Security Awareness Training

    Focus on Canada: Is Lax Cyber Training Making Canada a Target?

    Canada conducts less cybersecurity awareness training than other countries. It also attracts far more phishing attacks.

    by Karen Lynch

    Key Points

    • Canadian companies conduct less cybersecurity awareness training than their counterparts in other countries.
    • Canada is also targeted by far more phishing attacks than any other country, according to a closely followed report.
    • COVID-19 and the rise in work from home is exacerbating the situation, forcing companies to rethink the training they provide.


    Canada may be the world’s biggest phishing pond. The country has been inundated by email scams that induce people to reveal passwords, account numbers and other sensitive information, yet only about half of Canadian companies really train their employees to identify and sidestep these attacks.

    Canada: The World’s Biggest Phishing Pond

    Phishing is the most common type of cyberattack worldwide. It may be used to embed malware on employee devices and company networks, or it can take the form of “business email compromise,” where a trusted source is impersonated and requests payments or access to sensitive information.

    This year, Canada was ranked No. 1 worldwide in phishing attacks by a widely followed report on cyber threats. The country, in fact, has held this dubious honor ever since the cybersecurity company RSA began publishing its “Quarterly Fraud Report” in 2017.[1] Moreover, Canada accounts for 59% of all phishing attacks worldwide, according to the Q2 2020 report. The U.S., the second most frequently targeted country, accounts for only 9%.

    News reports have been hard-pressed to explain the huge difference between Canada and other developed countries.[2] Some have cited economic and societal factors. Others ascribe it to a tenacious scam that has used Interac, a payment service provider, to disrupt the Canadian financial services industry for several years running.[3] Still others offer different figures that drop Canada to No. 2 on the list, behind the U.S.[4]

    By any measure, though, phishing is a serious threat to Canadian companies. Roughly one out of every four data breaches reported to Canada’s Office of the Privacy Commissioner (OPC) last year involved phishing.[5] And a Canadian company’s average cost of responding to and recovering from a major cybersecurity incident ranges from $5.7 million to $8.4 million, according to a report by IDC Canada and technology solutions provider CDW.[6]

    A Lack of Cybersecurity Awareness Training

    Mounting damages are leading observers to underscore the need for better cybersecurity awareness training. Recent statistics show that training employees to deflect cyberattacks like phishing is still a low priority at many Canadian companies:

    • One out of three Canadian companies remains unconcerned about data breaches, according to an OPC survey, although recognition of this threat is gradually rising.[7]
    • Only 27% of Canadian companies consider workforce education to be critical for robust cybersecurity, according to Canada Technology Outlook 2020, a report by the CompTIA industry association.[8]
    • Half of Canadian companies provide no formal training to combat phishing, per the IDC/CDW report.

    In comparison, Mimecast’s “State of Email Security Report 2020” finds that 79% of U.S. organizations and 75% of organizations worldwide provide cybersecurity awareness training at least once per quarter. Among these are many companies that train their employees on a monthly basis and still others that do so continuously.

    COVID-19 Adds Pressure to Change

    As the COVID-19 pandemic has forced more employees to work from home, the number of phishing attacks has surged, according to 72% of the companies surveyed for the Mimecast report. In a similar vein, the MIT Sloan Management Review predicts that, “As homebound employees become less vigilant in their cyber hygiene, the volume of successful attacks that result from human error may further increase.”[9]

    This unpleasant reality may prod Canadian companies into taking cybersecurity awareness training more seriously. At Canada’s recent MapleSEC virtual cybersecurity conference, for instance, speakers projected that the flood of phishing attacks targeting employees at home could jumpstart cybersecurity awareness training programs in many companies.[10] Other developments pushing Canadian companies to conduct more cybersecurity awareness training include:

    • The Canadian Centre for Cyber Security has prioritized cybersecurity awareness training in its current list of Top 10 IT Security Actions. Phishing avoidance exercises are among the recommendations.[11]
    • Pressure from Canada’s federal and provincial governments is also expected to induce companies to improve their cybersecurity strategies and the training they provide.
    • Prominent Canadian CEOs have recently cited cyberattacks as one of the top threats to their companies’ growth prospects.[12]
    • Canada’s public and private sectors came together in October for Cybersecurity Awareness Month, a part of a nationwide effort to spread the word about the importance of cybersecurity including awareness training.
    • Public sentiment for greater cybersecurity training is growing. In a recent survey, 71% of Canadians said they want to learn more about protecting themselves from fraud, with nearly as many saying they are more concerned about it than ever before.[13]
    • Companies are also facing new pressure from their customers. In a September survey by management consulting firm KPMG, 84% of consumers indicated that they would rethink doing business with any company hit by a data breach.[14]

    Now, with remote working exacerbating cybersecurity threats, the MIT Sloan Management Review has advised companies to “recalibrate cyber awareness programs to measure, track and improve the cyber risk culture of your employees, management teams and cybersecurity professionals in the new cyber normal.”

    The Takeaway

    Canada has been besieged by email phishing attacks — far more than any other country — and lax cybersecurity awareness training may be contributing to the problem. Recent events, however, including shifts in expectations and attitudes, are exerting new pressures on Canadian companies to provide more training for their employees.


    [1] “Quarterly Fraud Report: Q2 2020,” RSA

    [2] “Email Enigma: Why Is Canada Hit with So Many Phishing Attacks?”, TechTarget

    [3] “Phishing Campaign Continues to Mimic Canada’s Biggest Banks Online,” IT World Canada

    [4] “These Are the Top Most Targeted Countries by Phishing Attacks,” PhishLabs

    [5] “A Full Year of Mandatory Data Breach Reporting: What We’ve Learned and What Businesses Need to Know,” Office of the Privacy Commissioner of Canada

    [6] “Cyber Resilience: An Evolving Perspective,” IDC Canada and CDW

    [7] “2019-20 Survey of Canadian Businesses on Privacy-Related Issues,” Office of the Privacy Commissioner of Canada

    [8] “Canada Technology Outlook 2020,” CompTIA

    [9] “Cybersecurity for a Remote Workforce,” MIT Sloan Management Review

    [10] “MapleSEC: Try These Tips to Improve Your Security Awareness Program,” IT World Canada

    [11] “Top 10 IT Security Actions,” Canadian Centre for Cyber Security

    [12] “Canadian CEOs More Optimistic About Growth Prospects,” KPMG

    [13] “Six in 10 Canadians Are More Worried About Fraud Today Than Ever Before,” Interac

    [14] “Leery of Sharing your Info After a Cyberattack? You're Not Alone. Nine In 10 Canadians Feel the Same Way,” KPMG
