Cybersecurity Risks are Real, but ‘the Sky is Not Falling’

By: Lee Rickwood

May 20, 2022

Nearly three-quarters (74 per cent) of Canadian organizations think they’ll be breached in the next 12 months, and judging by many news headlines, they have every right to think so.

Gone are the days when occasional cyberattacks were basement-based probes into small or unsecured systems; serious and sophisticated cyberattacks on businesses around the world have almost doubled since last year.

Yet there are steps that businesses can and should take to protect their data, their operations, their profits – and their reputations as good stewards of the privacy of their customers.

Despite the concerns over upcoming breaches, Canada is actually more prepared to handle cyber risk than other countries, according to the biannual Cyber Risk Index (CRI) from Trend Micro, the multinational cybersecurity software company.

Its report says Canada faces a more moderate cyber risk level than the U.S. or countries globally, which have elevated risk levels.

In light of pandemic-related changes to the workplace and how we function in it, many needed digital investments were made to support remote work and maintain business efficiencies, which exposed more corporate “attack surfaces” to possible threats.

Canadian organizations are most worried about security risks in relation to mobile/remote employees, third-party applications, and mobile/smart phone devices (76, 72 and 66 per cent, respectively).

“As organizations constantly navigate the ever-evolving security landscape, understanding what makes their businesses vulnerable is critical,” Greg Young, Vice President, Cybersecurity at Trend Micro Canada, said when the report was released. “This is where reports like the CRI can be a great resource in highlighting areas of possible concern to help organizations develop an effective cybersecurity strategy.”

The report also uses a slightly different metric than the usual “sky-is-falling threat report,” he said later.

“We look at aspects of the state of cybersecurity, and two things to compare are the actual threats, against the lens of how prepared people are. There are threats out there, fine. Too often there’s hyper-ventilation about it, so we focus on that gap between the perception of risk and the level of preparedness for it.”

The nature of the banking industry here, or of the country’s telecom infrastructure, provides certain advantages through size alone. There are fewer institutions, yes, but they are generally larger than many of the numerous players in other national markets. That size has helped contribute to awareness of, experience with and preparation for anticipated threats in a digital economy. Perhaps the generally cautious and conservative culture in Canadian business has helped, too.

That is not to ignore an underlying truth in cybersecurity: people will always be the weakest link, Young says. “Let’s expect mistakes; let’s recognize that a percentage of attacks will happen. How do we spot that early on? What preventative measures can we take?”

Old security models have to change in the face of the changing workplace. Young says we can break out of legacy systems with new kinds of technology-supported approaches: “That’s where the real ‘magic’ happens, with technology that is able to help us connect the dots where we couldn’t connect them before.”

That can include tools such as XDR, meaning extended detection and response: the detection and analysis of data activity across multiple security layers – email, endpoint, server, cloud workloads and network. Collecting data is one benefit of XDR, but applying machine-based analytics and intelligence turns that information into insight and response.

“Before, we had to wait on a response until it was 100 per cent sure an attack was happening; now, we can do really great things to keep us ahead,” Young says of new AI- and ML-based threat assessment capabilities.

Beyond the enhanced technical tools contributing to enhanced cybersecurity, Young says an equal partnership between private and public sectors is crucial.

The business sector should not be leading national policy responses, and government is not equipped to lead the way with technical advances, so a partnership is needed.

“Information-sharing is critical,” Young says, noting that an understanding in both directions of the abilities and priorities leads to a better safety environment.

One example of the beneficial environment fostered in a collective, consensus-based approach is seen in the Canadian Forum for Digital Infrastructure Resilience (CFDIR), a public-private sector group with the eponymous goal of resiliency for the country’s digital infrastructure. Young is the current private-sector co-chair of the group, which was formed in 2020 and has among its topical areas of focus Internet and cloud resilience, IoT security, and supply chain assurance.

There will always be a need for detailed technical conversations in such a forum, of course, but Young notes a different tone in cybersecurity conversations these days, and it’s coming from the board room, not the IT department.

He recalled a conversation with a CIO a few weeks back, in which he was told how the corporate board, rather than seeking justification for every last dime of IT spending, was eager to ensure more was being done on the cyber side.

“The conversation is changing, and board management is very informed.”

Businesses are better at assessing risk and anticipating threats, and they are more informed in their decisions about security strategy.

The best method to combat cybersecurity risks, at the end of the day, is still awareness, and the visibility that awareness brings to the threat landscape is one of the greatest protections for business.

“No, the sky definitely is not falling,” Young chuckles. “I can make it sound easy and boil it down to a couple of steps: back up your info and keep your patches up-to-date.”

“Now, those can be difficult things to do,” he acknowledges. But just being aware of those two measures means that information is on the radar screen, that preparedness is increasing.

