
Study of the Impact of Cyber Crime on businesses in Canada

Introduction
The International Cyber Security Protection Alliance (ICSPA)
www.icspa.org, has conducted a study on the impact of cyber
crime on businesses in Canada.
The ICSPA is a global not-for-profit organization established
to channel funding, expertise and assistance directly to
assist law enforcement cyber crime units in both domestic
and international markets.
The ICSPA is a business-led organization comprising
large national and multi-national companies who recognize
the need to provide additional resourcing and support to
law enforcement officers around the world, in their fight
against cybercrime. The ICSPA is also supported by law
enforcement partners, such as the Europol, and associated
international organizations whose remit is complementary
to our own.
The study was sponsored by the following ICSPA
Canadian business associates:

Above Security

BlackBerry

CGI Group Inc.

Lockheed Martin

McAfee Inc.

The purpose of the study is to provide business leaders
and government officials with independent and credible
data relating to the impact of cyber crime on businesses in
Canada.
The study is one of a series of studies planned by the
ICSPA that will form a view of cyber crime in different parts
of the world.
The study comprises a survey of businesses in Canada
and includes commentary from the sponsors providing
their perspectives on cyber criminality.
The survey was conducted across 520 small, medium and
large Canadian businesses in the Finance, Airline/Shipping,
Telecommunications, Utilities, Aerospace & Defense
and Retail sectors.

Each business was asked a series of questions to establish the:

Prevalence of cyber crime

Cyber crime impact on their business operations

Organizational preparedness against cyber crime

Involvement/Effectiveness/Expectations of the RCMP and/or other Government Agencies in relation to cyber crime

Awareness of the RCMP and Public Safety Canada's roles in cyber crime education and prevention.

To complement the survey and provide independent
views of cyber crime from leading Canadian businesses,
sponsors of the study were asked to provide papers
covering the following:

The nature of cybercrime in Canada today including threats and their impact on Industry and Business

New and emerging cybercrime threats that may impact Canada over the next 5 years and those sectors most at risk

Effective deterrents, responses and practices in fighting cybercrime

Global cybercrime threats and the potential impact on Canada

Measures needed to combat cybercrime in Canada.

This study report consists of:

Introduction

Executive Summary

Survey Report

Sponsors' Contributions

Conclusions

Executive Summary
The following provides a brief overview of the ICSPA Cyber
Crime Study and includes the survey findings and views
of sponsors on cyber crime trends. The study provides
the opportunity for the reader to review both the survey
findings and the sponsor contributions, so that they may
form their own conclusions as to the impact of cyber crime
on business in Canada and the rest of the world. The study
reinforces the need for close collaboration between the
public and private sector in fighting cyber crime through the
pooling of knowledge and resources.

Survey Report
The survey report shows that cyber crime is fairly prevalent
among Canadian businesses, with 69% reporting some
kind of attack within a twelve-month period. The types and
frequency of attack vary depending on the nature and size of
businesses and are crafted to the crime being perpetrated.
Malware and virus attacks are shown to be the most
prevalent with phishing and social engineering coming
second. Certain cyber crimes, while impacting fewer
organizations, occur frequently among them.
These include:

Unauthorized access or misuse of corporate websites

Misuse of social networks

Telecommunication fraud

About a quarter (26%) of those interviewed say that attacks
had a considerable impact on their business both in terms
of financial loss and reputational damage with financial
fraud being the biggest threat. The total cost of cyber crime
increases with revenues, which is reflected in the survey
findings between Large, Medium and Small businesses.
The majority of respondents (64%) say that senior management
takes cyber crime threats seriously. However, there are
considerable gaps in Canadian businesses' preparedness
against cyber crime. Large businesses are somewhat better
prepared than medium and small ones, but still much
remains to be done to prevent and deal with such attacks.
The help of external agencies to assist with cyber crime
incidents is reported by 44% of affected organizations, with
private agencies far more likely to be engaged than those from
government. This preference of private versus government
involvement appears common to all businesses irrespective of
size and type. Overall, few organizations (11%) ever involved
the RCMP or other government agencies in relation to cyber
crime and the survey shows the need for greater awareness
and information to business from Government bodies.

Sponsors' Contributions

Emphasizes the changes to information storage and the
trend to use cloud services. They describe various threats,
especially DOS and DDOS attacks and their effects. They
also promote awareness and education as a key tool in
the fight against cyber crime and identify the need for
governments to strengthen legal and regulatory systems
to address cyber crime. They also promote improved
business/government collaboration.

Highlights the growing security risks to mobile users and
the shift from social engineering of computer malware
to the distribution of third party app based malware via
provider app stores. They also demonstrate the need for
collaboration between communications providers and
cyber security companies to provide a safe and trusted
environment for users.

Explains how Advanced Persistent Threats (APTs) pose
a major risk to the Canadian economy through the theft
of intellectual property. They describe the intelligence-driven
approach they have taken to provide their analysts with
the necessary information to combat the threat, through
the disruption of the Cyber Kill Chain. Lockheed Martin
advocates public and private sector collaboration and the
sharing of information on threats and mitigation techniques.

Provides an insight into the current Canadian cyber
crime landscape and the wider global threats that impact
everyone. They give an insight into new and emerging
cyber crime threats that will be prevalent in 2013 with an
emphasis on mobile communications and the increase in
malware, mobile worms and the targeting of Near Field
Communications (NFC) transactions. Their contribution
provides a seven point good practice list to safeguard
against cyber crime attacks.

Survey Report
Table of contents

I. Objectives and Methodology
II. Executive Summary
A. Scope of cyber crime in Canada
B. Cyber crime and corporate responsibilities
C. Involvement of external agencies
D. Public Safety Canada's / the RCMP's roles in raising awareness of cyber crime
III. Conclusions and Recommendations
IV. Detailed Findings
A. Security-related responsibilities
B. IT budget allocation toward cyber crime prevention
C. Appropriateness of current spending on IT security/What it should be
D. Main cyber crime threats (as perceived by businesses)
E. Incidence of cyber crime in the past 12 months
F. Types of cyber crime attacks and their impact on businesses
G. Financial costs / losses due to cyber crime
H. Reputation damage as a result of cyber crime attacks
I. Internal versus external cyber attacks
J. Cyber crime impact on various organizational aspects
K. Attitudes toward cyber crime incidents
L. Steps employed to raise awareness of cyber crime
M. Employment of risk assessment process
N. Incidence and frequency of security audits
O. Incidence of formal procedures to deal with cyber crime incidents
P. Individuals responsible for dealing with cyber crime attacks
Q. Familiarity with cyber crime security strategy
R. Involvement of external agencies
S. Involvement / Effectiveness / Expectations of the RCMP and / or other Government agencies in relation to cyber crime
T. Awareness of Public Safety Canada's/RCMP's roles in raising awareness of cyber crime/ Sources of awareness

I. Objectives and Methodology


The International Cyber Security Protection Alliance Ltd. conducted a quantitative study among Canadian businesses to
measure the following characteristics:

Prevalence of cyber crime

Cyber crime impact on organizations

Organizational preparedness against cyber crime

Involvement/Effectiveness/Expectations of the RCMP and/or other Government Agencies in relation to cyber crime

Awareness of the RCMP and Public Safety Canada's roles in cyber crime education and prevention

A total of 520 telephone surveys were obtained from businesses across Canada, and these included a set of 10 interviews
conducted by senior research staff.

400 surveys in English

120 surveys in French

No quota by industry and business size (revenues) was set, but a reasonable spread, representative of selected
industries and revenues was achieved.

The study covered the following 6 sectors and completes per sector:

Industry: Number of completes

Financial services (in the report referred to as Financial): n=148
Airlines, shipping, transportation (Airlines/Shipping): n=75
Telecommunications Technology (Telecom): n=73
Utilities and critical infrastructure (Utilities): n=66
Aerospace and Defense (Aerospace/Defence): n=29
Retail: n=129

A representative spread of businesses by revenue size was also reached:

Revenue size: Number of completes

Under $1 Million: n=22
$1 Million to under $5 Million: n=229
$5 Million to under $10 Million: n=90
$10 Million to under $20 Million: n=61
$20 Million to under $50 Million: n=54
$50 Million to under $100 Million: n=27
$100 Million or more: n=37

For the purposes of more meaningful analysis, the revenue sizes were combined into, and examined as,
three segments:

Revenue size: Number of completes

Small: revenues under $10 Million: n=341
Medium: revenues of $10 Million to under $50 Million: n=115
Large: revenues of $50 Million or more: n=64

Overall, the results are accurate to within ±4.38%, nineteen times out of twenty.

The survey was conducted between November 15 and December 15, 2012.

A note on differences in responses by industry and business size identified throughout the report:

Because the sample sizes within each industry and business size are relatively small, a difference of at least 9
percentage points between a particular sub-segment and the total sample responses is needed for it to be deemed
statistically significant. The table below specifies what constitutes a statistically significant difference between each segment
and the overall results. For results between small sub-segments to be statistically significant, the differences would have to
be even larger than the ones indicated in the table below. All other differences should be viewed as directional.

Industry: Number of completes; Difference from total (n=520) that is statistically significant

Financial: n=148; 9 points
Airlines/Shipping: n=75; 12 points
Telecom: n=73; 12 points
Utilities: n=66; 12 points
Aerospace/Defense: n=29; 19 points
Retail: n=129; 9 points

Revenue size: Number of completes; Difference from total (n=520) that is statistically significant

Small: revenues under $10 Million: n=341; 6 points
Medium: revenues of $10 Million to under $50 Million: n=115; 10 points
Large: revenues of $50 Million or more: n=64; 12 points

II. Executive Summary


A. Scope of cyber crime in Canada

Overall, cyber crime is fairly prevalent among Canadian
businesses, with 69% reporting some kind of attack
within a twelve-month period. A total of 5,866 attacks
were reported or 16.5 attacks per affected business.
However, for the most part, each form of cyber crime
does not have high incidence among businesses, with
malware/virus attacks being an exception as they
occurred among 51% of businesses (6.6 attacks per
business). Phishing and social engineering attacks are a
distant second, at 18%. Although reported by a relatively
low number of organizations, the frequency of phishing/social
engineering attacks within these organizations is
very high (17.2 attacks). All other forms of attacks are
reported among 15% or fewer organizations, however, it
is noteworthy that certain cyber crimes, while impacting
fewer organizations, occur frequently among them.
These include:

Unauthorized access or misuse of corporate websites (13% affected, 11 attacks per organization)

Misuse of social networks (15% affected, 8 attacks)

Telecommunication fraud (8% affected, 9 attacks)

Cyber crimes do not result in far-reaching negative
consequences to organizations. Among those affected,
only about a quarter (26%) say the attacks had a
considerable impact (severity of 7 to 10 on a 10 point
scale) on their business. They also do not significantly
affect organizational reputation. On average, only
17% of cyber attacks cause between some (13%) to
significant (5%) reputational damage.

Cyber crime attacks conducted over the past 12
months resulted in total financial losses of
approximately $5,328,916, or $14,844 per affected
organization, on average.

Of this sum, financial fraud accounts for the largest
portion (36%, $1,892,683, or $6,438 per attack).

Theft of devices containing company information is
a distant second source of costs (16%, or $849,499,
$4,007 per attack).

Because of high incidence among businesses,
malware and virus attacks represent the third highest
cost overall, at $771,937, but the average loss per
incident is relatively low, at $454.

Sabotage of data and networks is 4th in terms of
incurred costs, with $583,298 in losses, but the
average cost per incident is 2nd highest, $5,952.

Total cost due to cyber crime attacks increases
with revenues: on average, an incident costs large
organizations $1,181, compared to $991 in medium,
and $741 in small ones.

Cyber crime attacks tend to be viewed as originating
outside rather than within the organizations.

Over half (56%) of affected businesses say that more
than 60% of incidents were external and 41% believe
that 100% were external.

Only 21% of respondents believe that over 60% of
incidents were internal, and fewer (12%) believe that
100% of incidents are attributed to internal attacks.

The average number of attacks (for malware and all other cyber crime
types covered by the survey), was calculated by dividing the total number
of reported incidents by total number of organizations that experienced
them (this calculation excluded organizations that were not affected).

B. Cyber crime and corporate responsibilities

Although a majority of respondents (64%) say that senior
management takes cyber crime threats seriously, there are
considerable gaps in Canadian businesses' preparedness
against cyber crime. Large businesses are somewhat
better prepared than medium and small ones, but still much
remains to be done to prevent and deal with such attacks.

A majority (64%) employs just one or two ways to
raise awareness of cyber crime in organizations,
mostly through emails (59%) and corporate
guidelines/manuals (54%). Nearly one-in-five (19%)
organizations do nothing to raise awareness of
cyber crime, and this is more frequent among small
organizations than medium and large ones.

Risk assessment processes are not common among
surveyed businesses; only 22% employ them, and
77% do not. This behaviour holds across industries.
Likelihood of employing such processes increases
with revenues.

Few organizations (6%) report accreditation of IT
security standards, and this percentage is equally low
across industries and revenue levels.

Of those without accreditation, just over half (56%)
say they carry out regular security audits. Regular
audits also increase with revenues.

Most organizations (69%) do not have formal
procedures in place to follow in the event of a cyber
crime; only 28% do. Again, such procedures are
more common in large businesses than in medium or
small ones.

Similarly, only about a third (28%) has a trained
crisis management team, and it is somewhat higher
only among organizations with the largest revenues
($100 million or more), at 41%. Typically, senior
management and senior/key IT security personnel
(e.g., head of IT, CIO, IT director) would deal with any
type of cyber crime incident. The same individuals
would most likely make a decision to involve external
agencies in the case of cyber crime attacks.

Canadian businesses have minimal awareness of the
2010 Cyber crime security strategy (7%).

C. Involvement of external agencies

Involvement of external agencies in relation to cyber
crime is reported by 44% of affected organizations, with
private agencies far more likely to be engaged than
government ones (63% and 21% respectively).

In general, this preference of private versus government
involvement appears to hold among all businesses: A
fourth (39%) of all surveyed businesses say they would
first engage a private organization and 29% would first
reach to a government agency.

However, when asked to specify which organizations
these would be, some confusion exists among
businesses as to which external agencies they would
be likely to contact in the event of a cyber crime attack.

A plurality (46%) would not know who to contact,
but other more often cited top-of-mind mentions
include government, not private organizations: 23%
mentioned the RCMP, 20% police, and only 8%
mentioned other (private) organizations.

Overall, few organizations (11%) ever involved the RCMP or
other government agencies in relation to cyber crime, and of
those, two thirds (62%) felt that the organizations effectively
handled the situation, while 30% were dissatisfied.

D. Public Safety Canada's/the RCMP's roles in raising awareness of cyber crime

Awareness of cyber crime prevention campaigns is low, at
12% (comparatively higher among large businesses, at 19%).

Overall, 39% of businesses are aware that at least one
of the two organizations has a role in combating cyber
crime, and a majority (67%) of those aware view this
responsibility as relevant.

Organizations expect the RCMP and other government
agencies to primarily build awareness of cyber crime
and its prevention (45%), with active prevention,
investigation and prosecution at a distant second (17%).

Media (TV, news, newspapers, internet) should be the
key element in the awareness building strategy, given
that it is the main driver of awareness (76%), with all
other methods trailing behind (under 10% each).

But businesses indicate that a range of other means
of educating/promotion would also be effective
in raising awareness of cyber crime, with events/media
coverage (69%), internet presence (62%) and
publications (61%) being the top three suggestions.

III. Conclusions and Recommendations

There are multiple gaps in cyber crime preparedness
among Canadian businesses, from a lack of trained
personnel to a lack of strategies and procedures that
could mitigate such attacks.

Two factors could be responsible for this situation:

The damage (financial or reputational) caused by
cyber attacks has not been significant enough to merit shifts
in attitudes and behaviour, and/or

Organizations do not have enough awareness
and knowledge of what strategies they should be
implementing to minimize their vulnerability against
such attacks.

There is a widespread need for information and education on
the subject, and Public Safety Canada and
the RCMP are the appropriate organizations to fulfill
this need by serving as the main sources of awareness,
knowledge, and support in building awareness of cyber
crime. Businesses expect these two organizations to be
more visible in fulfilling these roles.

Mainstream media appears to be an effective choice
for initial awareness building; however, communication
and outreach to businesses should go beyond mass
media, reaching them with more targeted publications
and messages.

IV. Detailed Findings


A. Security-related responsibilities

In many surveyed organizations the individuals responsible for IT security also cover a range of other roles - 74% have
three or more responsibilities.

Generally a similar pattern holds across industries and revenue sizes.

Table 1: Which of the following aspects of security are you responsible for within your organization? (%)

IT related security: 79
Risk assessment: 69
Business continuity and resilience: 67
Development of security policy: 67
Physical security of personnel & property: 61
Other aspects of security: 39
Don't know/refused: 4

B. IT budget allocation toward cyber crime prevention

Across industries and business sizes, a majority of
organizations (51%) allocate 1-5% of their IT budget to
cyber crime prevention.

About 6% don't apportion any amount to cyber crime
prevention, 8% allocate 6%-25%, 2% apportion over
25% and a third (32%) does not know if anything is
allocated for this purpose, or how much.

These proportions generally hold across industries
and business sizes, although small businesses
are slightly more likely than large and medium
size businesses not to allocate any of their IT budget
to cyber crime prevention (9% vs. 2% and 3%
respectively).

C. Appropriateness of current spending on IT security/What it should be

A majority of respondents (78%) find the budget
allocation sufficient, and 12% disagree.

The response pattern is the same across all industries.

The only significant difference in views is among large
businesses, as 28% believe that the budget allocated
to cyber crime prevention is insufficient.

Among those who feel the allocation is inappropriate,
opinions are split: 45% say it should be 5% or less,
25% believe it should be over 5%, and 29% do not
know what it should be.

The small base size (n=42) doesn't allow for further
reliable breakdown, but there does not appear to be
any underlying pattern.

Table 2/3: Do you believe this is sufficient to mitigate the threat of Cyber Crime and
if not what should the percentage be?

N=353 (%)
Yes: 78
No: 12
Don't know/Refused: 10

What percentage should it be? N=42 (%)
20% or more: 11
6-10%: 14
5%: 26
Under 5%: 19
Don't know/Refused: 29

D. Main cyber crime threats (as perceived by businesses)

Malware and virus attacks are by far the highest
concern among Canadian businesses (75%),
regardless of size and industry.

Sabotage of data network is more pronounced in the
Utilities (59%), Aerospace/Defense (55%), and the
Financial sector (51%), than in Retail (36%) or
Airlines/Shipping (43%).

Table 4: Which of the following represent the greatest Cyber Crime threats for your organization? (%)

Malware, such as Trojans, worms and virus attacks: 75
Sabotage of data or networks: 47
Financial fraud: 45
Phishing, spear phishing, social engineering: 42
Theft of laptop(s)... devices with company info: 40
Unauthorized access or misuse of website: 38
Misuse of social networks by employees: 34
Denial of service: 30
Telecommunications fraud: 29
Theft of other hardware: 25
Advanced Persistent Threats (APTs): 22

Concerns with financial fraud are more visible in the Retail (52%) and Financial industries (50% each) than in the
Utilities (35%) or Aerospace/Defense (28%) sectors.

As revenues increase, concerns about nearly every form of cyber crime go up, especially for large businesses, e.g.
phishing/social engineering (61% vs. 42% overall), theft of devices with company info (55% vs. 40% overall), denial of
service (47% vs. 30%), or Advanced Persistent Threats (36% vs. 22% overall).

E. Incidence of cyber crime in the past 12 months

Nearly seven-in-ten organizations (69%) experienced some type of cyber attack over a 12 month period. Overall,
520 surveyed businesses reported a total of 5,866 cyber crime incidents, or on average 16.4 attacks per
affected organization.

The average number of attacks is higher in the Financial and Retail sectors (20 and 18 respectively), and lowest in Aerospace/
Defense, at 11 attacks (details in Table 7a overleaf).

Table 5: Approximately how many times have any of the incidents I just read occurred in your
organization in the last 12 months?

[Bar chart: % of organizations by number of incidents (None, 1 to 2, 3 to 5, 6 to 10, Over 10). Mean number of attacks: 16.4]

The proportion of attacks is higher between medium and
large organizations (22-23 attacks compared to 13 in
small businesses).

As Table 6 below shows, malware and virus attacks are
the most common form of cyber crime. Over a 12 month
period, half (51%) of organizations experienced them.
This pattern holds across industries and business sizes.

Respondents reported 1,701 malware and virus
attacks. This represents 6.6 attacks per affected
business.

Medium and large businesses reported the highest
average number of such attacks, at 11 and 9,
compared to 5 attacks among small businesses.
Across industries, the Financial and Telecom sectors
reported the highest number of such attacks, at 8 each.

Phishing, Spear Phishing and Social Engineering
are the second most frequently experienced types of
cyber crime attacks, although among considerably
fewer organizations than malware.

Over a 12 month period, fewer than one-in-five (18%)
of organizations experienced them, but they reported
1,478 such incidents, or 17.2 attacks per organization,
making it the most persistent form of all measured
cyber crimes.

Medium and small businesses were more likely to
be targeted, each reporting 18 attacks on average,
compared to 13 among large businesses. Across
industries, the Airlines/Shipping and Financial
sectors had the highest average number of such
attacks, at 28 and 24 respectively.

Other noteworthy differences by industries and business
sizes include:

Unauthorized access or misuse of corporate websites
was experienced by only 13% of organizations, but those
few report a large number of such incidents: 745,
or 11 per organization, on average. This form of
attack is most prevalent in Retail, with 25 incidents
on average, followed by the Financial industry, at 14
attacks. It is also more frequent among medium and
large businesses, at 17 and 18 attacks respectively,
compared to 6 in small organizations.

Financial fraud (at 14% incidence, 294 incidents)
is more common in the Retail industry, at 7 attacks,
with Telecom a distant second at 4 attacks. It is more
prevalent among large businesses, at 9 attacks
compared to 3 and 4 between medium and small
businesses.

Telecommunications fraud (at 8% incidence, 414
incidents) is more common in the Financial and Retail
industries, at 13 and 11 incidents respectively, and
much more prevalent among large businesses, at 21
attacks compared to 7 and 8 between medium and
small businesses.

The average number of attacks (for malware and all other cyber crime types covered by the survey), was calculated by dividing the total number of
reported incidents by total number of organizations that experienced them (this calculation excluded organizations that were not affected).

Table 6: Incidence of various cyber crime attacks within the last 12 months
(proportion of those who experienced each attack) and frequency of each attack

Type of attack: % who experienced it; Total # of attacks

Malware, such as Trojans, worms and virus attacks: 51%; 1,701
Phishing, Spear Phishing, Social Engineering: 18%; 1,478
Misuse of social networks by employees: 15%; 578
Financial fraud: 14%; 294
Unauthorized access or misuse of website: 13%; 745
Theft of laptop(s), smart phones, tablets and other devices containing company information: 13%; 212
Denial of Service: 10%; 219
Telecommunications fraud: 8%; 414
Sabotage of data or networks: 98 attacks
Advanced Persistent Threats (APTs): 69 attacks
Theft of other hardware: 58 attacks

Table 7: Average number of cyber crime attacks within the last 12 months as a proportion
of affected organizations (mean excl. 0) and overall (mean incl. 0)

Type of attack: Mean (excl. 0); Mean (incl. 0)

Phishing, Spear Phishing, Social Engineering: 17.2; 2.8
Unauthorized access or misuse of website: 11.1; 1.4
Telecommunications fraud: 9.4; 0.8
Misuse of social networks by employees: 7.9; 1.1
Malware, such as Trojans, Worms and Virus attacks: 6.6; 3.3
Denial of Service: 4.5; 0.4
Financial fraud: 4.3; 0.6
Advanced Persistent Threats (APTs): 4.1; 0.1
Theft of other hardware: 3.6; 0.1
Theft of laptop(s), smart phones, tablets and other devices containing company information: 3.2; 0.4
Sabotage of data or networks: 2.5; 0.2

Table 7a: Average number of cyber crime attacks within the last 12 months as a proportion
of affected organizations

Financial: 20
Retail: 18
Airlines/Shipping: 14
Telecom: 14
Utilities/Critical Infrastructure: 14
Aerospace/Defense: 11

Calculation: Total number of incidents per industry divided by total affected per industry

There is some fluctuation in incidence of various
cyber crimes by industry, with the following showing
the highest dispersion:

Financial fraud: more common in the Retail and
Financial industries (19% and 16% respectively), and
lowest in Aerospace/Defense and Utilities (5% and
3% respectively).

Unauthorized access to websites: more common
in the Airlines/Shipping and Telecom (20% and 19%
respectively), and lowest in Aerospace/Defense (7%).

Denial of service: more common in Telecom (19%),
and lowest in Retail (5%).

F. Types of cyber crime attacks and their impact on businesses

On average, of the 69% of organizations affected by
some form of cyber crime, 46% say that the incident(s)
have had at least some impact (severity of 5 or more on
a 10 point scale) on their businesses.

On average about a quarter of organizations (26%) say
the attacks had a considerable impact (rated 7 or more
on a 10 point scale) on their organizations. The top
three such cyber crimes are relatively low incidence and
frequency: financial fraud (37% considerable impact),
sabotage of data or networks and denial of service (36%
each). Table 8 below provides more details.

By comparison, incidents of high prevalence, such
as malware and virus attacks and phishing/social
engineering have very negative impact on relatively
fewer organizations: 23% and 22% respectively rate
the impact as considerable (7-10 out of 10).

The severity of impact of cyber crime types varies by
industry (not so much by size), with the following being
most affected (severity of 7-10 out of 10):

Sabotage of data networks: Telecom 63%

Financial fraud: Airlines/Shipping 60%, Telecom 50%

Advanced Persistent Threats (APTs): Aerospace/Defense 50%, large businesses 50%

Phishing/social engineering: Aerospace/Defense 50%.

Table 8: Impact of cyber crime attacks on organizations (measured on a scale of 1 to 10 where 1 means
negligible impact and 10 means major impact).

[Stacked bar chart, % from 0 to 100. Rows: Financial fraud; Sabotage of data or networks; Denial of Service; Advanced Persistent Threats (APTs); Telecommunications fraud; Unauthorized access or misuse of website; Theft of other hardware; Phishing, Spear Phishing, Social Engineering; Theft of devices containing company information; Malware, such as Trojans, Worms and Virus attacks; Misuse of social networks by employees. Legend: (9-10) Major Impact; (7-8) Considerable Impact; (5-6) Some Impact; (3-4) Minor Impact; (1-2) Negligible Impact; Don't Know/Refused.]

G. Financial costs/losses due to cyber crime

Cyber crime attacks conducted over the past 12
months cost businesses a total of approximately
$5,328,916. This translates to an average of $14,844
per affected business.

Financial fraud accounts for the largest proportion
of total cost (36%), at $1,892,683. With 294 reported
financial fraud attacks, the average cost per attack
is $6,438.

Theft of devices containing company information is
the second largest source of cost, at $849,499 or
16% of the total cost. Each incident cost companies
$4,007 on average.

Because of the high incidence among businesses,
malware and virus attacks account for the third
highest cost overall, at $771,937, but the average
loss per incident is relatively low, at $454.

Sabotage of data and networks is 4th in terms of
incurred costs, with $583,298 in losses, but the
average cost per incident is 2nd highest, $5,952.

More details can be found in Table 9 below.

Table 9: Costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers⁴)

| Cyber crime type | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Total Cost / Loss {A+B+C} | Average cost per attack* |
|---|---|---|---|---|---|
| Financial fraud | $1,162,553 | $155,030 | $575,100 | $1,892,683 | $6,438 |
| Theft of devices containing company information | $215,700 | $361,800 | $271,999 | $849,499 | $4,007 |
| Malware, such as Trojans, Worms and Virus attacks | $283,475 | $456,259 | $32,203 | $771,937 | $454 |
| Sabotage of data or networks | $347,499 | $104,300 | $131,499 | $583,298 | $5,952 |
| Telecommunications fraud | $178,200 | $169,300 | $153,000 | $500,500 | $1,209 |
| Denial of Service | $50,000 | $172,050 | $11,700 | $233,750 | $1,067 |
| Phishing, Spear Phishing and Social Engineering | $123,135 | $11,455 | $17,445 | $152,035 | $103 |
| Unauthorized access or misuse of website | $40,510 | $50,599 | $28,599 | $119,708 | $161 |
| Advanced Persistent Threats (APTs) | $- | $100,300 | $- | $100,300 | $1,454 |
| Misuse of social networks by employees | $39,299 | $9,999 | $16,098 | $65,396 | $113 |
| Theft of other hardware | $42,300 | $17,510 | $- | $59,810 | $1,031 |
| Total Cost/Loss | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 | |

* Average cost per attack calculation: Total cost/loss divided by number of attacks within each cyber crime type.

Costs incurred by cyber crime attacks are comparatively
higher in the Telecom and Airline/Shipping industries
(Table 10 below) with the average cost per incident also
higher in these sectors: about $2,364 per incident in
Telecom and $1,674 in Airline/Shipping.

Total cost due to cyber attacks increases with revenue
size: on average, an incident in large organizations
costs $1,181, compared to $991 in medium size
businesses and $741 in small ones.

Table 10: Total costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers) by industry and
revenue size.

| Industry | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Total Cost / Loss | Number of total incidents per industry | Average cost per attack |
|---|---|---|---|---|---|---|
| Telecom Technology | $943,724 | $547,299 | $391,097 | $1,882,120 | 796 | $2,364 |
| Airlines / Shipping | $492,755 | $263,410 | $524,509 | $1,280,674 | 765 | $1,674 |
| Financial | $388,437 | $257,248 | $263,642 | $909,327 | 2039 | $446 |
| Utilities / Critical Infrastructure | $154,599 | $403,349 | $11,199 | $569,147 | 625 | $911 |
| Retail | $398,556 | $70,096 | $45,396 | $514,048 | 1424 | $361 |
| Aerospace and Defense | $104,600 | $67,200 | $1,800 | $173,600 | 217 | $800 |
| Total Loss / Cost | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 | | |

| Business Size (revenues) | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Total Cost / Loss | Number of total incidents per industry | Average cost per attack |
|---|---|---|---|---|---|---|
| Under $10 Million | $1,140,316 | $501,842 | $432,943 | $2,075,101 | 2,800 | $741 |
| $10 Million to under $50 Million | $726,550 | $609,860 | $577,500 | $1,913,910 | 1,931 | $991 |
| $50 Million or More | $615,805 | $496,900 | $227,200 | $1,339,905 | 1,135 | $1,181 |
| Total Loss / Cost | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 | | |

* Average cost per attack calculation: Total cost/loss divided by number of attacks within each cyber crime type

Outlier is a value that is numerically distant from, or is outside the rest of the data (e.g., an extreme value). In larger samplings of data, a small number
of extreme data points (outliers) are expected. Extreme outliers have been eliminated from the analysis in order to produce results that are not distorted.

H. Reputation damage as a result of cyber crime attacks

Cyber crime does not significantly affect organizational reputation (Table 11). On average, 17% of cyber attacks (any
form) cause some (13%) or significant (5%) reputational damage.
Sabotage of data and networks causes relatively more reputational harm than any other attacks, at 30% (15%
significant and 15% some reputational damage).
Because of small base sizes, the data for individual forms of attacks cannot be analyzed by industry or
revenue range.

Table 11: Reputation damage as a result of cyber attacks.

[Stacked bar chart; bar values not recoverable. Bars, by attack type: Sabotage of data or networks; Attacks such as Denial of Service; Financial fraud; Misuse of social networks by employees; Unauthorized access or misuse of website; Advanced Persistent Threats (APTs); Telecommunications fraud; Theft of other hardware; Theft of laptop(s), smart phones, tablets and other devices containing company information; Malware, such as Trojans, worms and virus attacks; Attacks including Phishing, Spear Phishing and Social Engineering. Segments (%): Some; Significant.]

I. Internal versus external cyber attacks

Cyber crime incidents tend to originate outside
companies.

Over half (56%) say that more than 60% of incidents were
external, 10% believe that fewer than 30% were external,
and 13% say that 31%-60% were external. As many as
41% believe that 100% of incidents were external.
Telecom reports the highest proportion of exclusively
external attacks: 65% say 100% of attacks were
external, followed by Aerospace/Defense (47%) and
Utilities (44%).
Nearly half (48%) of small businesses say that 100%
of incidents were external, while it is only the case for
a third of medium and large businesses.
There are no other discernible patterns by business size.


Only 21% of respondents report that over 60% of
incidents were internal, 17% say fewer than 30% were
internal, and 13% say that 31-60% were internal.
Only 12% believe that 100% of incidents are
attributed to internal attacks.
There are no patterns in data by industry or business
size.

J. Cyber crime impact on various organizational aspects

Generally, businesses' ability to operate is the most often
mentioned concern (64%) associated with cyber crime
across industries and business sizes, but other aspects
closely tied to businesses' wellbeing, such as doing
business with customers, company finances and public
image are not far behind in importance (52%-59%).

Public image and reputation are more of a concern
in the Utilities, Telecom, and the Financial sectors
(around 60% each), compared to about 40% for the
remaining industries.

K. Attitudes toward cyber crime incidents

Two-thirds (64%) believe that senior management treats
cyber crime incidents with serious to considerable
interest (scores 7 to 10 out of 10).

The perceived level of concern about cyber crime
among employees is lower, with 43% giving it 7 to 10
out of 10 on the interest scale.

Given that individuals in senior/management positions
answered the survey, the results for the above
question may be biased toward management.
Level of concern among senior management is roughly
the same across industries, although its intensity (score
9, 10 out of 10) is higher in Telecom and Airlines/Shipping
(49% and 47% respectively) than in Retail or Utilities (33%
and 26% respectively).

Employees are viewed to be less concerned about
cyber crime across industries. Slightly more concern
among employees is reported in Telecom and Utilities
businesses (54% and 51% respectively), and lowest
in Retail (32%).

L. Steps employed to raise awareness of cyber crime

A plurality of businesses (42%) employs only one or
two approaches in raising awareness of cyber crime,
and these are mostly emails (59%), and corporate
guidelines and manuals (54%). A quarter (26%) employs
three or four steps, and 13% use five or more. Nearly
one-in-five organizations (19%) do not do anything to
raise awareness of cyber threats.

Small organizations are more likely to provide no
information to their employees (25%) than medium
and large ones (7% and 8% respectively).

Large businesses tend to offer more opportunities
for building awareness about cyber crime: 28%
employ five or more methods (compared to 14%
in medium-sized and 8% in small organizations;
vs. 13% overall).

Table 12: Steps employed to raise awareness of cyber crime

| Step | % |
|---|---|
| Send e-mails round / reminding / updating | 59 |
| Corporate guidelines / manuals | 54 |
| Information on your intranet | 31 |
| Formal activities to raise awareness | 21 |
| Formal security training courses | 19 |
| Awareness seminars | 17 |
| Posters | 10 |
| Other | 12 |
| Don't know/refused | 19 |

M. Employment of risk assessment process

Overall only 22% employ risk assessment processes for
cyber crime; 77% do not, and 1% don't know.
This is true across industries. Telecom tops the list,
with 33% of organizations reporting such processes,
and only 11% of Retail organizations do so (lowest
proportion among surveyed industries).

Likelihood of employing risk assessment processes
increases with revenues: 45% of large businesses
do so, compared to 23% among medium, and 17%
among small businesses.

Few organizations (6%) report accreditation of IT
security standards. This percentage is equally low
across industries and revenue levels.

In this small group, 1% each is accredited to ISO27001,
National IT Security Standard, International IT Security
Standard, and 3% report other accreditations.

N. Incidence and frequency of security audits

Of those not accredited to national or international IT
security standards (94% of surveyed organizations), over
half (56%) say that they carry out regular security audits.

In all but one industry, over half conduct regular
audits. It's highest for the Utilities organizations (68%).
In Retail, only 42% do so.

Incidence of regular security audits increases with
revenues: 84% of large businesses say they conduct
regular audits, compared to 66% among medium,
and 49% among small organizations.
A plurality (38%) conduct audits at least monthly,
17% do so every three to four months, 9% every
six months, 21% annually, and 7% do so at other
frequency. Eight per cent do not know.

O. Incidence of formal procedures to deal with cyber
crime incidents

A majority (69%) of organizations do not have formal
procedures that have to be followed when cyber crime
is identified; only about a third of organizations (28%) do.

It is somewhat higher in the Aerospace/Defence,
Telecom, and Financial industries (34%, 33%
respectively), and lower in Airlines/Shipping and
Retail (25%, and 24% respectively), with Utilities on
par with the average, at 27%.

It is also higher in large businesses, at 47% (particularly
those with revenues $100 Million or more: 57%),
compared to 29% in medium, and 25% in small ones.

Also only about a third of organizations (28%) have a
trained crisis management team to respond to cyber
crime incidents.
It is higher in Aerospace/Defense, Telecom, and
Financial industries (38%, 36%, and 34%), and lower
in Retail and Airlines/Shipping (19% and 17%), with
Utilities at 27%, on par with the average.

Presence of trained crisis management teams is
considerably higher only in the largest revenue
segment ($100 Million or more), at 41%.

P. Individuals responsible for dealing with cyber crime attacks

Senior management and individuals responsible for IT/
Information security are the key decision-makers and
response teams, regardless of industry and revenue size.

The same individuals are also most likely to decide
whether an external agency should be involved in cyber
crime attacks.

Table 13: Decision-makers in cyber crime attacks

[Paired bar chart; bar values not recoverable. Bars, by role: CEO/Senior Management; IT / IS Manager; Head of IT / IT Director / CIO / CISO; General Manager/Operations...; Other; Other Security; Network Manager; Financial Director Or Equivalent; Human Resources; Don't Know; Legal / Counsel; Facilities / Group Manager. Series (%): Decision maker in cyber crime attacks; Decision maker re: involvement of external agencies.]

Q. Familiarity with cyber crime security strategy

Awareness of the 2010 Canadian Cyber security
strategy is very small, at 7%, and it holds across
industries and revenue sizes.

It is slightly higher in Aerospace/Defense (10%) and
Utilities (9%) and lowest in Retail and Telecom (6%
and 5% respectively).

It is also comparatively higher in large businesses
(14%), than in medium (10%), and small ones (5%).

Although familiarity with the strategy is minimal, higher
awareness has potential to drive positive change in IT
security among Canadian businesses.

A quarter (26%, n=10) of those aware say it
influenced their company's approach to cyber crime
security: 80% increased IT security investments, 50%
changed policies, and 20% introduced cyber crime
awareness training.

Given the small base size, the results should be used
with caution, for directional purposes only.

R. Involvement of external agencies

Over half (56%) of the organizations that experienced
cyber crime attacks did not involve any external agencies,
and 44% did (this represents 30% of all respondents).

Of those who did, a majority (63%) engaged private and
21% government agencies.

In a scenario where involvement of external agencies was
necessary, a plurality (39%) of all surveyed organizations say
they would opt to first engage private organizations, and 29%
would first turn to government organizations, with 6% saying it
would depend on the type of incident, 2% would contact both,
15% wouldn't know, and 9% provided other comments.
Retail and Financial organizations would be more
likely to first contact private agencies (47% and 45%
respectively), while Aerospace/Defense, Airlines/
Shipping, and Utilities would first reach out to government
organizations (38%, 35% and 34% respectively).

Business size has no influence on the type of agencies
that would be contacted: all have a somewhat stronger
preference for private organizations.

While businesses initially show preference toward private
agencies, when asked to specify what organizations
would be contacted following a cyber crime attack,
private organizations are not top-of-mind. A plurality
(46%) would not know who to contact, with most other
respondents citing government organizations/agencies:
23% the RCMP, 20% local/provincial police, 6% some
other government organization. Only 8% would contact
other organizations. These views are uniform across
industries and business sizes.

S. Involvement / Effectiveness / Expectations of the
RCMP and/or other Government agencies in relation
to cyber crime.

The incidence of ever involving the RCMP or other
government agencies is small overall (11%, n=57).

The RCMP and/or government agencies are primarily
contacted to report an incident/crime (59%), and 24%
do so as part of legal obligations.

The top two occurrences involved financial fraud and
general fraud/theft (29% each).

Of the small proportion of incidents (11%), most
(61%) were recent (this is a low base of n=34 or 6%
of all respondents and results should be used with
caution, for directional purposes only).
Half (53%) occurred within the current year, 29%
within 1 to 5 years, and 15% earlier than that.

Of the few businesses that had recently involved the
RCMP or government agencies (6%, n=34), a majority
(62%) agreed that the organizations effectively handled
the situation, and 30% felt that it was not addressed
effectively.
But overall, virtually all businesses (90%) who have not dealt
with the RCMP or other government agency do not know on
what basis to determine the effectiveness of the RCMP or
government agencies in dealing with cyber crime.
3% each list general media feedback, personal
experience, and success rate, with 1% mentioning
speed of response.

Building awareness of cyber crime and its prevention
is by far the most often mentioned expectation from
the RCMP and government agencies (45%), with
prevention, investigation and prosecution at 17%. Other
expectations, such as direct assistance, streamlining of
resources are mentioned by 5% to 6% each.
Need for more prevention, investigation, and
prosecution is slightly more often mentioned among
large businesses (23%) and the Aerospace/Defense
industry (21%).

T. Awareness of Public Safety Canada's/RCMP's roles in
raising awareness of cyber crime/ Sources of awareness

Awareness of cyber crime prevention campaigns is low,
at 12%. It is only comparatively higher in the Utilities
industry, at 18% and among large organizations, at 19%.

Overall, 39% of businesses are aware that at least one
of the two organizations has a role in combating cyber
crime.

22% are aware of only the RCMP's role, 17% are
aware of the roles of both organizations, but none are
aware of Public Safety's role only.

This pattern generally holds across industries and
business sizes, with the exception of Utilities, where
awareness of both organizations' roles is higher, at 30%.

Among those aware, two thirds (67%) view it as relevant,
especially the Telecom industry (82%) and large
businesses (75%).

Media (news, TV, newspapers, internet) plays a pivotal
role in building awareness of Public Safety Canada's
and RCMP's roles in combating cyber crime: 76% of
those aware say they learned about it through media. All
other methods trail behind (under 10% each).
This holds true across industries and business sizes,
with one exception: conferences are a source of
awareness for 14% of large businesses, but the use of
this channel is minimal in medium and small businesses
(4% and 2% respectively).

While surveyed organizations indicate that events and media coverage would likely be the most effective form
of building awareness of Public Safety Canada's/the RCMP's roles in combating cyber crime, a range of other
communication avenues could be just as effective in educating businesses.

Table 14: Communication strategies to employ by Public Safety Canada / the RCMP to improve building awareness
of their capabilities among Canadian Business

| Communication strategy | % |
|---|---|
| Events / Media coverage | 69 |
| Presence on specific web sites | 62 |
| Publications | 61 |
| Advertising in trade publications | 56 |
| Involvement in specific professional associations | 52 |
| Conferences | 51 |
| Personal briefings with agency staff | 48 |
| Case studies | 38 |
| Don't know / Refused | 5 |

Subgroup callouts shown on the chart, whose bars cannot be identified here: Utilities / critical infrastructure - 61%; Large businesses - 66%; Large businesses - 67%; Aerospace - 66%; Telecom - 45%; Airlines/Shipping - 45%; Large businesses - 58%.

Above Security Sponsor Commentary

CEO Foreword
Worldwide communication and nearly limitless online
transaction capabilities are a great benefit to society
and to the way businesses function. However, these
technological advancements bring about new challenges
that organizations and individuals must face, the most
troubling of which are the evolving and expanding risks
associated with cybercrime.
As one of the world's leading IT security service providers
responsible for monitoring vast client networks on a daily
basis, we see firsthand how cybercrime jeopardizes the
safety of information and the normal flow of business. The
harsh realization that "cyberculture is growing faster than
cybersecurity, so everything that depends on cyberspace
is at risk" (Deloitte, 2009: p. 2) places greater emphasis
and urgency on implementing systems and procedures
that protect business infrastructures, and more specifically,
the most critical and sensitive IT assets that enable
businesses to operate effectively.
The rise of cybercrime is more than just our raison d'être
as an IT security service provider. It is a phenomenon
that affects and concerns all of us every day, be it in our
professional or in our personal environments. Ultimately,
we must acknowledge that each and every one of us is a
potential target for cybercriminals, for the simple reason
that we are all connected via the Internet. The fight against
cybercriminal activity through risk mitigation strategies and
education is a cause that we believe in strongly and that
we are proud to fully endorse within the framework of this
study and beyond.
Through the following commentary, we wish to leverage
the expertise we have gained from nearly 15 years in the
field in order to provide meaningful perspectives on IT
security and risk management. We will share our view of
current cybercrime threats and their impact on industries
and businesses, new and emerging threats that can be
expected in the next few years and effective strategies and
practices to consider for combating cybercrime in Canada
and globally. We hope that our viewpoints will serve as an
interesting and resourceful complement to the findings of
the study.
On behalf of the entire Above Security team, I would like to
express my gratitude and appreciation to the ICSPA and to
everyone involved in the creation of this research project.
May this study help raise awareness within the business
community and garner widespread support, which will be
crucial to successfully prevent the spread of cybercrime in
Canada and around the world.

Ray George Chehata
President and CEO
Above Security

Company view of cybercrime in Canada today including
threats and their impact on Industry and Business

Cybercriminal activity has increased dramatically in recent years
and can now be considered an omnipresent, even global menace
that will continue to affect each and every one of us. Hardly a
day goes by without cyber-related incidents hitting the headlines
of Canada's most renowned newspapers, magazines and
blogs. According to INTERPOL (2013), cybercrime is one of the
fastest growing areas of crime and has adopted many carefully-crafted
disguises to damage information systems. The most
commonly-known threats include, but are not limited to, Denial of
Service (DoS) and Distributed Denial of Service (DDoS) attacks,
SPAM, phishing emails, penetration of online financial services,
virus deployment, social engineering, identity theft and theft of
intellectual property. Although all of these threats should be treated
with equal importance, DDoS attacks have become especially
worrisome recently due to their destructive nature and an ability
to affect the networks of high-profile Canadian governmental
organizations and financial institutions with relative ease.
With regards to its impact, cybercrime is known to
cause both tangible and intangible damages. In its 2012
research report on The Impact of Cybercrime on Business,
the Ponemon Institute found that data breaches cost
on average $7.2 million per incident, with the cost per
malicious attack exceeding $10 million in many cases, thus
making financial losses the most severe of cybercrime's
numerous impacts. In addition, businesses that have
become victims of cybercriminal activity frequently report
substantial losses among previously loyal clientele, a
strong decline in productivity, severe disruptions of their
services and operations, massive losses of proprietary and
sensitive information, as well as immeasurable damages to
their brand, corporate image and reputation.

Company view of Global cybercrime threats and the
potential impact on Canada

As recently as several years ago, the global cybercrime
landscape was very clearly divided, with a great majority
of cyberattacks originating from Russia, Eastern Europe,
China, Southeast Asia, North Korea and Brazil. As we
have entered the second decade of the new millennium,
cybercrime has become an increasingly pervasive threat
that cannot easily be linked to only a handful of regions.
As INTERPOL (2013) correctly noted, cybercrime has no
borders. Not only have cybercriminals developed more
sophisticated attack strategies, they have also learned how
to blur their traces effectively and complicate the work of
those seeking to track them down.
Compounding matters even more is the fact that security-related
laws and regulations vary from country to country
(sometimes even from province to province), and thus it
comes as no surprise that regions with less strict legislation
are prone to a higher degree of cybercrime. Even foreign
governments are now exhibiting unethical practices, as in the
recent case of the Chinese military that allegedly engaged
in an extensive cyber espionage campaign (CNN, 2013).
Regardless of the geographical origin of cybercriminal
activity, each individual attack potentially threatens Canada's
national security and represents a substantial risk for the
Canadian economy, a risk that needs to be acknowledged,
investigated and mitigated at all costs.

Company view of new and emerging cybercrime threats
that may impact Canada over the next 5 years and
those sectors most at risk

With regards to new and emerging cybercrime threats
that may impact Canada over the next 5 years, we are
witnessing the evolvement of DoS and DDoS attacks into
increasingly sophisticated schemes that use several attack
vectors in an attempt to hide further nefarious activity.
By intentionally misusing bandwidth resources in order
to bring down sites, networks and applications, these
attacks ultimately cause substantial business impacts
such as: loss of revenues, diminished brand reputation
and potentially long-term service interruptions. Another
emerging trend that is already a strongly debated issue
across the globe is the rise of cloud computing offerings.
Although cloud computing is a much more convenient
alternative to traditional data storage and handling, it
provides a greater surface of attack that is much more
complex to control. When it comes to the origin of threats,
one of the most astonishing trends we have noticed is
that businesses may even be attacked by their national
competitors and not exclusively by international hackers.
No matter how the global cybercrime landscape evolves
in coming years, organizations that store large amounts
of sensitive data and are required to comply with strict
standards, laws or regulations remain the primary targets
of cybercriminals. This relates mostly to governmental
organizations and financial institutions, but can also extend to
organizations that are often considered to be devoid of major
risk, such as manufacturing companies. Especially in the
manufacturing sector, the theft of intellectual property can result
in colossal damages. Although certain sectors are traditionally
more at risk than others, it needs to be emphasized that "no
business, government, nongovernmental, or other organization
of whatever size is invulnerable to cyber attacks" (British-North
American Committee, 2007: p. 3).

Company view of effective deterrents, responses and
practices in fighting cybercrime + Company view of
measures needed to combat cybercrime in Canada

In a 2012 Washington Post article, Alec Ross, senior adviser
for innovation at the State Department, was quoted as saying
"If any college student asked me what career would most
assure 30 years of steady, well-paying employment," Ross
said, "I would respond, cybersecurity." The simple reasoning
behind this is the growing number of cyber-related crimes.
As such, companies now need to improve the quality of
protections they have in place as legislative compliance
requirements increase, security environments age, resources
become scarce and internal IT security costs continue to rise.
Fighting cybercrime begins with raising the awareness level
of both the business community and the general public. This
can be achieved by large-scale research initiatives, such as
the ICSPA study, as well as through education campaigns
originating from public and private organizations. In addition,
everyone who connects to cyberspace, a space that is
expanding at the speed of light, should learn as much as
they can about the threats that they are exposed to and their
potential impact. Only if individuals and organizations alike
fully comprehend the extent to which cybercriminal attacks
can expose information and impair business operations,
can adequate measures be taken to manage and mitigate
the risk associated with cybercrime (British-North American
Committee, 2007).
Organizations can strengthen their defenses by employing
tactics that have already proved successful, such as
allocating a budget specifically to IT security, establishing
clear policies and controls, performing regular IT security
audits, assessing current security measures in place and,
most importantly, developing a concise risk mitigation
and incident response plan (CERT, 2009; Deloitte, 2009a;
PricewaterhouseCoopers, 2013). Moreover, by following an
organized plan for IT security and risk management that
includes partnerships with cybersecurity specialists and
obtaining sound recommendations from third-party experts,
organizations can stay on the leading edge and ensure
that their security posture remains solid and stable.
Lastly, governments and regulatory organizations must
continue to prioritize, strengthen and assess cybercrime-related
laws and regulations on a regular basis. Laws
have barely caught up with today's reality and must be
amended to better protect corporations and individuals
from the disastrous effects of cybercrime. To put it simply, it
is much easier to find a remedy after a physical corporate
asset such as a car or a machine has been stolen than
to take action against data theft and virus deployments.
Canadian businesses must adopt best practices and make
information security an integral part of their corporate
culture (British-North American Committee, 2007). In our
opinion, Canada has already taken initiative and is in a
position to be a leader in establishing legal precedents to
protect organizations, which can ultimately be emulated
throughout the world.
In conclusion, with continued, timely exposure to the
issues and growing public awareness, organizations and
individuals need to take the next step and join forces, so
they can work together to wage a persistent and formidable
battle against cybercrime.

Bibliography
British-North American Committee (2007) Cyber Attack: A Risk Management Primer for CEOs and Directors.
CERT (2009) Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition Version 3.1.
CNN (2013) Report: Chinese military engaged in extensive cyber espionage campaign [online] Available at:
http://security.blogs.cnn.com/2013/02/19/report-chinese-military-engaged-in-extensive-cyber-espionage-campaign/?iref=allsearch. Accessed: 5 March 2013.
CSI (2009) 14th Annual CSI Computer Crime and Security Survey. Comprehensive Edition.
Deloitte Touche Tohmatsu (2009a) Cybersecurity: Everybody's Imperative. Protecting our economies, governments, and citizens.
Deloitte Touche Tohmatsu (2009b) Protecting what matters. The 6th Annual Global Security Survey.
INTERPOL (2013) Tackling cyber security threats focus of INTERPOL workshop [online] Available at:
http://www.interpol.int/News-and-media/News-media-releases/2011/N20110707. Accessed: 27 February 2013.
Ponemon Institute (2012) The Impact of Cybercrime on Business. Studies of IT practitioners in the United States, United
Kingdom, Germany, Hong Kong and Brazil.
PricewaterhouseCoopers (2012) Changing the game. Key findings from The Global State of Information Security Survey 2013.
The Washington Post (2012) Cybersecurity experts needed to meet growing demand. [online] Available at:
http://articles.washingtonpost.com/2012-05-29/business/35458606_1_cybersecurity-college-students-visit-colleges.
Accessed: 6 March 2013.

BlackBerry Sponsor Commentary


How safe is your smartphone
The BlackBerry Focus on Cyber Security.
Contents
A. An Introduction from Michael K. Brown, Vice-President, BlackBerry Security Product Management & Research
B. Executive Overview on Anti-Malware Security Approach
C. Today's Mobile Landscape: Safeguarding Security and Privacy
D. A Significant Threat: Malware on Mobile Devices
F. Combating Mobile Malware and Privacy Implications Associated with Third-Party Apps
G. Legal notice

An Introduction from Michael K. Brown, Vice-President, BlackBerry Security Product Management and Research
Security was built into the heart of the BlackBerry secure infrastructure from the very beginning. From the battlefield to
the boardroom, our customers have come to rely upon the unique level of protection BlackBerry offers through its layered
approach to security. Nothing is more secure than a BlackBerry device running on the BlackBerry platform.
Over the past decade, this has evolved from our first Mobile Device Management (MDM) controls to let administrators
manage the new thing called mobile, to more advanced technologies like process separation, stack cookies, and ASLR.
We're very excited to keep pushing the envelope and providing an enjoyable experience along the way.
BlackBerry is committed to partnering with industry leading organizations to deepen the importance of data responsibility and
secure infrastructure practices. 90% of Fortune 500 companies and countless government agencies rely on BlackBerry products
and services each day because of our embedded security practices. This level of trust is something we take very seriously.
At BlackBerry, we have more security certifications than any other smartphone on the market. BlackBerry has always built
security into everything we do from silicon to software. Our industry leading encryption, networking and data security
practices are recognized world-wide for their robust abilities to keep customer data safe and secure.
For more information on BlackBerry security, visit www.blackberry.com/security, and if you have a security issue you would
like to discuss with us, please email us at secure@blackberry.com.
Warm regards,

Michael K. Brown
Vice President
BlackBerry Security Product
Management and Research

Executive Overview on Anti-Malware Security Approach


Maintaining a leadership position in mobile security
requires deep integration of security at the product
development stage, but it also requires listening to the
needs of customers, and working collaboratively across
the industry. At BlackBerry, these are some of the core
tenets that have led to the unique level of security the
BlackBerry solution delivers and that our customers
depend upon. BlackBerry's anti-malware strategy is built
upon five core pillars that focus on our smartphones'
built-in protections, analyzing third-party applications,
transparent customer communications, educating
developers and having an anti-malware team embedded
in the security response group. By developing an
anti-malware strategy based on five key pillars of security,
we provide BlackBerry customers an unparalleled level of
protection from emerging security and privacy issues.

Today's Mobile Landscape: Safeguarding Security and Privacy

Today, mobile devices have capabilities and
characteristics similar to those of modern desktop computers, with
one exception: the amount of personal data on the
device. Unlike computers, applications downloaded on
mobile phones and tablets have the ability to broadcast
your location, private conversations, pictures, banking
information and other sensitive data, even when these
mobile devices are not in use. Just as mobile customers'
expectations vary widely about privacy and security, so do
the approaches that mobile vendors take in safeguarding
customers' security and privacy.

With the increased prevalence of smartphones and tablets
becoming a common part of how we share information with our
family, friends and co-workers, there is a growing potential for
increased risks related to data security and privacy. This isn't
the first time we've watched the computing threat landscape
evolve. Over the last decade, as more users leveraged the
power of personal computers, attackers began focusing on
ways to steal users' data and take control of their computers.
Their methods included using vulnerabilities in the software
and creating malicious software, known as malware, which is
designed to trick a user into installing these programs in order
for the attacker to gain control of a user's system. Now, as we
move toward a mobile computing society, we're seeing that
same trend happening across the mobile industry.

A Significant Threat: Malware on Mobile Devices
At BlackBerry, we're committed to protecting customers
and their data, and also to providing greater transparency
into the unique level of protection we offer customers. We
recognize that customers want and need access to apps
that do not infringe on their privacy or impact their security.
With such a significant challenge facing the mobile industry,
we determined that adding additional layers of protection is
crucial to helping protect BlackBerry customers.
One of the significant security concerns facing the mobile
industry is how to address the skyrocketing amount of
malware on mobile devices. This concern is especially
challenging because instead of attackers trying to trick
computer users to install malware, attackers have shifted
their focus and tactics by offering what appear to be
safe apps. They are placing their malicious apps within
smartphone app stores and bypassing protections that
these app store vendors may have in place to help
prevent malware. While most smartphone users have
heard of malware, and know about its potential to harm
their devices, they don't expect that any app downloaded
from their smartphone's app store is malicious. As a result,
smartphone users may not be as careful or discerning
when deciding which third-party apps to download, and
these choices can lead to users being vulnerable to
potential security and privacy implications associated with
these apps. In order to bolster our own internal, proprietary
application analyzing system, we are incorporating Trend
Micro™'s industry-leading anti-malware technology into
our app vetting process. This collaboration will help ensure
BlackBerry customers have access to apps that do not
infringe on their privacy or impact their security.

Combating Mobile Malware and Privacy Implications Associated with Third-Party Apps
Given that both malware and privacy concerns span
across the breadth of the mobile industry, it's not practical
to believe that any one company can thoroughly address
these issues on their own. By working with an industry
leader, such as Trend Micro, we're establishing a unique
level of protection for BlackBerry customers, and we
believe the rest of the industry should also consider
working collaboratively in order to address the significant
increase in mobile malware and privacy implications
associated with third-party apps.
As part of our comprehensive approach, BlackBerry is
incorporating Trend Micro's industry-leading anti-malware
technology with our current internal, proprietary system for
analyzing apps. "BlackBerry is working with Trend Micro to
implement a more robust approach for addressing privacy
and security concerns related to third-party applications,"
said Adrian Stone, Director, BlackBerry Security Response
and Threat Analysis at BlackBerry. "By incorporating Trend
Micro's advanced mobile scanning and detection capabilities
with our own internal, proprietary application analyzing
system, we can provide another layer of protection and
assurance for BlackBerry customers." Together, BlackBerry
and Trend Micro are developing an innovative and
comprehensive solution for protecting BlackBerry customers
against emerging mobile security concerns. Through this
collaboration, BlackBerry will use Trend Micro's suite of
app scanning technology to help enhance anti-malware
capabilities, including industry-leading app analyzing
techniques and built-in permission settings on BlackBerry
devices. By vetting apps against Trend Micro's extensive
library of known malicious software, we will help ensure both
current and new apps submitted to the BlackBerry World
storefront are scanned for potential malicious behavior.

"The volume of malicious and high-risk mobile apps
is on the rise across the industry, which is why we
applaud BlackBerry's commitment to protecting their
customers against these emerging mobile threats," said
Kevin Simzer, Vice President of Corporate Development
and Alliances, Trend Micro. "With the speed that
cybercriminals are targeting new platforms and
applications, Trend Micro and BlackBerry's strategic
collaboration is natural and timely for the security of end
users. Together, the two companies can further secure
and enhance BlackBerry customers' mobile experience."
Trend Micro has scanned and evaluated over 2 million
mobile applications. Mobile Application Reputation
Service is Trend Micro's next generation cloud-based
technology for mobile operating systems that analyzes
application code and behavior to identify risks from
malware and data leaks. It also detects the abuse of
battery, memory, and data resources. This service
leverages the Trend Micro Smart Protection Network
infrastructure to provide meaningful mobile app reputation
ratings. The Smart Protection Network is built upon
unique in-the-cloud technologies that naturally fit with
cloud-based security services like the Mobile Application
Reputation Service. By checking URLs, emails, files, and
applications against continuously updated and correlated
threat databases, customers always have immediate
access to the latest protection.
Every smartphone and tablet vendor uses a different
strategy for protecting customers from both malware and
privacy concerns, and customers do not typically have
insight into how they may or may not be protected from
these issues. BlackBerry is taking an innovative approach
for enhancing third-party app security, which is recognized
as one of the fastest growing security concerns for the
mobile industry.

Legal Notice

© 2013 Research In Motion Limited. All rights reserved. BlackBerry,
RIM, Research In Motion, and related trademarks, names, and logos
are the property of Research In Motion Limited and are registered
and/or used in the U.S. and countries around the world.

All other trademarks are the property of their respective owners.


This documentation including all documentation incorporated by
reference herein such as documentation provided or made available
at www.blackberry.com/go/docs is provided or made accessible
"AS IS" and "AS AVAILABLE" and without condition, endorsement,
guarantee, representation, or warranty of any kind by Research
In Motion Limited and its affiliated companies ("RIM") and RIM
assumes no responsibility for any typographical, technical, or other
inaccuracies, errors, or omissions in this documentation. In order
to protect RIM proprietary and confidential information and/or trade
secrets, this documentation may describe some aspects of RIM
technology in generalized terms. RIM reserves the right to periodically
change information that is contained in this documentation; however,
RIM makes no commitment to provide any such changes, updates,
enhancements, or other additions to this documentation to you in a
timely manner or at all.
This documentation might contain references to third-party sources
of information, hardware or software, products or services including
components and content such as content protected by copyright
and/or third-party websites (collectively the "Third Party Products
and Services). RIM does not control, and is not responsible for, any
Third Party Products and Services including, without limitation the
content, accuracy, copyright compliance, compatibility, performance,
trustworthiness, legality, decency, links, or any other aspect of Third
Party Products and Services. The inclusion of a reference to Third
Party Products and Services in this documentation does not imply
endorsement by RIM of the Third Party Products and Services or the
third party in any way.
EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY
APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS,
ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR
WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS,
GUARANTEES, REPRESENTATIONS OR WARRANTIES OF
DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NONINFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING
FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR
USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION
OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF
ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY
PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY
EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY
STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW
THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND
CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED
WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION
TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE,
BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS
FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR
THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN
YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR
ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION
OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF
ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY
PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING
WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES:
DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT,
SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES
FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE
ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF
BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY,
OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT
OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY
APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS
OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM
PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY
AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF
COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER
SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES
WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN
YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION,
DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR
OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE
OR STRICT LIABILITY.
THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN
SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE
OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT
NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT,
STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL
SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE
FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT
OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND
ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS,
AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS),
AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME
SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS,
EMPLOYEES, AND INDEPENDENT CONTRACTORS.
IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT
ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT,
DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM
OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM
OR RELATED TO THE DOCUMENTATION.
Prior to subscribing for, installing, or using any Third Party
Products and Services, it is your responsibility to ensure that your
airtime service provider has agreed to support all of their features.
Some airtime service providers might not offer Internet browsing
functionality with a subscription to the BlackBerry Internet
Service. Check with your service provider for availability, roaming
arrangements, service plans and features. Installation or use of Third
Party Products and Services with RIM's products and services may
require one or more patent, trademark, copyright, or other licenses
in order to avoid infringement or violation of third party rights. You
are solely responsible for determining whether to use Third Party
Products and Services and if any third party licenses are required
to do so. If required you are responsible for acquiring them. You
should not install or use Third Party Products and Services until all
necessary licenses have been acquired. Any Third Party Products
and Services that are provided with RIM's products and services
are provided as a convenience to you and are provided "AS IS"
with no express or implied conditions, endorsements, guarantees,
representations, or warranties of any kind by RIM and RIM assumes
no liability whatsoever, in relation thereto. Your use of Third Party
Products and Services shall be governed by and subject to you
agreeing to the terms of separate licenses and other agreements
applicable thereto with third parties, except to the extent expressly
covered by a license or other agreement with RIM.
Certain features outlined in this documentation require a minimum version
of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or
BlackBerry Device Software.
The terms of use of any RIM product or service are set out in a
separate license or other agreement with RIM applicable thereto.
NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE
ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES
PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR
SERVICE OTHER THAN THIS DOCUMENTATION.

Research In Motion Limited
295 Phillip Street
Waterloo, ON N2L 3W8
Canada
Research In Motion UK Limited
200 Bath Road
Slough, Berkshire SL1 3XE
United Kingdom
Published in Canada

Lockheed Martin Sponsor Commentary


In a world that is becoming more connected by the minute,
the opportunity for cybercrime increases exponentially.
Canada is a prime target, where in recent years there has
been a disturbing increase in cyber security events impacting
not only government and private industry but also individual
citizens. Complicating this is an expectation for Canadian
businesses to operate securely in an era focused on mobility
solutions, bring your own device (BYOD) policies, and ever
expanding social media. It is critical that steps are taken to
increase cyber security awareness and support an increasing
uplift in capability across government and industry. Trusted
partnerships, actionable intelligence and advanced tradecraft
will be the key to success moving forward.
Lockheed Martin greatly appreciates the opportunity that
ICSPA has provided to be a sponsor and contributor to this
cybercrime study. Understanding the threats the Canadian
industry is facing is a critical step to increasing the ability
of all companies to not only defend themselves, but extend
those security services to government and critical national
infrastructure. Once these threats are better understood,
forming the partnerships required to share information about
emerging threats and potential mitigations becomes critical.
There is no one magic answer to help businesses address
the potential threat that cybercrime poses to operations and
corporate reputation. It takes a coordinated and intelligent
approach to addressing these challenges to ensure
success against all aspects of cyber adversaries.

Bob Eastman
Vice President
Lockheed Martin IS&GS-National,
Global Solutions

Global Cybercrime
As a global security company, Lockheed Martin has firsthand experience defending against the most sophisticated
threats facing businesses today. We have been defending
the highly sensitive (and heavily attacked) networks of
both Lockheed Martin and its government and commercial
customers against advanced persistent threats for more
than 10 years. Increasingly, the motivation behind cyber
attacks is cybercrime. Whether it's attempting to disable
mission critical networks, gain access to classified
information, or steal corporate intellectual property, our
adversaries are becoming more agile, more persistent
and more sophisticated. These are challenges we all face
as our adversaries are not constrained by geographic,
political or national boundaries. It is imperative that,
through activities such as this cybercrime study, we find
ways to share tools, techniques and best practices to build
a stronger, truly global cyber defense.

Cyber Security Threats and Potential Impacts
Businesses today face a myriad of threats from different,
and often times coordinated, actors and vectors. Beyond
the external threat, companies increasingly face threats
from within. Whether intentional or not, a business's
employees are both the first line of defense and the
first risk companies face. Without proper education,
employees can open attachments, click links and take
other adverse actions that give threat actors access to
corporate networks. Through education efforts, businesses
can turn potential weaknesses into strengths as we have
in Lockheed Martin. Our employee campaigns have
increased employee reported security events significantly
over the past three years; each employee has become an
additional sensor in our network.
Canadian businesses are now facing the disrupting threats
of hacktivists such as Anonymous and Lulzsec. To combat
these types of actors, businesses have to employ a
combination of open source analysis and denial of service
attack defenses. These activists can deface websites,
cause disruptions to operations and inflict reputational
damage to Canadian companies if not adequately
defended against. Their use of open source/social media
platforms for communications is both a challenge and
a benefit for defenders. Using targeted intelligence
development techniques, companies are able to anticipate
attacks by using this open source information against the
adversary and get ahead of the attacks.
Like many nations, the most challenging adversary
facing Canadian business is what is typically referred to
as advanced persistent threats or APTs. These are well
educated, well-resourced adversaries whose focus on
the theft of secrets including intellectual property poses
significant threats to Canadian businesses. Numerous global
companies have been targeted by APT attacks over the past
three years causing high-visibility, high-impact cyber events
for these companies. It is imperative that Canadian industry
take the steps necessary to defend themselves from APT
threats. This includes using the persistent nature of these
actors against them to develop the intelligence required to
anticipate and mitigate their attacks.

Effective deterrents, responses and practices in fighting cybercrime
Lockheed Martin is a major target for APT actors due to
our global security work in the US, Canada and abroad.
Lockheed Martin's approach to countering APT uses an
intelligence-focused approach that we call Intelligence-Driven
Defense. This approach features implementation
of advanced processes, tools and techniques aimed at
increasing the situational awareness of security operators
and executive decision makers by providing early
actionable intelligence. Recognizing the ever-evolving and
adaptive nature of APT, we found that only through better
intelligence capabilities could we, in fact, move beyond a
reactive Computer Network Defense (CND) capability to a
more predictive one.
At each of Lockheed Martin's three global Security
Intelligence Centers, advanced techniques such as the Cyber
Kill Chain (described overleaf) are employed to counter APT.
Advanced capabilities that analyze and correlate security
events help to characterize APT actors and track their
campaigns over time, giving our security operation
predictive insight into evolving APT methods and patterns.
Advanced technologies such as Open Source Intelligence
tools, data analytics, and highly specialized APT network
sensors provide another layer of situational awareness
and actionable intelligence. Finally, and perhaps most
importantly, this is where the Lockheed Martin cyber
intelligence analysts hone their experience and tradecraft
in identifying and countering APT.

Table 14: Cyber Kill Chain

1. Reconnaissance: Harvesting email addresses, conference information, etc.
2. Weaponisation: Coupling exploit with backdoor into deliverable payload
3. Delivery: Delivering weaponised bundle to the victim via email, web, USB, etc.
4. Exploitation: Exploiting a vulnerability to execute code on victim system
5. Installation: Installing malware on the asset
6. Command & Control: Command channel for remote manipulation of victim
7. Actions on Objectives: With "Hands on Keyboard" access, intruders accomplish their original goals

A key element of our Intelligence-driven approach is
employing tools and techniques that give our analysts
better insight into our adversaries, and provide a
framework to track those adversaries over time. One
such capability is referred to as the Cyber Kill Chain.
Summarized in the graphic, the Cyber Kill Chain is an
innovative analytic process that identifies seven unique
steps an attacker needs to successfully accomplish in
order to realize the objective. Interrupting an attack at
any of these steps not only protects the enterprise, it also
exposes the attacker's specific techniques (patterns over
time), and provides actionable intelligence to the security
analyst. Contrary to the common belief that "the attacker
only has to be right once but we have to be right every
time," an adversary must be successful at every step
in the Cyber Kill Chain, whereas the defender has to be
positioned to disrupt them at only one. By analyzing each
APT attack against the Cyber Kill Chain, we also have
an effective framework for measuring our own defensive
capabilities (e.g., defense-in-depth and resilience
measured as ability to defend at multiple levels).[1] This
provides an effective basis to identify gaps, risks and
vulnerabilities, and inform future investment prioritization,
particularly as APT technologies and tactics continue to
evolve.
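The following is an added example, not part of the report and not Lockheed Martin's tooling, showing how intrusions mapped onto the seven steps of Table 14 can be used to find where each attack was disrupted, which steps have no working control, and which intrusions reuse the same indicators. The incident names, indicators and outcome labels are constructed assumptions.

```python
from collections import defaultdict
from enum import IntEnum


class Phase(IntEnum):
    """The seven steps of Table 14, numbered in attack order."""
    RECONNAISSANCE = 1
    WEAPONISATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    COMMAND_AND_CONTROL = 6
    ACTIONS_ON_OBJECTIVES = 7


# Constructed sample data (not real incidents). Each observation is
# (phase, indicator, outcome); the outcome labels are assumptions:
# "blocked" = a control stopped the step, "detected" = alerted only,
# "missed" = found later during analysis.
INTRUSIONS = {
    "INC-001": [
        (Phase.DELIVERY, "subject:Q3 invoice", "detected"),
        (Phase.EXPLOITATION, "pdf-exploit-family-A", "missed"),
        (Phase.INSTALLATION, "dropper-hash-PLACEHOLDER-1", "missed"),
        (Phase.COMMAND_AND_CONTROL, "c2.example.test", "blocked"),
    ],
    "INC-002": [
        (Phase.DELIVERY, "subject:conference agenda", "detected"),
        (Phase.EXPLOITATION, "pdf-exploit-family-A", "blocked"),
    ],
    "INC-003": [
        (Phase.DELIVERY, "usb-drop", "missed"),
        (Phase.INSTALLATION, "service-name:updsvc", "missed"),
        (Phase.COMMAND_AND_CONTROL, "c2-other.example.test", "detected"),
        (Phase.ACTIONS_ON_OBJECTIVES, "archive-staging", "missed"),
    ],
}


def earliest_disruption(observations):
    """First step (in attack order) at which a control blocked the
    intrusion, or None if the chain was never broken."""
    blocked = [phase for phase, _, outcome in observations
               if outcome == "blocked"]
    return min(blocked) if blocked else None


def coverage_gaps(intrusions):
    """Steps where adversary activity was observed but no control ever
    detected or blocked it: candidates for investment."""
    seen, covered = set(), set()
    for observations in intrusions.values():
        for phase, _, outcome in observations:
            seen.add(phase)
            if outcome in ("detected", "blocked"):
                covered.add(phase)
    return sorted(seen - covered)


def link_campaigns(intrusions):
    """Group intrusions that reuse the same indicator at the same step
    (union-find), approximating tracking an adversary over time."""
    parent = {name: name for name in intrusions}

    def find(name):
        while parent[name] != name:
            parent[name] = parent[parent[name]]  # path compression
            name = parent[name]
        return name

    first_seen = {}
    for name, observations in intrusions.items():
        for phase, indicator, _ in observations:
            key = (phase, indicator)
            if key in first_seen:
                parent[find(name)] = find(first_seen[key])
            else:
                first_seen[key] = name

    groups = defaultdict(set)
    for name in intrusions:
        groups[find(name)].add(name)
    return sorted(sorted(group) for group in groups.values())


if __name__ == "__main__":
    for name, observations in INTRUSIONS.items():
        phase = earliest_disruption(observations)
        print(name, "disrupted at:", phase.name if phase else "never")
    print("Coverage gaps:", [p.name for p in coverage_gaps(INTRUSIONS)])
    print("Linked intrusions:", link_campaigns(INTRUSIONS))
```

In this constructed data, INC-003 ran the full chain without being blocked, and the Installation and Actions on Objectives steps never produced a detection in any intrusion.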
Incorporating all of these concepts into a comprehensive
cyber security program will help our fellow Canadian
businesses to protect themselves from cybercrime. Whether
it is the loss of intellectual property, disruption to operations
or reputational damage, the impact that cybercrime can
have on a company is swift and far reaching.

For more information on the Cyber Kill Chain please visit: http://bit.ly/killchain

McAfee Sponsor Commentary


CEO Foreword: A Message From
Luc Villeneuve, Vice President, Canada, McAfee, Inc.
Here at McAfee, our mission is to protect governments, enterprises, small to medium-sized businesses and consumers
and their proprietary information from the dangers of cybercrime. While McAfee initially began as a vendor of antivirus
software, we soon expanded our expertise and capabilities to keep pace with the evolving cyber threat landscape to
better serve our customers. McAfee has evolved over the years through a combination of strategic acquisitions and
organic growth. As a wholly owned subsidiary of Intel, McAfee is able to take security beyond the operating system to
deliver advanced protection against targeted attacks, while also providing security at the hardware level.
Cybercrime attacks are a serious and growing problem that needs to be addressed by the security industry as a whole.
Information security is everyone's job, which is why technology companies such as McAfee must partner with each other as
well as businesses, academia, government and associations. We need to work together to stay on top of the evolving threat
landscape and combat malicious activity, because as our company tagline goes, "Safe Never Sleeps."
In addition to McAfee's dedication to our Security Connected strategy to provide comprehensive, end-to-end security
solutions to meet all industry needs, we are also committed to educating our communities. Through our various partnerships,
such as with the International Cyber Security Protection Alliance (ICSPA), we aim to deliver and make available to the
industry and Internet users, relevant information, resources and tools to help combat cybercrime.
The study you are about to read is a collective effort made by the ICSPA, McAfee Canada and several other Canadian
companies. It examines the nature and impact of cybercrime on Canadian businesses in several industries and sheds
light on this growing and serious issue.
A safer, more secure world is possible and we will endeavour to do whatever we can to ensure this happens.
Sincerely Yours,

Luc Villeneuve
Vice President
Canada, McAfee, Inc.

The Cybercrime Landscape and Future: A McAfee Perspective
The advent of the Internet and the adoption and evolution
of new technologies and products have made it easier for
organizations, businesses and consumers to operate on a
broader scale, while also enabling groups and individuals
to be active participants in the global economy.
Technology offers us plenty of conveniences, but it
also opens the door to potential security risks, threats
and cybercrime, a growing concern that needs to be
addressed by the global community at large. With new
attack vectors, methods and targets, the risk of data loss
and theft is high.
Cybercriminal activity is motivated by any number of
factors. Profiteering is just one of the various motivations.
According to a McAfee Labs white paper titled
"Cybercrime and Hacktivism,"[1] other objectives may
include the following:

Playing the game: Some hackers are attracted to cybercrime because it's exciting.

Gathering information: The Internet is used for industrial espionage.

Promoting ideology: Patriot groups, whether acting in good faith or being manipulated, conduct criminal activities against institutions they believe are related to the enemy.

Behaving foolishly: Individuals sometimes make bad choices for poor or unclear reasons.

Cybercriminals and the underground economy are
thriving. Technology companies like McAfee must continue
to cooperate and partner with each other as well as
businesses, academia, government and associations
in order to fully understand the threats, existing and
emerging, so that we can effectively protect and secure
against the threats of the future.

[1] McAfee Labs White Paper, Cybercrime and Hacktivism, François Paget

Global Cybercrime Landscape and Potential Impact on Canada
Operation High Roller Expands
Financial gain remains a huge motivator behind cybercrime.
In June 2012, McAfee and Guardian Analytics discovered
a highly sophisticated multi-tiered, global financial fraud
ring dubbed "Operation High Roller." It targets commercial
financial accounts and high net-worth individuals using
active and passive automated transfer systems to steal
high-value transactions from high-balance bank accounts.
Malware is installed onto a victim's computer using phishing
and drive-by downloads. It waits for the victim to log onto
online banking and sends the login credentials and account
information to the fraudster's server. Once this data is obtained,
the malware automatically logs in and initiates transactions that
transfer money from the victim's account to a mule account.
This operation has affected and continues to impact
financial institutions globally. McAfee does not expect
Operation High Roller activity to cease anytime soon.
Mobile Threats
In recent years, we have seen mobile malware emerge
as the new frontier for cybercrime. The explosion of
mobile devices at home and in the workplace has led to
the growing trend of mobile workers and road warriors.
Additionally, the availability of free public Wi-Fi has made it
easier than ever for people to stay connected. However, any
time users connect to an unsecured public Wi-Fi network,
they are putting themselves and their devices, which often
contain proprietary and sensitive information, at risk.
In the McAfee Threats Report: Fourth Quarter 2012,
McAfee Labs found the number of mobile malware
samples was 44 times the number found in 2011,
meaning that 95 per cent of all mobile malware samples
appeared in the last year alone. Furthermore, the Android
platform has recently become by far the most popular
platform for attack, with an 85 per cent increase of new
Android-based malware samples in the fourth quarter. With
mobile users around the world, everyone is susceptible to
these threats.
Ransomware
Recently, cybercriminals have turned to ransomware
attacks that use malicious software to infiltrate a computer
to lock down the data. By holding the data and access to
the device hostage, victims are pressured into providing a
ransom in exchange for their information; however, there
is no guarantee that access to the device will be granted
after a ransom is paid. As we saw in the McAfee
Threats Report: Fourth Quarter 2012, ransomware has
become a growing problem during the last couple of
quarters, with the number of new, unique samples
reaching more than 200,000.

Current Canadian Cybercrime Landscape and Impacts


The Canadian cybercrime landscape is not much different
from those threats and attacks seen around the world. Threats
to mobile devices continue to be cause for concern, especially
for organizations that have implemented a bring-your-own-device (BYOD) policy. Whenever a new device enters the
corporate network, an element of risk is involved, which is why
security policies and best practices must be implemented and
enforced in the workplace and by its employees.
According to McAfee's 2012 Online/Mobile Shopping
Habits & Security Concerns survey, 85 per cent of
Canadians own and use at least one smartphone and/or
tablet device. Furthermore, 41 per cent of Canadians
said they leave their phone open and unprotected without
a password.
Additionally, as we found in our recent McAfee State of
Security Report, 25 per cent of organizations worldwide do
not have security solutions to protect their mobile devices.
2 McAfee Threats Report: Fourth Quarter 2012, McAfee Labs

3 McAfee 2012 Online/Mobile Shopping Habits & Security Concerns, September 2012

4 McAfee Canada 2013 Love, Relationships and Technology Survey, January 2013

5 McAfee State of Security Report, March 2012

While these statistics are illustrative of Canada's adoption
of a mobile culture, without adequate security solutions
and measures for these devices in place, organizations
and individuals put themselves at risk.
Best Practices to Combat Cybercrime
There are certain best practices that consumers and
businesses should follow to help protect the sensitive
information and identities of citizens and organizations.
To help safeguard against cybercrime attacks, McAfee
recommends the following best practices:

Encrypt and back up all personal and sensitive
information and files living on devices such as
computers, smartphones, tablets and USB sticks.

Ensure all employees are aware of and trained on
effective security measures when handling customer,
company and other sensitive data.

Do not open emails, attachments or click on URLs from
an unknown or suspicious source.

Use strong authentication methods to password protect
devices. Use different passwords across accounts and
change them often to avoid theft and exposure to
other accounts.

Whenever connecting to a public Wi-Fi network,
exercise caution and avoid carrying out
financial transactions.

Know what data you have, who has access to it and how
it is being used. By prioritizing this information, it's easier
to know what needs to be protected.

Implement and enforce a BYOD security policy to
ensure data stays safe. Consider remote wipe solutions
in the event of device loss or theft, encrypt data on
the device, and ensure strong password use.

New and Emerging Cybercrime Threats and Industries at Risk


As we look at the cybercrime landscape in the months
ahead, we expect many of the same threats to continue.
Cybercriminals will expand their efforts to strengthen and
evolve their techniques to do whatever it takes to breach
privacy in businesses, financial institutions and homes.
In our 2013 Threats Predictions Report 6, McAfee Labs
forecasted several new threats to enter the marketplace
this year. They include mobile worms on victims' machines
that will buy malicious apps, malware targeting mobile
devices with near-field communications (NFC) capabilities
to steal money via the tap-and-pay method, malware
that blocks security updates to mobile phones, large-scale
attacks like Stuxnet that will attempt to destroy
infrastructure instead of attempting to steal money, and
many more.
At McAfee, we realize the importance of being able to
effectively protect and fight against cybercrime. That's
why we have several awareness partnerships with industry
associations, and have created a Multipoint Strategy
to Fight Cybercrime. Part of this strategy includes our
Cybersafety Resource Portal which is accessible to anyone
with Internet access. Our strategy is a three-pronged
approach that encompasses technology and innovation,
education and legal frameworks.
While we remain confident in our ongoing research and
efforts to bring to market resources and solutions that
will protect consumers and businesses from existing,
emerging and future threats, the security industry must
also work together to stay ahead of cybercriminals and
threats to make the world we live in a safer, more
secure place.
6 McAfee 2013 Threats Predictions Report, McAfee Labs,


Conclusion
In this study, the Survey Report identified the significant
extent and impact of cyber crime on Canadian businesses
and the need for greater preparedness to mitigate the
threat. The survey demonstrates that across business
communities, there is a general lack of strategy,
procedures and trained personnel to combat cyber crime.
In addition, there is a need for improved communications
and education as to the threats, their effect and what
actions to take. It is also clear that awareness and
education need to be improved not only within businesses
but in messaging from government to the business
community. Those surveyed believe that Public Safety
Canada and the RCMP are the appropriate Department
and agency for this role.
The sponsors' contributions have provided a view of the
emerging threats from the adoption of new technology and
techniques, highlighting mobile communications and cloud
services as today's new targets for the cyber criminal.
The distribution of application-based malware for mobile
devices using cloud-based services for both personal and
business use will become a new threat vector of the future.


The cyber crime environment is dynamic and fast moving
and requires continuous vigilance to provide timely,
appropriate information and measures to safeguard
Internet users. Therefore, all nations require clear
strategies, procedures and processes to mitigate the threat
of cyber crime through a combination of education and
defensive actions. The ICSPA believes this needs to be
coordinated with international partners from Government,
law enforcement, business and academia, in order to
tackle the borderless nature of cyber crime and determine
a more cohesive and collaborative response.
Also, in order to truly address the issue of global cyber
security, all users need to agree upon a level of acceptable
cyber behavior and understand the repercussions and
stigma attached if it is not adhered to.


www.icspa.org
email: info@icspa.org
Tel: +44-1494-798-160
Copsham House,
53 Broad Street,
Chesham,
Buckinghamshire HP5 3EA
United Kingdom
Twitter: @cyberprotection
