'The biggest mistake is viewing cybersecurity only as an IT problem, rather than a business risk'
Scanning the news these days will invariably include a story about an organization or public institution suffering from a cybersecurity attack.
In 2021, 85.7 per cent of Canadian companies experienced at least one cyberattack within a 12-month period, according to a CyberEdge Group report — compared to 78 per cent in 2020.
As a result, ransomware, backdoor exploits and phishing are terms that IT professionals have come to know well.
So, how can employers and HR better prepare for the onslaught? It starts with understanding the “enemy,” knowing your organization’s weaknesses and seeing cyberattacks as a business risk — not just an IT problem, say the experts.
Who and what are the cyber threats?
Apart from the stereotypical hooded individual who might wish to cause harm, there are two main threats to be aware of for businesses, according to Adil Palsetia, partner in cyber security at KPMG Canada in Toronto.
“On one end, you have nation states. Some of those are adversarial to ours and they’re attacking Canadian infrastructure, Canadian organizations, our IP infrastructure, our connection infrastructure, the communications infrastructure, as well as our financial and banking infrastructure.
“All of these things are targets for them in terms of trying to cause havoc or sometimes to push us in a different direction, or have us look in one direction while they’re trying to do something else.”
As well, there are organized criminals with a simple goal, he says. “Their mandate is crime usually, a means to make more money, and so they’re the ones that we’re hearing about around this uptick in ransomware attacks.”
Indigo was one of the most recent companies to be hit with a ransomware attack that could see employee identification compromised.
New ways to exploit organizations are often being rewarded in the criminal underworld, according to Evan O’Regan, associate partner, digital trust and IAM, at IBM in Ottawa.
“Whereas if our credit card number will fetch maybe $10 on the dark web, the identity information can fetch a much higher price on the dark web because those can be used to create synthetic identities to perpetrate more sophisticated fraud and even more. So if I develop an exploit, a backdoor into a company, I can sell that exploit on the dark web multiple times at $10,000 a pop.”
As well, phishing attempts are being used as ways to manipulate an employee to hand over cash quickly, says Antoine Saikaley, technical director at Trend Micro in Toronto.
“For example, these would include bogus invoices, CEO fraud, which is someone impersonating a C-level employee to ask a coworker for money by account compromise and data theft. The objective of the attack is to have company funds wired into the attacking bank account, so employees need to be alert to these measures.”
‘Attack the human’
All of these methods point to the main weakness that organizations have, and it often isn’t the hardware.
“What the attackers have continued to realize is the best way to get around these technical controls is to attack the human,” says Palsetia.
To mitigate the damage when something goes wrong, there are two approaches that organizations often take, according to O’Regan: the reactive and the proactive.
For those who are proactive, “they’re prepared, they have mitigation plans. They also have basic cybersecurity hygiene and practices; reviews, testing, and those pieces.”
In addition, the right attitude toward cybersecurity will help best manage the risk, he says.
“Organizations that tend to be poorly prepared view their IT security investment as an expense, as a cost centre; something that doesn’t really add value to the business and any type of cost like that, any business is going to try to reduce and minimize that expenditure.”
On the other hand, “businesses that tend to do well have grasped the approach that having good IT security, good cybersecurity practices enables them to deliver services better, more efficiently through their digital channels,” says O’Regan.
The average cost to organizations for one fraud is estimated at $7.76 million, according to IBM.
Often, those decisions are made at the board of directors level, and the risk should not be under-emphasized, says Saikaley.
“The biggest mistake is viewing cybersecurity only as an IT problem, rather than seeing it for what it is, which is a business risk. It’s a business problem. The problem with not viewing it as a business problem or a business risk is they tend to downplay the need for investing more in cybersecurity.”
“I think that’s one of the biggest mistakes by organizations today,” he says.
HR’s role in cybersecurity
This planning also includes changing employees’ access as they change departments.
“As the employee moves throughout the organization, we need to enable them but also decrease what they have access to when they no longer need access to it so [it’s about] finding the balance between how much you lock down, how much you trust them [and] train your users,” says Palsetia.
For HR, it’s crucial to get to know the IT team when it comes to ensuring safety.
“Work with the security teams when it comes to the cyber-awareness trainings. HR teams can incorporate cyber-awareness training when an employee is onboarding as well for new hires so that way, right from the beginning, HR teams can bake in cyber-awareness from the start,” says Saikaley.
“Cybersecurity is every employee’s responsibility.”
Only two per cent of actual attacks were reported by employees, according to a survey.
While training is important, “awareness is critical,” says O’Regan, and a blameless culture will yield the best outcomes in case something bad happens.
“Somebody might mistakenly click on a link and it’ll allow some ransomware into the organization or open a door to an exploit. The ability to engage employees, and especially to say: ‘Look, this isn’t an enforcement, you’ve done something bad, but if you suspect something’s happened, let us know as soon as possible so that we can get on it and mitigate it before it develops into a much bigger and serious risk.’”