Half of Canadian C-suite executives and nearly a quarter of entrepreneurs say their businesses' cybersecurity was breached in the past year, according to a new study from accounting, tax and business consulting firm MNP LLP.
Conducted by Ipsos in January and released Monday, the survey of 100 Canadian executives of medium- and large-sized businesses also polled 1,000 small-business owners. While 93 per cent of the combined groups said they felt their companies effectively protected customer data, nearly three in five of those polled "either suspect or know for certain" they were victims of hacking attempts.
The results follow a rough February for Canadian corporate cybersecurity. Reports of data breaches at Loblaw Cos. Ltd., Canadian Tire Corp. and Quebec's SAQ liquor-store chain prompted Cineplex last Friday to "proactively" ask users to reset their passwords to protect their information. The survey results further hammer down the prevalence of such data breaches – and emphasize the need for strategies and precautions beyond just password resets.
Calling the results "alarming," Greg Draper, MNP's vice-president of valuations, forensics and litigation support, said in an interview that Canadian businesses need to ramp up protections from a "growth industry" of nefarious hackers around the world.
"The big thing to note is the gap between the level of confidence businesses have in thinking they can prevent cyberattacks and their experience is quite different," he said. "The level of overconfidence is quite striking."
Proactively mitigating risks can reduce the likelihood of fraud and legal action while retaining consumer confidence.
Just over half of entrepreneurs and C-suite executives use cybersecurity measures such as firewalls, MNP found. Mr. Draper said this might lead to corporate confidence, but that basic software doesn't represent "an understanding of the fulsome responses needed to address risk these days."
The forensic accountant and former RCMP investigator said that businesses need to consider preventive cybersecurity measures as a necessity, rather than discretionary. "Fraud, at its base, is about telling lies for money," Mr. Draper said. "Changes in technology changed the types of lies people are telling, and the type and number of people who can tell lies to Canadian businesses."
Shifts in Canadian privacy law and expected forthcoming changes will make it difficult to hold back news of such attacks, he continued, suggesting that preventive measures will likely ramp up in the coming months.
Last week, website service Cloudflare announced a large global data breach, though none of the Canadian companies who confirmed cybersecurity problems in February has said it was the direct cause of their problems.
A spokesperson at Quebec's SAQ liquor-store chain said Friday that it had been investigating about 80 cases of data theft from its loyalty program, but that the problems seemed to stem from fraudulent and deceptive e-mails. The provincial Crown corporation is still investigating, including whether the problems are connected with those at other Canadian businesses.
A slight majority of the MNP survey participants said they could be more confident in their overall data protection initiatives. The findings built upon broader fraud data released by MNP last week, which similarly found that respondents were twice as likely to see fraud as an industry problem than a threat to their own company.
Internal fraud protection was also a concern among those polled: Only 42 per cent said they were confident they could prevent fraud from their own employees. Just under half of businesses said their internal prevention tools included pre-employment screening, awareness policies, codes of conduct, regular management oversight or internal audits.
"It starts with awareness, from the boardroom to the warehouse floor, of the risks of cyberfraud and simple steps that can be taken internally to prevent them," Mr. Draper said.