High-profile cyber attacks can all but decimate a business’ profitability — not to mention its reputation. To this point, our defense has centered largely around data security — proactively protecting against known digital threats. But how well are we prepared to react to new and emerging threats? Here’s how cyber resilience equips our systems and businesses to prevent or minimize the damage, despite the best efforts of digital saboteurs.
In March of 2020, the entire globe saw a seismic shift in the way people work. Over the course of a few short weeks, much of the world shifted from sharing space to sharing screens as the COVID-19 pandemic necessitated a rapid transition to digital-only work.
This vast, practical need pushed the boundaries of remote work, capitalizing on and expanding the opportunities (and opportunism) of our online infrastructure. As organizations and individuals adjusted quickly to create productive, connected remote work scenarios, hackers began to discover new vulnerabilities. It soon became a digital punchline to see a meeting turn into a meme, to get “Zoom-bombed” during an important client chat, or to face phishing scams centred around COVID-19.
In a time of crisis, how can we stay ahead of emerging cyber security risks — and how can we respond to breaches or challenges in a way that contains damage quickly, and protects business continuity?
Emerging threat landscape
As most of our business activity migrated online and remote over a short period of time, networks have seen significant traffic spikes. There’s a higher volume of both users and activity online — and likely a much higher volume of confidential and sensitive business information living on uncontrolled personal devices and floating through home WIFI networks.
The control and oversight that IT teams once had over networks, devices and security has diminished overnight, as many employees use stop-gap measures to remain productive and connected during a period of rapid change. Your IT leader can’t ensure that your WIFI network is properly password protected, for example, nor can they stop you from using a personal smartphone to send confidential client information.
A hurried shift to remote work has likely broadened the risk landscape for potential security breaches, as hackers suddenly have a widespread buffet of patchwork security practices and uncontrolled personal networks. Some are even preying on the atmosphere of anxiety surrounding COVID-19, setting up phishing scams ostensibly from the federal government, health agencies or pharmacies in an attempt to steal personal information or infect devices with malware.
Holding the perimeter
In 2017, the estimated average cost of a breach in Canada was $6.1 billion. With the introduction of Canada’s Mandatory Reporting of Breaches of Security Safeguards, we expect to see this statistic grow over coming years. A breach which poses a Real Risk of Significant Harm (RROSH) must be reported; this includes breaches of personal and corporate information. To assess whether an organization’s data loss presents an RROSH, we consider damage to Personal Identifying Information (PII), reputation, property, information and trade secrets, as applicable.
One strategy in play is “Zero Trust,” which the information security sector has adopted as a critical measure to prevent data breach.
This concept abstains from automatically trusting any device, individual or token, inside or outside the perimeter, before the source has been verified and validated. Scaling up multifactor authentication and installing strong security controls for remote use of facilities-based software provide some examples of this principle at play. Yet even with these and other technology measures in place, it’s important to remember that people are the perimeter for cyber security breaches.
It’s important to build defenses that account for both technology and human behaviour. Humans add an unpredictable layer of risk, from holding doors open for assumed colleagues, perceived contractors or guests, to freely enjoying guest WIFI access. Zero Trust can mitigate much of the digital risk and control access, but educating employees around cyber security best practices, phishing scams and related information is a critical tool for everyone’s protection.
Preventative measures
As you might imagine, the best line of defense here is proactive — preventing breaches or attacks from occurring in the first place, or at least from being successful. As the saying goes, it’s the best cure — but prevention is unlikely to be completely perfect, as digital saboteurs continue to develop unforeseen means of hacking information. However, we can close the vast majority of security gaps through a holistic combination of strategies, including technology, employee education, protocols and rapidly evolving compliance requirements and regulations. And when security is compromised, we can evolve strategies to contain the risk.
Using strategies like the aforementioned Zero Trust, multifactor authentication and related measures is critical on the front end, but so is strong employee education and establishing reliable processes. For example, organizations should communicate creatively and consistently with employees to help them understand security risks, teach best practices and provide special support and training to high-risk user groups that deal with sensitive information often. In terms of processes, the IT team might expand monitoring for data and end-points, and the organization might set up new protocols about securing physical documents.
Resilient recovery
While prevention is certainly the ideal, a truly resilient organization will also have strategies in place for managing and recovering from a data breach if one should occur. Moving from cyber security to cyber resilience represents a paradigm shift that will empower an organization to respond when unprecedented risks or challenges do arise. This process might look like scenario planning for potential breaches or cyber attacks; establishing cyber incident reporting protocols and escalation paths to the right management levels; formal readiness and recovery plans for cyber attacks as part of business continuity planning; and even routine test cases or simulations of the cyber breach response. Expert advisors can help design these resilience plans, to minimize risk and maximize response to any threats on the horizon.
As the cyber risk landscape continues to shift at an unprecedented pace, resilience and adaptability become more critical than ever before. However, as more forward-thinking organizations shift their philosophy from cyber security to cyber resilience, we will be well-equipped to meet those challenges head-on.