The stakes are high for Canadian businesses. A well-targeted attack can cripple or permanently destroy a small to medium-sized enterprise. Perhaps most unsettling, there is little you can do to avoid becoming a potential target.
However, there are steps you can take to reduce the severity and cost of a cyber incident. Here, we outline everything you need to understand how safe your business is, and how to enhance your level of cyber security, reduce the likelihood an attack will result in a breach, and keep the damage to a minimum if a breach does occur.
A cyber breach is any unauthorized access to your organization’s digital devices or systems which targets intellectual property, employee and customer information, IT infrastructure, or even physical locations. It can encompass a wide range of activities — from fraud perpetrated by an employee to malware that infiltrates an organization’s network through a nefarious email attachment. While there are countless forms of cyber breaches, distributed denial-of-service (DDoS) and ransomware attacks are two which most often afflict small- to medium-sized businesses.
A DDoS attack occurs when a threat actor seeks to make a network resource unavailable by disrupting the server connected to the internet. They’ll typically accomplish this by flooding the targeted machine with false requests, which prevent it from fulfilling legitimate ones.
Some of the most notable DDoS attacks have targeted credit card payment processors and webhosting services. However, other utilities — such as pipelines, automated drilling equipment, electricity transmission infrastructure, wastewater treatment, etc. — are equally vulnerable. Attacks on these and similar critical infrastructure can lead to significant safety and environmental damages on top of lost productivity and profitability.
Ransomware is a subset of malicious applications called malware which gives hackers the ability to lock users out of the network and encrypt and/or publish sensitive data. Ransomware attackers will generally demand some form of payment or concession (i.e., ransom) in exchange for restoring access.
However, as many victims learn the hard way, complying with demands does not guarantee a positive result. There’s little stopping attackers from continually upping the ransom amount or simply going underground without restoring access to critical systems after they receive payment.
According to Group IB Ransomware Uncovered, the average victim experiences 18 days of downtime due to ransomware. That’s nearly two-thirds of a month of suppressed revenues and lost productivity over and above the lingering costs of remediating the attack, restoring consumer / client confidence, retraining and auditing employees, and upgrading systems to prevent future attacks.
More than four in every five of ransomware attacks originate through a phishing email or third-party / remote service vulnerability. With work-from-home arrangements becoming more commonplace, all these vulnerabilities will remain a large avenue of attack.
of organizations had to cease business operations immediately because of ransomware
of businesses have experienced a cyberattack
have suffered a data breach
were victims of ransomware
At an average cost of $6.75 million per incident according to a recent study by the Ponemon Institute, a single data breach can be overwhelming for Canadian small and medium-sized businesses. Considering how far-reaching a cyber breach can be, it’s easy to see why the price tag is so high.
Determining revenue losses can be rather difficult, partly because the financial impacts often linger long after the system is back to normal. A typical cyber breach can also cause a wide range of losses, including:
In addition to significant financial repercussions, a cyber breach can cost you a lot of time in compliance efforts. In Canada, the Breach of Security Safeguards Regulations apply to all organizations, including small businesses. Under these regulations, every business suffering from a cyber breach must:
Our experts are always ready to help.
While no organization can completely prevent a cyber breach, you can significantly reduce your likelihood of becoming a victim — along with the potential severity and associated costs of an attack. The key is to implement a proactive cyber plan that can protect your organization’s growing number of entry points and adequately defend you from increasingly frequent (and sophisticated) cyber threats.
Typically, a strong cyber plan is comprised of two components: a proactive defense strategy and a detailed incident response plan.
A proactive plan of defense should include:
A successful cyber response should include:
To reduce your chances of an attack, you need to explore your organization’s vulnerabilities from all angles and implement the appropriate risk controls. There are several different ways to do this, depending on your organization’s needs.
A growing number of organizations rely on digital identification (i.e., digital IDs) to ensure only authorized users can access their services. However, this often requires gathering and collecting personal information — sometimes including biometric data such as body measurements, fingerprints, etc. It’s imperative such organizations establish a standardized framework of trust and security, as well as clear rules, ethics, and governance around collecting and storing this sensitive information, such as:
Many individuals and organizations use different digital ID devices and software, which can lead to compatibility issues. For instance, different devices often come with different levels of security controls or different capabilities for the deployment of these controls. It’s critical to ensure applications are compatible with all relevant devices and have robust security measures to protect individuals’ privacy.
The technology underpinning digital IDs must have an extremely narrow margin of error — especially those utilizing biometric data. Common issues persist which may lead to false positives and negatives, both of which can limit the functionality of digital ID platform and lead to security breaches and/or workarounds which negate the technology’s utility.
Organizations that use digital IDs have a responsibility to keep sensitive user data secure. While a central digital source of information offers convenience for both organizations and individuals, there’s also tremendous risk. Individuals’ biometric markers are immutable, so security breaches can have catastrophic (and potentially irreversible) consequences.
Organizations must create and implement defined privacy and security procedures — and comply with all relevant privacy regulations — to protect user data from unauthorized access. A tiered access framework can help organizations reduce the amount of people who have access to the information and thereby reduce the associated risks of a breach.
A policy built around the data lifecycle
Organizations must consider the steps they’re taking to protect data throughout its entire lifecycle and make this information readily accessible for all relevant stakeholders. This includes how and why data is gathered, stored, and secured — as well as when, how, and why it’s ultimately deleted or purged. Such measures should be clearly defined (and rigidly followed) in comprehensive policy and procedural documents which are continually updated as practices or technologies evolve.
How to get digital ID management right
Cyber governance is a critical element of a proactive cyber defence plan. It outlines all the policies and processes surrounding how an organization will detect, prevent, and respond to cyber incidents. Senior leaders must create a culture and policy framework that effectively manages and mitigates cyber and privacy risks. A top-down commitment to cyber defense makes it easier for every individual in the organization to understand their role in preventing, reporting, and responding to a cyber breach.
Seven principles of cyber-focused leaders:
Learn more about the collection and management of personal information:
Beyond Regulation Whitepaper
Employees are the first — and in many ways, the best — line of defense against cyber breaches. Yet, businesses often fail to provide the training and tools to build and harness their capabilities. Fortunately, there are several steps you can take to strengthen your cyber training program and reap better results:
Make it personal
Introduce awareness programs that relate workplace security practices to a benefit in your employees’ personal lives. Demonstrating how strong, secure passwords and avoiding unsolicited links can protect their personal assets will transform how they view employer policies and procedures.
Make training engaging
Attention and information fatigue are real concerns for today’s workforce. Just because employees comply with mandatory training doesn’t guarantee they will fully engage with the information or absorb the desired key learnings. Rather than bombarding them with volumes of information, seek instead to make security awareness relevant and integrate it within their day-to-day work and the broader culture of your organization.
For example, you could run a simulated phishing exercise to reveal how many employees would click on a malicious link sent by email. Each employee will receive a tailored report card based on their performance along with a concise training module that directly speaks to their knowledge gaps. The results will be timely, personalized, and deliver tangible feedback on how their specific actions link to a potential security breach. Such exercises could be tailored to a variety of breach scenarios, roles, and authority levels and run indefinitely.
Encourage rather than penalize
Many organizations continue to preach perfection in their security training and often threaten employees with discipline or dismissal for actions leading to security breaches. Not only does this approach do little to curb malicious actions, but it may cause even more harm by making otherwise honest employees think twice about reporting an incident they had a hand in facilitating.
The cost and damage of a breach is generally proportionate to the length of time it takes to detect and address the threat. When IT and security departments react to reports with encouragement rather than antagonism, employees become part of the solution. The benefits are two-fold: Relevant professionals get the information they need to identify the source and mechanics of a breach and fix the problem, and the employee is more confident and likely to speak up if they suspect a problem.
The steps above are effective for managing cyber security risks that originate within your organization. However, as your organization continues to embrace a growing range of third-party websites, internet of things (IoT) devices, and software-as-a-service (SaaS) applications, you must also take steps to ensure cyber criminals don’t infiltrate your business by means of third-party vendors and suppliers. The following third-party cyber risk assessment can help identify vulnerabilities and steps to protect your organization:
The cloud can offer some security enhancements in addition to its many cost and convenience benefits. However, just like locally hosted servers and applications, thorough due diligence is still necessary to protect your data and your business. As with other third-party services, cloud implementations require frequent and comprehensive risk assessments to ensure the vendor is aligned with your cyber security needs, objectives, and regulatory requirements. Several international organizations continually develop and promote cloud governance standards and best practices to help guide your cloud security, including:
To adequately protect your organization from cyber criminals, you need a plan. A cyber roadmap helps you clarify your most critical assets, focus cyber security investments, and leverage your data in a responsible (and compliant) way.
The cyber security triangle is a helpful visual to structure your cyber security roadmap, as it allows you to clearly outline where your cyber security program stands today in comparison to where the organization would like it to be. It encompasses all the information you need to drive cyber security decision-making —including regulatory requirements, strategic planning or tactical initiatives, risks, and cyber maturity goals.
On each side of the triangle is a critical cyber security element: practice, regulations, and strategy. Without representation from all three sides, the program is incomplete.
This side of the triangle is all about the delta between your current and desired state. You can use several different assessments to gauge where the business is right now. The more frameworks you use, the more complete your picture of the current state will be. These include:
Generally, this involves a cyber security audit or self-assessment against one of numerous frameworks (e.g., NIST, CIS, ISO, PCI, etc.).
This involves determining your organization’s overall risk tolerance and identifying potential cyber security threats:
This determines the effectiveness of controls, considering both the technology and human factors, as well as the decision-making abilities of key stakeholders in your organization.
The desired state is more subjective. You may choose to focus on controls (e.g., alignment with compliance frameworks), risk, or maturity to gauge your progress — though at some point you’ll ideally address all three. What’s imperative is having a clear and documented plan of where your organization wants the cyber security program to trend towards, how it plans to get there, and what repeatable tests you plan to conduct to measure progress.
Every region and industry mandates specific — and increasingly stringent — laws, regulations, and compliance regimes organizations must follow to operate in their jurisdiction. These are generally straightforward and, considering the potential consequences, should be non-negotiable.
Some common examples include:
Data Protection Regulation (GDPR)
Applicable to organizations that collect personal information on European citizens.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Applicable to organizations that collect personal information on Canadian citizens.
Payment Card Industry Data Security Standard (PCI-DSS)
Applicable to organizations that accept Visa, MasterCard or American Express to take payment, conduct credit checks or as identification (whether or not they are working with an approved scanning vendor or ASV).
The last part of the cyber security triangle is also the most important. Governed by risk and directed by maturity, strategy is the foundation the entire program rests on — and what ultimately dictates the speed and direction the other two sides will improve.
These complimentary variables exist in a continuous feedback loop. Each risk-based improvement will expose a maturity weakness (e.g., the ability to measure the solution’s effectiveness or the precision thereof). Conversely, each maturity-based improvement will feed directly back into risk management. Strategy and tactics seek to balance this system.
Building your cyber security program
Our experts are always ready to help.
A Red Team Exercise simulates a range of real cyber threat scenarios to test your organization’s cyber resiliency. It goes beyond traditional penetration testing (i.e., ethical hacking) by employing physical, digital, social engineering, open-source intelligence-gathering techniques to develop a customized attack strategy. The Red Team’s goal is to compromise your organization and gain access to high-value assets without being detected, while your organization actively strives to identify and defend against the Red Team’s attacks — emulating a real-world breach scenario.
A Red Team exercise can help enhance your cyber resiliency by:
Cyber security has become so complex and specialized in recent years that even the largest and most sophisticated organizations can find it challenging to excel without external support. Skilled security professionals are in high demand in virtually every industry and are fast becoming a rare and costly internal resource — especially for small and mid-sized companies.
Fortunately, turnkey cyber security solutions exist to help small to medium businesses outsource all or key components of their cyber protection. Such managed security service partners offer round-the-clock operations centres staffed by experts, and essentially act as an extension of your company’s team. They work with you to help prevent, detect, and respond to cyber threats — and mitigate risks before they cause major damage. They also provide comprehensive guidance and support to address a wide range of security processes, such as compliance, management, administration, deployment, and reporting.
Every region and industry mandates specific—and increasingly stringent—laws, regulations and compliance regimes organizations must follow to operate in their jurisdiction. These are generally straightforward and, considering the potential consequences, should be non-negotiable.
Once you select a managed services provider and establish an agreement, the next step is to help your partner to gain a clear understanding of your business, the current state of your security, as well as your needs and goals. The company should conduct a comprehensive assessment of your overall security architecture including software, networks, control systems, policies, procedures, and people to:
Equipped with a clear picture of the current situation, your managed services security partner will recommend practical and affordable solutions to address cyber security gaps and weaknesses—and help you build a cyber posture that dramatically reduces the risk of a cyber breach.