As published in the Financial Post:
Businesses in Canada will soon have a new network to guard against cyber crime, which is costing them more than $3 billion a year.
Nine major Canadian companies, including the big telcos and some of the Big Five banks, along with the Canadian Council of Chief Executives on Friday announced they are forming the Canadian Cyber Threat Exchange (CCTX), a non-profit organization that will allow firms to share information amongst themselves, government and research institutes about cyber attacks.
“Overall, it’s a very positive initiative,” said Saj Nair, a partner and cybersecurity consulting leader at PwC Canada. “It will make (Canadian businesses) more resilient.”
The effect of cyber crime on Canadian GDP is lower than in the U.S. (0.17 per cent versus 0.64 per cent), but the reason for this gap may be underreporting and a lack of data, according to a Fraser Institute report.
The lack of data is because companies do not want to admit that they were victim to a hack, particularly because of the perceived liability, said Ray Boisvert, president of I-Sec Integrated Strategies and a former assistant director of the Canadian Security Intelligence Service.
Cyber attackers know this too and use this vulnerability to their advantage: since companies aren’t sharing information with competitors or others, other firms fall victim to similar attacks. “Adversaries and attackers are extremely good at collaborating,” Nair said. “The defending organizations are not as great.”
That’s why a key tool in the fight against cyber attacks is information sharing.
“If one organization notices an incident, if they can quickly pass that information on to other organizations, then we will help a lot of other organizations from falling victim to the same breach,” Nair said.
There have been some very high-profile cyber attacks recently. For example, a group of hackers in November 2014 got into Sony Pictures Entertainment’s systems, wreaking an unprecedented amount of havoc. The personal information of 47,000 employees and actors was leaked, including details such as social security numbers and salary information.
The hack revealed that female actors such as Jennifer Lawrence were making significantly less than their male peers and that emails from studio heads and producers were less than complimentary about their stars. One producer’s email called Angelina Jolie “a minimally talented spoiled brat.”
Beyond revealing the colourful inner workings of Hollywood, the hack cost Sony millions. And it created an international relations debacle, causing President Barack Obama to place sanctions on North Korea, the presumed home of the hackers.
This hack and many others, such as ones at eBay Inc. in 2014 and Target Corp. in 2013, show the extent to which even huge global companies can be ill equipped to protect themselves.
The founding members of the CCTX are Air Canada, Bell Canada, Canadian National Railway Co., Hydro One Networks Inc., Manulife Financial Corp., Royal Bank of Canada, Telus Corp., Toronto-Dominion Bank and TransCanada Corp. Executives from these organizations who hold titles such as chief information security officer will represent their respective companies.
But the creation of the threat exchange also speaks to the seriousness of the problem, which comes in many guises.
One popular method is spear phishing attacks, where a phony email, purporting to be from a legitimate person or company, asks the receiver to click on a link or open an attachment that will allow a virus to operate undetected on the victim’s computer and network system. Or the email could ask for personal information, such as bank account or credit card numbers.
Five out of every six big companies (2,500 or more employees) around the world were victims of spear phishing attacks in 2014, an increase of 40 per cent over the previous year, according to Symantec Corp.’s 2015 Internet security threat report. Small and medium-sized enterprises experienced increases in attacks too, 26 and 30 per cent, respectively.
Security incidents against Canadian firms have increased 160 per cent in the last year, according to a recent PwC study. This is in part due to an increase in the number of attacks.
As organizations have significantly increased investment in their detection capabilities, Nair said, they know more about what is going on in their systems. Spending on cybersecurity has risen 82 per cent in the past year in Canada, with Canadian companies spending an average of five per cent of their overall IT budget on security.
“We should all accept that breaches will happen,” Nair said. “And it will happen more and more as our economy and our society gets more and more digitized. It’s not a matter of if; it’s a matter of when.”
The Canadian threat exchange will become operational in early 2016. CCTX members will fund the organization through membership fees starting at $5,000, increasing based on the size of the company and the level of service.
Once the group is launched, the founding members, which also will constitute the board, will choose an executive director. They will also hire an outside vendor to provide the technical platform to allow the sharing of information. RiskView, an IT security services firm based in Toronto, has done some of the early work, including setting up the group’s website.
The threat exchange will “enhance cybersecurity collaboration among private and public sector partners, strengthening their ability to protect critical infrastructure, sensitive or proprietary data, and customer information,” a news release announcing the group said.
Although information will also be shared with government, it is only for the prevention of and protection against attacks, and will not include personally identifiable information that would be subject to privacy concerns.
“The nature of what (they’re) sharing shouldn’t include any personal information,” I-Sec’s Boisvert said. “It shouldn’t include the latest business strategies.”
The CCTX also wants to expand its membership in order to increase the amount and quality of information being shared. The group will actively start recruiting more companies to join in 2016.
The idea of a threat exchange is not new. The U.S. has had a series of threat exchanges for more than a decade, organized by sector. Financial services has its own group, as does the retail sector, which counts companies such as Gap Inc., J. C. Penney Company Inc., Lowe’s Cos. Inc. and Walgreen Co. as members.
“Given our size [in Canada], it doesn’t make sense to split it that way,” Nair said. “I think it’s great that, across all industry sectors, we are coming together and we are collaborating.”
But threat exchanges are not a silver bullet, cautions David Fidler, adjunct senior fellow for cybersecurity at the Council on Foreign Relations, an independent think tank in the U.S. “Their effectiveness is mixed.”
That’s partly because when it comes to preventing future attacks, “bad guys evolve too,” he adds. “They find ways around strategies used to block attacks.”
There is also the human factor to consider, since the biggest source of security incidents is employees.
In 2015, just over a third of all security incidents companies faced came from current employees, and 29 per cent came from former employees, according to PwC’s Global State of Information Survey 2016. As a result, companies investing in cybersecurity must also put some money toward employee training.
“There is a lot of room for improvement in this space,” PwC’s Nair said. “But when we go through the data, there is reason for optimism. We are improving year over year. Are we there yet? No. But I think we should take comfort in that we are making progress.”
Sarah Reid is a journalism fellow at the Munk School of Global Affairs in Toronto.