of Cyber Crime on
businesses in Canada
Introduction
The International Cyber Security Protection Alliance (ICSPA),
www.icspa.org, has conducted a study on the impact of cyber
crime on businesses in Canada.
The ICSPA is a global not-for-profit organization established
to channel funding, expertise and assistance directly to
assist law enforcement cyber crime units in both domestic
and international markets.
The ICSPA is a business-led organization comprising
large national and multi-national companies that recognize
the need to provide additional resourcing and support to
law enforcement officers around the world in their fight
against cybercrime. The ICSPA is also supported by law
enforcement partners, such as Europol, and associated
international organizations whose remit is complementary
to our own.
The study was sponsored by the following ICSPA
Canadian business associates:
Above Security
BlackBerry
Lockheed Martin
McAfee Inc.
Executive Summary
The following provides a brief overview of the ICSPA Cyber
Crime Study and includes the survey findings and views
of sponsors on cyber crime trends. The study provides
the opportunity for the reader to review both the survey
findings and the sponsor contributions, so that they may
form their own conclusions as to the impact of cyber crime
on business in Canada and the rest of the world. The study
reinforces the need for close collaboration between the
public and private sector in fighting cyber crime through the
pooling of knowledge and resources.
Survey Report
The survey report shows that cyber crime is fairly prevalent
among Canadian businesses, with 69% reporting some
kind of attack within a twelve-month period. The types and
frequency of attack vary depending on the nature and size of
businesses and are crafted to the crime being perpetrated.
Malware and virus attacks are shown to be the most
prevalent with phishing and social engineering coming
second. Certain cyber crimes, while impacting fewer
organizations, occur frequently among them.
These include:
Telecommunication fraud
Table of contents
I. Objectives and Methodology
II. Executive Summary
  A. Scope of cyber crime in Canada
  B. Cyber crime and corporate responsibilities
  C. Involvement of external agencies
  D. Public Safety Canada's / the RCMP's roles in raising awareness of cyber crime
III. Conclusions and Recommendations
IV. Detailed Findings
  A. Security-related responsibilities
  B. IT budget allocation toward cyber crime prevention
  C. Appropriateness of current spending on IT security/What it should be
  D. Main cyber crime threats (as perceived by businesses)
  E. Incidence of cyber crime in the past 12 months
  F. Types of cyber crime attacks and their impact on businesses
  G. Financial costs / losses due to cyber crime
  H. Reputation damage as a result of cyber crime attacks
  I. Internal versus external cyber attacks
  J. Cyber crime impact on various organizational aspects
  K. Attitudes toward cyber crime incidents
  L. Steps employed to raise awareness of cyber crime
  M. Employment of risk assessment process
  N. Incidence and frequency of security audits
  O. Incidence of formal procedures to deal with cyber crime incidents
  P. Individuals responsible for dealing with cyber crime attacks
  Q. Familiarity with cyber crime security strategy
  R. Involvement of external agencies
  S. Involvement / Effectiveness / Expectations of the RCMP and / or other Government agencies in relation to cyber crime
  T. Awareness of Public Safety Canada's/RCMP's roles in raising awareness of cyber crime / Sources of awareness
International Cyber Security Protection Alliance Ltd. conducted a quantitative study among Canadian businesses to
measure the following characteristics:
A total of 520 telephone surveys were obtained from businesses across Canada, and these included a set of 10 interviews
conducted by senior research staff.
400 surveys in English
120 surveys in French
No quota by industry and business size (revenues) was set, but a reasonable spread, representative of selected
industries and revenues, was achieved.
Industry | Number of completes
Financial services (in the report referred to as Financial) | n=148
Airlines/Shipping | n=75
Telecom | n=73
Utilities | n=66
Aerospace/Defense | n=29
Retail | n=129
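Revenue size | Number of completes
Under $1 Million | n=22
[label missing] | n=229
[label missing] | n=90
[label missing] | n=61
[label missing] | n=54
[label missing] | n=27
[label missing] | n=37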
For the purposes of more meaningful analysis, the revenue sizes were combined into, and examined as,
three segments:
Revenue size | Number of completes
[label missing] | n=341
[label missing] | n=115
[label missing] | n=64
Overall, the results are accurate to within ±4.38%, nineteen times out of twenty.
A note on differences in responses by industry and business size identified throughout the report:
Because the sample sizes within each industry and business size are relatively small, a difference of at least 9
percentage points between a particular sub-segment and the total sample is needed to be deemed
statistically significant. The table below specifies what constitutes a statistically significant difference between each segment
and the overall results. For differences between small sub-segments to be statistically significant, they would have to
be even larger than the ones indicated in the table below. All other differences should be viewed as directional.
Industry | Number of completes | Difference from total (n=520) that is statistically significant
Financial | n=148 | 9 points
Airlines/Shipping | n=75 | 12 points
Telecom | n=73 | 12 points
Utilities | n=66 | 12 points
Aerospace/Defense | n=29 | 19 points
Retail | n=129 | 9 points

Revenue size | Number of completes | Difference from total (n=520) that is statistically significant
[label missing] | n=341 | 6 points
[label missing] | n=115 | 10 points
[label missing] | n=64 | 12 points
These include:
Unauthorized access or misuse of corporate websites (13% affected, 11 attacks per organization)
Misuse of social networks (15% affected, 8 attacks)
Telecommunication fraud (8% affected, 9 attacks)
The average number of attacks (for malware and all other cyber crime
types covered by the survey), was calculated by dividing the total number
of reported incidents by total number of organizations that experienced
them (this calculation excluded organizations that were not affected).
In many surveyed organizations the individuals responsible for IT security also cover a range of other roles - 74% have
three or more responsibilities.
Table 1: Which of the following aspects of security are you responsible for within your organization?
[Bar chart, 0-100% scale. Legible categories: IT related security; Risk assessment.]
Table 2/3: Do you believe this is sufficient to mitigate the threat of Cyber Crime and
if not what should the percentage be?
[Two bar charts, 0-100% scale. First chart (N=353), response categories: Yes; No; Don't know/Refused. Second chart, "What percentage should it be?" (N=42), legible categories: 20% or more; 6-10%; 5%; Under 5%; Don't know/Refused.]
Table 4: Which of the following represent the greatest Cyber Crime threats for your organization?
[Bar chart, 0-100% scale. Legible categories: Financial fraud; Telecommunications fraud.]
Concerns with financial fraud are more visible in the Retail (52%) and Financial industries (50% each) than in the
Utilities (35%) or Aerospace/Defense (28%) sectors.
As revenues increase, concerns about nearly every form of cyber crime go up, especially for large businesses, e.g.
phishing/social engineering (61% vs. 42% overall), theft of devices with company info (55% vs. 40% overall), denial of
service (47% vs. 30%), or Advanced Persistent Threats (36% vs. 22% overall).
Nearly seven-in-ten organizations (69%) experienced some type of cyber attack over a 12 month period. Overall,
520 surveyed businesses reported a total of 5,866 cyber crime incidents, or on average 16.4 attacks per
affected organization.
The average number of attacks is higher in the Financial and Retail sectors (20 and 18 respectively), and lowest in
Aerospace/Defense, at 11 attacks (details in Table 7a overleaf).
Table 5: Approximately how many times have any of the incidents I just read occurred in your
organization in the last 12 months?
[Bar chart, 0-100% scale. Categories: None; 1 to 2; 3 to 5; 6 to 10; Over 10.]
Table 6: Incidence of various cyber crime attacks within the last 12 months
(proportion of those who experienced each attack) and frequency of each attack
[Bar chart, 0-100% scale, with a "Total # of attacks" column. Legible categories: Financial fraud; Telecommunications fraud; Denial of Service.]
Table 7: Average number of cyber crime attacks within the last 12 months as a proportion
of affected organizations (mean excl. 0) and overall (mean incl. 0)
[Bar chart, 0-50 scale. Legend: Mean (excl. 0); Mean (incl. 0). Legible categories: Telecommunications fraud; Denial of Service; Financial fraud.]
Table 7a: Average number of cyber crime attacks within the last 12 months as a proportion
of affected organizations
[Bar chart, 0-100 scale. Categories: Financial; Retail; Airlines/Shipping; Telecom; Utilities/Critical Infrastructure; Aerospace/Defense.]
Table 8: Impact of cyber crime attacks on organizations (measured on a scale of 1 to 10 where 1 means
negligible impact and 10 means major impact).
[Stacked bar chart, 0-100% scale. Legend runs from (1-2) Negligible Impact to (9-10) Major Impact, plus Don't Know/Refused. Legible categories: Financial fraud; Denial of Service; Telecommunications fraud.]
Cyber crime type | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Total Cost/Loss {A+B+C} | Average cost per attack*
Financial fraud | $1,162,553 | $155,030 | $575,100 | $1,892,683 | $6,438
[label missing] | $215,700 | $361,800 | $271,999 | $849,499 | $4,007
[label missing] | $283,475 | $456,259 | $32,203 | $771,937 | $454
Sabotage of data or networks | $347,499 | $104,300 | $131,499 | $583,298 | $5,952
Telecommunications fraud | $178,200 | $169,300 | $153,000 | $500,500 | $1,209
Denial of Service | $50,000 | $172,050 | $11,700 | $233,750 | $1,067
[label missing] | $123,135 | $11,455 | $17,445 | $152,035 | $103
Unauthorized access or misuse of website | $40,510 | $50,599 | $28,599 | $119,708 | $161
[label missing] | $- | $100,300 | $- | $100,300 | $1,454
[label missing] | $39,299 | $9,999 | $16,098 | $65,396 | $113
[label missing] | $42,300 | $17,510 | $- | $59,810 | $1,031
Total Cost/Loss | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 |
* Average cost per attack calculation: Total cost/loss divided by number of attacks within each cyber crime type.
Table 10: Total costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers) by industry and
revenue size.
Industry | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Total Cost/Loss | Number of total incidents per industry | Average cost per attack
Telecom Technology | $943,724 | $547,299 | $391,097 | $1,882,120 | 796 | $2,364
Airlines / Shipping | $492,755 | $263,410 | $524,509 | $1,280,674 | 765 | $1,674
Financial | $388,437 | $257,248 | $263,642 | $909,327 | 2039 | $446
Utilities / Critical Infrastructure | $154,599 | $403,349 | $11,199 | $569,147 | 625 | $911
Retail | $398,556 | $70,096 | $45,396 | $514,048 | 1424 | $361
[label missing] | $104,600 | $67,200 | $1,800 | $173,600 | 217 | $800
Total | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 | |

Revenue size | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Total Cost/Loss | Number of total incidents per industry | Average cost per attack
[label missing] | $1,140,316 | $501,842 | $432,943 | $2,075,101 | 2,800 | $741
[label missing] | $726,550 | $609,860 | $577,500 | $1,913,910 | 1,931 | $991
[label missing] | $615,805 | $496,900 | $227,200 | $1,339,905 | 1,135 | $1,181
Total | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 | |
* Average cost per attack calculation: Total cost/loss divided by number of attacks within each cyber crime type.
An outlier is a value that is numerically distant from, or is outside, the rest of the data (e.g., an extreme value). In larger samplings of data, a small number
of extreme data points (outliers) are expected. Extreme outliers have been eliminated from the analysis in order to produce results that are not distorted.
Cyber crime does not significantly affect organizational reputation (Table 11). On average, 17% of cyber attacks (any
form) cause some (13%) or significant (5%) reputational damage.
Sabotage of data and networks causes relatively more reputational harm than any other attack, at 30% (15%
significant and 15% some reputational damage).
Because of small base sizes, the data for individual forms of attacks cannot be analyzed by industry or
revenue range.
[Stacked bar chart of reputational damage by attack type. Legend: Some; Significant. Legible categories: Financial fraud; Telecommunications fraud.]
Over half (56%) say that more than 60% of incidents were
external, 10% believe that fewer than 30% were external,
and 13% say that 31%-60% were external. As many as
41% believe that 100% of incidents were external.
Telecom reports the highest proportion of exclusively
external attacks: 65% say 100% of attacks were
external, followed by Aerospace/Defense at 47% and
Utilities at 44%.
Nearly half (48%) of small businesses say that 100%
of incidents were external, while it is only the case for
a third of medium and large businesses.
There are no other discernible patterns by business size.
[Bar chart, 0-100% scale. Legible categories: Awareness seminars; Posters; Other; Don't know/refused.]
[Bar chart, 0-100% scale. Legible categories: CEO/Senior Management; IT / IS Manager; Other; Other Security; Network Manager; Financial Director Or Equivalent; Human Resources; Don't Know; Legal / Counsel; Facilities / Group Manager.]
While surveyed organizations indicate that events and media coverage would likely be the most effective form
of building awareness of Public Safety Canada's/the RCMP's roles in combating cyber crime, a range of other
communication avenues could be just as effective in educating businesses.
Table 14: Communication strategies to employ by Public Safety Canada / the RCMP to improve building awareness
of their capabilities among Canadian Business
[Bar chart, 0-100% scale. Legible categories: Publications; Conferences; Case studies. Legible callouts: Large businesses - 66%; Aerospace - 66%; Telecom - 45%; Airlines/Shipping - 45%; Large businesses - 58%.]
Michael K. Brown
Vice President
BlackBerry Security Product
Management and Research
Legal Notice
Bob Eastman
Vice President
Lockheed Martin IS&GS-National,
Global Solutions
Global Cybercrime
As a global security company Lockheed Martin has firsthand experience defending against the most sophisticated
threats facing businesses today. We have been defending
the highly sensitive (and heavily attacked) networks of
both Lockheed Martin and its government and commercial
customers against advanced persistent threats for more
than 10 years. Increasingly, the motivation behind cyber
attacks is cybercrime. Whether it's attempting to disable
mission critical networks, gain access to classified
information, or steal corporate intellectual property, our
adversaries are becoming more agile, more persistent
and more sophisticated. These are challenges we all face
as our adversaries are not constrained by geographic,
political or national boundaries. It is imperative that,
through activities such as this cybercrime study, we find
ways to share tools, techniques and best practices to build
a stronger, truly global cyber defense.
Reconnaissance
Weaponisation
Delivery
Delivering weaponised bundle to the victim via email, web, USB, etc.
Exploitation
Installation
Actions on Objectives
http://bit.ly/killchain
Luc Villeneuve
Vice President
Canada, McAfee, Inc.
5
McAfee State of Security Report,
March 2012
Know what data you have, who has access to it and how
it is being used. By prioritizing this information, it's easier
to know what needs to be protected.
Conclusion
In this study, the Survey Report identified the significant
extent and impact of cyber crime on Canadian businesses
and the need for greater preparedness to mitigate the
threat. The survey demonstrates that across business
communities, there is a general lack of strategy,
procedures and trained personnel to combat cyber crime.
In addition, there is a need for improved communications
and education as to the threats, their effect and what
actions to take. It is also clear that awareness and
education need to be improved not only within businesses
but in messaging from government to the business
community. Those surveyed believe that Public Safety
Canada and the RCMP are the appropriate Department
and agency for this role.
The sponsors' contributions have provided a view of the
emerging threats from the adoption of new technology and
techniques, highlighting mobile communications and cloud
services as today's new targets for the cyber criminal.
The distribution of application-based malware for mobile
devices using cloud-based services for both personal and
business use will become a new threat vector of the future.
www.icspa.org
email: info@icspa.org
Tel: +44-1494-798-160
Copsham House,
53 Broad Street,
Chesham,
Buckinghamshire HP5 3EA
United Kingdom
Twitter: @cyberprotection