Canadian cybersecurity defenses stressed by COVID-19: VMware study

VMware Carbon Black has released their third annual cybersecurity threat report, a global report, which has a separate Canadian component, and the results are a decidedly mixed bag.

Rick McElroy, Cyber Security Strategist at VMware Carbon Black

VMware – specifically Carbon Black, the company VMware acquired last year for their EDR [Endpoint Detection and Response] and next-gen endpoint technology –  has released the results of their third Canada-focused cybersecurity threat report. The report, “Extended Enterprise Under Threat,” is part of a broader global study, and the Canadian data is based on a survey of 251 Canadian CIOs, CTOs and CISO, using data compiled by research firm Opinion Matters on behalf of VMware Carbon Black

The report really has two components. One is a review of the general threat landscape, while the other focuses specifically on the impact of COVID-19 in Canada.

The findings around the basic threat landscape will come as so surprise, because they continue themes that have been consistent for several years.

“The volume of attacks is increasing, as is their sophistication,” said Rick McElroy, Cyber Security Strategist at VMware Carbon Black. 99% of Canadian respondents said that attack volume has increased during the past 12 months, the highest (along with France) of all the countries surveyed. 86% said that attacks have become more sophisticated. 100% said their business has suffered a security breach in the last 12 months, with the average organization  experiencing 1.1 breaches during this time.

McElroy said these numbers are a mixed bag of both positive and negative.

“The fact that 100% of companies say they have been breached is good in a way even though it seems alarming because it shows awareness of the problem,” he stated. “There is better technology now to diagnose the problem. Teams pay more attention to breaches, with the positive impacts of CCPA and GDPR being reflected in this. The number of how many organizations have been breached multiple times has gone down, which is also a good sign.”

McElroy also noted that the Mitre Attack Framework, which was introduced in 2018, is becoming more broadly recognized – and used – in Canada.

“77% are aware of it, and 58% are using it,” he said. “This means teams are able to better focus prevention and detection and better align to respond. It will mean better red team testing, meaning that the number of breaches should come up initially, and then go down.”

On the other hand, the constant refrain of the presence of these dangers can make many execs desensitized to their importance.

“Breach fatigue is real, but this is the reality we are in,” McElroy said. “More people know how to do breaches today, and the data is a big business on the Dark Web. The World Economic Forum now says the DarkWeb is the third largest economy in the world. As a vendor we are clearly interested in baking things in to respond to this.”

The survey indicated that almost all Canadian respondents – 98% — said they plan to increase cyber defense spending in the coming year. They are already using an average of nine different security technologies in these defenses.

Web application attacks and OS vulnerabilities were the leading cause of breaches, according to the survey, followed by third party application attacks. Island hopping – targeting the weaker elements of the supply chain to gain access to ones with stronger defenses – was only cited by 2% of respondents as the most common attack type experienced, but was the source of 10% of breaches, making it a growing threat,” McElroy said.

“Companies and the channel partners who serve them really need to pay attention to this phenomenon, which is part of a new wave of API-based attacks,” he stated.

The numbers also showed an explicit threat presence stemming from COVID-19. 92% of respondents said they had been targeted by COVID-19-related malware, with 89% saying Internet of Things exposure risk has increased.

The survey found that the inability to institute multifactor authentication [MFA] was the biggest security threat during COVID-19.

“COVID exacerbates already existing conditions in implementing MFA, like varying technologies which make it hard to cover the entire environment, and existing cultural barriers,” McElroy said. “The way you onboard changes, where you have to call the user, who will not be on site, and walk them through it all manually. It means that things take longer, and there are always some risks in self-enrolment. Red testers have found that self on-boarding is an easy way to get into a company.”

The survey also found COVID makes disaster planning more difficult. 84% said there were gaps in disaster planning around communications with external parties including customers, prospects, and partners, and 48% said those gaps were significant. 87% said they had uncovered gaps in IT operations. 85% said they encountered problems enabling a remote workforce. 84% said they had experienced difficulty communicating with external parties, and 78% said they had  experienced challenges communicating with employees.

“Disaster planning is disrupted because with many companies, their security around this was around where users sat in a building and the groups they belonged to,” McElroy said. “For organizations who didn’t plan to ever send this many employees home, it broke their model. Our view at VMware Carbon Black is that there is no perimeter, and we already treated all users as remote, but we were surprised how many were not doing this and had built security around the office premises. You have companies who never even used remote video tools before because it wasn’t part of the culture of the organization.”

Despite the mixed messages from the Canadian numbers, McElroy said that the state of cybersecurity in Canada has advanced greatly in recent years.

“We work with incident response partners and agencies up there, and I would say compared to four or five years ago, I’m actually encouraged, both in terms of doing things like putting in hunting teams, and especially by the contribution back by the Canadian cybersecurity community in terms of doing things like hosting events, sharing intelligence, and taking more of a leadership role,” he commented. “I would like to see CISOs being more independent in terms of reporting direct to C level, rather than reporting to the CIO.”