The stakes are high for Canadian businesses. A well-targeted attack can cripple or permanently destroy a small to medium-sized enterprise. Perhaps most unsettling, there is little you can do to avoid becoming a potential target.

However, there are steps you can take to reduce the severity and cost of a cyber incident. Here, we outline everything you need to understand how safe your business is, and how to enhance your level of cyber security, reduce the likelihood an attack will result in a breach, and keep the damage to a minimum if a breach does occur.

A cyber breach is any unauthorized access to your organization’s digital devices or systems which targets intellectual property, employee and customer information, IT infrastructure, or even physical locations. It can encompass a wide range of activities — from fraud perpetrated by an employee to malware that infiltrates an organization’s network through a nefarious email attachment. While there are countless forms of cyber breaches, distributed denial-of-service (DDoS) and ransomware attacks are two which most often afflict small- to medium-sized businesses.

A DDoS attack occurs when a threat actor seeks to make a network resource unavailable by disrupting the server connected to the internet. They’ll typically accomplish this by flooding the targeted machine with false requests, which prevent it from fulfilling legitimate ones.

Some of the most notable DDoS attacks have targeted credit card payment processors and webhosting services. However, other utilities — such as pipelines, automated drilling equipment, electricity transmission infrastructure, wastewater treatment, etc. — are equally vulnerable. Attacks on these and similar critical infrastructure can lead to significant safety and environmental damages on top of lost productivity and profitability.

Ransomware is a subset of malicious applications called malware which gives hackers the ability to lock users out of the network and encrypt and/or publish sensitive data. Ransomware attackers will generally demand some form of payment or concession (i.e., ransom) in exchange for restoring access.

However, as many victims learn the hard way, complying with demands does not guarantee a positive result. There’s little stopping attackers from continually upping the ransom amount or simply going underground without restoring access to critical systems after they receive payment.

According to Group IB Ransomware Uncovered, the average victim experiences 18 days of downtime due to ransomware. That’s nearly two-thirds of a month of suppressed revenues and lost productivity over and above the lingering costs of remediating the attack, restoring consumer / client confidence, retraining and auditing employees, and upgrading systems to prevent future attacks.

More than four in every five of ransomware attacks originate through a phishing email or third-party / remote service vulnerability. With work-from-home arrangements becoming more commonplace, all these vulnerabilities will remain a large avenue of attack.

Learn more:
Why are data breaches increasing? A shift in mindset is necessary to reduce cyber threats

Business recovery planning is essential. Why do few organizations have it in place?

Six IT mistakes SMBs make (and how to fix them)

At an average cost of $6.75 million per incident according to a recent study by the Ponemon Institute, a single data breach can be overwhelming for Canadian small and medium-sized businesses. Considering how far-reaching a cyber breach can be, it’s easy to see why the price tag is so high.

Determining revenue losses can be rather difficult, partly because the financial impacts often linger long after the system is back to normal. A typical cyber breach can also cause a wide range of losses, including:

In addition to significant financial repercussions, a cyber breach can cost you a lot of time in compliance efforts. In Canada, the Breach of Security Safeguards Regulations apply to all organizations, including small businesses. Under these regulations, every business suffering from a cyber breach must:

While no organization can completely prevent a cyber breach, you can significantly reduce your likelihood of becoming a victim — along with the potential severity and associated costs of an attack. The key is to implement a proactive cyber plan that can protect your organization’s growing number of entry points and adequately defend you from increasingly frequent (and sophisticated) cyber threats.

Typically, a strong cyber plan is comprised of two components: a proactive defense strategy and a detailed incident response plan.

Learn more:

The Data Dilemma: Ideas to improve the effectiveness of your incident response plan eBook

How practice owners and partners can reduce their cyber risks

To reduce your chances of an attack, you need to explore your organization’s vulnerabilities from all angles and implement the appropriate risk controls. There are several different ways to do this, depending on your organization’s needs.

A growing number of organizations rely on digital identification (i.e., digital IDs) to ensure only authorized users can access their services. However, this often requires gathering and collecting personal information — sometimes including biometric data such as body measurements, fingerprints, etc. It’s imperative such organizations establish a standardized framework of trust and security, as well as clear rules, ethics, and governance around collecting and storing this sensitive information, such as: 

Device compatibility
Many individuals and organizations use different digital ID devices and software, which can lead to compatibility issues. For instance, different devices often come with different levels of security controls or different capabilities for the deployment of these controls. It’s critical to ensure applications are compatible with all relevant devices and have robust security measures to protect individuals’ privacy.

Robust technology
The technology underpinning digital IDs must have an extremely narrow margin of error — especially those utilizing biometric data. Common issues persist which may lead to false positives and negatives, both of which can limit the functionality of digital ID platform and lead to security breaches and/or workarounds which negate the technology’s utility.

Tiered access
Organizations that use digital IDs have a responsibility to keep sensitive user data secure. While a central digital source of information offers convenience for both organizations and individuals, there’s also tremendous risk. Individuals’ biometric markers are immutable, so security breaches can have catastrophic (and potentially irreversible) consequences.

Organizations must create and implement defined privacy and security procedures — and comply with all relevant privacy regulations — to protect user data from unauthorized access. A tiered access framework can help organizations reduce the amount of people who have access to the information and thereby reduce the associated risks of a breach.

A policy built around the data lifecycle
Organizations must consider the steps they’re taking to protect data throughout its entire lifecycle and make this information readily accessible for all relevant stakeholders. This includes how and why data is gathered, stored, and secured — as well as when, how, and why it’s ultimately deleted or purged. Such measures should be clearly defined (and rigidly followed) in comprehensive policy and procedural documents which are continually updated as practices or technologies evolve.

Learn more:
How to get digital ID management right

The Data Dilemma: Privacy, ethics, and the future of AI eBook

Cyber governance is a critical element of a proactive cyber defence plan. It outlines all the policies and processes surrounding how an organization will detect, prevent, and respond to cyber incidents. Senior leaders must create a culture and policy framework that effectively manages and mitigates cyber and privacy risks. A top-down commitment to cyber defense makes it easier for every individual in the organization to understand their role in preventing, reporting, and responding to a cyber breach.

Seven principles of cyber-focused leaders:

1. Cyber risk is enterprise risk: Technology is inseparable from the business. Incorporate cyber and privacy concerns within enterprise risk planning (e.g., through a risk register) to understand the likelihood and source of a potential breach — and steps to take to reduce its harm to the organization.
2. Cyber risk requires cyber perspective: Invite cyber security experts to advise on cyber topics and regularly include cyber and privacy on the leadership agenda. Create a technology committee to discuss priorities, trends, concerns, and emerging controls.
3. Cyber risk management begins with policy: Create and promote a culture of cyber incident prevention by emphasizing privacy protection, good technology hygiene, and risk awareness throughout the organization.
4. Cyber risks have legal implications: Be aware of any legislative changes, compliance or regulatory needs, and legal cases pertaining to privacy, cyber security, reporting guidelines, and repercussions for businesses that experienced a cyber breach.
5. Cyber risks and attacks are always evolving: Focus on the fundamentals and strive for excellence in cyber maturity. Stay on the lookout for new breach techniques, incidents, and risks; especially those occurring within your industry or sector.
6. Cyber risks are not all equal: Know which cyber risks you want to avoid, need to mitigate, or are willing to accept or transfer through cyber insurance — along with your strategy for each.
7. Data collection and privacy need a policy: Be aware of the data you collect and stay on top of new and existing regulations in your jurisdiction(s). Be conscious of what stakeholders know and want — and invest in policies that consistently exceed their expectations.

Learn more about the collection and management of personal information:
Beyond Regulation Whitepaper

Video: What’s next for privacy?

Employees are the first — and in many ways, the best — line of defense against cyber breaches. Yet, businesses often fail to provide the training and tools to build and harness their capabilities. Fortunately, there are several steps you can take to strengthen your cyber training program and reap better results:

Make it personal
Introduce awareness programs that relate workplace security practices to a benefit in your employees’ personal lives. Demonstrating how strong, secure passwords and avoiding unsolicited links can protect their personal assets will transform how they view employer policies and procedures.

Make training engaging
Attention and information fatigue are real concerns for today’s workforce. Just because employees comply with mandatory training doesn’t guarantee they will fully engage with the information or absorb the desired key learnings. Rather than bombarding them with volumes of information, seek instead to make security awareness relevant and integrate it within their day-to-day work and the broader culture of your organization.

For example, you could run a simulated phishing exercise to reveal how many employees would click on a malicious link sent by email. Each employee will receive a tailored report card based on their performance along with a concise training module that directly speaks to their knowledge gaps. The results will be timely, personalized, and deliver tangible feedback on how their specific actions link to a potential security breach. Such exercises could be tailored to a variety of breach scenarios, roles, and authority levels and run indefinitely.

Encourage rather than penalize
Many organizations continue to preach perfection in their security training and often threaten employees with discipline or dismissal for actions leading to security breaches. Not only does this approach do little to curb malicious actions, but it may cause even more harm by making otherwise honest employees think twice about reporting an incident they had a hand in facilitating.

The cost and damage of a breach is generally proportionate to the length of time it takes to detect and address the threat. When IT and security departments react to reports with encouragement rather than antagonism, employees become part of the solution. The benefits are two-fold: Relevant professionals get the information they need to identify the source and mechanics of a breach and fix the problem, and the employee is more confident and likely to speak up if they suspect a problem.

Learn more:
How to build an effective cyber security employee awareness program

The Perfect Storm: Why Cyber Awareness is More Important than Ever

The steps above are effective for managing cyber security risks that originate within your organization. However, as your organization continues to embrace a growing range of third-party websites, internet of things (IoT) devices, and software-as-a-service (SaaS) applications, you must also take steps to ensure cyber criminals don’t infiltrate your business by means of third-party vendors and suppliers. The following third-party cyber risk assessment can help identify vulnerabilities and steps to protect your organization:

The cloud can offer some security enhancements in addition to its many cost and convenience benefits. However, just like locally hosted servers and applications, thorough due diligence is still necessary to protect your data and your business. As with other third-party services, cloud implementations require frequent and comprehensive risk assessments to ensure the vendor is aligned with your cyber security needs, objectives, and regulatory requirements. Several international organizations continually develop and promote cloud governance standards and best practices to help guide your cloud security, including:

• Cloud Security Alliance (CSA)
• European Network and Information Security Agency (ENISA)
• ISACA
• National Institute of Standards and Technology (NIST)
• Centre for Internet Security (CIS)