The Scout Adage still applies: Always be prepared

Tina Beaudry-Mellor, Deloitte Canada.

The prairies are having an economic moment. Geopolitical tensions stemming from the war in Ukraine, the emergence from the global pandemic, and tightening supply chains have all escalated demand for the commodities the prairies produce: the food, the fuel and the fertilizer, as the Premier of Saskatchewan often puts it.

It’s not “if” a cyber breach happens, it’s when.

But with increased opportunity comes increased risk, as nation-states and other threat actors look for impactful cyber targets. A ransomware attack happens about every 11 seconds and can cripple business operations for hours or days. Reputationally and financially, the impact may be felt for years or even decades. As cyber attacks rise in frequency and impact, insurance companies are also narrowing the coverage they offer.

In June, the federal government took action to try to force companies to act. It introduced Bill C-26 into Parliament, which aims to strengthen the cyber posture of the four federally regulated industries: telecommunications, transportation, energy, and finance. The proposed legislation carries significant regulatory requirements for reporting cyber breaches and hefty fines for failing to comply. Despite this, many organizations are still ill-prepared to withstand a cyber breach and perhaps do not even know where to start. Cyber hygiene refers to the fundamental cybersecurity best practices an organization can adopt to protect its network and digital assets. Cybersecurity is not solely an IT function; it is everyone’s responsibility. Following are some suggestions to get you started.

1. Educate your staff. Human behavior is THE number one cause of a cyber breach.

a. Someone clicks on an attachment in a phishing email, which releases malware into your computer system; soon your system is shut down and held for ransom.
b. Or a person who should not have access to confidential information fails to protect it, and your customers’ information ends up being sold on the dark web.
c. Someone takes their work laptop or mobile device home and logs into a public, unprotected network.

These are just a few examples of the most common human errors; the list is long. It is important to train staff on basic cyber hygiene principles and then to test compliance periodically. This is the easiest, cheapest, and fastest way to raise your organization’s cyber posture.

2. Use automated tools where you can. Patching your software when updates come out is an easy way to make sure it is protected against known vulnerabilities. It is important that updates are not ignored. Firewalls and antivirus software are also important tools in the arsenal to help protect critical networks.

3. Protect data. If you store customer and vendor data, ensure that it is encrypted and that you have policies and procedures covering where that data is stored (on site or in the cloud), how it is backed up, and how long it is to be kept before being destroyed. You also need to control who in your organization has access to that data—in general you should apply the principle of least privilege, where each employee or role has access only to the information needed to perform their task—not the entire system.

4. Password protection. A password is a first line of defense but is not enough on its own to protect against unwanted access. Ensure that your organization has strong password requirements that require frequent updating, or consider implementing multi-factor authentication to control access to company devices such as computers, laptops and mobile phones.

5. Working remotely? Employees may no longer be tied to the office as the shift to hybrid work environments continues. If they are working from home, or elsewhere, ensure employees use Virtual Private Networks (VPNs) to access the corporate network.

6. Revisit your physical security. Don’t let unauthorized personnel into areas where confidential company information is kept, for example, logged-in computers at unattended desks. Consider employee security and physical access restrictions. Do you know where servers and data are stored if they are on the premises? Are servers and other hardware under sprinkler systems, close to unsecured doors, or next to fire hazards?

7. Have an incident response plan. An incident response plan is a document that provides a set of instructions or procedures to detect, respond to, and limit the consequences of a cyber security breach. Your organization should have a plan; if you don’t, consult your industry and your insurance policy for the reporting and legal requirements that must be met should an incident occur. Build the plan not only for locating and addressing the breach, but also for when, how and what to communicate to stakeholders. You will also need to decide whether your organization needs a policy on paying ransom in the case of a breach. Engage the whole organization in developing the plan and practice scenarios so that roles and action plans are clear. This can save your business. Literally.

Industry associations can often help their members by offering training or packaging insurance policies in a more cost-effective way than businesses can do on their own. Check with your industry association to see what is available for your organization.

The point is to get started now. Having these basic elements in place is your best first line of defense. Don’t let a cyber attack derail your business because you were not prepared.

Tina Beaudry-Mellor is a partner at Deloitte Canada in Cyber Strategy and Risk Advisory.