Cyber attacks come in a variety of forms and with a variety of intensions. Whether for money or pure disruption, organizations are at risk of both the intrusion and the potential breach of regulatory obligations.
Identifying cyber risks
While there are many different types of cyber threats, the following are the most common five encountered:
Phishing: A ploy that utilizes misleading emails in an attempt to get a user to follow a link to a website designed to infect the user’s PC or ply away personal information.
Malware: A generic term that refers to many forms of malicious software. This includes viruses, Trojans, worms, ransomware and spyware. Each of these serves to gain access to a target’s system and disrupt normal activity, steal sensitive data, and/or hold access for ransom.
Data breaches and man-in-the-middle: Data is either stolen directly from unwanted access or intercepted during transmission between two parties.
Denial of service: Attacks that are targeted at such specific things as hardware, applications or websites in order to disrupt their use.
Internet of things device attack (IoT): Where corporate devices are connected via the internet, there is opportunity for these connections to be exploited and for data to be stolen.
Nearly 90% of cyber incidents are phishing attacks. While the technological maturity level of an organization can greatly influence the response rate, statistics show that upwards of 30% of the targets of a phishing attack open the malicious emails. Up to 12% were found to take the next step and open the included website or attachment. As a result, your user-base is often one of the weakest points in your environment.
Getting on the right track
Organizations can significantly reduce their cyber risk with the implementation of a consistent IT methodology with security in mind. Start by taking an inventory of your organization’s hardware and software. By simply removing unsanctioned hardware and software from access to your network, you immediately improve your defenses. Manage this going forward by restricting the administrative privileges needed to install new applications and to configure hardware options.
As part of your IT methodology, establish a consistent configuration base of all your devices. Add rigour to how these units are configured, and ensure that proper security protocols are used. In many cases, simply making changes from the manufacturer’s default settings will help reduce exposure. Once you have established your configuration, employ change-control procedures to assess and monitor their upkeep. Work in a regular patching process to ensure that all your devices are up to date with the latest changes from the manufacturer, which often include security improvements. Many attacks focus specifically on out-of-date software versions.
As discussed earlier, many attacks are buoyed by fooling users into clicking a dangerous link or downloading malicious applications. As such, do not underestimate the importance of educating your user-base. Be sure to highlight what to look for, enforce a critical thinking approach, and reassess as needed. Phishing email drills can be very eye-opening and can help to reinforce preparedness.
Getting the right help
Cyber security is an increasingly complex and important topic. As such, it is often difficult for smaller organizations to stay on top of their security needs. They may not have the proper in-house skills to set the right IT methodology in place or manage it going forward. There is certainly a cost benefit consideration to hiring the needed technical help versus bringing it in externally.
Do not hesitate to look for help. There are numerous consulting companies that can be engaged to conduct an initial cyber security review or assessment of your current environment. These companies can either direct you as to where to make the most important improvements or take over the responsibility as part of an outsource agreement.
Responsibility to protect
Currently in Canada, it is not against the Criminal Code to fail to implement cyber security measures. However, there are a number of civil and liability obligations that are relevant. Most notably, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) is relevant to all personal information involved in commercial activities. PIPEDA calls for the protection against loss or theft, modification, copying, unauthorized access, or even disclosure of personal information. This means that the organization itself has a duty to protect the data in its realm.
PIPEDA is not the only regulatory component to be concerned with. Several provinces have passed similar legislation that require the keepers of data to safeguard this information. Various industry regulators have also implemented regulations around not only the protection of data but also the reporting of intrusive events. For example, the Canadian Securities Administrators (CSA) requires market participants to implement a security framework (relative to their scale).
Cyber attacks are a part of the new reality in our increasingly connected commercial paradigm. Your industry, your scale and the sensitivity of your data will dictate how much you need to do to mitigate the inevitable intrusions. The basic steps above will help to reduce simple or widespread cyber attacks. However, do not underestimate the importance of an effective IT methodology to fully mitigate risks associated with cyber attacks.
This article is reprinted from the newsletter BUSINESS MATTERS with the permission of CPA Canada. BUSINESS MATTERS is a bimonthly newsletter prepared by the CPA Canada for the clients of its members.
BUSINESS MATTERS deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.
Although every reasonable effort has been made to ensure the accuracy of the information contained in this letter, no individual or organization involved in either the preparation or distribution of this letter accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.
Richard Fulcher, CPA, CA – Author; Patricia Adamson, M.A., M.I.St. – CPA Canada Editor.