'It only takes one employee, and the attackers are getting more sophisticated'
“Every company in Canada is a target.”
So says Alexander Rau, a partner in the cybersecurity practice at KPMG Canada, speaking about cyber attacks.
That was only too evident this past November when both Maple Leaf Foods and Sobeys were victims of cybersecurity incidents, resulting in systems and service disruptions, along with a possible breach of personal data and payroll challenges.
As further evidence, a report by Fortinet found that 80 per cent of organizations worldwide experienced one or more breaches in the last 12 months – with one in five suffering five or more breaches.
Almost 40 per cent suffered breaches that cost more than US$1 million to remediate, found the survey of 1,233 IT and cybersecurity decision-makers in more than 30 countries.
“It only takes one employee, and the attackers are getting more and more sophisticated,” says Rau.
“Oftentimes, it takes a breach to open the budgets. If you look at it, the amount spent after a breach is X amount of dollars they could have spent on preventative measures and training to prevent that. So, the message here is if you spend proactively, you will probably save money reactively.”
For years, HR has rolled out cybersecurity training – but this doesn’t seem to be working: worldwide, 80 per cent of organizations suffered one or more breaches that they could attribute to a lack of cybersecurity skills or awareness, found Fortinet.
Why? A variety of reasons that include more sophisticated threats, training fatigue and a lack of skilled staff to tackle the issues.
But there are newer solutions that employers should be considering, say the experts.
Changing threats
Too often, the focus on preventative measures has been on external threats. But there are statistics out there that show actual data leakage is mostly done internally, by insiders, says Rau.
“But then you have to also distinguish between a malicious insider and an unknowing insider — somebody who doesn't know that they're doing something wrong, somebody who loses a USB key with data on it or something like that.”
This kind of threat is much harder to detect, he says, but more employers are starting to focus on that piece from an education perspective.
Another challenge: hackers are becoming more sophisticated. Last year, the initial point of entry was split roughly 50-50 between phishing and the exploitation of a vulnerability in technology, says Rau.
And while phishing had gone down thanks to awareness training and stronger technical controls, such as multi-factor authentication, it may be coming back up, he says.
“It has ramped up more because attackers are becoming more savvy with the way they craft their phishing emails, the technologies that they're using to exploit organizations.”
The attackers are using social engineering more often, says Kedar Mendhurwar, cyber instructor at Concordia Continuing Education in Montreal, citing an example where a hacker pretended to be an IT support person.
“He was able to make the employee pass through the two [authentications]. So, we might have all the security controls… but, basically, humans are the weakest link. And that's the biggest challenge for organizations. Because, as humans, we think that we are not vulnerable.”
Training fatigue, complacency
That’s another big problem: training fatigue or training complacency.
“Some companies do the same cybersecurity training over and over, every year… So people are almost getting tired of it: ‘Oh, I've already done this; I don't need to pay attention to this anymore,’” says Rau.
Even with multi-factor authentication there’s “MFA fatigue,” he says, because people are being inundated with requests on their phone.
“Sometimes the attackers make use of that and send something [that looks familiar] so they gain access by exploiting our fatigue or weakness by pressing a button that we didn't even initiate.”
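The push-bombing pattern Rau describes leaves a recognizable trace in authentication logs: a burst of prompts the user never initiated, mostly denied or timed out, sometimes followed by a single approval. The Python below is an added example, not code from the article, KPMG or any vendor; the log format, the field names, the five-minute window and the three-prompt threshold are all assumptions, and the log lines are constructed for illustration.

```python
"""Flag MFA push-bombing ("MFA fatigue") in authentication logs.

Added example, not code from the article. The log format is an assumption:
one event per line, ISO-8601 UTC timestamp, then key=value fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice is being push-bombed and finally taps "approve";
# bob is a normal login. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2023-02-01T08:00:01Z user=alice event=push_sent src=198.51.100.7
2023-02-01T08:00:09Z user=alice event=push_denied src=198.51.100.7
2023-02-01T08:00:15Z user=alice event=push_sent src=198.51.100.7
2023-02-01T08:00:45Z user=alice event=push_timeout src=198.51.100.7
2023-02-01T08:00:50Z user=alice event=push_sent src=198.51.100.7
2023-02-01T08:00:58Z user=alice event=push_denied src=198.51.100.7
2023-02-01T08:02:30Z user=alice event=push_sent src=198.51.100.7
2023-02-01T08:02:41Z user=alice event=push_approved src=198.51.100.7
2023-02-01T08:10:00Z user=bob event=push_sent src=203.0.113.5
2023-02-01T08:10:05Z user=bob event=push_approved src=203.0.113.5
"""


def parse_line(line):
    """Turn '<ts> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_bombing(log_text, window_minutes=5, threshold=3):
    """Return alerts for users who receive >= threshold push prompts within
    window_minutes, and for approvals that land while such a burst is open.
    The thresholds are assumptions; tune them against your own baseline."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        sent = deque()       # timestamps of prompts still inside the window
        burst_open = False   # one alert per burst, not one per extra prompt
        for rec in recs:
            # Evict prompts that have aged out of the sliding window.
            while sent and rec["ts"] - sent[0] > window:
                sent.popleft()
            if len(sent) < threshold:
                burst_open = False
            if rec["event"] == "push_sent":
                sent.append(rec["ts"])
                if len(sent) >= threshold and not burst_open:
                    burst_open = True
                    alerts.append({"user": user, "kind": "push_burst",
                                   "ts": rec["ts"], "src": rec["src"],
                                   "prompts_in_window": len(sent)})
            elif rec["event"] == "push_approved":
                # An approval during a burst is the attacker's win condition.
                if len(sent) >= threshold:
                    alerts.append({"user": user, "kind": "approved_after_burst",
                                   "ts": rec["ts"], "src": rec["src"],
                                   "prompts_in_window": len(sent)})
                sent.clear()        # the login completed; start a fresh window
                burst_open = False
            # push_denied / push_timeout need no action: the prompt is already
            # counted in `sent`, and the outcome is implied by no approval.
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['user']:<6} {a['kind']:<21} "
              f"prompts={a['prompts_in_window']} src={a['src']}")
```

A "push_burst" alert is the moment to suspend further prompts for that user and tell them someone has their password; an "approved_after_burst" alert means the session that resulted should be treated as compromised and revoked. The longer-term fix is number matching, where the user must type a code shown on the login screen into the authenticator, so a prompt they did not start cannot be approved with a reflexive tap.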
Just over a third (34 per cent) of employees express little-to-no concern about data theft at work, and 16 per cent believe they can't be targeted at all by cyber criminals, finds Terranova Security.
Most employees are unaware of the kind of damage a cyberattack can cause an organization, says Mendhurwar.
“[With] these different security awareness trainings, people think of it as just another checklist or just another check box to tick. And they don't take it really seriously. Most likely, they're not aware of what could go wrong.”
Whether people are working in academia or hospitals or banking, they think that IT security is not part of their job, he says.
“And then if they do act in a secure way, it's not going to impact their paycheck. So doing this, it's basically a burden for them.”
Even the security measures put in place to protect data can backfire if they hamper employees’ workflow by slowing down their machines or causing glitches.
“This is something we're still struggling with,” says Rau. “Security resources in the organization need to work more closely with the business to ensure — and it's not always possible — that security controls are seamlessly integrated into the business flow.”
If security controls prevent people from doing their jobs, “they will never be adopted, and the organization will always be a victim,” he says, so that means organizations should try to have the different parties collaborating as much as possible to address that.
Hiring, retaining cybersecurity staff
Another key factor is that organizations struggle to find and retain certified cybersecurity people. That's evident in the Fortinet survey, which found 60 per cent of global leaders struggling to recruit cybersecurity talent while 52 per cent are having trouble retaining qualified people.
And two-thirds (67 per cent) agree that the shortage of qualified cybersecurity candidates creates additional risks for their organizations.
Part of the reason for the shortage in resources is that the industry and digital transformation have been so rapid, so educational institutions and employers have been lagging behind, says Rau.
“We have seen a lot of headway when it comes to — especially in Canada… colleges and universities producing very high-quality security professionals; it’s not perfect yet, but [that brings] entrants into the market that organizations can pick up and train and use. But the shortage continues.”
As for keeping the talented staff? “Once you have two years under your belt in this industry, you can basically pick and choose where you want to go these days,” he says.
With cybersecurity, what was relevant yesterday may not be relevant today, or tomorrow, says Mendhurwar.
“It's always evolving — there are very few people who are adapted to this change.”
But even with the best security team in the world, if employees lack awareness about security, the system will fail, he says.
“Security, it's a trifecta: It comprises people, processes and technology. So you can have the best technical people, and you can have the best technology, you might have spent billions of dollars but then if you do not have the people — and when I say people, not the security professionals, but all your people, and also the processes — then your security is going to fall down, your infrastructure is going to be breached.”
Newer solutions for cybersecurity
Rather than security awareness being treated as an added burden, it should be conveyed as “security culture,” says Mendhurwar, meaning “something that we inherit, something that we live.”
Employers and HR should change the way they present training to employees, says Rau.
“When we talk about building security culture, there are multiple things involved. It's not just having a security awareness training… But you are also having different campaigns, like some meetings, some workshops with your employees; then also some sort of a phishing campaign where it would be a security team who would send out some phishing emails to see if someone has clicked on it. Then having some meetings with HR, frequently email notifications, send some PSAs on ‘What are the best security practices?’… and also rewarding people for certain initiatives.”
Making the training more personal is another effective way to make it resonate with staff: helping employees carry cybersecurity awareness into their personal lives makes it relevant and makes them more cyber secure and cyber aware, he says.
“Just by being more accountable, it will reduce the risk by them, by employees, in being more responsible, accountable.”
Multi-factor authentication can also make a difference as part of a multi-layered approach to cybersecurity, by asking people for a second factor, such as a prompt on their phone or an SMS code, says Rau.
“Yes, the human element is the weakest link in there, but we also need technology to support our employees… when we have a weak point or when we fall through the cracks,” he says.
Finally, with the return to the office, there’s a great opportunity to freshen up the training by doing it in-person, says Rau.
“In telling the stories about how [breaches] actually impacted people, I think that's much easier and more impactful if you have an individual that is talking about these things and brings it home and makes it more relevant. So, switching up the delivery method.”