Every year, one in five Canadian small businesses suffers a cyber attack — and the issue is only becoming more prevalent: with a new attack occurring every 39 seconds by some estimates, the annual global cost of cyber crime is now close to US$6 trillion.
The stakes are high for Canadian businesses. A well-targeted attack can cripple or permanently destroy a small to medium-sized enterprise. Perhaps most unsettling, there is little you can do to avoid becoming a potential target.
However, there are steps you can take to reduce the severity and cost of a cyber incident. Here, we outline everything you need to understand how safe your business is, and how to enhance your level of cyber security, reduce the likelihood an attack will result in a breach, and keep the damage to a minimum if a breach does occur.
A cyber breach is any unauthorized access to your organization’s digital devices or systems which targets intellectual property, employee and customer information, IT infrastructure, or even physical locations. It can encompass a wide range of activities — from fraud perpetrated by an employee to malware that infiltrates an organization’s network through a nefarious email attachment. While there are countless forms of cyber breaches, distributed denial-of-service (DDoS) and ransomware attacks are two which most often afflict small- to medium-sized businesses.
A DDoS attack occurs when a threat actor seeks to make a network resource unavailable by overwhelming the internet-facing server that provides it. They’ll typically accomplish this by flooding the targeted machine with bogus requests, which consume its capacity and prevent it from fulfilling legitimate ones.
Some of the most notable DDoS attacks have targeted credit card payment processors and webhosting services. However, other utilities — such as pipelines, automated drilling equipment, electricity transmission infrastructure, wastewater treatment, etc. — are equally vulnerable. Attacks on these and similar critical infrastructure can lead to significant safety and environmental damages on top of lost productivity and profitability.
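The flooding behaviour described above leaves a recognizable trace in ordinary web-server access logs: one source generating far more requests per unit of time than any legitimate visitor, often alongside a rise in server errors as real requests start to fail. The following Python detector is an added example written for this article, not code from the original. It parses access-log lines in Common Log Format, keeps a sliding per-source time window, and flags any source whose request count within that window reaches a threshold; it also counts 5xx responses as a companion signal of service degradation. The log lines, IP addresses, window length, and threshold are all constructed for the example, and the detector assumes the lines arrive in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Common Log Format (not real traffic). One source,
# 203.0.113.7, sends a burst of requests; the other addresses are ordinary
# visitors. Two 503 responses show the server beginning to fail under load.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /search?q=a HTTP/1.1" 200 910
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /search?q=b HTTP/1.1" 200 912
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /about HTTP/1.1" 200 3044
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /search?q=c HTTP/1.1" 200 905
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /search?q=d HTTP/1.1" 200 908
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /search?q=e HTTP/1.1" 200 911
198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "GET /contact HTTP/1.1" 200 2210
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /search?q=f HTTP/1.1" 503 0
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "GET /search?q=g HTTP/1.1" 503 0
198.51.100.9 - - [10/Mar/2024:12:00:42 +0000] "GET /products HTTP/1.1" 200 7800
203.0.113.7 - - [10/Mar/2024:12:01:30 +0000] "GET /search?q=h HTTP/1.1" 200 907
"""

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log_line(line):
    """Return {'ip', 'ts', 'status'} for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "status": int(m.group("status"))}


def detect_floods(log_text, window_seconds=10, threshold=5):
    """Sliding-window rate check per source address.

    Returns {ip: peak_requests_in_window} for every source whose request count
    within any window of `window_seconds` reaches `threshold`. Lines are
    assumed to be in chronological order (constructed assumption).
    """
    windows = defaultdict(deque)  # ip -> timestamps inside the current window
    peaks = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def count_server_errors(log_text):
    """Return (number_of_5xx_responses, total_parsed_requests)."""
    errors = total = 0
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        total += 1
        if 500 <= rec["status"] < 600:
            errors += 1
    return errors, total


if __name__ == "__main__":
    for ip, peak in detect_floods(SAMPLE_LOG).items():
        print(f"flagged {ip}: {peak} requests within a 10-second window")
    errs, total = count_server_errors(SAMPLE_LOG)
    print(f"server errors: {errs} of {total} requests")
```

The threshold and window are deliberately low so the constructed sample trips them; in production they are set from a baseline of normal traffic, and a flagged source is a trigger for rate limiting or upstream filtering rather than proof of attack on its own.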
However, as many ransomware victims learn the hard way, paying the ransom does not guarantee a positive result. There’s little stopping attackers from continually upping the ransom amount or simply going underground without restoring access to critical systems after they receive payment.
According to Group-IB’s Ransomware Uncovered report, the average victim experiences 18 days of downtime due to ransomware. That’s nearly two-thirds of a month of suppressed revenues and lost productivity over and above the lingering costs of remediating the attack, restoring consumer/client confidence, retraining and auditing employees, and upgrading systems to prevent future attacks.
More than four in every five ransomware attacks originate through a phishing email or a third-party or remote-service vulnerability. With work-from-home arrangements becoming more commonplace, these vulnerabilities will remain a major avenue of attack.
At an average cost of $6.75 million per incident according to a recent study by the Ponemon Institute, a single data breach can be overwhelming for Canadian small and medium-sized businesses. Considering how far-reaching a cyber breach can be, it’s easy to see why the price tag is so high.
Determining revenue losses can be rather difficult, partly because the financial impacts often linger long after the system is back to normal. A typical cyber breach can also cause a wide range of losses, including:
In addition to significant financial repercussions, a cyber breach can cost you a lot of time in compliance efforts. In Canada, the Breach of Security Safeguards Regulations apply to all organizations, including small businesses. Under these regulations, every business suffering from a cyber breach must:
Perform a formal risk assessment to determine whether (and the degree to which) the breach presents “real risk of significant harm.” If it does, they must then complete the following steps.
Notify all affected clients with a description of the breach and its circumstances, including:
Notify the Canadian Privacy Commissioner of the circumstances and cause (if known) of the breach, including:
Maintain a record of the breach for a minimum of 24 months.
Meet Digital Privacy Act regulations and keep attestation documents verifying compliance readily accessible.
While no organization can completely prevent a cyber breach, you can significantly reduce your likelihood of becoming a victim — along with the potential severity and associated costs of an attack. The key is to implement a proactive cyber plan that can protect your organization’s growing number of entry points and adequately defend you from increasingly frequent (and sophisticated) cyber threats.
Typically, a strong cyber plan comprises two components: a proactive defense strategy and a detailed incident response plan.
A proactive plan of defense should include:
A successful cyber response should include:
Learn more: How practice owners and partners can reduce their cyber risks
To reduce your chances of an attack, you need to explore your organization’s vulnerabilities from all angles and implement the appropriate risk controls. There are several different ways to do this, depending on your organization’s needs.
A growing number of organizations rely on digital identification (i.e., digital IDs) to ensure only authorized users can access their services. However, this often requires collecting and storing personal information — sometimes including biometric data such as body measurements, fingerprints, etc. It’s imperative such organizations establish a standardized framework of trust and security, as well as clear rules, ethics, and governance around collecting and storing this sensitive information, such as:
Device compatibility
Many individuals and organizations use different digital ID devices and software, which can lead to compatibility issues. For instance, different devices often come with different levels of security controls or different capabilities for the deployment of these controls. It’s critical to ensure applications are compatible with all relevant devices and have robust security measures to protect individuals’ privacy.
Robust technology
The technology underpinning digital IDs must have an extremely narrow margin of error — especially where it relies on biometric data. Known failure modes can still produce false positives and false negatives, both of which can limit the functionality of a digital ID platform and lead to security breaches and/or workarounds that negate the technology’s utility.
Tiered access
Organizations that use digital IDs have a responsibility to keep sensitive user data secure. While a central digital source of information offers convenience for both organizations and individuals, there’s also tremendous risk. Individuals’ biometric markers are immutable, so security breaches can have catastrophic (and potentially irreversible) consequences.
Organizations must create and implement defined privacy and security procedures — and comply with all relevant privacy regulations — to protect user data from unauthorized access. A tiered access framework can help organizations reduce the number of people who have access to the information and thereby reduce the associated risks of a breach.
A policy built around the data lifecycle
Organizations must consider the steps they’re taking to protect data throughout its entire lifecycle and make this information readily accessible for all relevant stakeholders. This includes how and why data is gathered, stored, and secured — as well as when, how, and why it’s ultimately deleted or purged. Such measures should be clearly defined (and rigidly followed) in comprehensive policy and procedural documents which are continually updated as practices or technologies evolve.
Learn more: How to get digital ID management right
Cyber governance is a critical element of a proactive cyber defense plan. It outlines all the policies and processes surrounding how an organization will detect, prevent, and respond to cyber incidents. Senior leaders must create a culture and policy framework that effectively manages and mitigates cyber and privacy risks. A top-down commitment to cyber defense makes it easier for every individual in the organization to understand their role in preventing, reporting, and responding to a cyber breach.
Seven principles of cyber-focused leaders:
Learn more about the collection and management of personal information: Beyond Regulation Whitepaper
Employees are the first — and in many ways, the best — line of defense against cyber breaches. Yet, businesses often fail to provide the training and tools to build and harness their capabilities. Fortunately, there are several steps you can take to strengthen your cyber training program and reap better results:
Make it personal
Introduce awareness programs that relate workplace security practices to a benefit in your employees’ personal lives. Demonstrating how strong, secure passwords and avoiding unsolicited links can protect their personal assets will transform how they view employer policies and procedures.
Make training engaging
Attention and information fatigue are real concerns for today’s workforce. Just because employees comply with mandatory training doesn’t guarantee they will fully engage with the information or absorb the desired key learnings. Rather than bombarding them with volumes of information, seek instead to make security awareness relevant and integrate it within their day-to-day work and the broader culture of your organization.
For example, you could run a simulated phishing exercise to reveal how many employees would click on a malicious link sent by email. Each employee would then receive a tailored report card based on their performance, along with a concise training module that directly addresses their knowledge gaps. The results are timely and personalized, and give employees tangible feedback on how their specific actions link to a potential security breach. Such exercises can be tailored to a variety of breach scenarios, roles, and authority levels, and repeated on an ongoing basis.
Encourage rather than penalize
Many organizations continue to preach perfection in their security training and often threaten employees with discipline or dismissal for actions leading to security breaches. Not only does this approach do little to curb malicious actions, but it may cause even more harm by making otherwise honest employees think twice about reporting an incident they had a hand in facilitating.
The cost and damage of a breach are generally proportional to the length of time it takes to detect and address the threat. When IT and security departments react to reports with encouragement rather than antagonism, employees become part of the solution. The benefits are two-fold: relevant professionals get the information they need to identify the source and mechanics of a breach and fix the problem, and the employee is more confident and more likely to speak up if they suspect a problem.
Learn more: How to build an effective cyber security employee awareness program
The steps above are effective for managing cyber security risks that originate within your organization. However, as your organization continues to embrace a growing range of third-party websites, internet of things (IoT) devices, and software-as-a-service (SaaS) applications, you must also take steps to ensure cyber criminals don’t infiltrate your business by means of third-party vendors and suppliers. The following third-party cyber risk assessment can help identify vulnerabilities and steps to protect your organization:
The cloud can offer some security enhancements in addition to its many cost and convenience benefits. However, just as with locally hosted servers and applications, thorough due diligence is still necessary to protect your data and your business. As with other third-party services, cloud implementations require frequent and comprehensive risk assessments to ensure the vendor is aligned with your cyber security needs, objectives, and regulatory requirements. Several international organizations continually develop and promote cloud governance standards and best practices to help guide your cloud security, including:
To adequately protect your organization from cyber criminals, you need a plan. A cyber roadmap helps you clarify your most critical assets, focus cyber security investments, and leverage your data in a responsible (and compliant) way.
Since it’s impossible to protect every single aspect of your business, you need to identify those information and technology assets that are most critical to your operations. Sit down with each business unit to better understand their processes, core technologies, and relevance to the business. This should help you develop a high-level inventory and data map to guide your cyber defense efforts.
Next, you need a classification schema (e.g., essential, critical, important, not important, etc.) to determine which data is most worthy of protection. In this stage, you’ll assign data and technology elements to the schema, review pertinent legal and regulatory requirements, and develop controls guidelines.
Now that you know which data needs to be protected, it’s time to understand how you’re currently protecting it. Review current data handling practices and compare these against industry frameworks. Conduct interviews with current data owners, review existing security and privacy controls, and document any gaps and recommendations.
Your final order of business is to compile a management report and propose specific activities and timelines to strengthen your existing protection efforts. Set aside time to go over the plan with all relevant stakeholders.
On each side of the triangle is a critical cyber security element: practice, regulations, and strategy. Without representation from all three sides, the program is incomplete.
Controls Assessment
Generally, this involves a cyber security audit or self-assessment against one of numerous frameworks (e.g., NIST, CIS, ISO, PCI, etc.).
Risk Assessment
This involves determining your organization’s overall risk tolerance and identifying potential cyber security threats:
Maturity Assessment
This determines the effectiveness of controls, considering both the technology and human factors, as well as the decision-making abilities of key stakeholders in your organization.
The desired state is more subjective. You may choose to focus on controls (e.g., alignment with compliance frameworks), risk, or maturity to gauge your progress — though at some point you’ll ideally address all three. What’s imperative is having a clear and documented plan of where your organization wants the cyber security program to trend towards, how it plans to get there, and what repeatable tests you plan to conduct to measure progress.
Every region and industry mandates specific — and increasingly stringent — laws, regulations, and compliance regimes organizations must follow to operate in their jurisdiction. These are generally straightforward and, considering the potential consequences, should be non-negotiable.
Some common examples include:
General Data Protection Regulation (GDPR)
Applicable to organizations that collect personal information on European citizens.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Applicable to organizations that collect personal information on Canadian citizens.
Payment Card Industry Data Security Standard (PCI-DSS)
Applicable to organizations that accept Visa, MasterCard, or American Express cards for payment, credit checks, or identification (whether or not they are working with an approved scanning vendor, or ASV).
The last part of the cyber security triangle is also the most important. Governed by risk and directed by maturity, strategy is the foundation the entire program rests on — and what ultimately dictates the speed and direction the other two sides will improve.
These complementary variables exist in a continuous feedback loop. Each risk-based improvement will expose a maturity weakness (e.g., the ability to measure the solution’s effectiveness, or the precision of that measurement). Conversely, each maturity-based improvement will feed directly back into risk management. Strategy and tactics seek to balance this system.
Learn more: Building your cyber security program