
66% of global cyber breaches hit business sector in 2018

‘It’s not a question of if, it’s a question of when and how bad,’ expert says. Here’s how to protect your business from an attack.


According to a recent report from Risk Based Security, Canada ranked third—after the United States and the U.K.—for the number of data breaches reported in 2018 (Shutterstock/Novikov Aleksey)

Canada may be among the countries most vulnerable to cybersecurity attacks, but it’s the lack of business preparedness that’s most alarming, say experts.

In its Data Breach QuickView report, released in February, Risk Based Security, a risk management solutions company, ranked Canada third—after the United States and the U.K.—for the number of breaches reported in 2018. 

“It’s not that we are in a weaker position than other countries. It’s that we are an attractive country for cybercriminals and cyber threat actors,” says Jason Besner, director of threat reporting and planning at the Canadian Centre for Cyber Security (Cyber Centre). “Being [an] attractive target, being that we have information that’s of value, and that we are more and more connected really is lending to that trend.”

In its 2018 National Cyber Threat Assessment, the Cyber Centre identifies cybercrime as the biggest threat to businesses this year, with cyber threat actors increasing the scale of their activity and using methods that are difficult to trace. The centre’s head, Scott Jones, recently encouraged Canadian banks—a prime target for cybercrime—to work with his organization to make Canada unappealing to hackers by warding off such attempts, while the collaborating institutions strive for increased security.

But the threat permeates far beyond the financial sector. Risk Based Security’s report determined that out of the more than 6,500 reported breaches globally in 2018, the business sector was hit hardest, accounting for 66 per cent of these breaches. Yet businesses seem to be slow on the pickup, according to a 2018 Marsh & McLennan survey, which showed only 30 per cent of respondents had a plan in place to handle an attack. 

“I always say, it’s not a question of if, it’s a question of when and how bad when it comes to cybersecurity breaches or a cyber attack,” says Satyamoorthy Kabilan, vice-president of policy for the Public Policy Forum.

So how can a business without a cybersecurity plan get started? Here are some key tips from the experts on how to put one in place. 

IDENTIFY GAPS 

Get the basics down, starting with the technology. Refer to the Communications Security Establishment’s (CSE) Top 10 IT Security Actions to identify gaps to fill. 

Besner recommends having a strong patch regime in place to keep operating systems, applications and browsers up to date. “This is your best bang for your buck to make sure the holes are patched, so if you happen to falter in the other cybersecurity layers, at least there is nothing to take advantage of,” he says.

KNOW YOUR DATA 

Data and privacy breach lawyer Imran Ahmad, partner with Blake, Cassels & Graydon LLP, prioritizes data inventory and third-party contracting. Know what data you have and how you store it. When using outsourced contractors for services such as cloud-based storage or payments, make sure their security methods meet the needs of your organization and align with any compliance and regulatory rules, if applicable.   

“If you don’t know what you have and hold and what may have been touched by the hacker, you are going to be scrambling,” Ahmad says. “You [also] need to make sure that they [third-party vendors] are just as robust as you are.”

Ahmad also recommends putting logistics, such as lawyers, forensic teams and PR firms in place so they can be accessed quickly, if necessary, when a breach occurs. “Organizations that prepare on the front end end up paying less in remediation costs once they are hit by a cyber incident,” he says.

PRACTICE MAKES PERFECT 

Once a plan is in place, application is key. This includes scenario testing, challenging your systems, assessing resources and identifying partners to assist if a breach occurs.

“Just like a fire drill, you need to practise, you need to go through different scenarios, and you need to prepare,” Kabilan says. “It helps to unearth some of the weaknesses you have, but more importantly, it starts building that knowledge about what to do if an incident occurs.”

Besner notes that a plan is always a work in progress, as technology evolves, business needs change and threats become more complex. “Look at your backups, look at your resilience, look at your incident response plan,” Besner says. “These are things that should be invested in and looked at regularly.”

GET STAFF ON BOARD

Bringing everyone up to speed is essential, say experts. Employees at every level should understand the protocols and policies around data handling and storage, device usage, password management, remote work guidelines and the action plan if a breach occurs (for example, what should employees do if they lose their laptop or click on a malicious link?). 

“It’s not a case of just putting them in front of a computer and hoping they are going to exercise what we call good cyber hygiene,” says Ahmad. “You want those people on the frontline to be able to trickle that information back up to legal or whoever is managing risk in the organization.” 

HOW CPAs CAN HELP

As trusted advisers, CPAs hold an influential role in cybersecurity planning given their holistic view of the organization, guiding it through financial planning, risk assessment, auditing and general compliance, experts say. 

“CPAs are playing the most important operational role in cyber preparedness,” Ahmad says. “They have an ability to look at the big picture much more easily.”

It’s a professional opportunity, adds Kabilan, that uses the skills CPAs already have and the connections they’ve made with an organization’s key decision makers.

“CPAs can apply their management knowledge on cybersecurity in terms of challenging and ensuring that organizations are taking the necessary steps,” he says.

MORE FUNDING ALLOCATED

Cybersecurity is a top priority for the Canadian government. 

The recently tabled federal budget provides more funding, focusing on strengthening information sharing on foreign threats between the G7 nations; protecting critical infrastructure in the finance, telecommunications, energy and transport sectors; bolstering university cybersecurity networks; and providing education and advice to political parties, election administrators and Canadians overall.

The 2018 budget was a big one for cybersecurity, with upwards of $1 billion over five years allocated toward these efforts. This included establishing a national cybersecurity strategy, creating the Canadian Cyber Security Centre and launching the RCMP’s National Cybercrime Coordination Unit.

As of November 2018, the Personal Information Protection and Electronic Documents Act (PIPEDA) includes mandatory breach reporting, requiring businesses to report any security breaches that involve personal data and pose “significant harm” to individuals, or face penalties upwards of $100,000.

“The key takeaway from this is, we are more focused on cyber [issues] and we are trying to align our approach to what the U.S., European and other international partners are doing because it’s a necessity now,” says Ahmad. 

BE MORE CYBERSECURITY SAVVY

Expand your knowledge on cybersecurity best practices with CPA Canada’s Cybersecurity Frameworks Certificate, which includes the Introduction to Cybersecurity for CPAs and the Cybersecurity Frameworks Explained online courses.   

You can also access CPA Canada’s Cybersecurity resources page for related tools and resources targeted to professionals in industry, board directors and practitioners and auditors.