Sponsored Content

Challenging the myth of cybersecurity

Your organization will likely be cyberattacked, and often. But there are steps businesses can take to reduce breaches and their impact.

Recently, the University of Calgary was forced to pay $20,000 to cybercriminals. The ransom was paid because not responding would have resulted in the loss of years of research and data – as well as information that belonged to staff and faculty. This wasn’t an isolated incident; cyberattacks on Canadian business, financial, education, government and health-care sectors have increased in frequency and severity over the last year alone.

And size does not matter – businesses large and small, in all industries and sectors, have reported cybersecurity breaches, including ransom and malware attacks. The impact of cyberattacks includes IT system downtime, business disruptions and reputational damage, as well as theft of personal information. The cost per business, according to a 2016 study conducted by the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, averaged $1.2 million a year.

While a growing number of companies are now aware of the potential threat cyberbreaches pose, many of them do not realize how cybercrime itself has changed and what this means to their business. As a result, many companies underestimate the risks they face and leave themselves vulnerable despite all their technology, data and cybersecurity investments.

The following four-step approach will help reduce the risk of, and prepare your business to respond to, a breach, while ensuring resources are used where they will make the most impact.

1. Reduce liability – know the rules

Businesses need to embed privacy protection measures into their operations, including data storage, software platforms, privacy policies, etc., not only for security and reputational issues but also to comply with provincial privacy acts and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). The act regulates how organizations collect, use, disclose and dispose of personal data.

Protecting your enterprise and leaders, who could be held liable, starts with understanding the relevant legislation. It will tell you what you are required to do and suggest safeguards that should be put in place. Depending on the legislation, it may cover risk management, security policies, human resources security, physical security, technical security, incident management and business continuity planning.

Conducting a full cybersecurity review should take into account all these facets. By having a clear understanding of your cybersecurity risks, assets and responsibilities in the event of a breach, you increase protection, not only of your organization’s data, but also of your customers and business partners.

2. Take your cybersecurity’s temperature

In the cybersecurity world, we talk about how well protected an organization is by referring to its maturity: a mature organization is well protected. Maturity can be assessed using a cybersecurity health check and involves three primary activities:

·  evaluating your cybersecurity controls by using a recognized and proven cybersecurity framework;

·  determining which areas present the highest risk if breached – risk to the operation, to management and to others affected by the breach, including suppliers and customers; and

·  analyzing cyberattack trends impacting your industry and business, and the frequency at which they are happening.

Conducting a cyber health check enables businesses to determine liability and risks, and understand the controls they have and how to effectively update specific strategies and programs. Determining your cybersecurity maturity helps determine where you are now and where you want to be. Together, they provide clear direction on where to focus your cybersecurity budget and resources most effectively. 

3. Engage hired guns to test resiliency

Once Step 2 is concluded, hire a trusted third party to assess your potential vulnerabilities and test how difficult it is to attack the areas where a breach would cause the greatest loss. Vulnerability assessments and penetration testing of your applications, networks and mobile devices simulate cyberattacks that attempt to gain access to sensitive data and critical systems, and so identify your weakest links. Assets under threat include intellectual property (IP), personal information, plant systems, building elevators, computer servers and mobile devices. The results tell you where you may be vulnerable or exploited so you can focus on remediating those areas of weakness.

4. Prepare an incident response plan

All businesses, regardless of size, need to determine what steps must be taken if a breach occurs. A clear, established and accessible communication plan is vital to enable all those affected to take steps themselves to minimize any damage caused by a breach.

The incident response plan should cover how you will:

·  contain the breach;

·  mitigate the damage;

·  report the breach – to leaders, managers, staff, business partners and customers;

·  conduct a post-incident root cause analysis; and

·  develop an improvement plan going forward.

A rapid, established response will help you resolve the incident swiftly and with minimum impact.

Cyberattacks are a reality. For organizations, it’s not “if” but rather “when” an attack will occur. Following the above steps will limit your exposure and help you enact an effective incident response plan for when a breach occurs.

BIV’s digital privacy and security discussion will tackle some of the most pressing information technology challenges facing businesses of all sizes today. In this session, experts will draw on real-life examples of breaches of sensitive data at companies and shine light on ways of ensuring that companies have the strongest possible protection against cybercrime. For more information or to register, visit www.biv.com/events/bes-digital.


Contact Danny Timmins, MNP national leader, cybersecurity services, at 905-607-9777 or [email protected].