Experts say it is no longer about preventing attacks, but minimizing their impact
Cybersecurity, it turns out, is passé. According to the World Economic Forum, cyber resilience is the new standard.
What’s the difference?
Cybersecurity is all about foundational security controls. Cyber resilience – which the WEF calls “the defining mandate of our time” – is the ability of an organization to anticipate and withstand future threats, recover from cyberattacks, and adapt to likely future digital shocks.
And according to the Canadian Centre for Cybersecurity, the likelihood of “digital shocks” is on the rise: ransomware attacks increased by 151 percent during the first half of 2021 compared to the same period in 2020.
But the corporate world may not be keeping up.
That’s apparent from a recent report from Proofpoint Inc. and MIT Sloan, which found that two-thirds of board members in 12 countries, including Canada, fear a cyberattack in the next year, yet almost half feel their organization is unprepared to cope. Making things worse, Canada had the highest percentage of board members who felt that their organization did not adequately invest in cybersecurity.
The report also found that boards focus primarily on protective measures instead of responding properly to attacks.
“They may even have deemed the cyberattacks as ‘cost of doing business,’ without fully understanding either the risk or the impact to the bottom line,” the report states.
That’s unfortunate because the impact is considerable. According to a data breach survey released by IBM and the Ponemon Institute in July, the 25 Canadian companies that suffered a breach in the 12 months ending in March incurred $7 million in recovery costs per incident.
“Companies will dedicate considerable resources to deal with the immediate issue that they’re facing, but they also have to prepare for a threat that is constantly evolving,” says Michael Castro, the Toronto-based CEO of RiskAware (Cybersecurity) Inc., a consultancy, and former chief information security officer (CISO) at Loblaws. “The reality is that it’s impossible to be totally secure, so companies need to think of the issue in terms of reducing the likelihood of an attack and being as prepared as possible for when it happens.”
According to Castro, being prepared involves investing in the right technology, training staff, raising awareness and having an incident response plan. Other measures include strong user authentication, using offline backups, and recognizing and reporting phishing.
“These steps won’t prevent attacks, but they will minimize their impact,” Castro says.
Fortunately, although many organizations still fall short on cyber resilience, the situation is improving.
“Organizations are better prepared than they were five years ago, but they must continue to evolve by growing their budgets and efforts, or they’ll soon find themselves back where they were before and end up being the next headline,” Castro says.
Imran Ahmad, co-head of Norton Rose Fulbright Canada LLP’s information governance, privacy and cybersecurity practice, says clients are moving from an incident response mentality to preparing for potential threats.
“The emphasis today is on resiliency, which companies need to build up. It’s no longer a case of whether a cyberattack will happen, because it will, but on how to best reduce disruption. That takes proper preparation, and is in some ways analogous to fire drills, which focus on testing, which door to use, and who to follow in case of fire, or to installing a burglar alarm that goes off and gets the cops there quickly to reduce the damage from the break-in.”
But there are challenges, most notably a disconnect between Canadian board members and CISOs in their perception of risk. The Proofpoint and MIT Sloan report concluded that only 50 percent of board members saw greater risk compared to 76 percent of CISOs – one of the highest disparities among the countries surveyed.
Equally challenging is a shortage of skilled cybersecurity personnel.
“The cost of hiring is constantly increasing, and the ability to retain staff is a recurring issue,” Castro says.
Perhaps most significantly, employees are becoming numb to cybersecurity issues.
“People are getting tired of the constant testing and the bombardment of messaging around cybersecurity, and that’s a problem when you consider that 95 percent of security incidents originate with a user clicking on a malicious link in an email or on a website,” Castro says.
“Organizations have to find a way to make these issues stickier and more meaningful through better educational methods, proper training techniques and positive reinforcement.”