Playbook: Everything you need to know to reduce your risk of a cyber breach

Is your business cyber secure?

Every year, one in five Canadian small businesses suffers a cyber attack — and the issue is only becoming more prevalent: With a new attack occurring every 39 seconds by some estimates, the annual global cost of cyber crime is now close to US$6 trillion.

The stakes are high for Canadian businesses. A well-targeted attack can cripple or permanently destroy a small to medium-sized enterprise. Perhaps most unsettling, there is little you can do to avoid becoming a potential target.

However, there are steps you can take to reduce the severity and cost of a cyber incident. Here, we outline everything you need to understand how safe your business is, and how to enhance your level of cyber security, reduce the likelihood an attack will result in a breach, and keep the damage to a minimum if a breach does occur.

What is a cyber breach?

A cyber breach is any unauthorized access to your organization’s digital devices or systems which targets intellectual property, employee and customer information, IT infrastructure, or even physical locations. It can encompass a wide range of activities — from fraud perpetrated by an employee to malware that infiltrates an organization’s network through a nefarious email attachment. While there are countless forms of cyber breaches, distributed denial-of-service (DDoS) and ransomware attacks are two which most often afflict small- to medium-sized businesses.

Distributed Denial-of-Service (DDoS)

A DDoS attack occurs when a threat actor seeks to make a network resource unavailable by disrupting a server’s connection to the internet. They’ll typically accomplish this by flooding the targeted machine with bogus requests, which prevent it from fulfilling legitimate ones.

Some of the most notable DDoS attacks have targeted credit card payment processors and web hosting services. However, other utilities — such as pipelines, automated drilling equipment, electricity transmission infrastructure, wastewater treatment, etc. — are equally vulnerable. Attacks on these and similar critical infrastructure can lead to significant safety and environmental damage on top of lost productivity and profitability.
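The flooding behaviour described above is visible in ordinary web-server access logs long before a site falls over. The following is an added example, not code from the original playbook or from the firm that published it: it parses constructed log lines in the common combined-log layout, counts requests per source in fixed 10-second windows, and flags any source that exceeds a per-window threshold. Because a distributed flood spreads its requests across many addresses, it also reports the peak aggregate rate, which is the number a defender compares against normal baseline traffic. The log lines, the addresses (documentation ranges), the window size and the threshold of 100 requests are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-style access log line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return ip, timestamp, request and status for one log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def build_sample_log():
    """Constructed traffic (not a real capture): four ordinary clients browsing over a
    minute, plus one source (a TEST-NET-3 documentation address) sending 250 requests
    in 10 seconds."""
    base = datetime(2023, 3, 10, 14, 0, 0, tzinfo=timezone.utc)
    clients = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=i * 1.5)).strftime(TS_FMT)
        lines.append(f'{clients[i % 4]} - - [{ts}] "GET /page/{i} HTTP/1.1" 200 1024')
    for i in range(250):
        ts = (base + timedelta(seconds=i * 0.04)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /search?q={i} HTTP/1.1" 503 0')
    return lines


def requests_per_window(lines, window_seconds=10):
    """Bucket requests into fixed windows; returns {(ip, window_start_epoch): count}."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole analysis
        bucket = int(rec["ts"].timestamp()) // window_seconds * window_seconds
        counts[(rec["ip"], bucket)] += 1
    return counts


def detect_flood_sources(lines, window_seconds=10, threshold=100):
    """Sources that exceed `threshold` requests in any single window: {ip: peak_count}."""
    flagged = {}
    for (ip, _bucket), n in requests_per_window(lines, window_seconds).items():
        if n > threshold:
            flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged


def peak_total_rate(lines, window_seconds=10):
    """Highest request count across all sources in one window. A distributed flood
    spreads load over many addresses, so this aggregate figure must be watched in
    addition to the per-source check."""
    totals = defaultdict(int)
    for (_ip, bucket), n in requests_per_window(lines, window_seconds).items():
        totals[bucket] += n
    return max(totals.values(), default=0)


if __name__ == "__main__":
    sample = build_sample_log()
    print("per-source flood sources:", detect_flood_sources(sample))
    print("peak requests in a 10 s window:", peak_total_rate(sample))
```

Run against the constructed sample, the per-source check isolates the single flooding address while the four browsing clients stay well under the threshold; the aggregate figure shows the flood making up almost all of the traffic in its window, which is exactly why legitimate requests stop being served.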

[Figure: What is a DDoS attack?]

Ransomware

Ransomware is a class of malicious software (malware) that gives attackers the ability to lock users out of a network and encrypt and/or publish sensitive data. Ransomware attackers will generally demand some form of payment or concession (i.e., a ransom) in exchange for restoring access.

However, as many victims learn the hard way, complying with demands does not guarantee a positive result. There’s little stopping attackers from continually upping the ransom amount or simply going underground without restoring access to critical systems after they receive payment.

According to Group-IB’s Ransomware Uncovered report, the average victim experiences 18 days of downtime due to ransomware. That’s nearly two-thirds of a month of suppressed revenues and lost productivity, over and above the lingering costs of remediating the attack, restoring consumer / client confidence, retraining and auditing employees, and upgrading systems to prevent future attacks.

More than four in every five ransomware attacks originate through a phishing email or a third-party / remote service vulnerability. With work-from-home arrangements becoming more commonplace, these vulnerabilities will remain a large avenue of attack.
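The encryption stage of a ransomware incident has a recognisable footprint on the endpoint: one process rewrites many files in a short burst with content that looks random, and typically renames them to a new extension. The block below is an added example, not code from the original playbook or its publisher, showing how an endpoint monitor can score that behaviour. It works on constructed file-activity events (a process name, a time, a write with its content, or a rename), measures the Shannon entropy of written data, and raises an alert only when a single process both writes many high-entropy files and changes many extensions within one window. The event shape, process names, file paths, the 60-second window, the 50-file threshold and the entropy cut-off of 7.0 bits per byte are assumptions chosen for the example.

```python
import math
import random
from collections import Counter, defaultdict
from os.path import splitext


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 to 8.0. Encrypted or compressed output sits near 8;
    ordinary documents and source text sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_events():
    """Constructed file-activity events (not recorded from a real host). Each event has a
    time in seconds, a process name, an operation, and either the written content or the
    rename target."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    events = []
    # An editor saving three plain-text documents a few tens of seconds apart.
    for i in range(3):
        events.append({"t": 30.0 * i, "proc": "editor.exe", "op": "write",
                       "path": f"C:/Users/alice/Documents/report{i}.docx",
                       "content": b"Quarterly report body text " * 150})
    # A process overwriting 120 spreadsheets with random-looking bytes and appending a
    # new extension, all within about 20 seconds: the pattern mass encryption leaves.
    for i in range(120):
        path = f"C:/Users/alice/Documents/file{i}.xlsx"
        content = bytes(rng.getrandbits(8) for _ in range(2048))
        events.append({"t": 60.0 + i * 0.16, "proc": "updater.tmp", "op": "write",
                       "path": path, "content": content})
        events.append({"t": 60.0 + i * 0.16 + 0.01, "proc": "updater.tmp", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return sorted(events, key=lambda e: e["t"])


def max_in_window(times, window):
    """Largest number of timestamps that fall within any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_mass_encryption(events, window=60.0, min_files=50, min_entropy=7.0):
    """Flag processes that, within `window` seconds, both write at least `min_files`
    high-entropy files and change the extension of at least `min_files` files.
    Requiring both signals keeps backup tools and archivers (high entropy, no renames)
    from tripping the alert. Returns {process: evidence}."""
    per_proc = defaultdict(lambda: {"high_entropy_writes": [], "ext_changes": []})
    for ev in events:
        stats = per_proc[ev["proc"]]
        if ev["op"] == "write" and shannon_entropy(ev["content"]) >= min_entropy:
            stats["high_entropy_writes"].append(ev["t"])
        elif ev["op"] == "rename" and splitext(ev["path"])[1] != splitext(ev["new_path"])[1]:
            stats["ext_changes"].append(ev["t"])
    alerts = {}
    for proc, s in per_proc.items():
        writes = max_in_window(s["high_entropy_writes"], window)
        renames = max_in_window(s["ext_changes"], window)
        if writes >= min_files and renames >= min_files:
            alerts[proc] = {"high_entropy_writes": writes, "ext_changes": renames}
    return alerts


if __name__ == "__main__":
    print(detect_mass_encryption(build_sample_events()))
```

On the constructed sample only the bulk-rewriting process is reported; the editor’s three low-entropy saves never reach either threshold. The value of catching this early is the point the page makes about downtime: an alert raised while the first few dozen files are being rewritten leaves far more of the estate intact than discovering the ransom note the next morning.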

  • 22% of organizations had to cease business operations immediately because of ransomware
  • 81% of businesses have experienced a cyberattack
  • 66% have suffered a data breach
  • 35% were victims of ransomware

How much does a cyber breach cost?

At an average cost of $6.75 million per incident according to a recent study by the Ponemon Institute, a single data breach can be overwhelming for Canadian small and medium-sized businesses. Considering how far-reaching a cyber breach can be, it’s easy to see why the price tag is so high.

Determining revenue losses can be rather difficult, partly because the financial impacts often linger long after the system is back to normal. A typical cyber breach can also cause a wide range of losses, including:

  • Loss of intellectual property
  • Compensation to affected parties through credit monitoring, financial compensation, and other measures
  • Loss of trust and confidence among clients and customers, employees, management, and investors
  • Lost productivity — both during and after the breach
  • Lawsuits and legal battles
  • Damages to public image 
  • Damages to outreach investment
  • Added fees associated with hiring professional advisors to mitigate malicious code
  • The risk of future breaches, due to compromised servers and/or login credentials
  • Regulatory fines
  • Higher costs for cyber insurance

Regulatory requirements after a cyber breach

In addition to significant financial repercussions, a cyber breach can cost you a lot of time in compliance efforts. In Canada, the Breach of Security Safeguards Regulations apply to all organizations, including small businesses. Under these regulations, every business suffering from a cyber breach must:

  1. Perform a formal risk assessment to determine whether (and the degree to which) the breach presents “real risk of significant harm.” If it does, they must then complete the following steps.
  2. Notify all affected clients with a description of the breach and its circumstances, including:
     • The approximate timeline of the breach
     • The personal information compromised or at risk
     • Steps taken to reduce further harm
     • Steps for the individual to mitigate or prevent further harm
     • The organization’s primary contact for follow-up or further information
  3. Notify the Canadian Privacy Commissioner of the circumstances and cause (if known) of the breach, including:
     • When the breach occurred
     • The personal information at risk
     • The number of affected individuals
     • Steps taken to reduce further harm
     • How the organization will contact affected individuals
     • The organization’s primary contact for follow-up
  4. Maintain a record of the breach for a minimum of 24 months.
  5. Meet Digital Privacy Act regulations and keep attestation documents verifying compliance readily accessible.

How do you prevent cyber breaches?

While no organization can completely prevent a cyber breach, you can significantly reduce your likelihood of becoming a victim — along with the potential severity and associated costs of an attack. The key is to implement a proactive cyber plan that can protect your organization’s growing number of entry points and adequately defend you from increasingly frequent (and sophisticated) cyber threats.

Typically, a strong cyber plan has two components: a proactive defense strategy and a detailed incident response plan.

A proactive plan of defense should include:

  • A clear playbook that outlines cyber best practices, processes, and procedures to minimize your chances of an attack
  • Controlled offensive and defensive tabletop testing exercises to expose vulnerabilities and improve your system’s response processes (this may include a Dark Web assessment)
  • Assessments of your most vulnerable systems (e.g., PCI, SWIFT, and Interac assessments)
  • A path to gradually enhance incident response sophistication
  • A formal assessment of your organization’s current cyber readiness state
  • Scheduled rehearsals so everyone knows what to do before an incident occurs

A successful cyber response should include:

  • A 24-hour monitoring system to identify and contain threats in real time
  • A clear action plan to prevent further damage
  • A method to assess the impact of the attack and quickly identify next steps
  • A post-mortem designed to address the issue that caused the breach and prevent a similar incident from recurring

5 elements of a proactive cyber defense plan

To reduce your chances of an attack, you need to explore your organization’s vulnerabilities from all angles and implement the appropriate risk controls. There are several different ways to do this, depending on your organization’s needs.

1. Identity/access management

A growing number of organizations rely on digital identification (i.e., digital IDs) to ensure only authorized users can access their services. However, this often requires collecting personal information — sometimes including biometric data such as body measurements, fingerprints, etc. It’s imperative that such organizations establish a standardized framework of trust and security, as well as clear rules, ethics, and governance around collecting and storing this sensitive information, such as:

Device compatibility
Many individuals and organizations use different digital ID devices and software, which can lead to compatibility issues. For instance, different devices often come with different levels of security controls or different capabilities for the deployment of these controls. It’s critical to ensure applications are compatible with all relevant devices and have robust security measures to protect individuals’ privacy.

Robust technology
The technology underpinning digital IDs must have an extremely narrow margin of error — especially where it relies on biometric data. Common issues persist that may lead to false positives and false negatives, both of which can limit the functionality of a digital ID platform and lead to security breaches and/or workarounds that negate the technology’s utility.

Tiered access
Organizations that use digital IDs have a responsibility to keep sensitive user data secure. While a central digital source of information offers convenience for both organizations and individuals, there’s also tremendous risk. Individuals’ biometric markers are immutable, so security breaches can have catastrophic (and potentially irreversible) consequences.

Organizations must create and implement defined privacy and security procedures — and comply with all relevant privacy regulations — to protect user data from unauthorized access. A tiered access framework can help organizations reduce the number of people who have access to the information and thereby reduce the associated risk of a breach.

A policy built around the data lifecycle
Organizations must consider the steps they’re taking to protect data throughout its entire lifecycle and make this information readily accessible for all relevant stakeholders. This includes how and why data is gathered, stored, and secured — as well as when, how, and why it’s ultimately deleted or purged. Such measures should be clearly defined (and rigidly followed) in comprehensive policy and procedural documents which are continually updated as practices or technologies evolve.

Learn more:
How to get digital ID management right

2. Cyber governance

Cyber governance is a critical element of a proactive cyber defence plan. It outlines all the policies and processes surrounding how an organization will detect, prevent, and respond to cyber incidents. Senior leaders must create a culture and policy framework that effectively manages and mitigates cyber and privacy risks. A top-down commitment to cyber defense makes it easier for every individual in the organization to understand their role in preventing, reporting, and responding to a cyber breach.

Seven principles of cyber-focused leaders:

  1. Cyber risk is enterprise risk: Technology is inseparable from the business. Incorporate cyber and privacy concerns within enterprise risk planning (e.g., through a risk register) to understand the likelihood and source of a potential breach — and steps to take to reduce its harm to the organization.
  2. Cyber risk requires cyber perspective: Invite cyber security experts to advise on cyber topics and regularly include cyber and privacy on the leadership agenda. Create a technology committee to discuss priorities, trends, concerns, and emerging controls.
  3. Cyber risk management begins with policy: Create and promote a culture of cyber incident prevention by emphasizing privacy protection, good technology hygiene, and risk awareness throughout the organization.
  4. Cyber risks have legal implications: Be aware of any legislative changes, compliance or regulatory needs, and legal cases pertaining to privacy, cyber security, reporting guidelines, and repercussions for businesses that experienced a cyber breach.
  5. Cyber risks and attacks are always evolving: Focus on the fundamentals and strive for excellence in cyber maturity. Stay on the lookout for new breach techniques, incidents, and risks; especially those occurring within your industry or sector.
  6. Cyber risks are not all equal: Know which cyber risks you want to avoid, need to mitigate, or are willing to accept or transfer through cyber insurance — along with your strategy for each.
  7. Data collection and privacy need a policy: Be aware of the data you collect and stay on top of new and existing regulations in your jurisdiction(s). Be conscious of what stakeholders know and want — and invest in policies that consistently exceed their expectations.

Learn more about the collection and management of personal information:
Beyond Regulation Whitepaper

3. Cyber awareness

Employees are the first — and in many ways, the best — line of defense against cyber breaches. Yet, businesses often fail to provide the training and tools to build and harness their capabilities. Fortunately, there are several steps you can take to strengthen your cyber training program and reap better results:

Make it personal
Introduce awareness programs that relate workplace security practices to a benefit in your employees’ personal lives. Demonstrating how strong, secure passwords and avoiding unsolicited links can protect their personal assets will transform how they view employer policies and procedures.

Make training engaging
Attention and information fatigue are real concerns for today’s workforce. Just because employees comply with mandatory training doesn’t guarantee they will fully engage with the information or absorb the desired key learnings. Rather than bombarding them with volumes of information, seek instead to make security awareness relevant and integrate it within their day-to-day work and the broader culture of your organization.

For example, you could run a simulated phishing exercise to reveal how many employees would click on a malicious link sent by email. Each employee will receive a tailored report card based on their performance along with a concise training module that directly speaks to their knowledge gaps. The results will be timely, personalized, and deliver tangible feedback on how their specific actions link to a potential security breach. Such exercises could be tailored to a variety of breach scenarios, roles, and authority levels and run indefinitely.

Encourage rather than penalize
Many organizations continue to preach perfection in their security training and often threaten employees with discipline or dismissal for actions leading to security breaches. Not only does this approach do little to curb malicious actions, but it may cause even more harm by making otherwise honest employees think twice about reporting an incident they had a hand in facilitating.

The cost and damage of a breach is generally proportionate to the length of time it takes to detect and address the threat. When IT and security departments react to reports with encouragement rather than antagonism, employees become part of the solution. The benefits are two-fold: Relevant professionals get the information they need to identify the source and mechanics of a breach and fix the problem, and the employee is more confident and likely to speak up if they suspect a problem.

Learn more:
How to build an effective cyber security employee awareness program

4. Third-party cyber risk assessment

The steps above are effective for managing cyber security risks that originate within your organization. However, as your organization continues to embrace a growing range of third-party websites, internet of things (IoT) devices, and software-as-a-service (SaaS) applications, you must also take steps to ensure cyber criminals don’t infiltrate your business by means of third-party vendors and suppliers. The following third-party cyber risk assessment can help identify vulnerabilities and steps to protect your organization:

  1. Develop the assessment framework you will use. This could include:
     • Regulatory requirements (e.g., the Office of the Superintendent of Financial Institutions (OSFI), Payment Card Industry (PCI), etc.)
     • Relevant standards or policies (e.g., ISO 27001/2)
     • External assessment criteria (e.g., contractor requirements, reputational impact, etc.)
     • High value assets in your organization (e.g., proprietary information, sensitive personal or payment information, etc.)
  2. Conduct workshops with business stakeholders to identify your third-party service providers.
  3. Develop standard reporting templates to ensure consistency across vendors.
  4. Identify and recommend tools such as risk-based third-party cyber security assessments to help quantify the risk.
  5. Review your program with the right stakeholders and adjust it as necessary.
  6. Perform third-party risk assessments based on vendor risk levels (i.e., high, medium, low), with vendors at high risk levels requiring more extensive and frequent assessments.
  7. Collect information from vendors:
     • Notify and engage your vendors. Open communication and understanding can lead to greater cooperation.
     • Assess third parties through questionnaires or passive risk tools.
     • Gather information from vendors using an adaptive and agile approach (e.g., self-assessments, clarification questions, evidence gathering, and additional testing if required).
  8. Analyze the results to rate vendors, identify gaps, and build in improvements as required.

5. Managing cloud security risks

The cloud can offer some security enhancements in addition to its many cost and convenience benefits. However, just like locally hosted servers and applications, thorough due diligence is still necessary to protect your data and your business. As with other third-party services, cloud implementations require frequent and comprehensive risk assessments to ensure the vendor is aligned with your cyber security needs, objectives, and regulatory requirements. Several international organizations continually develop and promote cloud governance standards and best practices to help guide your cloud security, including:

How to build a security roadmap

To adequately protect your organization from cyber criminals, you need a plan. A cyber roadmap helps you clarify your most critical assets, focus cyber security investments, and leverage your data in a responsible (and compliant) way.

1. Understand critical assets

Since it’s impossible to protect every single aspect of your business, you need to identify those information and technology assets that are most critical to your operations. Sit down with each business unit to better understand their processes, core technologies, and relevance to the business. This should help you develop a high-level inventory and data map to guide your cyber defense efforts.

2. Classify data

Next, you need a classification schema (e.g., essential, critical, important, not important, etc.) to determine which data is most worthy of protection. In this stage, you’ll assign data and technology elements to the schema, review pertinent legal and regulatory requirements, and develop controls guidelines.

3. Assess current practices

Now that you know which data needs to be protected, it’s time to understand how you’re currently protecting it. Review current data handling practices and compare these against industry frameworks. Conduct interviews with current data owners, review existing security and privacy controls, and document any gaps and recommendations.

4. Develop roadmap

Your final order of business is to compile a management report and propose specific activities and timelines to strengthen your existing protection efforts. Set aside time to go over the plan with all relevant stakeholders.

The cybersecurity triangle

The cyber security triangle is a helpful visual to structure your cyber security roadmap, as it allows you to clearly outline where your cyber security program stands today in comparison to where the organization would like it to be. It encompasses all the information you need to drive cyber security decision-making — including regulatory requirements, strategic planning or tactical initiatives, risks, and cyber maturity goals.

On each side of the triangle is a critical cyber security element: practice, regulations, and strategy. Without representation from all three sides, the program is incomplete.

[Figure: the cyber security triangle]

Practice

This side of the triangle is all about the delta between your current and desired state. You can use several different assessments to gauge where the business is right now. The more frameworks you use, the more complete your picture of the current state will be. These include:

Controls Assessment
Generally, this involves a cyber security audit or self-assessment against one of numerous frameworks (e.g., NIST, CIS, ISO, PCI, etc.).

Risk Assessment
This involves determining your organization’s overall risk tolerance and identifying potential cyber security threats:

  • Within your industry;
  • Related to specific technologies your organization uses;
  • Facing organizations of your size and organizational structure;
  • Resulting from your cyber security structure.

Maturity Assessment
This determines the effectiveness of controls, considering both the technology and human factors, as well as the decision-making abilities of key stakeholders in your organization.

The desired state is more subjective. You may choose to focus on controls (e.g., alignment with compliance frameworks), risk, or maturity to gauge your progress — though at some point you’ll ideally address all three. What’s imperative is having a clear and documented plan of where your organization wants the cyber security program to trend towards, how it plans to get there, and what repeatable tests you plan to conduct to measure progress.

Regulations

Every region and industry mandates specific — and increasingly stringent — laws, regulations, and compliance regimes organizations must follow to operate in their jurisdiction. These are generally straightforward and, considering the potential consequences, should be non-negotiable.

Some common examples include:

General Data Protection Regulation (GDPR)
Applicable to organizations that collect personal information on European citizens.

Personal Information Protection and Electronic Documents Act (PIPEDA)
Applicable to organizations that collect personal information on Canadian citizens.

Payment Card Industry Data Security Standard (PCI-DSS)
Applicable to organizations that accept Visa, MasterCard or American Express to take payment, conduct credit checks or as identification (whether or not they are working with an approved scanning vendor or ASV).

Strategy

The last part of the cyber security triangle is also the most important. Governed by risk and directed by maturity, strategy is the foundation the entire program rests on — and what ultimately dictates the speed and direction the other two sides will improve.

  • Risks are critical objectives. Failing to address these could significantly impact profitability, stock price, and the ability to function or recover in the event of a breach.
  • Maturity goals are aspirational objectives that define how an organization will improve its overall cyber security posture.

These complementary variables exist in a continuous feedback loop. Each risk-based improvement will expose a maturity weakness (e.g., the ability to measure the solution’s effectiveness, or the precision thereof). Conversely, each maturity-based improvement will feed directly back into risk management. Strategy and tactics seek to balance this system.

Learn more:
Building your cyber security program

Testing your cyber resiliency with Red Team exercises

A Red Team exercise simulates a range of real cyber threat scenarios to test your organization’s cyber resiliency. It goes beyond traditional penetration testing (i.e., ethical hacking) by employing physical, digital, social engineering, and open-source intelligence-gathering techniques to develop a customized attack strategy. The Red Team’s goal is to compromise your organization and gain access to high-value assets without being detected, while your organization actively strives to identify and defend against the Red Team’s attacks — emulating a real-world breach scenario.

A Red Team exercise can help enhance your cyber resiliency by:

  • Uncovering previously unidentified risks, thereby allowing your organization to increase security before you become a victim of an attack;
  • Providing you with invaluable insight on your organization’s situational awareness and response capabilities; and
  • Combining physical, digital, and social engineering attack techniques that reveal insights about all aspects of your organization’s security.

Where to find cybersecurity support

Cyber security has become so complex and specialized in recent years that even the largest and most sophisticated organizations can find it challenging to excel without external support. Skilled security professionals are in high demand in virtually every industry and are fast becoming a rare and costly internal resource — especially for small and mid-sized companies.

Fortunately, turnkey cyber security solutions exist to help small to medium businesses outsource all or key components of their cyber protection. Such managed security service partners offer round-the-clock operations centres staffed by experts, and essentially act as an extension of your company’s team. They work with you to help prevent, detect, and respond to cyber threats — and mitigate risks before they cause major damage. They also provide comprehensive guidance and support to address a wide range of security processes, such as compliance, management, administration, deployment, and reporting.

11 Questions to Ask Managed Security Services Providers

  1. Do they understand your industry, your business and the security challenges you face?
  2. Do they deliver a holistic, risk-based approach to security?
  3. What is their reputation and track record?
  4. Do they have a state-of-the-art, 24-7 operations centre equipped with the latest technologies and well-trained security staff?
  5. Do security staff have relevant professional qualifications, certifications, skills and experience?
  6. What is the staffing structure; would your account have dedicated staff? Are senior staff hands-on?
  7. What is their quality control process? What standards and best practices do they follow?
  8. Do they have strong relationships with manufacturers and other suppliers so they can quickly resolve product issues?
  9. Are their policies and procedures for communicating, responding and reporting clear and comprehensive?
  10. What benefits will you receive from partnering with them? How does this compare with costs?
  11. Do your two organizations blend well? Is there a good cultural match?

The cyber security assessment

Once you select a managed services provider and establish an agreement, the next step is to help your partner gain a clear understanding of your business, the current state of your security, and your needs and goals. The provider should conduct a comprehensive assessment of your overall security architecture, including software, networks, control systems, policies, procedures, and people, to:

  • Benchmark against cyber security standards
  • Identify your key cyber security risks
  • Conduct high-level cyber threat modeling
  • Make prioritized and practical recommendations to reduce your risk

Equipped with a clear picture of the current situation, your managed security services partner will recommend practical and affordable solutions to address cyber security gaps and weaknesses — and help you build a cyber posture that dramatically reduces the risk of a cyber breach.

Content contributors

  • Tom Beaupre, Partner, Cyber Risk Management Lead
  • Adriana Gliga, Partner, Privacy and Data Protection Lead
  • Chris Law, Partner, Cyber Offensive & Incident Management Lead
  • Eugene Ng, Partner, Cyber Security Architecture & Managed Services Lead
  • Danny Timmins, Partner, National Cyber Security & Privacy Leader
