
Playbook: Everything you need to know to reduce your risk of a cyber breach

MNP Digital

Is your business cyber secure?

Every year, one in five Canadian small businesses suffers a cyber attack — and the issue is only becoming more prevalent: With a new attack occurring every 39 seconds by some estimates, the annual global cost of cyber crime is now close to US$6 trillion.

The stakes are high for Canadian businesses. A well-targeted attack can cripple or permanently destroy a small to medium-sized enterprise. Perhaps most unsettling, there is little you can do to avoid becoming a potential target.

However, there are steps you can take to reduce the severity and cost of a cyber incident. Here, we outline everything you need to understand how safe your business is, and how to enhance your level of cyber security, reduce the likelihood an attack will result in a breach, and keep the damage to a minimum if a breach does occur.

What is a cyber breach?

A cyber breach is any unauthorized access to your organization’s digital devices or systems which targets intellectual property, employee and customer information, IT infrastructure, or even physical locations. It can encompass a wide range of activities — from fraud perpetrated by an employee to malware that infiltrates an organization’s network through a nefarious email attachment. While there are countless forms of cyber breaches, distributed denial-of-service (DDoS) and ransomware attacks are two which most often afflict small- to medium-sized businesses.

Distributed Denial-of-Service (DDoS)

A DDoS attack occurs when a threat actor seeks to make a network resource unavailable by disrupting the server connected to the internet. They’ll typically accomplish this by flooding the targeted machine with false requests, which prevent it from fulfilling legitimate ones.

Some of the most notable DDoS attacks have targeted credit card payment processors and web hosting services. However, other utilities — such as pipelines, automated drilling equipment, electricity transmission infrastructure, wastewater treatment, etc. — are equally vulnerable. Attacks on these and similar critical infrastructure can lead to significant safety and environmental damages on top of lost productivity and profitability.


Ransomware

Ransomware is a subset of malicious applications called malware which gives hackers the ability to lock users out of the network and encrypt and/or publish sensitive data. Ransomware attackers will generally demand some form of payment or concession (i.e., ransom) in exchange for restoring access.

However, as many victims learn the hard way, complying with demands does not guarantee a positive result. There’s little stopping attackers from continually upping the ransom amount or simply going underground without restoring access to critical systems after they receive payment.

According to Group IB Ransomware Uncovered, the average victim experiences 18 days of downtime due to ransomware. That’s nearly two-thirds of a month of suppressed revenues and lost productivity over and above the lingering costs of remediating the attack, restoring consumer / client confidence, retraining and auditing employees, and upgrading systems to prevent future attacks.

More than four in every five ransomware attacks originate through a phishing email or a third-party / remote service vulnerability. With work-from-home arrangements becoming more commonplace, these vulnerabilities will remain a large avenue of attack.


How much does a cyber breach cost?

At an average cost of $6.75 million per incident according to a recent study by the Ponemon Institute, a single data breach can be overwhelming for Canadian small and medium-sized businesses. Considering how far-reaching a cyber breach can be, it’s easy to see why the price tag is so high.

Determining revenue losses can be rather difficult, partly because the financial impacts often linger long after the system is back to normal. A typical cyber breach can also cause a wide range of losses, including:

  • Loss of intellectual property
  • Compensation to affected parties through credit monitoring, financial compensation, and other measures
  • Loss of trust and confidence among clients and customers, employees, management, and investors
  • Lost productivity — both during and after the breach
  • Lawsuits and legal battles
  • Damages to public image
  • Damages to outreach investment
  • Added fees associated with hiring professional advisors to mitigate malicious code
  • The risk of future breaches, due to compromised servers and/or login credentials
  • Regulatory fines
  • Higher costs for cyber insurance

Regulatory requirements after a cyber breach

In addition to significant financial repercussions, a cyber breach can cost you a lot of time in compliance efforts. In Canada, the Breach of Security Safeguards Regulations apply to all organizations, including small businesses. Under these regulations, every business suffering from a cyber breach must:

  1. Perform a formal risk assessment to determine whether (and the degree to which) the breach presents “real risk of significant harm.” If it does, they must then complete the following steps.
  2. Notify all affected clients with a description of the breach and its circumstances, including:
     • The approximate timeline of the breach
     • The personal information compromised or at risk
     • Steps taken to reduce further harm
     • Steps for the individual to mitigate or prevent further harm
     • The organization’s primary contact for follow-up or further information
  3. Notify the Canadian Privacy Commissioner of the circumstances and cause (if known) of the breach, including:
     • When the breach occurred
     • The personal information at risk
     • The number of affected individuals
     • Steps taken to reduce further harm
     • How the organization will contact affected individuals
     • The organization’s primary contact for follow-up
  4. Maintain a record of the breach for a minimum of 24 months.
  5. Meet Digital Privacy Act regulations and keep attestation documents verifying compliance readily accessible.

How do you prevent cyber breaches?

While no organization can completely prevent a cyber breach, you can significantly reduce your likelihood of becoming a victim — along with the potential severity and associated costs of an attack. The key is to implement a proactive cyber plan that can protect your organization’s growing number of entry points and adequately defend you from increasingly frequent (and sophisticated) cyber threats.

Typically, a strong cyber plan comprises two components: a proactive defense strategy and a detailed incident response plan.

A proactive plan of defense should include:

  • A clear playbook that outlines cyber best practices, processes, and procedures to minimize your chances of an attack
  • Controlled offensive and defensive tabletop testing exercises to expose vulnerabilities and improve your system’s response processes (this may include a Dark Web assessment)
  • Assessments of your most vulnerable systems (e.g., PCI, SWIFT, and Interac assessment)
  • A path to gradually enhance incident response sophistication
  • A formal assessment of your organization’s current cyber readiness state
  • Scheduled rehearsals so everyone knows what to do before an incident occurs

A successful cyber response should include:

  • A 24-hour monitoring system to identify and contain threats in real time
  • A clear action plan to prevent further damage
  • A method to assess the impact of the attack and quickly identify next steps
  • A post-mortem designed to address the issue that caused the breach and prevent a similar incident from recurring

Learn more: How practice owners and partners can reduce their cyber risks

5 elements of a proactive cyber defense plan

To reduce your chances of an attack, you need to explore your organization’s vulnerabilities from all angles and implement the appropriate risk controls. There are several different ways to do this, depending on your organization’s needs.

 
Element 1: Identity/access management

A growing number of organizations rely on digital identification (i.e., digital IDs) to ensure only authorized users can access their services. However, this often requires collecting personal information — sometimes including biometric data such as body measurements, fingerprints, etc. It’s imperative such organizations establish a standardized framework of trust and security, as well as clear rules, ethics, and governance around collecting and storing this sensitive information, such as:

Device compatibility
Many individuals and organizations use different digital ID devices and software, which can lead to compatibility issues. For instance, different devices often come with different levels of security controls or different capabilities for the deployment of these controls. It’s critical to ensure applications are compatible with all relevant devices and have robust security measures to protect individuals’ privacy.

Robust technology
The technology underpinning digital IDs must have an extremely narrow margin of error — especially those utilizing biometric data. Common issues persist which may lead to false positives and negatives, both of which can limit the functionality of digital ID platforms and lead to security breaches and/or workarounds which negate the technology’s utility.

Tiered access
Organizations that use digital IDs have a responsibility to keep sensitive user data secure. While a central digital source of information offers convenience for both organizations and individuals, there’s also tremendous risk. Individuals’ biometric markers are immutable, so security breaches can have catastrophic (and potentially irreversible) consequences.

Organizations must create and implement defined privacy and security procedures — and comply with all relevant privacy regulations — to protect user data from unauthorized access. A tiered access framework can help organizations reduce the number of people who have access to the information and thereby reduce the associated risks of a breach.

A policy built around the data lifecycle
Organizations must consider the steps they’re taking to protect data throughout its entire lifecycle and make this information readily accessible for all relevant stakeholders. This includes how and why data is gathered, stored, and secured — as well as when, how, and why it’s ultimately deleted or purged. Such measures should be clearly defined (and rigidly followed) in comprehensive policy and procedural documents which are continually updated as practices or technologies evolve.

Learn more:
How to get digital ID management right

 
Element 2: Cyber governance

Cyber governance is a critical element of a proactive cyber defence plan. It outlines all the policies and processes surrounding how an organization will detect, prevent, and respond to cyber incidents. Senior leaders must create a culture and policy framework that effectively manages and mitigates cyber and privacy risks. A top-down commitment to cyber defense makes it easier for every individual in the organization to understand their role in preventing, reporting, and responding to a cyber breach.

Seven principles of cyber-focused leaders:

  1. Cyber risk is enterprise risk: Technology is inseparable from the business. Incorporate cyber and privacy concerns within enterprise risk planning (e.g., through a risk register) to understand the likelihood and source of a potential breach — and steps to take to reduce its harm to the organization.
  2. Cyber risk requires cyber perspective: Invite cyber security experts to advise on cyber topics and regularly include cyber and privacy on the leadership agenda. Create a technology committee to discuss priorities, trends, concerns, and emerging controls.
  3. Cyber risk management begins with policy: Create and promote a culture of cyber incident prevention by emphasizing privacy protection, good technology hygiene, and risk awareness throughout the organization.
  4. Cyber risks have legal implications: Be aware of any legislative changes, compliance or regulatory needs, and legal cases pertaining to privacy, cyber security, reporting guidelines, and repercussions for businesses that experienced a cyber breach.
  5. Cyber risks and attacks are always evolving: Focus on the fundamentals and strive for excellence in cyber maturity. Stay on the lookout for new breach techniques, incidents, and risks; especially those occurring within your industry or sector.
  6. Cyber risks are not all equal: Know which cyber risks you want to avoid, need to mitigate, or are willing to accept or transfer through cyber insurance — along with your strategy for each.
  7. Data collection and privacy need a policy: Be aware of the data you collect and stay on top of new and existing regulations in your jurisdiction(s). Be conscious of what stakeholders know and want — and invest in policies that consistently exceed their expectations.

Learn more about the collection and management of personal information:
Beyond Regulation Whitepaper

 
Element 3: Cyber awareness

Employees are the first — and in many ways, the best — line of defense against cyber breaches. Yet, businesses often fail to provide the training and tools to build and harness their capabilities. Fortunately, there are several steps you can take to strengthen your cyber training program and reap better results:

Make it personal
Introduce awareness programs that relate workplace security practices to a benefit in your employees’ personal lives. Demonstrating how strong, secure passwords and avoiding unsolicited links protect their personal assets will transform how they view employer policies and procedures.

Make training engaging
Attention and information fatigue are real concerns for today’s workforce. Just because employees comply with mandatory training doesn’t guarantee they will fully engage with the information or absorb the desired key learnings. Rather than bombarding them with volumes of information, seek instead to make security awareness relevant and integrate it within their day-to-day work and the broader culture of your organization.

For example, you could run a simulated phishing exercise to reveal how many employees would click on a malicious link sent by email. Each employee will receive a tailored report card based on their performance along with a concise training module that directly speaks to their knowledge gaps. The results will be timely, personalized, and deliver tangible feedback on how their specific actions link to a potential security breach. Such exercises could be tailored to a variety of breach scenarios, roles, and authority levels and run indefinitely.

Encourage rather than penalize
Many organizations continue to preach perfection in their security training and often threaten employees with discipline or dismissal for actions leading to security breaches. Not only does this approach do little to curb malicious actions, but it may cause even more harm by making otherwise honest employees think twice about reporting an incident they had a hand in facilitating.

The cost and damage of a breach is generally proportionate to the length of time it takes to detect and address the threat. When IT and security departments react to reports with encouragement rather than antagonism, employees become part of the solution. The benefits are two-fold: Relevant professionals get the information they need to identify the source and mechanics of a breach and fix the problem, and the employee is more confident and likely to speak up if they suspect a problem.

Learn more:
How to build an effective cyber security employee awareness program

Element 4: Third-party cyber risk assessment

The steps above are effective for managing cyber security risks that originate within your organization. However, as your organization continues to embrace a growing range of third-party websites, internet of things (IoT) devices, and software-as-a-service (SaaS) applications, you must also take steps to ensure cyber criminals don’t infiltrate your business by means of third-party vendors and suppliers. The following third-party cyber risk assessment can help identify vulnerabilities and steps to protect your organization:

  1. Develop the assessment framework you will use. This could include:
     • Regulatory requirements (e.g., the Office of the Superintendent of Financial Institutions (OSFI), Payment Card Industry (PCI), etc.)
     • Relevant standards or policies (e.g., ISO 27001/2)
     • External assessment criteria (e.g., contractor requirements, reputational impact, etc.)
     • High-value assets in your organization (e.g., proprietary information, sensitive personal or payment information, etc.)
  2. Conduct workshops with business stakeholders to identify your third-party service providers.
  3. Develop standard reporting templates to ensure consistency across vendors.
  4. Identify and recommend tools such as risk-based third-party cyber security assessments to help quantify the risk.
  5. Review your program with the right stakeholders and adjust it as necessary.
  6. Perform third-party risk assessments based on vendor risk levels (i.e., high, medium, low), with vendors at high risk levels requiring more extensive and frequent assessments.
  7. Collect information from vendors:
     • Notify and engage your vendors. Open communication and understanding can lead to greater cooperation.
     • Assess third parties through questionnaires or passive risk tools.
     • Gather information from vendors using an adaptive and agile approach (e.g., self-assessments, clarification questions, evidence gathering, and additional testing if required).
  8. Analyze the results to rate vendors, identify gaps, and build in improvements as required.

Element 5: Managing cloud security risks

The cloud can offer some security enhancements in addition to its many cost and convenience benefits. However, just like locally hosted servers and applications, thorough due diligence is still necessary to protect your data and your business. As with other third-party services, cloud implementations require frequent and comprehensive risk assessments to ensure the vendor is aligned with your cyber security needs, objectives, and regulatory requirements. Several international organizations continually develop and promote cloud governance standards and best practices to help guide your cloud security, including:

How to build a security roadmap

To adequately protect your organization from cyber criminals, you need a plan. A cyber roadmap helps you clarify your most critical assets, focus cyber security investments, and leverage your data in a responsible (and compliant) way.

  
1. Understand critical assets

Since it’s impossible to protect every single aspect of your business, you need to identify those information and technology assets that are most critical to your operations. Sit down with each business unit to better understand their processes, core technologies, and relevance to the business. This should help you develop a high-level inventory and data map to guide your cyber defense efforts.

2. Classify data

Next, you need a classification schema (e.g., essential, critical, important, not important, etc.) to determine which data is most worthy of protection. In this stage, you’ll assign data and technology elements to the schema, review pertinent legal and regulatory requirements, and develop controls guidelines.

3. Assess current practices

Now that you know which data needs to be protected, it’s time to understand how you’re currently protecting it. Review current data handling practices and compare these against industry frameworks. Conduct interviews with current data owners, review existing security and privacy controls, and document any gaps and recommendations.

4. Develop roadmap

Your final order of business is to compile a management report and propose specific activities and timelines to strengthen your existing protection efforts. Set aside time to go over the plan with all relevant stakeholders.

The cybersecurity triangle

The cyber security triangle is a helpful visual to structure your cyber security roadmap, as it allows you to clearly outline where your cyber security program stands today in comparison to where the organization would like it to be. It encompasses all the information you need to drive cyber security decision-making — including regulatory requirements, strategic planning or tactical initiatives, risks, and cyber maturity goals.

On each side of the triangle is a critical cyber security element: practice, regulations, and strategy. Without representation from all three sides, the program is incomplete.

Practice
This side of the triangle is all about the delta between your current and desired state. You can use several different assessments to gauge where the business is right now. The more frameworks you use, the more complete your picture of the current state will be. These include:

Controls Assessment
Generally, this involves a cyber security audit or self-assessment against one of numerous frameworks (e.g., NIST, CIS, ISO, PCI, etc.).

Risk Assessment
This involves determining your organization’s overall risk tolerance and identifying potential cyber security threats:

  • Within your industry;
  • Related to specific technologies your organization uses;
  • Facing organizations of your size and organizational structure;
  • Resulting from your cyber security structure.

Maturity Assessment
This determines the effectiveness of controls, considering both the technology and human factors, as well as the decision-making abilities of key stakeholders in your organization.

The desired state is more subjective. You may choose to focus on controls (e.g., alignment with compliance frameworks), risk, or maturity to gauge your progress — though at some point you’ll ideally address all three. What’s imperative is having a clear and documented plan of where your organization wants the cyber security program to trend towards, how it plans to get there, and what repeatable tests you plan to conduct to measure progress. 

Regulations

Every region and industry mandates specific — and increasingly stringent — laws, regulations, and compliance regimes organizations must follow to operate in their jurisdiction. These are generally straightforward and, considering the potential consequences, should be non-negotiable.

Some common examples include:

General Data Protection Regulation (GDPR)
Applicable to organizations that collect personal information on European citizens.

Personal Information Protection and Electronic Documents Act (PIPEDA)
Applicable to organizations that collect personal information on Canadian citizens.

Payment Card Industry Data Security Standard (PCI-DSS)
Applicable to organizations that accept Visa, MasterCard or American Express to take payment, conduct credit checks or as identification (whether or not they are working with an approved scanning vendor or ASV).

Strategy

The last part of the cyber security triangle is also the most important. Governed by risk and directed by maturity, strategy is the foundation the entire program rests on — and what ultimately dictates the speed and direction the other two sides will improve.

  • Risks are critical objectives. Failing to address these could significantly impact profitability, stock price, and the ability to function or recover in the event of a breach.
  • Maturity goals are aspirational objectives that define how an organization will improve its overall cyber security posture.

These complementary variables exist in a continuous feedback loop. Each risk-based improvement will expose a maturity weakness (e.g., the ability to measure the solution’s effectiveness or the precision thereof). Conversely, each maturity-based improvement will feed directly back into risk management. Strategy and tactics seek to balance this system.

Learn more:
Building your cyber security program
