The latest cybersecurity survey by the Canadian Internet Registration Authority (CIRA) sheds light on the ongoing challenges that organizations of all sizes across industries face in protecting their data and networks from hackers.
According to the report, 71 per cent of Canadian organizations surveyed were the victim of some form of cyberattack in 2018. Nearly all of the respondents said that cybersecurity awareness training was at least somewhat effective in reducing incidents, yet, as the report notes, “only 22 percent conducted the training monthly or better.” Fewer than half (41 per cent) have actually mandated that training across their organizations.
Direct costs incurred in addressing these cyberattacks, as well as a negative impact on the victim’s brand, were the most damaging aspects of the incidents for affected organizations. Importantly, an earlier CIRA survey found that only 19 per cent of Canadians “… would continue to do business with an organization if their personal data were exposed in a cyberattack.” Only 48 per cent of organizations that had their data breached even reported the incident to their clients. A meagre 21 per cent made their board of directors aware that such a breach had occurred.
Meagre investments in cybersecurity
Perhaps most worrisome, a lack of resources was one of the main reasons why 43 per cent of respondents didn’t have specific systems, processes and talent dedicated to addressing cybersecurity vulnerabilities across their organization.
As the report notes:
“Canadian banks, schools, governments and businesses are still being taken down by cyberattacks, exposing customer data, paying ransoms to hackers, and losing valuable time recovering from breaches.
According to the annual Accenture Cost of Cybercrime survey, the average cost of investigating and remediating an attack among Canadian organizations last year was $9.25 million.”
A series of costly ransomware attacks targeting Ontario municipalities over the past year—not to mention companies ranging from SMEs to enterprise—underscores cybercriminals’ growing sophistication. But not in the ways you may expect. The reality is that the nefarious software used to extort unwitting communities and businesses is becoming more commoditized by the day. Even a novice hacker with access to the dark web can get their hands on ransomware relatively cheaply and quickly.
Hackers are becoming more sophisticated
What’s changing is how hackers are targeting organizations. Increasingly that means tricking everyone from managers to employees to open suspect attachments or visit dubious websites. From there cybercriminals can plant malware in a computer (and/or network) and wait to pounce. That process can take several months, during which time the hacker will collect information, observe behavioural patterns and then develop an attack strategy that will likely involve some form of data theft or financial extortion.
As the CIRA survey notes, more organizations than ever are taking cybersecurity training seriously. Many are mandating courses for employees and introducing new data-protection protocols. Is it helping? Definitely. But massive vulnerabilities still exist across organizations. The reason is that many leadership teams—and the security consultants they employ—are using a one-size-fits-all approach to training and compliance.
One of the greatest complaints that people have with cybersecurity is that defensive protocols tend to be so stringent they impair employees’ ability to do their jobs effectively. In some cases, they could compromise new business opportunities and in extreme scenarios, even revenue growth. When cybersecurity tools and training become too onerous to use, they’ll soon fall by the wayside. That’s why customizing that training and tailoring it to the needs of departments (or even individual employees, whenever possible) is a far more effective risk-mitigation approach.
In short, cybersecurity systems need to be designed to align with the operational requirements and work habits of real people.
Customization is key
That’s why it’s incumbent on cybersecurity service providers to ask a comprehensive list of questions before delivering training. What are your organization’s business objectives? How do your people work? Why are your workplace policies—in particular those that address the management of sensitive data and information—drafted as they are? Can they be updated or improved to address rapidly increasing cybersecurity risk? How can we design and implement policies that keep your business secure, while ensuring that key processes in areas such as sales or operations aren’t unduly disrupted?
Of course, these are only a tiny handful of the queries your service provider should pose. In most cases, they’ll need to dig much deeper and work with individual managers or employees to design a pragmatic strategy that makes practical sense for your organization.
We should all glean lessons from the cyber malfeasants who are making the time to take a personalized approach to digital crime. Because if they can customize their approach to data theft, network vandalism or ransomware-driven extortion, we should be doing the same when it comes to developing and implementing plans to stop them in their tracks.
Winston Stewart, President and CEO