Companies must focus on managing cyber-attacks, not eliminating them
Companies trying to stay ahead of the increasing threat of cyberattacks need to be cognizant of one simple fact: there is no perfect antidote or turnkey solution against criminals bent on breaching their systems.
“Everyone is hacking into everything,” said Benoit Dupont, professor of criminology at the University of Montreal and the Canada Research Chair in Cybersecurity.
“Even the most secure, aware organizations like the top intelligence agencies in the world get hacked,” he said. Last month, the New York Times reported that the cyberweapons developed by the National Security Agency to spy on other countries are now being used against it, thanks to a leak.
The number of Canadian businesses experiencing losses of $1 million or more loss rose to seven per cent from just one per cent two years ago, according to a 2017 report by the Canadian Chamber of Commerce.
With each passing year, hacking has become more dangerous, sophisticated and difficult to prevent — and solely ramping up spending on cybersecurity is not a viable solution for any organization, experts warn.
What’s required when it comes to cyber preparedness, Benoit and others argue, is a radical overhaul of the entire ecosystem that accounts for the significant role that human error plays in breaches - from confidential data sent to insecure home systems, to phishing schemes that rely on tricking people into giving up sensitive information belonging to their employer.
At a minimum, organizations should ensure that mechanisms are in place to minimize the damage caused by inevitable cyberinfiltrations so that if criminals are able to breach a system they won’t necessarily be able to exit with anything of value.
That starts with prioritizing the information that organizations must protect, said Christian Leuprecht, national security expert at the Royal Military College and Queen’s University.
“People think there is such a thing as privacy and that you can keep things secret. We need to come to the realization that’s not possible,” said Leuprecht.
“We need to say 90 per cent of stuff that becomes public, we can live with that. And here’s the stuff that we have to protect at any and all cost, and where we’re going to put all our efforts into protecting that.”
Surprisingly, encryption — in which data is translated into a secret code that can only be accessed by using a secret key or password to decrypt the documents into plain text — is one measure few companies seem to be adopting, said Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada.
“The fact that every time we hear about someone’s system being breached and people are able to read the details tells you a lot,” Kabilan added.
Encryption, however, isn’t a viable long-term cyber-strategy for companies that need to have constant access to data themselves, according to Andre Boysen, chief identity officer at Toronto-based SecureKey.
“It’s going to make it harder for the business to read the data,” he said.
“It’s got limited usefulness.”