3 Key Takeaways From CDW Canada’s 2020 Security Study


From ransomware to third-party partner vulnerabilities, here’s what CDW Canada’s 2020 Security Study revealed about the security of Canadian organizations

Our 2020 Cyber Resilience: An Evolving Perspective study results are finally live and confirm that, both in terms of cost and number of cyberattacks, the threat landscape continues to increase at a rapid pace in Canada. Our nation-wide, cross-industry study surveyed 524 IT security and risk compliance professionals to examine the evolving nature of cybersecurity threats, determine what makes Canadian businesses vulnerable and provide insights on how businesses can protect themselves against attacks.

Unsurprisingly, the number of attacks and the cost of breaches continues to rise significantly. Organizations surveyed reported an average of 514 attacks per organization per year, up from 440 attacks in 2019. The average total cost per organization of responding to, and recovering from, cybersecurity incidents increased to a range of $5.7 million to $8.4 million, up from last year’s range of $4.8 million to $5.8 million. On average, organizations spent $1.1 million in direct dollars addressing cyberattacks. Here’s a quick recap of the survey’s key findings:

AI tools increase cybersecurity effectiveness.

AI tools can be intimidating for many organizations, but 75 percent of surveyed organizations agree that these tools increase cybersecurity effectiveness.

Despite the positive outlook on the effectiveness of AI tools, 66 percent of respondents felt that the tools are challenging to configure and use correctly. Smaller and medium organizations (250-4,999 employees) also reported to have stronger adoption of these tools compared to large-scale organizations (5,000 or more employees).

Key learning: AI tools are still a long way from replacing skilled analysts who need more training to fully understand how AI tools can benefit their organizations.

Ransomware is becoming more frequent and more damaging.

Twenty percent of the organizations surveyed stated they had been the target of a ransomware attack. Of those organizations who were victims of ransomware, a surprising 80 percent reported experiencing subsequent attacks after “recovering” from the initial incident.

All it takes is one vulnerable device for an attacker to penetrate the entire network. In general, the more devices are connected to the network, the higher the probability an attacker can leverage the vulnerability of one of the devices. Organizations that fell victim to ransomware had larger than average attack surfaces, including 37.2 percent more servers and 20.3 percent more PCs. Organizations that have a bring-your-own-device policy are also more susceptible to attacks. Key learning: Employee training needs to include cybersecurity protocol education to decrease vulnerability and increase awareness of cybersecurity.

Third-party partners are a major source of cybersecurity incidents.

Canadian organizations are working with dozens of third-party partners and suppliers for tactical processes and strategic initiatives. The study revealed that small organizations (15-249 employees) usually partner with an average of 13 third-party partners, while enterprise organizations (5,000+ employees) work with an average of 82. Nearly 100 percent of the organizations surveyed said they allow third-party partners to handle or access customer data and proprietary business information, and less than 40 percent consider including relationships with third-party partners in their security planning, with enterprise-level organizations being the worst offender.

Key learning: Third-party partnerships need to be considered in the security planning process. This is especially true for enterprise organizations.

So, how can organizations mitigate and prevent cybersecurity attacks?

There are three major areas of focus when considering mitigating and preventing attacks:

  1. Review the third-party partner ecosystem. Make sure to understand what data is being accessed by third parties and have effective technology controls in place to limit access to sensitive data.  Performing routine threat risk assessments and periodic questionnaires can provide better visibility into the security of your partners.  
  2. Be aware of who and what is on your network. Organizations should have controls in place that provides visibility into who is accessing services and data, and what actions are taken. For organizations with bring-your-own-devices, employees should also be trained on proper device hygiene such as the importance of patching, using proper security controls like biometrics and passwords, and limiting device usage in public places and outside work hours.
  3. Create a comprehensive recovery plan. Ensure that the organization is positioned to return to a trusted state after a cybersecurity incident by creating a plan that recovery plan that includes metrics for recovery time objectives and recover point objectives. Organizations should also actively rehearse recovery situations and measure recovery time and recovery point metrics to compare with objectives.

Interested in learning more? The entire report can be viewed here.