Article
Cybersecurity: test your knowledge
How well do you understand the cyber threat to your business?
Matching wits with those who want to attack your business is no fun game for any organization, but these days it’s one you have to constantly play if you’re to protect yourself from financial and reputational harm.
Cybercrime is costing billions of dollars. How ready are Canadian organizations to prevent or respond to a sustained cyberattack? Not quite enough. Deloitte’s Cybersecurity survey 2015 revealed the average level of cybersecurity maturity in Canada is 2.2 on a five-point scale, putting Canadian organizations behind their US and European counterparts.
The key barriers to cybersecurity improvement for private companies in particular likely won’t surprise. First and foremost, many businesses probably still underestimate the threat. Carving the resources for security initiatives out of a tightening budget may be a challenge, especially for smaller companies. And getting people with the right skill sets to handle cybersecurity can be both difficult and expensive.
For organizations of all sizes, it’s critical to understand all the areas of risk to information systems and to both prioritize those risks and implement controls to mitigate them as cost-effectively as possible.
The truth is out there
How well a company responds to a cyberattack depends almost entirely on how secure, vigilant and resilient the organization is – in other words, how strong its defences are, how well it detects threats and how well it responds to a breach. Are you sure your company is sufficiently protected?
On being secure:
Fact or fiction? We’ve invested in a solid security system; we don’t need to do anything else.
Fiction: That’s a critical step – but it’s only a partial one. An adversary needs only to find a single chink in the armour to set a complex attack in motion. You really can’t let your guard down, not even for a minute. Are all your employees aware of the constant threat of cyber attacks? Have all been trained on what to look for and how to react if they receive a suspicious email or other Internet-based message? Security awareness programs are a cost-effective way to educate the end users of information systems. Employees aren’t the only potential point of access, of course: as organizations continue to launch new services and expand their reach to consumers, their risks also grow. You need to continually manage, update and fine-tune your security systems, and keep your employees aware. It takes only one attacker being right once – as an enterprise, you need to defend 100 percent of the time.
Fact or fiction? We’re just too small to be of interest to cyber criminals.
Fiction: There are two reasons you may be an attractive target, regardless of your size. To determine if your company could catch the wrong person’s eye, ask yourself:
- What kind of data are we collecting? Personal information, health records, payment cards, marketing information, competitive pricing data – the type of information will gauge how appealing it may be to a potential attacker.
- What kind(s) of companies do we serve? There have been many recent examples in which attackers gain access to their real target through a supplier -- and you don’t want to be a Trojan horse to your customer.
On being vigilant:
Fact or fiction? Constantly monitoring for new cyber threats helps us stay on top of developments.
Fact: Threats are growing more sophisticated almost daily, so monitoring and analyzing threat intelligence is critical. Doing so should uncover new vulnerabilities while simple controls, such as application and operating system patches, will help keep your security strong. Fortunately, a great deal of up-to-the-minute cyber threat information is available, much of it free. The biggest challenge is sifting through the hundreds of vulnerabilities to determine what’s most relevant to your organization.
Fact or fiction? We can effectively keep watch for threats on our own.
Fiction: It’s impossible for anyone organization to monitor and understand all the various threats, tools, tactics and procedures that cyber criminals are using. These include sharing intelligence about how to hack into specific systems or companies, since attackers know pooling knowledge leads to mutual gain. Companies would serve themselves well to do the same – by starting or joining cyber threat intelligence (CTI) sharing communities, in which organizations share information about threats, attacks, lessons learned, and tactics that work (or don’t). One such community for private Canadian businesses launched last November, a not-for-profit that offers a couple of levels of service and membership fee depending on size.
On being resilient:
Fact or fiction? Planning alone isn’t enough; we also have to rehearse our response.
Fact: Interdependencies on information systems and business stakeholders are constantly evolving, so it’s important your cyber defence plans keep pace. Do you regularly test your response plans with a simulated attack? Do you then adjust any gaps you discover? Being resilient means quick containment and recovery from an attack to minimize financial and reputational damage.
The 12-month action plan
Any organization, particularly smaller private companies, need to get the most out of what they invest. The key is balancing the cost of the controls against the level of risk for your enterprise. Prioritizing these risks and focusing your budget on those with the highest likelihood and highest potential for negative impact can help you cost-effectively improve your security posture.
- Take the attitude that you need to run security like a business. Develop a plan: What’s the vision? Is it aligned with the broader business needs, and the organization’s culture? Who’ll lead it?
- Consider adopting the CIS Critical Security Controls, a set of specific actions to prevent damaging cyberattacks recommended by the SANS Institute.
- Stick with the basics. Ensure, for example, that you can deal with simpler malware incidents before wondering if you need more complex tests.
- Take stock of your threat profile.
- Ensure you understand key elements of a security plan – its current patching levels, where its critical data is stored, and how it connects to clients.
- Assess your security posture, and set a schedule to re-assess at regular intervals.
- Ensure all employees receive regular security-awareness training. If you haven’t already, develop and deploy a program as soon as feasible. At regular intervals, update the material to keep pace with evolving threats and (re)train staff.
While many business owners, and especially start-up entrepreneurs, may balk at spending significantly on the security of their online systems, the stark reality is that cybersecurity matters – regardless of company size. If you’re online, you’re a target, whether you’re viewed as the top prize or merely the way to get to it.
And no, it’s not a game. It’s just the hard truth.