[BreachExchange] Cyberattacks Will Soon Affect More Than Canadian Businesses' Bottom Lines

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 14 20:26:25 EDT 2017


http://www.huffingtonpost.ca/kevin-deveau/cyberattacks-will-soon-affect-more-than-canadian-businesses-bot_a_23074142/

It seems that the topic of this quarter has been cybersecurity, and
rightfully so.

We're hearing of major data breaches occurring on nearly a monthly basis.
Recently the HBO cyberattack leaked proprietary information from Game of
Thrones, season seven, including an episode and script. In June, a Petya
malware attack took over computers across the globe, demanding ransom from
its victims.

HBO is one of the lucky ones, if you ask me. The cable and satellite
television network has the resources to come back from this. For other
smaller businesses with plenty of competition, however, a data breach can
be absolutely crippling. With Canada's Digital Privacy Act soon requiring
that breaches be reported to regulators and clients, it's not only an
organization's infrastructure and bottom line that will suffer as they try
to recover from an attack, it's their reputation.

You might think that this would encourage organizations to take every step
possible to ensure they were doing everything in their power to protect
themselves from potential cyberattacks, but according to a recent survey
conducted by Ovum for FICO, this is not the case.

Although 76 per cent of Canadian executives surveyed admitted that they
expect the number of data breach attempts to increase over the next year,
less than half (46 per cent) reported that their organization's level of
investments in cybersecurity will increase over the same time period.

Further, 68 per cent reported that their organization's volume of attempted
data breaches has increased over the past year. While 53 per cent of U.S.
respondents felt that an assessment of their firm's cybersecurity in a
year's time would show improvement, that number was significantly lower in
Canada, at only 36 per cent.

As a business leader it can be easy to brush off the risks of gambling with
your organization's data with the sentiment that "it will never happen to
us," but the reality of the situation is it very well could. When you look
at attacks like WannaCry, which targeted those using a Windows operating
system and demanded ransoms delivered in bitcoin, you realize that no one
is out of reach. Organizations of all sizes with varying levels of
resources are now being targeted and infected.

If that's not enough, it's not only your organization that you have to be
worried about, but every partner in your supply chain. These partners
likely have access to your systems and your data to some degree. If not,
you are most certainly interacting with them on a digital level. If they
become infected, you might be going down with them. There are tools out
there that can help; for example, the Enterprise Security Score allows
organizations to assess, score and identify weaknesses in their
cyber-defense walls.

A great back-up defensive mechanism is cyber-risk insurance. While Canadian
organizations rank higher than our U.S. counterparts, it appears that more
than one-third do not have cyber-risk insurance. Further still, 16 per cent
have no intention to obtain this insurance for their business.

Why is this? It could be that cyber-insurance pricing is viewed as being
unclear. Eighty per cent of Canadian respondents feel that insurance
companies should be doing more to help organizations understand how their
risk price structure is calculated, while 20 per cent believe that their
business' calculated premiums do not accurately reflect their risk profile.

Moreover, it could be that businesses perceive difficulty in identifying
the direct return on investment from a major cyber-insurance purchase. When
an organization sits down and evaluates how best to spend their budget for
the year, understandably it may be tough to allocate a big portion of the
funding to an area where added value is not immediately visible. So you're
probably wondering what the best way to invest to protect your business is.
Each investment works differently, but there are three major strategies
that should be considered.

Defense: Imagine your business as a castle. The first way you can protect
it is by investing in firewalls—these are your castle's defensive walls,
and your moat. These will hopefully deter attackers from targeting you in
the first place, and will provide a barrier if they do come after you. Now,
you can build these walls higher and higher, and you can add more bricks to
make it thicker, but no matter how well you protect the perimeter, none of
this will matter if an unsuspecting villager lets the attackers in
(willingly or unknowingly — by downloading infected files for example) —
like a Trojan Horse.

Insurance: While this doesn't protect you from being attacked in the first
place, it will help cover the potentially significant costs of any
liability which may arise, as well as policyholders' own losses including
legal, IT security and regulatory costs, if you are breached.

Analytics and analysis: Investing in technology that allows you to
proactively monitor your organization's enterprise security risk is another
option — and one which may deliver the most obvious value to your team. In
its most leading-edge form, this technology can provide a 360-degree
analysis of where vulnerabilities in your current security infrastructure
and system exist, and how you can fix them. As tangible weaknesses are
identified, this could mean training for staff, updating operating systems,
or interpreting where the bulk of your attempted breaches are coming from
so that your organization can better block and deflect them — ultimately
allowing you to prevent a damaging event like the high-profile breaches we
have seen recently.

A combination of defense, insurance and analysis is the most powerful
protection against the increasingly risky cyber-landscape. However, it can
be challenging to know where to start. Having the analytic tools to
identify and break down your organization's risks can make the process of
protecting yourself much easier to tackle; without these tools, it's not
unlike trying to drink from a fire hose: totally overwhelming.

It will take some time, but it is important to ensure you are doing
everything in your power to protect your organization from the potential
damage of a cyberattack.