STUDY OF THE IMPACT OF CYBER CRIME ON BUSINESSES IN CANADA

ICSPA Canada Cyber Crime Study Report


Introduction

The International Cyber Security Protection Alliance (ICSPA), www.icspa.org, has conducted a study on the impact of cyber crime on businesses in Canada.

    The ICSPA is a global not-for-profit organization established to channel funding, expertise and assistance directly to assist law enforcement cyber crime units in both domestic and international markets.

The ICSPA is a business-led organization comprising large national and multi-national companies who recognize the need to provide additional resourcing and support to law enforcement officers around the world in their fight against cybercrime. The ICSPA is also supported by law enforcement partners, such as Europol, and associated international organizations whose remit is complementary to our own.

    The study was sponsored by the following ICSPA Canadian business associates:

    Above Security

    BlackBerry

    CGI Group Inc.

    Lockheed Martin

    McAfee Inc.

    The purpose of the study is to provide business leaders and government officials with independent and credible data relating to the impact of cyber crime on businesses in Canada.

    The study is one of a series of studies planned by the ICSPA that will form a view of cyber crime in different parts of the world.

    The study comprises a survey of businesses in Canada and includes commentary from the sponsors providing their perspectives on cyber criminality.

    The survey was conducted across 520 small, medium and large Canadian businesses in the Finance, Airline/Shipping, Telecommunications, Utilities, Aerospace & Defense and Retail sectors.

    Each business was asked a series of questions to establish the:

    Prevalence of cyber crime

    Cyber crime impact on their business operations

    Organizational preparedness against cyber crime

    Involvement/Effectiveness/Expectations of the RCMP and/or other Government Agencies in relation to cyber crime

Awareness of the RCMP and Public Safety Canada's roles in cyber crime education and prevention.

To complement the survey and provide independent views of cyber crime from leading Canadian businesses, sponsors of the study were asked to provide papers covering the following:

    The nature of cybercrime in Canada today including threats and their impact on Industry and Business

    New and emerging cybercrime threats that may impact Canada over the next 5 years and those sectors most at risk

    Effective deterrents, responses and practices in fighting cybercrime

    Global cybercrime threats and the potential impact on Canada

    Measures needed to combat cybercrime in Canada.

This study report consists of:

Introduction

    Executive Summary

    Survey Report

    Sponsors Contributions

    Conclusions


Executive Summary

The following provides a brief overview of the ICSPA Cyber Crime Study and includes the survey findings and views of sponsors on cyber crime trends. The study provides the opportunity for the reader to review both the survey findings and the sponsor contributions, so that they may form their own conclusions as to the impact of cyber crime on business in Canada and the rest of the world. The study reinforces the need for close collaboration between the public and private sector in fighting cyber crime through the pooling of knowledge and resources.

Survey report

The survey report shows that cyber crime is fairly prevalent among Canadian businesses, with 69% reporting some kind of attack within a twelve-month period. The types and frequency of attack vary depending on the nature and size of businesses and are crafted to the crime being perpetrated.

    Malware and virus attacks are shown to be the most prevalent with phishing and social engineering coming second. Certain cyber crimes, while impacting fewer organizations, occur frequently among them.

These include:

Unauthorized access or misuse of corporate websites

    Misuse of social networks

    Telecommunication fraud

    About a quarter (26%) of those interviewed say that attacks had a considerable impact on their business both in terms of financial loss and reputational damage with financial fraud being the biggest threat. The total cost of cyber crime increases with revenues, which is reflected in the survey findings between Large, Medium and Small businesses.

The majority of respondents (64%) say that senior management takes cyber crime threats seriously. However, there are considerable gaps in Canadian businesses' preparedness against cyber crime. Large businesses are somewhat better prepared than medium and small ones, but much remains to be done to prevent and deal with such attacks.

    The help of external agencies to assist with cyber crime incidents is reported by 44% of affected organizations, with private agencies far more likely to be engaged than those from government. This preference of private versus government involvement appears common to all businesses irrespective of size and type. Overall, few organizations (11%) ever involved the RCMP or other government agencies in relation to cyber crime and the survey shows the need for greater awareness and information to business from Government bodies.

Sponsors' contributions

    Emphasizes the changes to information storage and the trend to use cloud services. They describe various threats, especially DOS and DDOS attacks and their effects. They also promote awareness and education as a key tool in the fight against cyber crime and identify the need for governments to strengthen legal and regulatory systems to address cyber crime. They also promote improved business/government collaboration.

    Highlights the growing security risks to mobile users and the shift from social engineering of computer malware to the distribution of third party app based malware via provider app stores. They also demonstrate the need for collaboration between communications providers and cyber security companies to provide a safe and trusted environment for users.

    Explains how Advanced Persistent Threats (APTs) pose a major risk to the Canadian economy through the theft of intellectual property. They describe the intelligence-driven approach they have taken to provide their analysts with the necessary information to combat the threat, through the disruption of the Cyber Kill Chain. Lockheed Martin advocates public and private sector collaboration and the sharing of information on threats and mitigation techniques.

    Provides an insight into the current Canadian cyber crime landscape and the wider global threats that impact everyone. They give an insight into new and emerging cyber crime threats that will be prevalent in 2013 with an emphasis on mobile communications and the increase in malware, mobile worms and the targeting of Near Field Communications (NFC) transactions. Their contribution provides a seven point good practice list to safeguard against cyber crime attacks.

Survey report

Table of contents

I. Objectives and Methodology

II. Executive Summary
  A. Scope of cyber crime in Canada
  B. Cyber crime and corporate responsibilities
  C. Involvement of external agencies
  D. Public Safety Canada's / the RCMP's roles in raising awareness of cyber crime

III. Conclusions and Recommendations

IV. Detailed Findings
  A. Security-related responsibilities
  B. IT budget allocation toward cyber crime prevention
  C. Appropriateness of current spending on IT security / What it should be
  D. Main cyber crime threats (as perceived by businesses)
  E. Incidence of cyber crime in the past 12 months
  F. Types of cyber crime attacks and their impact on businesses
  G. Financial costs / losses due to cyber crime
  H. Reputation damage as a result of cyber crime attacks
  I. Internal versus external cyber attacks
  J. Cyber crime impact on various organizational aspects
  K. Attitudes toward cyber crime incidents
  L. Steps employed to raise awareness of cyber crime
  M. Employment of risk assessment process
  N. Incidence and frequency of security audits
  O. Incidence of formal procedures to deal with cyber crime incidents
  P. Individuals responsible for dealing with cyber crime attacks
  Q. Familiarity with cyber crime security strategy
  R. Involvement of external agencies
  S. Involvement / Effectiveness / Expectations of the RCMP and / or other Government agencies in relation to cyber crime
  T. Awareness of Public Safety Canada's / RCMP's roles in raising awareness of cyber crime / Sources of awareness

I. Objectives and Methodology

The International Cyber Security Protection Alliance Ltd. conducted a quantitative study among Canadian businesses to measure the following characteristics:

Prevalence of cyber crime

Cyber crime impact on organizations

Organizational preparedness against cyber crime

Involvement/Effectiveness/Expectations of the RCMP and/or other Government Agencies in relation to cyber crime

Awareness of the RCMP and Public Safety Canada's roles in cyber crime education and prevention

A total of 520 telephone surveys were obtained from businesses across Canada, and these included a set of 10 interviews conducted by senior research staff.

400 surveys in English

120 surveys in French

No quota by industry and business size (revenues) was set, but a reasonable spread, representative of selected industries and revenues, was achieved.

The study covered the following 6 sectors and completes per sector:

Industry                                                      Number of completes
Financial services (in the report referred to as Financial)   n=148
Airlines, shipping, transportation (Airlines/Shipping)        n=75
Telecommunications Technology (Telecom)                       n=73
Utilities and critical infrastructure (Utilities)             n=66
Aerospace and Defense (Aerospace/Defence)                     n=29
Retail                                                        n=129

A representative spread of businesses by revenue size was also reached:

Revenue size                          Number of completes
Under $1 Million                      n=22
$1 Million to under $5 Million        n=229
$5 Million to under $10 Million       n=90
$10 Million to under $20 Million      n=61
$20 Million to under $50 Million      n=54
$50 Million to under $100 Million     n=27
$100 Million or more                  n=37

For the purposes of more meaningful analysis, the revenue sizes were combined into, and examined as, three segments:

Revenue size                                           Number of completes
Small: revenues under $10 Million                      n=341
Medium: revenues of $10 Million to under $50 Million   n=115
Large: revenues of $50 Million or more                 n=64

Overall, the results are accurate to within ±4.38%, nineteen times out of twenty.

The survey was conducted between November 15 and December 15, 2012.

A note on differences in responses by industry and business size identified throughout the report:

Because the sample sizes within each industry and business size are relatively small, differences of at least 9 percentage points between a particular sub-segment and the total sample responses are needed to be deemed statistically significant. The table below specifies what constitutes a statistically significant difference between each segment and the overall results. For results between small sub-segments to be statistically significant, the differences would have to be even larger than the ones indicated in the table below. All other differences should be viewed as directional.

Industry             Number of completes   Difference from total (n=520) that is statistically significant
Financial            n=148                 9 points
Airlines/Shipping    n=75                  12 points
Telecom              n=73                  12 points
Utilities            n=66                  12 points
Aerospace/Defense    n=29                  19 points
Retail               n=129                 9 points

Revenue size                                           Number of completes   Difference from total (n=520) that is statistically significant
Small: revenues under $10 Million                      n=341                 6 points
Medium: revenues of $10 Million to under $50 Million   n=115                 10 points
Large: revenues of $50 Million or more                 n=64                  12 points

II. Executive Summary

A. Scope of cyber crime in Canada

    Overall, cyber crime is fairly prevalent among Canadian businesses, with 69% reporting some kind of attack within a twelve-month period. A total of 5,866 attacks were reported or 16.5 attacks per affected business.

    However, for the most part, each form of cyber crime does not have high incidence among businesses, with malware/virus attacks being an exception as they occurred among 51% of businesses (6.6 attacks per business). Phishing and social engineering attacks are a distant second, at 18%. Although reported by a relatively low number of organizations, the frequency of phishing/social engineering attacks within these organizations is very high (17.2 attacks). All other forms of attacks are reported among 15% or fewer organizations, however, it is noteworthy that certain cyber crimes, while impacting fewer organizations, occur frequently among them. These include:

    Unauthorized access or misuse of corporate websites (13% affected, 11 attacks per organization)

Misuse of social networks (15% affected, 8 attacks)

Telecommunication fraud (8% affected, 9 attacks)

    Cyber crimes do not result in far-reaching negative consequences to organizations. Among those affected, only about a quarter (26%) say the attacks had a considerable impact (severity of 7 to 10 on a 10 point scale) on their business. They also do not significantly affect organizational reputation. On average, only 17% of cyber attacks cause between some (13%) to significant (5%) reputational damage.

    Cyber crime attacks conducted over the past 12 months resulted in total financial losses of approximately $5,328,916, or $14,844 per affected organization, on average.

    Of this sum, financial fraud accounts for the largest portion (36%, $1,892,683, or $6,438 per attack).

    Theft of devices containing company information is a distant second source of costs (16%, or $849,499, $4,007 per attack).

    1 The average number of attacks (for malware and all other cyber crime types covered by the survey), was calculated by dividing the total number of reported incidents by total number of organizations that experienced them (this calculation excluded organizations that were not affected).

    Because of high incidence among businesses, malware and virus attacks represent the third highest cost overall, at $771,937, but the average loss per incident is relatively low, at $454.

    Sabotage of data and networks is 4th in terms of incurred costs, with $583,298 in losses, but the average cost per incident is 2nd highest, $5,952.

    Total cost due to cyber crime attacks increases with revenues: on average, an incident costs large organizations $1,181, compared to $991 in medium, and $741 in small ones.

    Cyber crime attacks tend to be viewed as originating outside rather than within the organizations.

    Over half (56%) of affected businesses say that more than 60% of incidents were external and 41% believe that 100% were external.

    Only 21% of respondents believe that over 60% of incidents were internal, and fewer (12%) believe that 100% of incidents are attributed to internal attacks.

    B. Cyber crime and corporate responsibilities

Although a majority of respondents (64%) say that senior management takes cyber crime threats seriously, there are considerable gaps in Canadian businesses' preparedness against cyber crime. Large businesses are somewhat better prepared than medium and small ones, but much remains to be done to prevent and deal with such attacks.

    A majority (64%) employs just one or two ways to raise awareness of cyber crime in organizations, mostly through emails (59%) and corporate guidelines/ manuals (54%). Nearly one-in-five (19%) organizations do nothing to raise awareness of cyber crime, and this is more frequent among small organizations than medium and large ones.

    Risk assessment processes are not common among surveyed businesses; only 22% employ them, and 77% do not. This behaviour holds across industries. Likelihood of employing such processes increases with revenues.

    Few organizations (6%) report accreditation of IT security standards, and this percentage is equally low across industries and revenue levels.

    Of those without accreditation, just over half (56%) say they carry out regular security audits. Regular audits also increase with revenues.


    Most organizations (69%) do not have formal procedures in place to follow in the event of a cyber crime; only 28% do. Again, such procedures are more common in large businesses than in medium or small ones.

Similarly, only about a third (28%) have a trained crisis management team, and this is somewhat higher only among organizations with the largest revenues ($100 million or more), at 41%. Typically, senior management and senior/key IT security personnel (e.g., head of IT, CIO, IT director) would deal with any type of cyber crime incident. The same individuals would most likely make the decision to involve external agencies in the case of a cyber crime attack.

    Canadian businesses have minimal awareness of the 2010 Cyber crime security strategy (7%).

    C. Involvement of external agencies

    Involvement of external agencies in relation to cyber crime is reported by 44% of affected organizations, with private agencies far more likely to be engaged than government ones (63% and 21% respectively).

In general, this preference for private over government involvement appears to hold among all businesses: 39% of all surveyed businesses say they would first engage a private organization, and 29% would first reach out to a government agency.

However, when asked to specify which organizations these would be, some confusion exists among businesses as to which external agencies they would be likely to contact in the event of a cyber crime attack.

    A plurality (46%) would not know who to contact, but other more often cited top-of-mind mentions include government, not private organizations: 23% mentioned the RCMP, 20% police, and only 8% mentioned other (private) organizations.

    Overall, few organizations (11%) ever involved the RCMP or other government agencies in relation to cyber crime, and of those, two thirds (62%) felt that the organizations effectively handled the situation, while 30% were dissatisfied.

D. Public Safety Canada's / the RCMP's roles in raising awareness of cyber crime

    Awareness of cyber crime prevention campaigns is low, at 12% (comparatively higher among large businesses, at 19%).

    Overall, 39% of businesses are aware that at least one of the two organizations has a role in combating cyber crime, and a majority (67%) of those aware view this responsibility as relevant.

    Organizations expect the RCMP and other government agencies to primarily build awareness of cyber crime and its prevention (45%), with active prevention, investigation and prosecution at a distant second (17%).

    Media (TV, news, newspapers, internet) should be the key element in the awareness building strategy, given that it is the main driver of awareness (76%), with all other methods trailing behind (under 10% each).

    But businesses indicate that a range of other means of educating/promotion would also be effective in raising awareness of cyber crime, with events/media coverage (69%), internet presence (62%) and publications (61%) being the top three suggestions.

III. Conclusions and Recommendations

There are multiple gaps in cyber crime preparedness among Canadian businesses, from a lack of trained personnel to a lack of strategies and procedures that could mitigate such attacks.

Two factors could be responsible for this situation:

The damage (financial or reputational) caused by cyber attacks has not been significant enough to merit shifts in attitudes and behaviour, and/or

Organizations do not have enough awareness and knowledge of what strategies they should be implementing to minimize their vulnerability to such attacks.

There is a widespread need for information and education on the subject, and Public Safety Canada and the RCMP are the appropriate organizations to fulfill this need by serving as the main sources of awareness, knowledge and support in building awareness of cyber crime. Businesses expect these two organizations to be more visible in fulfilling these roles.

Mainstream media appears to be an effective choice for initial awareness building; however, communication and outreach to businesses should go beyond mass media, reaching them with more targeted publications and messages.

IV. Detailed Findings

A. Security-related responsibilities

    In many surveyed organizations the individuals responsible for IT security also cover a range of other roles - 74% have three or more responsibilities.

    Generally a similar pattern holds across industries and revenue sizes.

Table 1: Which of the following aspects of security are you responsible for within your organization? (% of respondents)

IT related security                           79
Risk assessment                               69
Business continuity and resilience            67
Development of security policy                67
Physical security of personnel & property     61
Other aspects of security                     39
Don't know/refused                            4

    B. IT budget allocation toward cyber crime prevention

    Across industries and business sizes, a majority of organizations (51%) allocate 1-5% of their IT budget to cyber crime prevention.

About 6% don't apportion any amount to cyber crime prevention, 8% allocate 6%-25%, 2% apportion over 25%, and a third (32%) does not know whether anything is allocated for this purpose, or how much.

These proportions generally hold across industries and business sizes, although small businesses are slightly more likely than large and medium size businesses not to allocate any of their IT budget to cyber crime prevention (9% vs. 2% and 3% respectively).

    C. Appropriateness of current spending on IT security/ What it should be

    A majority of respondents (78%) find the budget allocation sufficient, and 12% disagree.

    The response pattern is the same across all industries. The only significant difference in views is among large businesses, as 28% believe that the budget allocated to cyber crime prevention is insufficient.

Among those who feel the allocation is inappropriate, opinions are split: 45% say it should be 5% or less, 25% believe it should be over 5%, and 29% do not know what it should be.

The small base size (n=42) doesn't allow for further reliable breakdown, but there does not appear to be any underlying pattern.


    D. Main cyber crime threats (as perceived by businesses)

    Malware and virus attacks are by far the highest concern among Canadian businesses (75%), regardless of size and industry.

Concern about sabotage of data or networks is more pronounced in the Utilities (59%), Aerospace/Defense (55%) and Financial (51%) sectors than in Retail (36%) or Airlines/Shipping (43%).

Table 2/3: Do you believe this is sufficient to mitigate the threat of Cyber Crime, and if not, what should the percentage be?

Is the current allocation sufficient? (N=353, %)

Yes                    78
No                     12
Don't know/Refused     10

What percentage should it be? (N=42, %)

20% or more            11
6-10%                  14
5%                     26
Under 5%               19
Don't know/Refused     29

Table 4: Which of the following represent the greatest Cyber Crime threats for your organization? (% of respondents)

Malware, such as Trojans, worms and virus attacks       75
Sabotage of data or networks                            47
Financial fraud                                         45
Phishing, spear phishing, social engineering            42
Theft of laptop(s)... devices with company info         40
Unauthorized access or misuse of website                38
Misuse of social networks by employees                  34
Denial of service                                       30
Telecommunications fraud                                29
Theft of other hardware                                 25
Advanced Persistent Threats (APTs)                      22

Concerns about financial fraud are more visible in the Retail (52%) and Financial (50%) industries than in the Utilities (35%) or Aerospace/Defense (28%) sectors.

    As revenues increase, concerns about nearly every form of cyber crime go up, especially for large businesses, e.g. phishing/social engineering (61% vs. 42% overall), theft of devices with company info (55% vs. 40% overall), denial of service (47% vs. 30%), or Advanced Persistent Threats (36% vs. 22% overall).

    E. Incidence of cyber crime in the past 12 months

    Nearly seven-in-ten organizations (69%) experienced some type of cyber attack over a 12 month period. Overall, 520 surveyed businesses reported a total of 5,866 cyber crime incidents, or on average 16.4 attacks per affected organization.

    The average number of attacks is higher in the Financial and Retail sectors (20 and 18 respectively), and lowest in Aerospace/Defense, at 11 attacks (details in table 7a overleaf).

Table 5: Approximately how many times have any of the incidents I just read occurred in your organization in the last 12 months? (% of respondents)

Response bins: None / 1 to 2 / 3 to 5 / 6 to 10 / Over 10

Values recoverable from the extracted chart: None 31, 1 to 2 23, Over 10 23; the values for the 3 to 5 and 6 to 10 bins are garbled in the extraction.

Mean number of attacks: 16.4

The average number of attacks is higher among medium and large organizations (22-23 attacks, compared to 13 in small businesses).

    As table 6 below shows, malware and virus attacks are the most common form of cyber crime. Over a 12 month period, half (51%) of organizations experienced them. This pattern holds across industries and business sizes.

    Respondents reported 1,701 malware and virus attacks. This represents 6.6 attacks per affected business.

    Medium and large businesses reported the highest average number of such attacks, at 11 and 9, compared to 5 attacks among small businesses. Across industries, the Financial and Telecom sectors reported the highest number of such attacks, at 8 each.


    Phishing, Spear Phishing and Social Engineering are the second most frequently experienced types of cyber crime attacks, although among considerably fewer organizations than malware.

    Over a 12 month period, fewer than one-in-five (18%) of organizations experienced them, but they reported 1,478 such incidents, or 17.2 attacks per organization, making it the most persistent form of all measured cyber crimes.

    Medium and small businesses were more likely to be targeted, each reporting 18 attacks on average, compared to 13 among large businesses. Across industries, the Airlines/Shipping and Financial sectors had the highest average number of such attacks, at 28 and 24 respectively.

    Other noteworthy differences by industries and business sizes include:

Unauthorized access or misuse of corporate websites was experienced by only 13% of organizations, but those few report a large number of such incidents: 745, or 11 per organization, on average. This form of attack is most prevalent in Retail, with 25 incidents on average, followed by the Financial industry, at 14 attacks. It is also more frequent among medium and large businesses, at 17 and 18 attacks respectively, compared to 6 in small organizations.

Financial fraud (at 14% incidence, 294 incidents) is more common in the Retail industry, at 7 attacks, with Telecom a distant second at 4 attacks. It is more prevalent among large businesses, at 9 attacks compared to 3 and 4 among medium and small businesses.

Telecommunications fraud (at 8% incidence, 414 incidents) is more common in the Financial and Retail industries, at 13 and 11 incidents respectively, and much more prevalent among large businesses, at 21 attacks compared to 7 and 8 among medium and small businesses.

Table 6: Incidence of various cyber crime attacks within the last 12 months (proportion of organizations that experienced each attack) and total number of attacks reported

                                                                                       Experienced (%)   Total # of attacks
Malware, such as Trojans, worms and virus attacks                                      51                1,701
Phishing, Spear Phishing, Social Engineering                                           18                1,478
Misuse of social networks by employees                                                 15                578
Financial fraud                                                                        14                294
Unauthorized access or misuse of website                                               13                745
Theft of laptop(s), smart phones, tablets and other devices containing company info    13                212
Denial of Service                                                                      10                219
Telecommunications fraud                                                               8                 414
Sabotage of data or networks                                                           8                 98
Advanced Persistent Threats (APTs)                                                     4                 69
Theft of other hardware                                                                3                 58


Table 7: Average number of cyber crime attacks within the last 12 months, among affected organizations (mean excl. 0) and overall (mean incl. 0)

                                                                                       Mean (excl. 0)   Mean (incl. 0)
Phishing, Spear Phishing, Social Engineering                                           17.2             2.8
Unauthorized access or misuse of website                                               11.1             1.4
Telecommunications fraud                                                               9.4              0.8
Misuse of social networks by employees                                                 7.9              1.1
Malware, such as Trojans, Worms and Virus attacks                                      6.6              3.3
Denial of Service                                                                      4.5              0.4
Financial fraud                                                                        4.3              0.6
Advanced Persistent Threats (APTs)                                                     4.1              0.1
Theft of other hardware                                                                3.6              0.1
Theft of laptop(s), smart phones, tablets and other devices containing company info    3.2              0.4
Sabotage of data or networks                                                           2.5              0.2

Table 7a: Average number of cyber crime attacks within the last 12 months among affected organizations, by industry

Financial                            20
Retail                               18
Airlines/Shipping                    14
Telecom                              14
Utilities/Critical Infrastructure    14
Aerospace/Defense                    11

Calculation: total number of incidents per industry divided by total affected per industry.


    table 8: Impact of cyber crime attacks on organizations (measured on a scale of 1 to 10 where 1 means negligible impact and 10 means major impact).

    Financial fraud

    Sabotage of data or networks

    Denial of Service

    Advanced Persistent Threats (APTs)

    Telecommunications fraud

    Unauthorized access or misuse of website

    Theft of other hardware

    Phishing, Spear Phishing, Social Engineering

    Theft of devices containing company information

    Malware, such as Trojans, Worms and Virus attacks

    Misuse of social networks by employees

    0 20 40 60 80 100

    26

    18 18 15 5 40

    16 20 24 20 22

    15 10 20 35 20

    14 7 32 18 30

    13 10 25 21 31

    13 6 25 13 44

    12 10 19 19 40

    11 12 20 20 36

    11 12 16 24 37

    10 9 15 19 47

    (9-10) Major Impact (7-8) Considerable Impact (5-6) Some Impact (3-4) Minor Impact (1-2) Negligible Impact Dont Know/Refused

    %

    11 14 24 24 1

    5

    2

Incidence of the various cyber crimes fluctuates somewhat by industry; the following show the highest dispersion:

Financial fraud is more common in the Retail and Financial industries (19% and 16% respectively) and lowest in Aerospace/Defense and Utilities (5% and 3% respectively).

Unauthorized access to websites is more common in Airlines/Shipping and Telecom (20% and 19% respectively) and lowest in Aerospace/Defense (7%).

Denial of service is more common in Telecom (19%) and lowest in Retail (5%).


F. Types of cyber crime attacks and their impact on businesses

On average, of the 69% of organizations affected by some form of cyber crime, 46% say that the incident(s) had at least some impact (severity of 5 or more on a 10-point scale) on their business.

About a quarter of organizations (26%) say the attacks had a considerable impact (rated 7 or more on a 10-point scale). The top three such cyber crimes are relatively low in incidence and frequency: financial fraud (37% considerable impact), and sabotage of data or networks and denial of service (36% each). Table 8 provides more details.

By comparison, incidents of high prevalence, such as malware and virus attacks and phishing/social engineering, have a very negative impact on relatively fewer organizations: 23% and 22% respectively rate the impact as considerable (7-10 out of 10).

The severity of impact of each cyber crime type varies by industry (less so by size), with the following most affected (severity of 7-10 out of 10):

Sabotage of data or networks: Telecom 63%

Financial fraud: Airlines/Shipping 60%, Telecom 50%

Advanced Persistent Threats (APTs): Aerospace/Defense 50%, large businesses 50%

Phishing/social engineering: Aerospace/Defense 50%


G. Financial costs/losses due to cyber crime

Cyber crime attacks over the past 12 months cost the surveyed businesses a total of $5,328,916. This translates to an average of $14,844 per affected business.

Financial fraud accounts for the largest proportion of total cost (36%), at $1,892,683. With 294 reported financial fraud attacks, the average cost per attack is $6,438.

Theft of devices containing company information is the second largest source of cost, at $849,499 or 16% of the total. Each incident cost companies $4,007 on average.

Because of its high incidence among businesses, malware and virus attacks account for the third highest cost overall, at $771,937, but the average loss per incident is relatively low, at $454.

Sabotage of data and networks is fourth in terms of incurred costs, with $583,298 in losses, but its average cost per incident is the second highest, at $5,952.

More details can be found in Table 9.

Table 9: Costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers; see footnote 4)

Cyber crime type                                    Financial loss {a}  Cost of recovery {b}  Loss of business {c}  Total cost/loss {a+b+c}  Average cost per attack*
Financial fraud                                     $1,162,553          $155,030              $575,100              $1,892,683               $6,438
Theft of devices containing company information     $215,700            $361,800              $271,999              $849,499                 $4,007
Malware, such as Trojans, Worms and Virus attacks   $283,475            $456,259              $32,203               $771,937                 $454
Sabotage of data or networks                        $347,499            $104,300              $131,499              $583,298                 $5,952
Telecommunications fraud                            $178,200            $169,300              $153,000              $500,500                 $1,209
Denial of Service                                   $50,000             $172,050              $11,700               $233,750                 $1,067
Phishing, Spear Phishing and Social Engineering     $123,135            $11,455               $17,445               $152,035                 $103
Unauthorized access or misuse of website            $40,510             $50,599               $28,599               $119,708                 $161
Advanced Persistent Threats (APTs)                  $ -                 $100,300              $ -                   $100,300                 $1,454
Misuse of social networks by employees              $39,299             $9,999                $16,098               $65,396                  $113
Theft of other hardware                             $42,300             $17,510               $ -                   $59,810                  $1,031
Total cost/loss                                     $2,482,671          $1,608,602            $1,237,643            $5,328,916

* Average cost per attack: total cost/loss divided by the number of attacks within each cyber crime type.


Costs incurred by cyber crime attacks are comparatively higher in the Telecom and Airlines/Shipping industries (Table 10), with the average cost per incident also higher in these sectors: about $2,364 per incident in Telecom and $1,674 in Airlines/Shipping.

Total cost due to cyber attacks increases with revenue size: on average, an incident in a large organization costs $1,181, compared to $991 in medium-sized businesses and $741 in small ones.

Table 10: Total costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers) by industry and revenue size

By industry

Industry                             Financial loss {a}  Cost of recovery {b}  Loss of business {c}  Total cost/loss  Number of incidents  Average cost per attack*
Telecom / Technology                 $943,724            $547,299              $391,097              $1,882,120       796                  $2,364
Airlines / Shipping                  $492,755            $263,410              $524,509              $1,280,674       765                  $1,674
Financial                            $388,437            $257,248              $263,642              $909,327         2,039                $446
Utilities / Critical Infrastructure  $154,599            $403,349              $11,199               $569,147         625                  $911
Retail                               $398,556            $70,096               $45,396               $514,048         1,424                $361
Aerospace and Defense                $104,600            $67,200               $1,800                $173,600         217                  $800
Total loss / cost                    $2,482,671          $1,608,602            $1,237,643            $5,328,916

By business size (revenues)

Revenue segment                      Financial loss {a}  Cost of recovery {b}  Loss of business {c}  Total cost/loss  Number of incidents  Average cost per attack*
Under $10 Million                    $1,140,316          $501,842              $432,943              $2,075,101       2,800                $741
$10 Million to under $50 Million     $726,550            $609,860              $577,500              $1,913,910       1,931                $991
$50 Million or More                  $615,805            $496,900              $227,200              $1,339,905       1,135                $1,181
Total loss / cost                    $2,482,671          $1,608,602            $1,237,643            $5,328,916

* Average cost per attack: total cost/loss divided by the number of attacks within each industry or revenue segment.

4 An outlier is a value that is numerically distant from, or outside, the rest of the data (e.g., an extreme value). In larger samples, a small number of extreme data points (outliers) are expected. Extreme outliers have been eliminated from the analysis so that the results are not distorted.


H. Reputation damage as a result of cyber crime attacks

Cyber crime does not significantly affect organizational reputation (Table 11). On average, 17% of cyber attacks (any form) cause some (13%) or significant (5%) reputational damage.

Sabotage of data and networks causes relatively more reputational harm than any other attack, at 30% (15% significant and 15% some reputational damage).

Because of small base sizes, the data for individual forms of attack cannot be analyzed by industry or revenue range.

Table 11: Reputation damage as a result of cyber attacks (% of affected organizations)

Attack type                                                                                  Significant  Some
Sabotage of data or networks                                                                 15           15
Attacks such as Denial of Service                                                            6            18
Financial fraud                                                                              6            15
Misuse of social networks by employees                                                       3            18
Unauthorized access or misuse of website                                                     7            13
Advanced Persistent Threats (APTs)                                                           20 (only one segment labelled in the chart)
Telecommunications fraud                                                                     5            14
Theft of other hardware                                                                      13 (only one segment labelled in the chart)
Theft of laptop(s), smart phones, tablets and other devices containing company information   3            8
Malware, such as Trojans, worms and virus attacks                                            3            6
Attacks including Phishing, Spear Phishing and Social Engineering                            4            3

I. Internal versus external cyber attacks

Cyber crime incidents tend to originate outside the company.

Over half (56%) say that more than 60% of incidents were external, 10% believe that fewer than 30% were external, and 13% say that 31%-60% were external. As many as 41% believe that 100% of incidents were external.

Telecom reports the highest proportion of exclusively external attacks: 65% say 100% of attacks were external, followed by Aerospace/Defense (47%) and Utilities (44%).

Nearly half (48%) of small businesses say that 100% of incidents were external, compared with only a third of medium and large businesses.

There are no other discernible patterns by business size.

Only 21% of respondents report that over 60% of incidents were internal, 17% say fewer than 30% were internal, and 13% say that 31%-60% were internal.

Only 12% believe that 100% of incidents are attributable to internal attackers.

There are no patterns in the data by industry or business size.

J. Cyber crime impact on various organizational aspects

Generally, the business's ability to operate is the most often mentioned concern (64%) associated with cyber crime across industries and business sizes, but other aspects closely tied to the business's wellbeing, such as doing business with customers, company finances and public image, are not far behind in importance (52%-59%).


    Public image and reputation are more of a concern in the Utilities, Telecom, and the Financial sectors (around 60% each), compared to about 40% for the remaining industries.

K. Attitudes toward cyber crime incidents

Nearly two-thirds (64%) believe that senior management treats cyber crime incidents with serious to considerable interest (scores of 7 to 10 out of 10).

The perceived level of concern about cyber crime among employees is lower, with 43% giving it 7 to 10 out of 10 on the interest scale.

Given that individuals in senior/management positions answered the survey, the results for the above question may be biased toward management.

The level of concern among senior management is roughly the same across industries, although its intensity (scores of 9 or 10 out of 10) is higher in Telecom and Airlines/Shipping (49% and 47% respectively) than in Retail or Utilities (33% and 26% respectively).

Employees are viewed as less concerned about cyber crime across industries. Slightly more concern among employees is reported in Telecom and Utilities businesses (54% and 51% respectively), and the least in Retail (32%).

L. Steps employed to raise awareness of cyber crime

A plurality of businesses (42%) employ only one or two approaches to raising awareness of cyber crime, mostly e-mails (59%) and corporate guidelines and manuals (54%). A quarter (26%) employ three or four approaches, and 13% use five or more. Nearly one in five organizations (19%) do nothing to raise awareness of cyber threats.

Small organizations are more likely to provide no information to their employees (25%) than medium and large ones (7% and 8% respectively).

Large businesses tend to offer more opportunities for building awareness of cyber crime: 28% employ five or more methods (compared to 14% of medium-sized and 8% of small organizations, and 13% overall).

M. Employment of risk assessment processes

Overall, only 22% employ risk assessment processes for cyber crime; 77% do not, and 1% don't know.

This holds across industries. Telecom tops the list, with 33% of organizations reporting such processes; Retail is lowest, at 11%.

Table 12: Steps employed to raise awareness of cyber crime (%)

Send e-mails round / reminding / updating   59
Corporate guidelines / manuals              54
Information on your intranet                31
Formal activities to raise awareness        21
Formal security training courses            19
Awareness seminars                          17
Posters                                     10
Other                                       12
Don't know/refused                          19


    Likelihood of employing risk assessment processes increases with revenues: 45% of large businesses do so, compared to 23% among medium, and 17% among small businesses.

    Few organizations (6%) report accreditation of IT security standards. This percentage is equally low across industries and revenue levels.

In this small group, 1% each are accredited to ISO 27001, a national IT security standard or an international IT security standard, and 3% report other accreditations.

    N. Incidence and frequency of security audits

    Of those not accredited to national or international IT security standards (94% of surveyed organizations), over half (56%) say that they carry out regular security audits.

In all but one industry, over half conduct regular audits. It is highest among Utilities organizations (68%); in Retail, only 42% do so.

Incidence of regular security audits increases with revenues: 84% of large businesses say they conduct regular audits, compared to 66% of medium and 49% of small organizations.

A plurality (38%) conduct audits at least monthly, 17% every three to four months, 9% every six months, 21% annually, and 7% at some other frequency. 8% do not know.

    O. Incidence of formal procedures to deal with cyber crime incidents

A majority (69%) of organizations do not have formal procedures that must be followed when cyber crime is identified; fewer than a third (28%) do.

The proportion is somewhat higher in the Aerospace/Defense, Telecom and Financial industries (34% and 33%), and lower in Airlines/Shipping and Retail (25% and 24% respectively), with Utilities on par with the average at 27%.

It is also higher in large businesses, at 47% (particularly those with revenues of $100 million or more: 57%), compared to 29% in medium and 25% in small ones.

Likewise, fewer than a third of organizations (28%) have a trained crisis management team to respond to cyber crime incidents.

This is higher in the Aerospace/Defense, Telecom and Financial industries (38%, 36% and 34%), and lower in Retail and Airlines/Shipping (19% and 17%), with Utilities at 27%, on par with the average.

Presence of trained crisis management teams is considerably higher only in the largest revenue segment ($100 million or more), at 41%.

    P. Individuals responsible for dealing with cyber crime attacks

    Senior management and individuals responsible for IT/Information security are the key decision-makers and response teams, regardless of industry and revenue size.

    The same individuals are also most likely to decide whether an external agency should be involved in cyber crime attacks.


    Q. Familiarity with cyber crime security strategy

Awareness of the 2010 Canadian cyber security strategy is very low, at 7%, and this holds across industries and revenue sizes.

    It is slightly higher in Aerospace/Defense (10%) and Utilities (9%) and lowest in Retail and Telecom (6% and 5% respectively).

    It is also comparatively higher in large businesses (14%), than in medium (10%), and small ones (5%).

Although familiarity with the strategy is minimal, higher awareness has the potential to drive positive change in IT security among Canadian businesses.

A quarter (26%, n=10) of those aware say it influenced their company's approach to cyber crime security: 80% increased IT security investments, 50% changed policies, and 20% introduced cyber crime awareness training.

    Given the small base size, the results should be used with caution, for directional purposes only.

    R. Involvement of external agencies

    Over half (56%) of the organizations that experienced cyber crime attacks did not involve any external agencies, and 44% did (this represents 30% of all respondents).

    Of those who did, a majority (63%) engaged private and 21% government agencies.

In a scenario where involvement of external agencies was necessary, a plurality (39%) of all surveyed organizations say they would opt to first engage private organizations, and 29% would first turn to government organizations; 6% say it would depend on the type of incident, 2% would contact both, 15% wouldn't know, and 9% provided other comments.

    Retail and Financial organizations would be more likely to first contact private agencies (47% and 45% respectively), while Aerospace/Defense, Airlines/Shipping, and Utilities would first reach to government organizations (38%, 35% and 34% respectively).

    Business size has no influence on the type of agencies that would be contacted: all have a somewhat stronger preference for private organizations.

While businesses initially show a preference for private agencies, when asked to specify which organizations they would contact following a cyber crime attack, private organizations are not top-of-mind. A plurality (46%) would not know whom to contact, with most other respondents citing a government organization or agency: 23% the RCMP, 20% local/provincial police, and 6% some other government organization. Only 8% would contact other organizations. These views are uniform across industries and business sizes.

Table 13: Decision-makers in cyber crime attacks (%). First column: decision maker in cyber crime attacks; second column: decision maker regarding involvement of external agencies. Values are as read from the chart, where the two series were run together (e.g. 5051 = 50 / 51).

Role                                     In cyber crime attacks   Re: involvement of external agencies
CEO/Senior Management                    50                       51
IT / IS Manager                          27                       9
Head of IT / IT Director / CIO / CISO    21                       21
General Manager/Operations               17                       11
Other                                    7                        16
Other Security                           3                        23
Network Manager                          1                        (not legible)
Financial Director or equivalent         3                        22
Human Resources                          1                        22
Don't know                               1                        1
Legal / Counsel                          1                        1
Facilities / Group Manager               (not legible)            (not legible)


    S. Involvement / Effectiveness / Expectations of the RCMP and/or other Government agencies in relation to cyber crime.

    The incidence of ever involving the RCMP or other government agencies is small overall (11%, n=57).

The RCMP and/or government agencies are primarily contacted to report an incident/crime (59%); 24% do so as part of their legal obligations.

    The top two occurrences involved financial fraud and general fraud/theft (29% each).

Of the small proportion of businesses that have ever involved these agencies (11%), most (61%) did so recently (this is a low base of n=34, or 6% of all respondents, and the results should be used with caution, for directional purposes only).

Half (53%) of these contacts occurred within the current year, 29% within the last 1 to 5 years, and 15% earlier than that.

Of the few businesses that had recently involved the RCMP or government agencies (6%, n=34), a majority (62%) agreed that the organizations handled the situation effectively, and 30% felt that it was not addressed effectively.

Overall, however, the vast majority (90%) of businesses that have not dealt with the RCMP or another government agency do not know on what basis to judge the effectiveness of the RCMP or government agencies in dealing with cyber crime.

3% each list general media feedback, personal experience and success rate, with 1% mentioning speed of response.

    Building awareness of cyber crime and its prevention is by far the most often mentioned expectation from the RCMP and government agencies (45%), with prevention, investigation and prosecution at 17%. Other expectations, such as direct assistance, streamlining of resources are mentioned by 5% to 6% each.

    Need for more prevention, investigation, and prosecution is slightly more often mentioned among large businesses (23%) and the Aerospace/Defense industry (21%).

    T. Awareness of Public Safety Canadas/RCMPs roles in raising awareness of cyber crime/ Sources of awareness

    Awareness of cyber crime prevention campaigns is low, at 12%. It is only comparatively higher in the Utilities industry, at 18% and among large organizations, at 19%.

Overall, 39% of businesses are aware that at least one of the two organizations (Public Safety Canada and the RCMP) has a role in combating cyber crime: 22% are aware of only the RCMP's role, 17% are aware of both organizations' roles, and none are aware of Public Safety Canada's role only.

    This pattern generally holds across industries and business sizes, with the exception of Utilities, where awareness of both organizations roles is higher, at 30%.

    Among those aware, two thirds (67%) view it as relevant, especially the Telecom industry (82%) and large businesses (75%).

Media (news, TV, newspapers, internet) plays a pivotal role in building awareness of Public Safety Canada's and the RCMP's roles in combating cyber crime: 76% of those aware say they learned about it through the media. All other channels trail behind (under 10% each).

    This holds true across industries and business sizes, with one exception: conferences are a source of awareness for 14% of large businesses, but the use of this channel is minimal in medium and small businesses (4% and 2% respectively).


While surveyed organizations indicate that events and media coverage would likely be the most effective way of building awareness of Public Safety Canada's and the RCMP's roles in combating cyber crime, a range of other communication avenues could be just as effective in educating businesses.

Table 14: Communication strategies for Public Safety Canada / the RCMP to improve awareness of their capabilities among Canadian businesses (%)

Events / Media coverage                             69
Presence on specific web sites                      62
Publications                                        61
Advertising in trade publications                   56
Involvement in specific professional associations   52
Conferences                                         51
Case studies                                        48
Personal briefings with agency staff                38
Don't know / Refused                                5

Subgroup callouts shown on the chart (the bar each belongs to is not recoverable here): Large businesses 66%; Utilities / critical infrastructure 61%; Aerospace 66%; Large businesses 67%; Telecom 45%; Airlines/Shipping 45%; Large businesses 58%.


Above Security: Sponsor commentary

CEO foreword

Worldwide communication and nearly limitless online transaction capabilities are a great benefit to society and to the way businesses function. However, these technological advancements bring about new challenges that organizations and individuals must face, the most troubling of which are the evolving and expanding risks associated with cybercrime.

As one of the world's leading IT security service providers responsible for monitoring vast client networks on a daily basis, we see firsthand how cybercrime jeopardizes the safety of information and the normal flow of business. The harsh realization that "cyberculture is growing faster than cybersecurity, so everything that depends on cyberspace is at risk" (Deloitte, 2009: p. 2) places greater emphasis and urgency on implementing systems and procedures that protect business infrastructures, and more specifically, the most critical and sensitive IT assets that enable businesses to operate effectively.

The rise of cybercrime is more than just our raison d'être as an IT security service provider. It is a phenomenon that affects and concerns all of us every day, be it in our professional or in our personal environments. Ultimately, we must acknowledge that each and every one of us is a potential target for cybercriminals, for the simple reason that we are all connected via the Internet. The fight against cybercriminal activity through risk mitigation strategies and education is a cause that we believe in strongly and that we are proud to fully endorse within the framework of this study and beyond.

Through the following commentary, we wish to leverage the expertise we have gained from nearly 15 years in the field in order to provide meaningful perspectives on IT security and risk management. We will share our view of current cybercrime threats and their impact on industries and businesses, new and emerging threats that can be expected in the next few years, and effective strategies and practices to consider for combating cybercrime in Canada and globally. We hope that our viewpoints will serve as an interesting and resourceful complement to the findings of the study.

On behalf of the entire Above Security team, I would like to express my gratitude and appreciation to the ICSPA and to everyone involved in the creation of this research project. May this study help raise awareness within the business community and garner widespread support, which will be crucial to successfully prevent the spread of cybercrime in Canada and around the world.

Ray George Chehata, President and CEO, Above Security


    Company view of cybercrime in Canada today including threats and their impact on Industry and Business

Cybercriminal activity has increased dramatically in recent years and can now be considered an omnipresent, even global menace that will continue to affect each and every one of us. Hardly a day goes by without cyber-related incidents hitting the headlines of Canada's most renowned newspapers, magazines and blogs. According to INTERPOL (2013), cybercrime is one of the fastest growing areas of crime and has adopted many carefully-crafted disguises to damage information systems. The most commonly-known threats include, but are not limited to, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, SPAM, phishing emails, penetration of online financial services, virus deployment, social engineering, identity theft and theft of intellectual property. Although all of these threats should be treated with equal importance, DDoS attacks have become especially worrisome recently due to their destructive nature and an ability to affect the networks of high-profile Canadian governmental organizations and financial institutions with relative ease.

With regard to its impact, cybercrime is known to cause both tangible and intangible damages. In its 2012 research report on The Impact of Cybercrime on Business, the Ponemon Institute found that data breaches cost on average $7.2 million per incident, with the cost per malicious attack exceeding $10 million in many cases, thus making financial losses the most severe of cybercrime's numerous impacts. In addition, businesses that have become victims of cybercriminal activity frequently report substantial losses among previously loyal clientele, a strong decline in productivity, severe disruptions of their services and operations, massive losses of proprietary and sensitive information, as well as immeasurable damage to their brand, corporate image and reputation.

    Company view of Global cybercrime threats and the potential impact on Canada

As recently as several years ago, the global cybercrime landscape was very clearly divided, with a great majority of cyberattacks originating from Russia, Eastern Europe, China, Southeast Asia, North Korea and Brazil. As we have entered the second decade of the new millennium, cybercrime has become an increasingly pervasive threat that cannot easily be linked to only a handful of regions. As INTERPOL (2013) correctly noted, "cybercrime has no borders." Not only have cybercriminals developed more sophisticated attack strategies, they have also learned how to blur their traces effectively and complicate the work of those seeking to track them down.

Compounding matters even more is the fact that security-related laws and regulations vary from country to country (sometimes even from province to province), and thus it comes as no surprise that regions with less strict legislation are prone to a higher degree of cybercrime. Even foreign governments are now exhibiting unethical practices, as in the recent case of the Chinese military that allegedly engaged in an extensive cyber espionage campaign (CNN, 2013). Regardless of the geographical origin of cybercriminal activity, each individual attack potentially threatens Canada's national security and represents a substantial risk for the Canadian economy, a risk that needs to be acknowledged, investigated and mitigated at all costs.

    Company view of new and emerging cybercrime threats that may impact Canada over the next 5 years and those sectors most at risk

    With regards to new and emerging cybercrime threats that may impact Canada over the next 5 years, we are witnessing the evolvement of DoS and DDoS attacks into increasingly sophisticated schemes that use several attack vectors in an attempt to hide further nefarious activity. By intentionally misusing bandwidth resources in order to bring down sites, networks and applications, these attacks ultimately cause substantial business impacts such as: loss of revenues, diminished brand reputation and potentially long-term service interruptions. Another emerging trend that is already a strongly debated issue across the globe is the rise of cloud computing offerings. Although cloud computing is a much more convenient alternative to traditional data storage and handling, it provides a greater surface of attack that is much more complex to control. When it comes to the origin of threats, one of the most astonishing trends we have noticed is that businesses may even be attacked by their national competitors and not exclusively by international hackers.

No matter how the global cybercrime landscape evolves in coming years, organizations that store large amounts of sensitive data and are required to comply with strict standards, laws or regulations remain the primary targets of cybercriminals. This relates mostly to governmental organizations and financial institutions, but can also extend to organizations that are often considered to be devoid of major risk, such as manufacturing companies. Especially in the manufacturing sector, the theft of intellectual property can result in colossal damages. Although certain sectors are traditionally more at risk than others, it needs to be emphasized that "no business, government, nongovernmental, or other organization of whatever size is invulnerable to cyber attacks" (British-North American Committee, 2007: p. 3).

    Company view of effective deterrents, responses and practices in fighting cybercrime + Company view of measures needed to combat cybercrime in Canada

In a 2012 Washington Post article, Alec Ross, senior adviser for innovation at the State Department, was quoted as saying: "If any college student asked me what career would most assure 30 years of steady, well-paying employment," Ross said, "I would respond, cybersecurity." The simple reasoning behind this is the growing number of cyber-related crimes. As such, companies now need to improve the quality of the protections they have in place as legislative compliance requirements increase, security environments age, resources become scarce and internal IT security costs continue to rise.

    Fighting cybercrime begins with raising the awareness level of both the business community and the general public. This can be achieved by large-scale research initiatives, such as the ICSPA study, as well as through education campaigns originating from public and private organizations. In addition, everyone who connects to cyberspace, a space that is expanding at the speed of light, should learn as much as they can about the threats that they are exposed to and their potential impact. Only if individuals and organizations alike fully comprehend the extent to which cybercriminal attacks can expose information and impair business operations, can adequate measures be taken to manage and mitigate the risk associated with cybercrime (British-North American Committee, 2007).

Organizations can strengthen their defenses by employing tactics that have already proved successful, such as allocating a budget specifically to IT security, establishing clear policies and controls, performing regular IT security audits, assessing the current security measures in place and, most importantly, developing a concise risk mitigation and incident response plan (CERT, 2009; Deloitte, 2009a; PricewaterhouseCoopers, 2013). Moreover, by following an organized plan for IT security and risk management that includes partnerships with cybersecurity specialists and obtaining sound recommendations from third-party experts, organizations can stay on the leading edge and ensure that their security posture remains solid and stable.

Lastly, governments and regulatory organizations must continue to prioritize, strengthen and assess cybercrime-related laws and regulations on a regular basis. Laws have barely caught up with today's reality and must be amended to better protect corporations and individuals from the disastrous effects of cybercrime. To put it simply, it is much easier to find a remedy after a physical corporate asset such as a car or a machine has been stolen than to take action against data theft and virus deployments. Canadian businesses must adopt best practices and make information security an integral part of their corporate culture (British-North American Committee, 2007). In our opinion, Canada has already taken the initiative and is in a position to be a leader in establishing legal precedents to protect organizations, which can ultimately be emulated throughout the world.

    In conclusion, with continued, timely exposure to the issues and growing public awareness, organizations and individuals need to take the next step and join forces, so they can work together to wage a persistent and formidable battle against cybercrime.

    Bibliography

    British-North American Committee (2007) Cyber Attack: A Risk Management Primer for CEOs and Directors.

    CERT (2009) Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition Version 3.1.

    CNN (2013) Report: Chinese military engaged in extensive cyber espionage campaign [online] Available at: http://security.blogs.cnn.com/2013/02/19/report-chinese-military-engaged-in-extensive-cyber-espionage-campaign/?iref=allsearch. Accessed: 5 March 2013.

    CSI (2009) 14th Annual CSI Computer Crime and Security Survey. Comprehensive Edition.

    Deloitte Touche Tohmatsu (2009a) Cybersecurity: Everybody's Imperative. Protecting our economies, governments, and citizens.

    Deloitte Touche Tohmatsu (2009b) Protecting what matters. The 6th Annual Global Security Survey.

    INTERPOL (2013) Tackling cyber security threats focus of INTERPOL workshop [online] Available at: http://www.interpol.int/News-and-media/News-media-releases/2011/N20110707. Accessed: 27 February 2013.

    Ponemon Institute (2012) The Impact of Cybercrime on Business. Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil.

    PricewaterhouseCoopers (2012) Changing the game. Key findings from The Global State of Information Security Survey 2013.

    The Washington Post (2012) Cybersecurity experts needed to meet growing demand. [online] Available at: http://articles.washingtonpost.com/2012-05-29/business/35458606_1_cybersecurity-college-students-visit-colleges. Accessed: 6 March 2013.


    BlackBerry Sponsor Commentary

    How safe is your smartphone? The BlackBerry focus on cyber security.

    Contents

    A. An Introduction from Michael K. Brown, Vice-President, BlackBerry Security Product Management & Research (p. 27)
    B. Executive Overview on Anti-Malware Security Approach (p. 28)
    C. Today's Mobile Landscape: Safeguarding Security and Privacy (p. 28)
    D. A Significant Threat: Malware on Mobile Devices (p. 28)
    F. Combating Mobile Malware and Privacy Implications Associated with Third-Party Apps (p. 29)
    G. Legal Notice (p. 30)

    An Introduction from Michael K. Brown, Vice-President, BlackBerry Security Product Management and Research

    Security was built into the heart of the BlackBerry secure infrastructure from the very beginning. From the battlefield to the boardroom, our customers have come to rely upon the unique level of protection BlackBerry offers through its layered approach to security. Nothing is more secure than a BlackBerry device running on the BlackBerry platform.

    Over the past decade, this has evolved from our first Mobile Device Management (MDM) controls to let administrators manage the new thing called mobile, to more advanced technologies like process separation, stack cookies, and ASLR. We're very excited to keep pushing the envelope and providing an enjoyable experience along the way.

    BlackBerry is committed to partnering with industry leading organizations to deepen the importance of data responsibility and secure infrastructure practices. 90% of Fortune 500 companies and countless government agencies rely on BlackBerry products and services each day because of our embedded security practices. This level of trust is something we take very seriously.

    At BlackBerry, we have more security certifications than any other smartphone on the market. BlackBerry has always built security into everything we do from silicon to software. Our industry leading encryption, networking and data security practices are recognized world-wide for their robust abilities to keep customer data safe and secure.

    For more information on BlackBerry security, visit www.blackberry.com/security, and if you have a security issue you would like to discuss with us, please email us at [email protected].

    Warm regards,

    Michael K. Brown, Vice President, BlackBerry Security Product Management and Research


    Executive Overview on Anti-Malware Security Approach

    Maintaining a leadership position in mobile security requires deep integration of security at the product development stage, but it also requires listening to the needs of customers, and working collaboratively across the industry. At BlackBerry, these are some of the core tenets that have led to the unique level of security the BlackBerry solution delivers and that our customers depend upon. BlackBerry's anti-malware strategy is built upon five core pillars that focus on our smartphones' built-in protections, analyzing third-party applications, transparent customer communications, educating developers and having an anti-malware team embedded in the security response group. By developing an anti-malware strategy based on five key pillars of security, we provide BlackBerry customers an unparalleled level of protection from emerging security and privacy issues.

    Today's Mobile Landscape: Safeguarding Security and Privacy

    Today, mobile devices have capabilities and characteristics similar to those of modern desktop computers, with one exception: the amount of personal data on the device. Unlike on computers, applications downloaded on mobile phones and tablets have the ability to broadcast your location, private conversations, pictures, banking information and other sensitive data, even when these mobile devices are not in use. Just as mobile customers' expectations vary widely about privacy and security, so do the approaches that mobile vendors take in safeguarding customers' security and privacy.

    With the increased prevalence of smartphones and tablets becoming a common part of how we share information with our family, friends and co-workers, there is a growing potential for increased risks related to data security and privacy. This isn't the first time we've watched the computing threat landscape evolve. Over the last decade, as more users leveraged the power of personal computers, attackers began focusing on ways to steal users' data and take control of their computers. Their methods included using vulnerabilities in the software and creating malicious software, known as malware, which is designed to trick a user into installing these programs in order for the attacker to gain control of a user's system. Now, as we move toward a mobile computing society, we're seeing that same trend happening across the mobile industry.

    A Significant Threat: Malware on Mobile Devices

    At BlackBerry, we're committed to protecting customers and their data, and also to providing greater transparency into the unique level of protection we offer customers. We recognize that customers want and need access to apps that do not infringe on their privacy or impact their security. With such a significant challenge facing the mobile industry, we determined that adding additional layers of protection is crucial to helping protect BlackBerry customers.

    One of the significant security concerns facing the mobile industry is how to address the skyrocketing amount of malware on mobile devices. This concern is especially challenging because instead of attackers trying to trick computer users to install malware, attackers have shifted their focus and tactics by offering what appear to be safe apps. They are placing their malicious apps within smartphone app stores and bypassing protections that these app store vendors may have in place to help prevent malware. While most smartphone users have heard of malware, and know about its potential to harm their devices, they don't expect that any app downloaded from their smartphone's app store is malicious. As a result, smartphone users may not be as careful or discerning when deciding which third-party apps to download, and these choices can lead to users being vulnerable to potential security and privacy implications associated with these apps. In order to bolster our own internal, proprietary application analyzing system, we are incorporating Trend Micro's industry-leading anti-malware technology into our app vetting process. This collaboration will help ensure BlackBerry customers have access to apps that do not infringe on their privacy or impact their security.

    Combating Mobile Malware and Privacy Implications Associated with Third-Party Apps

    Given that both malware and privacy concerns span across the breadth of the mobile industry, it's not practical to believe that any one company can thoroughly address these issues on their own. By working with an industry leader, such as Trend Micro, we're establishing a unique level of protection for BlackBerry customers, and we believe the rest of the industry should also consider working collaboratively in order to address the significant increase in mobile malware and privacy implications associated with third-party apps.

    As part of our comprehensive approach, BlackBerry is incorporating Trend Micro's industry-leading anti-malware technology with our current internal, proprietary system for analyzing apps. "BlackBerry is working with Trend Micro to implement a more robust approach for addressing privacy and security concerns related to third-party applications," said Adrian Stone, Director, BlackBerry Security Response and Threat Analysis at BlackBerry. "By incorporating Trend Micro's advanced mobile scanning and detection capabilities with our own internal, proprietary application analyzing system, we can provide another layer of protection and assurance for BlackBerry customers." Together, BlackBerry and Trend Micro are developing an innovative and comprehensive solution for protecting BlackBerry customers against emerging mobile security concerns. Through this collaboration, BlackBerry will use Trend Micro's suite of app scanning technology to help enhance anti-malware capabilities, including industry-leading app analyzing techniques and built-in permission settings on BlackBerry devices. By vetting apps against Trend Micro's extensive library of known malicious software, we will help ensure both current and new apps submitted to the BlackBerry World storefront are scanned for potential malicious behavior.

    "The volume of malicious and high-risk mobile apps is on the rise across the industry, which is why we applaud BlackBerry's commitment to protecting their customers against these emerging mobile threats," said Kevin Simzer, Vice President of Corporate Development and Alliances, Trend Micro. "With the speed that cybercriminals are targeting new platforms and applications, Trend Micro and BlackBerry's strategic collaboration is natural and timely for the security of end users. Together, the two companies can further secure and enhance BlackBerry customers' mobile experience."

    Trend Micro has scanned and evaluated over 2 million mobile applications. Mobile Application Reputation Service is Trend Micro's next generation cloud-based technology for mobile operating systems that analyzes application code and behavior to identify risks from malware and data leaks. It also detects the abuse of battery, memory, and data resources. This service leverages the Trend Micro Smart Protection Network infrastructure to provide meaningful mobile app reputation ratings. The Smart Protection Network is built upon unique in-the-cloud technologies that naturally fit with cloud-based security services like the Mobile Application Reputation Service. By checking URLs, emails, files, and applications against continuously updated and correlated threat databases, customers always have immediate access to the latest protection.

    Every smartphone and tablet vendor uses a different strategy for protecting customers from both malware and privacy concerns, and customers do not typically have insight into how they may or may not be protected from these issues. BlackBerry is taking an innovative approach for enhancing third-party app security, which is recognized as one of the fastest growing security concerns for the mobile industry.


    Legal Notice

    © 2013 Research In Motion Limited. All rights reserved. BlackBerry, RIM, Research In Motion, and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world.

    All other trademarks are the property of their respective owners.

    This documentation including all documentation incorporated by reference herein such as documentation provided or made available at www.blackberry.com/go/docs is provided or made accessible "AS IS" and "AS AVAILABLE" and without condition, endorsement, guarantee, representation, or warranty of any kind by Research In Motion Limited and its affiliated companies ("RIM") and RIM assumes no responsibility for any typographical, technical, or other inaccuracies, errors, or omissions in this documentation. In order to protect RIM proprietary and confidential information and/or trade secrets, this documentation may describe some aspects of RIM technology in generalized terms. RIM reserves the right to periodically change information that is contained in this documentation; however, RIM makes no commitment to provide any such changes, updates, enhancements, or other additions to this documentation to you in a timely manner or at all.

    This documentation might contain references to third-party sources of information, hardware or software, products or services including components and content such as content protected by copyright and/or third-party websites (collectively the "Third Party Products and Services"). RIM does not control, and is not responsible for, any Third Party Products and Services including, without limitation the content, accuracy, copyright compliance, compatibility, performance, trustworthiness, legality, decency, links, or any other aspect of Third Party Products and Services. The inclusion of a reference to Third Party Products and Services in this documentation does not imply endorsement by RIM of the Third Party Products and Services or the third party in any way.

    EXCEPT TO THE EXTENT SPECIFICALLY PROHIBITED BY APPLICABLE LAW IN YOUR JURISDICTION, ALL CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS, OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY CONDITIONS, ENDORSEMENTS, GUARANTEES, REPRESENTATIONS OR WARRANTIES OF DURABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, MERCHANTABILITY, MERCHANTABLE QUALITY, NON-INFRINGEMENT, SATISFACTORY QUALITY, OR TITLE, OR ARISING FROM A STATUTE OR CUSTOM OR A COURSE OF DEALING OR USAGE OF TRADE, OR RELATED TO THE DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN, ARE HEREBY EXCLUDED. YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY BY STATE OR PROVINCE. SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES AND CONDITIONS. TO THE EXTENT PERMITTED BY LAW, ANY IMPLIED WARRANTIES OR CONDITIONS RELATING TO THE DOCUMENTATION TO THE EXTENT THEY CANNOT BE EXCLUDED AS SET OUT ABOVE, BUT CAN BE LIMITED, ARE HEREBY LIMITED TO NINETY (90) DAYS FROM THE DATE YOU FIRST ACQUIRED THE DOCUMENTATION OR THE ITEM THAT IS THE SUBJECT OF THE CLAIM.

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, IN NO EVENT SHALL RIM BE LIABLE FOR ANY TYPE OF DAMAGES RELATED TO THIS DOCUMENTATION OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE, OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY OF THE FOLLOWING DAMAGES: DIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, INDIRECT, SPECIAL, PUNITIVE, OR AGGRAVATED DAMAGES, DAMAGES FOR LOSS OF PROFITS OR REVENUES, FAILURE TO REALIZE ANY EXPECTED SAVINGS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF BUSINESS OPPORTUNITY, OR CORRUPTION OR LOSS OF DATA, FAILURES TO TRANSMIT OR RECEIVE ANY DATA, PROBLEMS ASSOCIATED WITH ANY APPLICATIONS USED IN CONJUNCTION WITH RIM PRODUCTS OR SERVICES, DOWNTIME COSTS, LOSS OF THE USE OF RIM PRODUCTS OR SERVICES OR ANY PORTION THEREOF OR OF ANY AIRTIME SERVICES, COST OF SUBSTITUTE GOODS, COSTS OF COVER, FACILITIES OR SERVICES, COST OF CAPITAL, OR OTHER SIMILAR PECUNIARY LOSSES, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF RIM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW IN YOUR JURISDICTION, RIM SHALL HAVE NO OTHER OBLIGATION, DUTY, OR LIABILITY WHATSOEVER IN CONTRACT, TORT, OR OTHERWISE TO YOU INCLUDING ANY LIABILITY FOR NEGLIGENCE OR STRICT LIABILITY.

    THE LIMITATIONS, EXCLUSIONS, AND DISCLAIMERS HEREIN SHALL APPLY: (A) IRRESPECTIVE OF THE NATURE OF THE CAUSE OF ACTION, DEMAND, OR ACTION BY YOU INCLUDING BUT NOT LIMITED TO BREACH OF CONTRACT, NEGLIGENCE, TORT, STRICT LIABILITY OR ANY OTHER LEGAL THEORY AND SHALL SURVIVE A FUNDAMENTAL BREACH OR BREACHES OR THE FAILURE OF THE ESSENTIAL PURPOSE OF THIS AGREEMENT OR OF ANY REMEDY CONTAINED HEREIN; AND (B) TO RIM AND ITS AFFILIATED COMPANIES, THEIR SUCCESSORS, ASSIGNS, AGENTS, SUPPLIERS (INCLUDING AIRTIME SERVICE PROVIDERS), AUTHORIZED RIM DISTRIBUTORS (ALSO INCLUDING AIRTIME SERVICE PROVIDERS) AND THEIR RESPECTIVE DIRECTORS, EMPLOYEES, AND INDEPENDENT CONTRACTORS.

    IN ADDITION TO THE LIMITATIONS AND EXCLUSIONS SET OUT ABOVE, IN NO EVENT SHALL ANY DIRECTOR, EMPLOYEE, AGENT, DISTRIBUTOR, SUPPLIER, INDEPENDENT CONTRACTOR OF RIM OR ANY AFFILIATES OF RIM HAVE ANY LIABILITY ARISING FROM OR RELATED TO THE DOCUMENTATION.

    Prior to subscribing for, installing, or using any Third Party Products and Services, it is your responsibility to ensure that your airtime service provider has agreed to support all of their features. Some airtime service providers might not offer Internet browsing functionality with a subscription to the BlackBerry Internet Service. Check with your service provider for availability, roaming arrangements, service plans and features. Installation or use of Third Party Products and Services with RIM's products and services may require one or more patent, trademark, copyright, or other licenses in order to avoid infringement or violation of third party rights. You are solely responsible for determining whether to use Third Party Products and Services and if any third party licenses are required to do so. If required you are responsible for acquiring them. You should not install or use Third Party Products and Services until all necessary licenses have been acquired. Any Third Party Products and Services that are provided with RIM's products and services are provided as a convenience to you and are provided "AS IS" with no express or implied conditions, endorsements, guarantees, representations, or warranties of any kind by RIM and RIM assumes no liability whatsoever, in relation thereto. Your use of Third Party Products and Services shall be governed by and subject to you agreeing to the terms of separate licenses and other agreements applicable thereto with third parties, except to the extent expressly covered by a license or other agreement with RIM.

    Certain features outlined in this documentation require a minimum version of BlackBerry Enterprise Server, BlackBerry Desktop Software, and/or BlackBerry Device Software.

    The terms of use of any RIM product or service are set out in a separate license or other agreement with RIM applicable thereto. NOTHING IN THIS DOCUMENTATION IS INTENDED TO SUPERSEDE ANY EXPRESS WRITTEN AGREEMENTS OR WARRANTIES PROVIDED BY RIM FOR PORTIONS OF ANY RIM PRODUCT OR SERVICE OTHER THAN THIS DOCUMENTATION.

    Research In Motion Limited, 295 Phillip Street, Waterloo, ON N2L 3W8, Canada

    Research In Motion UK Limited, 200 Bath Road, Slough, Berkshire SL1 3XE, United Kingdom

    Published in Canada


    Global Cybercrime

    As a global security company Lockheed Martin has first-hand experience defending against the most sophisticated threats facing businesses today. We have been defending the highly sensitive (and heavily attacked) networks of both Lockheed Martin and its government and commercial customers against advanced persistent threats for more than 10 years. Increasingly, the motivation behind cyber attacks is cybercrime. Whether it's attempting to disable mission critical networks, gain access to classified information, or steal corporate intellectual property, our adversaries are becoming more agile, more persistent and more sophisticated. These are challenges we all face as our adversaries are not constrained by geographic, political or national boundaries. It is imperative that, through activities such as this cybercrime study, we find ways to share tools, techniques and best practices to build a stronger, truly global cyber defense.

    In a world that is becoming more connected by the minute, the opportunity for cybercrime increases exponentially. Canada is a prime target, where in recent years there has been a disturbing increase in cyber security events impacting not only government and private industry but also individual citizens. Complicating this is an expectation for Canadian businesses to operate securely in an era focused on mobility solutions, bring your own device (BYOD) policies, and ever expanding social media. It is critical that steps are taken to increase cyber security awareness and support an increasing uplift in capability across government and industry. Trusted partnerships, actionable intelligence and advanced tradecraft will be the key to success moving forward.

    Lockheed Martin greatly appreciates the opportunity that ICSPA has provided to be a sponsor and contributor to this cybercrime study. Understanding the threats the Canadian industry is facing is a critical step to increasing the ability of all companies to not only defend themselves, but extend those security services to government and critical national infrastructure. Once these threats are better understood, forming the partnerships required to share information about emerging threats and potential mitigations becomes critical. There is no one magic answer to help businesses address the potential threat that cybercrime poses to operations and corporate reputation. It takes a coordinated and intelligent approach to addressing these challenges to ensure success against all aspects of cyber adversaries.

    Bob Eastman, Vice President, Lockheed Martin IS&GS-National, Global Solutions

    Lockheed Martin Sponsor Commentary


    Cyber Security Threats and Potential Impacts

    Businesses today face a myriad of threats from different, and oftentimes coordinated, actors and vectors. Beyond the external threat, companies increasingly face threats from within. Whether intentional or not, a business's employees are both the first line of defense and the first risk companies face. Without proper education, employees can open attachments, click links and take other adverse actions that give threat actors access to corporate networks. Through education efforts, businesses can turn potential weaknesses into strengths as we have in Lockheed