Cyberattacks are on the rise, and will continue to multiply. In light of this reality, the question is no longer “How can we guard against them?” but rather “How can we manage them?”

According to a study published in 2018, cyber crime is a growing global industry that’s worth more than $400 billion per year. Given this impressive “business volume,” you would expect that organizations would adopt sufficient countermeasures, faced with an increasing number of actual and potential threats, and yet…

The Impact of cybercrime on Canadian businesses study conducted by Statistics Canada in 2017 revealed that although 95% of organizations “employed some form of cyber security […], even for the most commonly reported protective measures, usage was not universal.” This just goes to show that the $14 billion invested by Canadian companies in 2017 to prevent, detect and overcome cybersecurity incidents is not a cure-all. Are we focusing too much on hardware and software, and not enough on awareness and training?

Assessing your organization’s maturity level

We cannot stress this enough: when it comes to cybersecurity, the human factor is the weak link in the chain of custody. Information security experts like to quip that the main risk factor is between the chair and the keyboard[ .This may be due to the fact that awareness has not quite made it to the highest echelons of the organization.

Whether they are unaware, misinformed or poorly advised, senior management and boards of directors underestimate their exposure to risk and overestimate both the reliability of their systems and their ability to react. As a result, they not only put their organization at risk, but they also jeopardize the constant flow of data that unites them with their business’s many stakeholders, such as employees, clients, suppliers, trade partners, public agencies and contractors. It’s wishful thinking to expect partners and representatives to handle information securely if the people in charge don’t set the example. Assessing an organization’s maturity level in terms of cybersecurity and cyber resilience therefore starts at the top.

Are senior management and board members aware of the risks they are running—and allowing to run—by failing to sufficiently protect themselves? Hewlett Packard Enterprise (HPE) has developed a six-point strategic reference framework to help companies contextualize this issue and address it in a somewhat positive way. Based on the “Yeses” gathered and their weightings, senior management can determine their organization’s degree of maturity. 

Cybersecurity and cyber resilience: A strategic reference framework

• Cybersecurity strategy
  The organization’s strategy is well suited to its objectives, projects, activities and business environment. Rationale: Not all cyber threats are equal in terms of their type and number, and not all industries are confronted with the same issues and challenges.
• Governance, risk management and compliance
  The board of directors and senior management are diligent and maintain tight control over information security. The organization has a risk management and compliance process enabling it to anticipate problems and solutions. The types of threats are identified and ranked. Standards and policies are documented, an action plan is in place and mitigation measures are ready to be implemented in the event of an attack.
• Operational security
  The organization is able to monitor, manage and respond to cyber threats in real time, 24/7, such that their impact is limited and affects day-to-day operations only minimally or not at all.
• Security of information assets and infrastructure
  Servers, operating systems, workstations, apps, internal networks, WiFi, Bluetooth systems, mobile devices, databases, external networks, etc. have many potential vulnerabilities that could be exploited to infiltrate an organization and bring it to its knees. A team of key stakeholders, methods and tools dedicated to information security ensure that, in the event of a security weakness or breach, the roles and responsibilities are clearly defined and the measures to be taken are understood, mastered and applied immediately.
• Third-party security and the cloud
  The organization is controlling the risks related to using cloud-based solutions and relationships with third parties (e.g. suppliers, partners, contractors, jurisdictions) by integrating policies, procedures and control mechanisms at every level of decision-making and operational processes.
• Culture and sensitivity to cybersecurity
  The organization knows how to counter ongoing threats and is proactive regarding potential threats. Cybersecurity concerns all employees, at every level of the organization. Education, prevention and training are their watchwords in this regard.
• Depending on the asset categories and level of protection they require, it is critical to develop an architecture allowing for sufficient protection measures to be put into place. Managing access, conducting reporting, keeping action logs, performing quality control of developed applications, and protecting data, whether at rest or in transit, are among the measures to be implemented to protect the confidentiality, integrity and availability of assets.

Our own addition to this reference framework is upstream security management.

Is your organization sufficiently protected?

Cyber crime can result in significant revenue loss, damage to your reputation following the theft of your clients’ data, a slowdown in your activities (or worse, a total halt), a significant increase in insurance premiums―which can take a major bite out of your profit margins―as well the risk of lawsuits and legal sanctions. These are just a few examples, but they should get you thinking.

Below are some tools to help you take stock of your situation and act promptly to protect your organization from cyberattacks.

• The Cyber Highway by Cyber Essentials Canada is an online tool “that offers a cost-effective approach for small and medium organizations to assess their organization and take steps to mitigate cyber risk.”
• The Investment Industry Regulatory Organization of Canada (IIROC) published the Cybersecurity Best Practices Guide for investment dealers, but any type of organization can use it as a model “to customize and quantify adjustments to their cybersecurity programs using cost-effective security controls and risk management techniques.”
• The Cybersecurity Framework was created by the National Institute of Standards and Technology (NIST) for mature organizations looking for bullet-proof armour to protect their activities. The framework is the ultimate reference tool for organizations operating in the financial services and insurance industry, in particular.
• Cyber Essentials, developed by the British government, is an excellent starting point and an effective tool for evaluating the reliability of your procedures and systems, making corrections to them and adopting sound basic practices.
• If your resources allow for it, ISO 27001 – Information security management systems “specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization’s overall business risks.”

Regardless of the reference framework you choose to protect your organization, Cofomo can guide you in selecting and implementing a standard as well as cybersecurity and cyber resilience systems that are tailored to your organization and its reality.

Learn more about our cybersecurity, governance and security, and risk and compliance management services. Need help? Don’t hesitate to contact us.