TORONTO -- Canadian companies tend to be overconfident or unprepared to protect sensitive information from data breaches -- mostly because they have an incomplete or inadequate picture about the evolving challenges they face, according to cybersecurity experts.
A study conducted by Ovum for FICO -- a California-based data analytics company that operates a global fraud detection system for banks, credit card companies and others -- found 84 per cent of Canadian executives surveyed felt their organization was "better than average" or a "top performer."
The report asserts this is an "unrealistic" scenario and Canadian organizations "should look at their ability to prove how good they are."
"If you can't measure whether you're vulnerable or not, can you really say you're covered," FICO Canada vice-president Kevin Deveau said in an interview after the study was released.
While the report is based on a small sample -- Ovum conducted telephone interviews with 500 senior IT executives in several countries including Canada -- its findings about "cyber readiness" are consistent with what's been experienced by two other security experts who reviewed the report.
This week, the owner of Swiss Chalet, Harvey's, East Side Mario's and other restaurants was the latest business to report that its operations had been disrupted by a malware virus.
Recipes Unlimited Corp. learned of the outbreak on Friday and said that as of Wednesday, a "small percentage" of restaurants were still impacted.
Spokeswoman Maureen Hart says there was no evidence that any data was compromised, or that the company was being held for ransom by hackers.
Cyber security strategist Eldon Sprickerhoff, founder of Toronto-based eSentire, said in an interview prior to the Recipe Unlimited crisis, that research has shown humans have a universal tendency to be too optimistic.
But Canadian companies also have a mistaken belief that they're too small or insignificant to be a target -- and therefore, they may be overconfident that they're prepared, he said.
"If you're not actively watching for attacks that are going on, it's very difficult to be able to say you're in a good space," Sprickerhoff said.
The good news, from his perspective, is that more Canadian boards have begun to make cybersecurity a regular agenda item.
That's at least partly because private-sector organizations will be required to report all leaks of personal information to the federal privacy commissioner starting Nov. 1, Sprickerhoff said.
David Masson, the Canada country manager for Darktrace -- a cybersecurity software company headquartered in San Francisco and Cambridge, England -- agreed that businesses are paying more attention because of increased regulation in various jurisdictions and general awareness of the risks.
Nevertheless, he said, most have inadequate knowledge of what they're facing because "they're missing proper visibility of their networks, they can't really see what's going on."
Of the Fortune 500 very large companies that have done trials of Darktrace software, Masson said 85 per cent of the time "we find malware and malicious behaviour they had no idea was on their network. And when you're outside the Fortune 500, that figure goes up to 95 per cent of the time."
He predicts the situation will only get more challenging because the number of potential vulnerable openings will grow exponentially as more sensors, consumer electronics and communications devices are connected.
"There's going to be an explosion, for the want of a better word, of unsecured devices into networks throughout the world," Masson said.
FICO's Deveau and eSentire's Sprickerhoff also see third-party service providers as a growing weak spot.
"We're trying to get the customers, or the clients out there, to really see how vulnerable they are," Deveau said.
FICO developed a tool that an organization can use -- free of charge -- to detect its own vulnerabilities. For a fee, they can purchase add-on modules to assess their external suppliers.
Sprickerhoff said it's not unusual for a company to have "dozens and dozens of service providers" but doesn't think their cyber readiness can be adequately measured from outside.
"Your external-facing infrastructure is such a small percentage of what your security stance is," Sprickerhoff said. "You can have a good external-facing infrastructure, and have terrible internal-facing infrastructure."
Masson said Darktrace installs software on a client's system that uses machine learning to recognize the normal activities of a system and respond when something abnormal happens.
"This is what most companies are missing," said Darktrace's Masson. "You know, malware can own your system in seconds. It's too fast for human beings."