Event summary produced by the Globe and Mail Events team. The Globe’s editorial department was not involved.
Are executives fighting a losing battle when it comes to fending off cyberattacks? Yes and no, according to security experts who spoke at The Globe and Mail’s second annual Cybersecurity for Business Leaders event in Toronto on October 1.
The bad news is it’s nearly impossible, especially for small businesses, to keep pace with all the security patches issued by the big software companies such as Oracle, said Melissa Hathaway, who served as cybersecurity advisor in the administrations of former U.S. presidents Barack Obama and George W. Bush.
“Every month we have this thing called patch Tuesday. It was started by Microsoft about 10 years ago,” Ms. Hathaway said, explaining software companies sometimes release as many as 90 software patches for businesses to implement.
“It’s difficult to get to 90. Even if you have 20 that are critical, it will take a long time … and our small businesses, sometimes they never patch. It’s 70 per cent of Canadian small businesses that never patch.”
Ms. Hathaway called for regulations requiring software companies to stop releasing vulnerable programs and code, similar to legislation in past eras requiring the use of seat belts, and laws that banned unsafe toys and cribs for children.
In the meantime, the good news is there are steps executives can take to minimize cyber risk and respond to attacks. Below are key action items:
Practise for an attack
“We run table-top exercises,” said Serge Bertini, vice-president and country manager for Canada with CrowdStrike. “You get all the executives in a room and plan... When [an attack] happens, they all know their role and what they have to do.” That preparedness should include a communication plan to employees, clients or consumers, Ms. Hathaway added.
Connect IT to business risk
Companies that are most prepared have converged information technology (IT) incident reporting with business continuity and disaster recovery plans, instead of looking at each program in isolation, added Ms. Hathaway. She also advised businesses to diagram their networks to understand who has access to what data.
Check your supply chain
Attackers will often go after a small business as an entry point to a larger target, said Robert Gordon, executive director of the Canadian Cyber Threat Exchange (CCTX). “If you’re relying on a small trucking company that brings in raw parts, the attacker will say ‘if I want to shut you down, I’ll shut down the trucking company.’”
Pay attention to your devices
Mr. Gordon relayed how an attacker got into confidential client data in a Las Vegas casino by hacking the control system of the on-site fish tank. Another organization – a large financial institution – was breached when a hacker accessed the digital display screen in the lobby. In the era of the Internet of Things, business leaders should ensure connected devices aren’t potential points of entry.
Be careful at home
While business leaders are often cyber-aware at work, they can let their guard down at home. “A lot of executives are being targeted at home,” Ms. Hathaway said. “Are you doing VPN on the same computer your kids have PlayStation on?”
Collaborate and share
Mr. Gordon explained how the CCTX brings companies together, even competitors, to share information on cyberattacks. “Participating in threat sharing is a huge way to reduce your vulnerability … It doesn’t cost you anything.” He said on average, attackers are inside a target business for 181 days, gathering information and learning how the business operates. Sharing information lowers that average and makes it harder for attackers to get inside in the first place, he added.
Develop good cyber hygiene
Mr. Bertini noted October is Cybersecurity Awareness Month but the threats need to be top of mind every day, at every level of the company. Awareness means practising good cyber hygiene – avoiding public WiFi for corporate use, always using two-factor authentication on devices, and backing up critical data in case individual computers fall prey to ransomware attacks.
Find IT people who can speak business
“You might be better off taking a business-trained person and turning them into a security specialist,” noted Jeff Curtis, chief privacy officer with Sunnybrook Health Sciences Centre. He said security people often lack an awareness of business risk, or the ability to put the risk into terms executives can relate to. When hiring, Mr. Curtis looks for security candidates who have strong communication skills. He also suggested considering business training for security employees with strong potential.
All too often, executives and board directors are told “don’t worry, we’ve got this covered,” by IT and security people, said Mr. Bertini. Leaders should keep going back to ask questions such as “why” systems are safe and what specific safeguards are in place. “It takes a long time to tell the truth and to understand it,” he noted.
Broaden your talent pool
Non-technical employees can play a role in security, said Andreas Faruki, a partner in the risk advisory practice of Deloitte Canada. He referred to a report prepared by Deloitte outlining key personas such as the ‘hacker’, the ‘strategist’, the ‘advisor’, and the ‘fire fighter’, who can be sourced and developed from other areas of the business beyond IT.
He and Leah Nord, director of skills and immigration policy with the Canadian Chamber of Commerce, cited a vacancy of 8,000 cybersecurity jobs in Canada. Bringing more women into the field and retaining them will help, along with partnerships with universities, colleges and schools. It’s also key to keep an open mind when hiring.
“You’re not going to get the ideal candidate out of the bucket,” Nord said. “Take a sociologist and give them cyber skills. Take an IT person and give them durable skills.”
Pay attention to trade deals
Cybersecurity is a sleeper issue in numerous trade agreements, cautioned Bonnie Butlin, co-founder and executive director of Security Partners’ Forum. For instance, she noted the United States-Mexico-Canada Agreement (USMCA) prevents government and businesses from opting to keep data on domestic servers. Cybersecurity regulations aren’t harmonized between Canada and many of the jurisdictions covered by these trade agreements – a consideration executives should be aware of.
The speakers agreed preventing every cyber breach is an unattainable goal. Cyberattacks are perpetrated by organized crime and nation states, and many of them collaborate to operate more effectively. In response, Canadian business leaders should ensure they’re prepared and know how to respond to an attack, work together to share intelligence, and keep security top of mind through the corporate ranks.