Why do you feel it is important for small and medium organizations to be thinking about their cybersecurity posture?
Today more than ever, we are seeing an increase in attacks. We have recently seen an uptick in phishing scams and remote desktop intrusions due to COVID-19 and the growing “work from home” culture. There is approximately a 300 percent increase in various attack methodologies concerning “Business Email Compromise” and “Ransomware”.
The threat landscape is constantly evolving; having a baseline of protection and better awareness will force the attacker to move to a business that is an easier target.
Why do you feel it is important for Canadian Organizations to develop incident response plans?
Where do I start? It’s about possibly saving a life. A response plan creates confidence, builds trust, it is a roadmap, a time saver, it protects assets, etc. “My IT guy will fix the issue” used to work in the ’90s. Today every business has the responsibility to protect their client information and the safe operation of the business. The plan should outline who to call first, i.e. police or fire, or any service that might require instruction and steps for an incident.
In the case of a data breach, a team that has the capability to determine the cause and effect, and your lawyer, insurance. When the data is collected, and remediated, the privacy commissioner.
The plan should have the names and phone numbers for everyone in the plan and who receives the plan. The plan should be validated on a regular basis.
This process can make the recovery efficient and minimize your recovery costs.
What is important to know when drafting an incident response plan?
Think of all possible scenarios where you may need to include that incident. Look at other well-crafted plans for a business of your type. Make the plan relevant for the company size. Have all the data collected from all your co-workers. Work with a team; others may have some practical ideas about the coordination of the plan and can fill in missing details that may become critical during an incident.
What should an organization do to plan for incidents they cannot manage on their own?
Have a plan in place and include an external IR manager. They can be your regular IT, a lawyer, or a person you can rely on with some experience and knowledge of your business. Have a backup of your external resources that you will be relying on.
Do you believe having an incident response plan can help a Canadian organization maintain trust and show due diligence in the event of a cyber security incident?
I think that having a proper IRP will let people such as employees, board members, the public, insurance providers, whomever, understand that you thought about incidents before they happened. It shows the business has started to do their best to manage an incident. This will help the insurance company minimize the costs. They will appreciate it. You build a great IRP by keeping it current and building on that. As the landscape changes you need to review on a regular interval. I don’t think the general public know or care about an IR plan because they expect the SME to do what is right, to protect them from future identity theft issues, business email compromises and anything that may affect long-term outcomes. They will care only when there is a breach and they may become victims in the future.
Would Cyber Security Insurance help Canadian organizations recover from a Cyber Incident?
We have seen SMEs’ self-managed incidents (not reported) costing well over $20,000.00 and reaching up to $50,000 in out-of-pocket expenses, including minimal forensics, upgrades of systems (re-installing operating systems, usually updating the operating systems to current versions), legal fees (managing the IR or reviewing documents prior to reporting to Privacy Commissions), incident reporting, overtime for all involved, and new licenses for different AV solutions, considering the installed software failed to catch the threat. There are other expenses that are not usually considered, like food and parking for the staff, overtime, aside from the long-term issues that may result from the incident. I am sure I left little things out that will cost.
What do you feel is the primary threat for Canadian small and medium organization today?
We are constantly seeing phishing attacks that lead to Business Email Compromise, Stealing Credentials, email redirections, and ultimately ransomware. These have been continuous over the years, but since COVID, it has increased by 300%. I do not think any user of the internet is immune to these attacks. Our biggest challenge is the worker from home that has access to the internal network of the organization. Home network security has never been of primary concern for SMEs because remote workers were not prevalent. Now we have remote workers that can be 10 to 90 percent of the workforce. These workers are easy targets. Sharing computers with family members, being on the same networks that may have a compromised device on the network monitoring or attacking the environment. As a note, part of this threat is the lack of education users have in the form of behavioural shaping and reminders (awareness training).
Do you feel implementation of CyberSecure Canada controls could help Canadian small and medium organizations protect their intellectual property from breach?
YES. The program brings awareness. The biggest benefit is knowing what you must protect and where it is. Knowing that you have done something to protect your assets, intellectual property, etc. and in the event of a catastrophe, you can recover with minimal downtime. As a business owner it shows diligence towards protection, it is one less thing to worry about and allows the marketing people to tell clients that you are serious about protecting their data.
What would you recommend Canadian small and medium organizations consider when planning to implement the CyberSecure Canada controls?
This is a new baseline for security, and we have found that SMEs are not prepared. We still get comments like ‘I have nothing to hide or I have nothing that hackers would want.’ It is only when you lose it that you realize you had something valuable to a hacker.
Consider how helpful it will be to at least know your posture. Consider how much less exposed you will be; consider that you will now have a budget for better protection now and going forward.
Do you feel small and medium organizations should seek the assistance of Managed Service Providers when implementing the CyberSecure Canada controls?
I feel like it depends on their posture today and plan for tomorrow. What are the resources in house? Maybe, if required, a security-orientated MSP for such services. Primarily, when deciding if an MSP is required, you need to understand the business’s needs and then whatever cannot be managed in house in a professional, responsible way, you will employ the services of the MSP or a practitioner to guide you through the process.