Most Canadian companies that are victims of cyber incidents lack even basic recommended security measures. This observation from the latest available National Cyber Threat Assessment from the Canadian Centre for Cyber Security has never been more relevant. Organizations must assess their security posture now, before they become another target for hackers looking to disrupt domestic operations.
The government’s strong involvement in sanctions against other nation-states and support through military aid increases the risk level for both public and private organizations in Canada. Prime Minister Justin Trudeau has been vocal in his condemnation of hostile actions, as has U.S. President Joseph Biden, thus increasing the likelihood of retaliatory actions.
The cost of cyber security incidents continues to rise
Last year, the average data breach in Canada cost C$6.75 million, and the trend continues upward. Breach victims spent roughly half a million dollars more than the year prior on forensic investigations, recovery efforts, ransom payments and increased cyber insurance premiums. Large enterprises and infrastructure providers are common targets of sophisticated state-sponsored attacks, but businesses of all sizes must harden their defences given the prevalence of financially motivated cyber crime.
In one notable case, malicious actors took over the network of Saint John, N.B., and demanded a ransom of C$20 million in bitcoin. The city refused to pay the ransom even though the hackers shut down its website and numerous government services. Instead, it opted to build a new network and website from scratch at a cost of approximately C$2.9 million, with much of this covered by insurance policies.
This was a remarkable response from the city. However, the challenge is that most organizations lack the flexibility to simply start over like this. Moreover, system downtime and intangible costs of reputational damage typically far exceed the pure financial costs of rebuilding an entire tech stack. Fortunately, there are achievable steps to take that greatly improve an organization’s cyber security posture.
Know your weaknesses before your enemy does
Threat assessment is a critical first step to prioritize security efforts and manage cyber defences. Large organizations have an ever-increasing attack surface due to the pervasiveness of remote work, while smaller organizations typically have limited resources dedicated to the problem. Thus, cyber defence efforts must focus on where vulnerabilities exist.
Identifying key systems and critical infrastructure (an organization's "crown jewels") serves to guide threat assessments. An organization's critical data is its greatest asset. Data stores should be categorized based on business priorities and risk tolerance, with access controls and backup policies tailored for each level. The strongest protection against data loss or corruption, including ransomware that deliberately targets backups, combines two distinct properties: backups that are immutable (write-once copies that cannot be altered or deleted during their retention period, even by an administrator account) and backups that are air-gapped (a copy kept offline or physically disconnected from the production network, so that a compromised network cannot reach it).
Running outdated software versions is an all too common vulnerability. The simplest and most effective remediation is to maintain an accurate inventory of systems and software, scan it for missing updates, and apply patches diligently, prioritizing anything that is internet-facing or has a known exploited vulnerability. The importance of this practice cannot be overstated.
A well-understood business practice is to be your own customer, as this technique shines a spotlight on aspects of the customer experience that need improvement. Likewise, cyber vulnerabilities may not be visible internally until one looks at their enterprise from a hacker’s viewpoint. Third-party assessments are beneficial here, but any fresh perspective from the outside facilitates the rapid identification of security gaps and likely attack areas.
Penetration testing, adversary emulation (simulated attacks against live systems) and tabletop exercises (walking the response team through an incident scenario on paper) are invaluable tools in this space, and each answers a different question: whether a given control can be bypassed, whether defenders detect and stop an attacker in practice, and whether the organization can make the right decisions under pressure. Beyond the value of short-term remediations, data from these exercises are critical for informing risk calculations and driving future security investments. They should not be viewed as one-off activities; rather, they should be incorporated into ongoing operations.
The emergence of zero trust in a world with no perimeters
The days of feeling secure sitting behind a firewall are long gone. Cyber security in the digitally transformed world assumes no perimeter, given the use of public and private cloud infrastructure, SaaS, and remote workers. Since there is no longer a trusted perimeter, no user, device or network location should be trusted by default: every request is authenticated and authorized on its own merits, regardless of where it originates.
While initially this may seem inconvenient or even offensive to some, the minor inconvenience experienced by employees in this paradigm is well worth the security benefit. Multi-factor authentication should be considered table stakes at this point, as it is an essential safeguard against compromised passwords. Where possible, prefer phishing-resistant methods such as hardware security keys or platform authenticators (FIDO2/WebAuthn) over SMS codes or simple push approvals, which attackers can defeat with real-time phishing or by flooding the user with prompts.
Access to systems, and even individual transactions, in a zero trust model is decided on context, not just static permissions: who is asking, from which device, whether that device is managed and healthy, from where, at what time, and whether the request resembles the user's established pattern. Risk-based (adaptive) access and behavioural analytics products evaluate whether requests fall outside normal usage patterns, learn and adapt over time, and run in the background of most processes. A low-risk request proceeds silently, a moderately risky one triggers a step-up such as re-authentication or a confirmation prompt, and a clearly anomalous one is blocked. Flagging abnormal activity at the source like this helps shorten the time to resolution of actual security incidents.
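The following Python is an added example, not code from the article or from any vendor's product, of the context-based decision just described: a per-user baseline of countries, devices, working hours and actions is learned from historical sign-in events, and each new request is scored against it. The event fields, the risk weights and the allow/step-up/deny thresholds are illustrative assumptions; the history and requests are constructed for the example.

```python
"""Context-aware access decisions for a zero trust policy engine (added example).

A per-user baseline is learned from constructed sign-in history; new requests
are scored on how far their context departs from that baseline. Field names,
weights and thresholds are illustrative assumptions, not a product's defaults.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    country: str
    device_id: str
    action: str     # "read", "export" or "admin" (assumed action names)
    managed: bool   # device enrolled in device management (assumed attribute)


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sign-in history used to learn what "normal" looks like.
HISTORY = [
    Event("alice", utc(2024, 3, 4, 9, 5),   "CA", "lap-a1", "read",   True),
    Event("alice", utc(2024, 3, 4, 14, 30), "CA", "lap-a1", "read",   True),
    Event("alice", utc(2024, 3, 5, 8, 50),  "CA", "lap-a1", "export", True),
    Event("alice", utc(2024, 3, 6, 17, 10), "CA", "lap-a1", "read",   True),
    Event("bob",   utc(2024, 3, 4, 10, 0),  "CA", "lap-b1", "admin",  True),
    Event("bob",   utc(2024, 3, 5, 11, 20), "US", "lap-b1", "admin",  True),
    Event("bob",   utc(2024, 3, 6, 9, 45),  "CA", "lap-b1", "read",   True),
]

# Illustrative risk weights and thresholds (assumptions for this example).
WEIGHTS = {
    "new_country": 40, "impossible_travel": 40, "unknown_device": 25,
    "unmanaged_device": 20, "off_hours": 15, "privileged_action": 15,
}
STEP_UP_AT, DENY_AT = 30, 60
PRIVILEGED = {"admin", "export"}


class Baseline:
    """Per-user profile: countries, devices, actions, working hours, last seen."""

    def __init__(self) -> None:
        self.countries = defaultdict(set)
        self.devices = defaultdict(set)
        self.actions = defaultdict(set)
        self.hours = defaultdict(set)
        self.last_seen: dict[str, tuple[datetime, str]] = {}  # for travel checks

    def learn(self, ev: Event) -> None:
        self.countries[ev.user].add(ev.country)
        self.devices[ev.user].add(ev.device_id)
        self.actions[ev.user].add(ev.action)
        self.hours[ev.user].add(ev.ts.hour)
        prev = self.last_seen.get(ev.user)
        if prev is None or ev.ts > prev[0]:
            self.last_seen[ev.user] = (ev.ts, ev.country)


def build_baseline(events=HISTORY) -> Baseline:
    base = Baseline()
    for ev in sorted(events, key=lambda e: e.ts):
        base.learn(ev)
    return base


def score(ev: Event, base: Baseline) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for a request measured against the baseline."""
    reasons = []
    if ev.country not in base.countries.get(ev.user, set()):
        reasons.append("new_country")
    prev = base.last_seen.get(ev.user)
    # Two countries within two hours is treated as impossible travel.
    if prev and prev[1] != ev.country and abs(ev.ts - prev[0]) < timedelta(hours=2):
        reasons.append("impossible_travel")
    if ev.device_id not in base.devices.get(ev.user, set()):
        reasons.append("unknown_device")
    if not ev.managed:
        reasons.append("unmanaged_device")
    hours = base.hours.get(ev.user)
    if hours and not (min(hours) - 1 <= ev.ts.hour <= max(hours) + 1):
        reasons.append("off_hours")
    if ev.action in PRIVILEGED and ev.action not in base.actions.get(ev.user, set()):
        reasons.append("privileged_action")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(ev: Event, base: Baseline) -> tuple[str, int, list[str]]:
    """Map the score to allow / step_up (confirmation or re-authentication) / deny."""
    s, reasons = score(ev, base)
    verdict = "allow" if s < STEP_UP_AT else "step_up" if s < DENY_AT else "deny"
    return verdict, s, reasons


if __name__ == "__main__":
    base = build_baseline()
    for req in [
        Event("alice", utc(2024, 3, 7, 10, 15), "CA", "lap-a1", "read",   True),
        Event("alice", utc(2024, 3, 7, 10, 30), "RO", "phone-x", "export", False),
        Event("bob",   utc(2024, 3, 7, 11, 0),  "DE", "lap-b1", "admin",  True),
    ]:
        print(req.user, req.country, req.action, "->", decide(req, base))
```

Only events that were actually allowed should be fed back into the baseline with `learn()`; otherwise an attacker's first anomalous sign-in would teach the model that the anomaly is normal.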
Be prepared if an incident does occur
The observation “time is money” originated back in the 1700s, but it accurately describes the passage of each minute during an active cyber attack. Remediation quickly becomes more expensive with prolonged exposure, thus it is critical to have a robust and practiced incident response plan in place. This starts at the individual desktop level, where employees should be trained to report any potential incidents they observe.
Once a recovery playbook has been documented, keep it up to date and test your security protocols periodically. Cyber attack simulations provide a great mechanism to exercise response and recovery plans. Don't forget to verify that data backups can actually be restored: restore them into an isolated environment, confirm the restored data is complete and unaltered, and measure how long the restore takes against the recovery time you have committed to the business. A backup that has never been restored is an assumption, not a control.
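As an added example (not code from the article or from any backup product), the following Python runs a small restore drill of the kind just described: it backs up a constructed set of files into a tar archive together with a SHA-256 manifest, restores the archive into a fresh scratch directory, compares every restored file against the manifest, and checks the elapsed time against a recovery time objective. The manifest format and archive layout are choices made for this example, and the `tamper` switch simulates a backup that was encrypted or altered after it was taken.

```python
"""Backup restore drill (added example): restore an archive into a scratch
directory, verify every file against a hash manifest taken at backup time,
and check elapsed time against the recovery time objective (RTO).

The manifest format (relative path -> sha256) and tar layout are illustrative
assumptions for this example, not any backup product's format.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed "production" data used for the drill.
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Ada\n2,Grace\n",
    "config/app.yaml": b"db_host: db.internal\nlog_level: info\n",
    "docs/runbook.md": b"# Recovery runbook\n1. restore\n2. verify\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src and return a manifest {relative path: sha256}.

    In production the manifest is kept apart from the archive (ideally on
    immutable storage) so a tampered archive cannot carry a matching manifest."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Refuse archive members that would escape dest (path traversal) or are links."""
    root = str(dest.resolve())
    for m in tar.getmembers():
        target = str((dest / m.name).resolve())
        if not target.startswith(root + os.sep) or m.issym() or m.islnk():
            raise ValueError(f"unsafe archive member: {m.name}")
    tar.extractall(str(dest))


def restore_and_verify(archive: Path, manifest: dict, rto_seconds: float) -> dict:
    """Restore into a fresh directory and report missing, extra and corrupted
    files plus whether the restore finished within the RTO."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(str(archive), "r:gz") as tar:
            safe_extract(tar, dest)
        restored = {p.relative_to(dest).as_posix(): sha256_file(p)
                    for p in dest.rglob("*") if p.is_file()}
    elapsed = time.monotonic() - start
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    within_rto = elapsed <= rto_seconds
    return {
        "ok": not (missing or extra or corrupted) and within_rto,
        "missing": missing, "extra": extra, "corrupted": corrupted,
        "elapsed_seconds": round(elapsed, 3), "within_rto": within_rto,
    }


def run_drill(tamper: bool = False, rto_seconds: float = 60.0) -> dict:
    """Create sample data, back it up, optionally overwrite the archive with an
    altered copy (simulating a backup encrypted or edited after the fact), then
    restore and verify against the manifest recorded at backup time."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "src"
        for rel, data in SAMPLE_FILES.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        if tamper:
            (src / "db/customers.csv").write_bytes(b"ENCRYPTED-BY-RANSOMWARE")
            (src / "docs/runbook.md").unlink()
            create_backup(src, archive)  # archive replaced; original manifest kept
        return restore_and_verify(archive, manifest, rto_seconds)


if __name__ == "__main__":
    print("clean backup:   ", run_drill())
    print("tampered backup:", run_drill(tamper=True))
```

A real drill should also restore onto the target platform the service would actually run on, start the application against the restored data, and record the measured restore time so that the RTO figure in the playbook is an observation rather than a hope.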
Above all, make cyber security a proactive part of your operational hygiene. New cyber threats emerge on a regular basis, especially given ongoing world conflicts. However, the good news is that organizations can take the straightforward steps discussed here to increase their cyber resilience.