No one thinks it’s going to be them. Until it is.
According to the movies, cybercriminals operate out of abandoned warehouses, target carefully selected conglomerates and use things like “worms” and “keys” to gain access. The reality, however, is that cybercriminals, using scattergun techniques like phishing, are not out for world domination but rather a more familiar motive: money.
In 2016, 24% of breaches targeted financial organizations, 15% healthcare, 12% public sector entities and 15% targeted retail and accommodations*. Whether it’s design plans, medical records or good, old-fashioned payment card details—someone, somewhere will see it as their meal ticket.
Organizations need to build a strong security posture by implementing strategies that address internal and external threats across the entire chain. It is critical to start from the premise that systems will be breached. This perspective enhances the effectiveness of decision making related to preventing, mitigating and recovering from a breach.
Another recent development makes this a pressing imperative. Canada’s new Digital Privacy Act has introduced mandatory breach notification. In 2017, organizations will be required to notify the Office of the Privacy Commissioner, as well as the individuals affected, if the organization experiences the loss or theft of personally identifiable information that puts these people at “real risk of significant harm.” Failing to do so could result in fines of up to $100,000 per offence. This requirement is part of the Digital Privacy Act (formerly referred to as Bill S-4), which came into effect in June 2015.
On January 19, 2017, the Canadian Securities Administrators (CSA) published Multilateral Staff Notice 11-332, stating that they expect issuers to provide risk disclosure that is as detailed and entity-specific as possible, should they determine that a cyber security risk is a material risk. Determining materiality requires analyzing the cyber security incident, the probability of a breach occurring and the anticipated magnitude of its effect. The CSA expects issuers to disclose specific risks, rather than generic risks common to all issuers, and to tailor their disclosure of cyber security risks to their particular circumstances.
Underestimating risks leaves enterprises highly vulnerable. Poor security can lead to painful, even catastrophic, financial and reputational losses. Moreover, data breaches and other security incidents put not just individual companies, but entire supply chains, at risk. The following are three steps to build a robust security posture that will support the goals and resilience of your organization, and assist you in determining your cyber security risk.
- Conduct a health check of your organization’s cyber security maturity.
A health check is an assessment of an organization’s controls, security risks and threats, to define its current security posture and highlight gaps.
The health check assesses current risks to your industry and business and evaluates the strengths and weaknesses of your organization’s existing security controls.
The health check determines the impact a breach could have on your organization: operations, productivity, information assets, infrastructure, reputation, materiality of the cyber security risks and brand.
- Develop a clear security roadmap.
The health check will guide an organization by providing a clear map of priority risks and practical direction regarding where to most effectively focus cyber security budget and resources.
- Test your organization’s vulnerability to cyber-attack.
It’s essential to supplement planning with robust testing to determine your organization’s vulnerability to cyber breaches. Intellectual property, personal information, plant systems, computer servers and mobile devices could all be targets for attacks.
Seek objective, trusted third party cyber security expertise to assess potential weaknesses through vulnerability assessments and penetration testing of your internal and external networks and applications.
Without adequate protection, cyber security threats can put your organization’s operations, its reputation and even its existence at risk. Vigilant assessment, planning and testing are critical to protect the bottom line.
For more information on how you can better protect your business from cyber-attacks, contact: Danny Timmins, CISSP, National Cyber Security Leader T: 905.607.9777 E: [email protected]
MNP is a leading national accounting, tax and business consulting firm in Canada. We proudly serve and respond to the needs of our clients in the public, private and not-for-profit sectors. Through partner-led engagements, we provide a collaborative, cost-effective approach to doing business and personalized strategies to help organizations succeed across the country and around the world.
- 2017 Verizon Data Breach Investigations Report
- Canadian Securities Administrators Multilateral Staff Notice 51-347 – Disclosure of cyber security risks and incidents
- Canadian Parliament: Digital Privacy Act (Bill S-4)
- Government of Canada: For Discussion — Data Breach Notification and Reporting Regulations