams can no longer afford to work separately. An important cultural aspect of DevSecOps and software supply chain security is ensuring that development, operations and security teams work together in a collective effort to release software faster and more securely. DevSecOps is built on the idea that security is everybody’s responsibility: to achieve the goal of secured application development, security decisions must be distributed across the security, development and operational teams at speed and at scale — and automated wherever possible.