With remote work bringing more people online, there’s now a cybersecurity crisis

Yogen Appalraju is a partner and the Canadian cybersecurity leader at EY Canada.

If the digitization of businesses has taught us anything, it’s that cybersecurity is much more than simply a technology risk, it’s also a very serious business risk.

A recent report from Statistics Canada showed that 18 per cent of Canadian businesses were affected by cybersecurity incidents last year, including 37 per cent of large businesses. By not giving the required attention to cybersecurity, businesses open themselves up to a plethora of risks, including effects on their operations, which will drive losses of revenue and profits. In fact, last year Canadian businesses spent $600-million on recovery efforts after cybersecurity incidents, a figure which doesn’t account for the reputational effect and subsequent loss of customers that a data breach can have on a business.

Much of the increase in these incidents can likely be attributed to the shift to remote work and the increased risks of using remote-access technologies. While many were expecting the high levels of risk to lessen as the pandemic restrictions eased, the continuing labour shortage in our country has further exacerbated those issues, with the needed cybersecurity talent simply not available.

One study concluded that the world’s cybersecurity work force needs to grow by as much as 65 per cent to meet industry needs, even as the available talent pool continues to shrink.

Any time cybersecurity is not able to receive the attention it requires – and support from the right processes, technology, and most importantly, people – risk is increased and the likelihood of a cybersecurity incident affecting a business rises drastically, especially when critical infrastructure that supports the businesses’ operations is compromised.

This is especially so in industries such as manufacturing or mining, where their entire field operations could be at risk of failure if their infrastructure is compromised. In an industry such as banking, a few hours of their infrastructure being offline could be catastrophic for both them and the many businesses who rely on their financial services as customers.

In 2021, a ransomware attack shut down the Colonial Pipeline – which transports nearly half of the fuel on the U.S. East Coast – for nearly a week. The attack sparked shortages, panic buying and a state of emergency declared by President Joe Biden. The total losses to the economy are impossible to quantify in dollar terms.

And such attacks are increasing, according to a report to be released on Thursday by Cloudflare Inc. of San Francisco, which provides webhosting for about 20 per cent of the Internet.

The company said there’s been a 30-per-cent increase in web traffic globally in 2021, and that has been accompanied by a year-over-year rise of 40 per cent in cyberattacks. Cloudflare says it blocks an average of 126 billion cyber threats every day.

Without being able to acquire the talent they need to support their cybersecurity efforts, what can businesses do to protect themselves and their critical infrastructure?

Leaning on under-represented groups that have similar skill sets can fill the talent gap; our company has been retraining military veterans for cybersecurity projects within the Government of Canada. There’s the rise of managed services – outsourcing to a specialized firm that can do more with fewer bodies. There’s also automation technologies that are easily scaled and do not require humans.

But more solutions are needed, especially from a big-picture, policy perspective, to tackle the root of the issue. For one, universities need to expand their offerings for cybersecurity, and students could be nudged toward them with tax breaks and scholarships.

The skills gap won’t be solved overnight, and the shortage of cybersecurity talent right now amounts to a crisis. The sooner we recognize this reality, the less vulnerable we’d all be.