Canada appears to have weathered the recent ransomware attack that targeted computer systems worldwide in mid-May better than other hard hit nations, but it is time for Canadian organizations to get serious about cybersecurity nonetheless. After all, in this case, we simply got lucky. And as Accenture research shows, there is a troubling false sense of cybersecurity in this country, leading to delayed discovery and response along with other unnecessarily serious consequences for companies.
While the Canadian rate of cyber breaches is relatively low, the average organization still faces 96 targeted attacks each year, a third of which result in a security breach. That’s two to three effective attacks per month, per organization. And yet, according to our research, most Canadian companies do not have effective technology in place to monitor for cyberattacks. The companies in question also tend to focus on risks and outcomes that have not kept pace with the threat.
Accenture recently surveyed 124 Canadian security executives from large enterprises and about two-thirds of respondents were confident in their cybersecurity strategies. A similar number reported that security is “completely embedded” in their organizational cultures, and that the highest-level executives in their organizations support the strategy and use of resources.
Simply put, despite hacker success, Canadian organizations are confident that they are managing cybersecurity correctly. Clearly, there is a disconnect.
One potential explanation is that there is still too much emphasis on compliance and passing audits conducted by the risk organization within the business; compliance audit results feel tangible and measurable. Certainly, compliance frameworks and programs help to establish the minimum standards for security and give a company a checkmark during audits, but frameworks and programs often fail to protect a company from breaches. Having frameworks and programs will not be sufficient if they do not reflect real-world dynamics and fail to provide needed monitoring, detection, responses, or protection.
What’s more, the sentiment among those organizations we surveyed suggests that they will continue with the countermeasures they have been using instead of investing in new and different security controls to mitigate threats. Only a fifth of respondents would invest in mitigating financial loss, and just 22 per cent would invest in cybersecurity training.
In short, Canadian companies must reboot their approach to deal effectively with threats.
Protecting a company requires an end-to-end approach that considers threats across the spectrum of the industry-specific value chain and the company’s ecosystem. Business exposure needs to be identified and minimized, with a focus on protecting priority assets. The following steps can help organizations overcome limited perceptions and deal effectively with the high-impact cyber threats they face.
1. Define cybersecurity success
Canadian companies must improve the alignment of cybersecurity strategies with business imperatives, and improve their ability to detect and prevent more advanced attacks. Companies can start by answering critical questions that will reframe cybersecurity perceptions and build a new definition of success, including:
- Are you confident that you have identified all priority business data assets and their locations?
- Do you know what an adversary would really want?
- How would these attacks affect your business?
- Are you able to defend the organization from a motivated adversary?
- Do you have the tools and techniques to react and respond to a targeted attack?
- How often does your organization practice its plan to get better at responding to threats?
- Do you have the right alignment, structure, team members, and other resources to execute your cybersecurity mission?
2. Pressure-test security capabilities the way adversaries do
Organizations need to realistically assess their ability to protect against high-impact threats, whether internal or external. Pressure-testing company defences can help leaders understand whether they can withstand a focused, targeted attack. Organizations can engage white hat external hackers in simulated sparring matches with their cybersecurity teams to assess the teams’ true levels of preparedness and response effectiveness.
3. Protect from the inside out
Many organizations fail to limit internal access to key information, monitor for unusual employee network activities, or regularly review access. Adversaries know what they want, but they don’t know where key assets live. An organization’s cybersecurity professionals have the advantage of knowing which key assets need to be protected and where those assets reside. However, other employees also know what and where the assets are, yet companies lack or have inadequate internal controls that monitor and prevent data breaches by employees. Of the successful breaches that have had the greatest impact on Canadian companies, 37 per cent were from internal attempts.
By prioritizing energy on protecting key assets, organizations can build a more effective cybersecurity foundation. Instead of attempting to anticipate a seemingly infinite variety of external breach possibilities, organizations can concentrate on the fewer number of internal incursions that have the potential to make the greatest impact.
4. Make security everyone’s job
Employees also play a critical role in detecting and potentially preventing breaches. Almost all survey respondents (98 per cent) said that breaches not detected by the security team were most frequently found by employees. In fact, employees represent an organization’s first line of defence, which is why it is imperative to prioritize security awareness training for all employees and continually refresh cyber talent across the business with new content and talent.
5. Lead from the top
While the cybersecurity issue has gained leaders’ attention across many organizations, many chief information security officers (CISOs) may feel locked out of the C-suite. To succeed, CISOs need to step beyond their comfort zones (e.g., compliance audits, cyber technology) and materially engage with enterprise leadership on a day-to-day basis to effectively discuss the business issues at the core of cybersecurity.
Doing so will require CISOs to be able to articulate the business case of the cybersecurity team and how it represents a critical pillar in the ongoing battle to protect company value. At the same time, the CISO needs to build the board’s cyber literacy with the goal of making it a priority equal to business risk assessment.
6. Build on past lessons
Effective cybersecurity requires organizations to learn and grow with experience, but more importantly, become more disciplined in monitoring, detecting, and responding to cyber threats and events in order to improve their ability to protect the business from devastating losses due to cybercrime.
7. Invest to innovate and outmaneuver
When it comes to cybersecurity, standing still is not an option. Organizations need to continually innovate to stay ahead of potential attackers, which may require redirecting some resources to new strategies and programs rather than investing more in current programs.
Such a focus will improve a company’s cybersecurity capabilities and strengthen its resilience to cyberattacks, but it can require continual and systematic security investments. Organizations must take a comprehensive end-to-end approach to digital security—one that integrates cyber defence deeply into the enterprise.
As their digital security strategies mature and new solutions emerge, Canadian organizations that tie cybersecurity efforts to real business needs will gain a more justifiable confidence in their ability to deal with cyber threats.