2. Introduction
The purpose of this research was to study how Canadian organizations are responding to cyber security threats
and what technologies and tactics lead to organizations obtaining a stronger security posture.
We surveyed 623 IT and IT security practitioners in Canada. Eligible participants play a role in direction the IT
function, improving IT security in their organizations, setting IT priorities, and managing budgets. Respondents
work in a wide variety of industries, and over half work at organizations with an employee count between 250
and 5,000. Independently conducted by Ponemon Institute, survey responses were captured in November 2014.
KEY FINDINGS OF OUR RESEARCH INCLUDE:
Only 41 percent of respondents believe they are winning the cyber security war. The primary challenge
respondents reported is a lack of in-house expertise. Other challenges are a lack of collaboration with other
functions, insufficient personnel, and a lack of clear leadership. Almost half (49 percent) of respondents
believe they do not have a sufficient number of in-house personnel who have such critical qualifications as job
experience, professional certifications, and specialized training.
Additionally, cyber crimes are believed by the majority of respondents to be increasing in frequency,
sophistication, and severity. Given the recent spate of attacks on retailers and entertainment companies, it
appears the likelihood of experiencing a major attack is not as remote as many once believed.
On average, organizations in this study have had 34 cyber attacks in the past 12 months—almost one attack
per week. Almost half (46 percent) of respondents experienced an attack in the last year that involved the loss
or exposure of sensitive information.
Restoring reputation and marketplace image is the most costly consequence of a cyber attack. Cyber
security compromises are costly and the average spent on each incident was approximately $208,432
on the following: clean up or remediation ($19,883), lost user productivity ($29,035), disruption to normal
operations ($38,310), damage or theft of IT assets and infrastructure ($45,117), and damage to reputation and
marketplace image ($76,087).
The loss of intellectual property can affect an organization’s competitiveness and bottom line. Thirty-
five percent of respondents say their firm experienced a loss of intellectual property or other commercially
sensitive business information due to cyber attacks within the past 12 months. Thirty-two percent of these
respondents believe that this theft caused a loss of competitive advantage. However, 38 percent were not able
to determine if the loss affected their organizations’ competitiveness.
However, it’s not all bad news. Our research also found that organizations can take definitive steps to
achieve a stronger security posture. We identified certain organizations represented in this study that self-
report that they have achieved a more effective cyber security posture and are better able to mitigate risks,
vulnerabilities, and attacks. We refer to these as “high performing” organizations, and they represent 48% of
the sample size. We contrasted their priorities, budgets, and behaviours with the remaining 52% of the sample,
referred to as “low performing” organizations, to help understand the steps Canadian organizations can take to
achieve a stronger security posture.
The high-performing organizations achieving the greatest cyber readiness have a greater awareness of the
threat landscape, receive a higher proportion of the total IT budget dedicated to IT security (12 percent
versus 8 percent among the low performers), are more likely to invest in cutting-edge technologies based
on ROI, and have a cyber security strategy that is aligned with their business objectives and missions.
THE CYBER SECURITY READINESS OF CANADIAN ORGANIZATIONS
2
3. Results of the 2015 Scalar Security Study
3
As a result of the above behaviours, high-performing organizations are more likely to believe they are winning
the cyber security war (46 percent versus 36 percent of the low performers), and see fewer instances where
cyber attacks have evaded their intrusion detection systems (IDS) and/or anti-virus (AV) solutions. They are
also 28 percent less likely to have experienced an attack in the last year that involved the loss or exposure
of sensitive information (38 percent of high performers experienced such a breach versus 53 percent of low
performers).
Looking to the year ahead, the technologies with the highest ROI for both high and low performers are security
information and event management (SIEM), identity management and authentication, and network traffic
surveillance. Organizations in this study expect to see an increase in budget allocation for these technologies,
as well as for big data analytics.
Conclusion
The practices of high-performing organizations provide guidance on how organizations can improve their cyber
security effectiveness. Overall, high-performing organizations are more likely to PREPARE (they have a
greater awareness of the threat landscape and align their security strategy with their business objectives and
mission), better able to DEFEND (they receive higher proportions of overall IT budget, and they invest it in
cutting-edge technologies which they measure the ROI of), and better able to RESPOND (they are 28 percent
less likely to have experienced an incident involving the loss or exposure of sensitive information in the last 12
months) to today’s cyber security attacks. Some specific strategies and tactics organizations should consider to
better prepare, defend, and respond are:
Understand your current security posture and gaps in your strategy today. Consider investing in a security
audit to help you do so
Proactively recruit experts to help lead the organization’s cyber security team. Ensure the necessary in-house
expertise exists and have specialized training for IT and IT security practitioners on staff. For organizations
where in-house recruitment and training is cost or time prohibitive, consider looking to a trusted third-party
provider who can manage and monitor your environment for you, and provide skilled, trained, and experienced
staff of their own.
Align the cyber security strategy with the overall mission of the organization. Secure adequate resources for
investment in practices and technologies determined to be critical to achieving a strong cyber security posture.
Invest in cutting-edge technologies such as SIEM, network intelligence, IDS with reputation feeds, big data
analytics, dynamic and static scanning of applications, and endpoint security tools (including mobile device
management, active sync controls, and secure container solutions), and measure the ROI of these technologies.
If you have any questions on any of the findings of this study, or would like to better understand where your
organization is on the high/low-performing scale, reach out to your local Scalar office.
To download a copy of the full report, visit scalar.ca/security-study-2015
4. TORONTO
280 King St. East
4th Floor
Toronto, ON
M5A 1K7
416.202.0020
VANCOUVER
1100 Melville St.
Suite 750
Vancouver, BC
V6E 4A6
604.320.6950
MONTRÉAL
4560-B Blvd. St-Laurent
Suite 203
Montréal, QC
H2T 1R3
514.285.1717
S.W. ONTARIO
140 Ann St.
Suite 103
London, ON
N6A 1R3
519.432.1180
CALGARY
605 - 5th Ave. SW
Suite 1020
Calgary, AB
T2P 3H5
403.351.3640
OTTAWA
1600 Scott St.
Suite 620
Ottawa, ON
K1Y 4N7
613.691.1693
1.866.364.5588 | scalar.ca