Two-thirds of Canadian corporations (66%) state that current or recently departed employees are the main source of cybersecurity incidents, according to a new report from PricewaterhouseCoopers LLP (PwC) released on Wednesday.
The consulting firm’s 2016 Global State of Information Security report polls companies throughout the world on their cybersecurity strategies. The report’s release coincided with the launch of PwC’s new gamification program, Game of Threats, in Toronto on Wednesday. The game simulates the speed and complexity of real-world cyber breaches to help educate senior executives about the challenges they face in this area.
PwC’s global survey results, which are broken down by sector, found that 34% of financial services firms stated that current employees were the main source of cyber breaches in 2015; 30% of these survey participants said this was the case for former employees.
Social engineering, defined as a hacker’s ability to permeate an organization through an employee, is one of the greatest vulnerabilities for an organization and hackers know this, said Richard Wilson, partner, cybersecurity and privacy practice, PwC Canada, on Wednesday.
There are several innocent ways that an employee can become involved in a cyber attack. For example, there is technology that can easily copy the information on an employee’s office key card, thereby allowing a stranger physical access to that firm. All the cyber criminal needs to do is stand close enough to the employee for the technology to scan the employee’s key card and create an illegitimate version.
“That technology used to cost thousands of dollars and now it costs hundreds of dollars,” Wilson said. “It’s accessible.”
Wilson also suggested that professionals avoid taking free USB memory keys that are often available at events and conferences as they may contain programming that can access sensitive company information once inserted into a computer used for professional purposes.
The data in the PwC report suggests that employee training on the topic of cybersecurity should be increased. Currently, just more than half (57%) of Canadian companies state they have a program in place, according to the results of the survey.
The good news is that the financial services sector is generally ahead of other sectors in understanding the importance of developing a cybersecurity strategy. This lesson came as a result of financial services institutions being some of the early targets of cybersecurity breaches.
“[The financial services sector] understood the reputational damage related to any breach and immediate confidence loss from their customer base and so [it] simply cannot allow that to happen from a financial standpoint or a reputational standpoint,” Wilson said.
Another advantage the financial services sector has is the presence of a strong regulatory framework that prescribes a certain level of vigilance, said Wilson.
One of the issues with companies that are lacking strength on this front is that they fail to understand that cybersecurity is an overall business problem that will affect their financial performance and reputation, Wilson said. In other words, it is not limited to being a technology problem.
This is why PwC is targeting its gamification program to senior executives within the private and public sectors as opposed to information technology professionals.
PwC’s report is based on a survey of 10,000 companies, including 157 Canadian companies. It was conducted between May 7, 2015 and June 12, 2015.