Executive Pulse seeks input from Canadian leaders on vital issues that affect our business and economy.
Cyber Monday may be an annual boon to Canadian shoppers, but for the country's businesses, the cybersphere presents a daily headache in dealing with ongoing concerns over data and security breaches. Janet Kennedy, president of Microsoft Canada, and Dino Trevisani, president of IBM Canada, weigh in on the matter.
What is the best way for Canadian businesses to approach cybersecurity?
Janet Kennedy: Canadian businesses need to evolve their approach to security for today's mobile-first, cloud-first world. Businesses should start by getting the fundamentals right and then building out from there. Fundamentals include straightforward controls such as: updating computers, tablets and smartphones to the latest version of the operating system; turning on automatic updates; enabling anti-virus software; using strong passwords or enabling password alternatives; and education and awareness. Most businesses have focused on protecting their information technology assets and digital information; however, they also need to implement solutions to better detect cybersecurity attacks and breaches and then have a plan in place to quickly and effectively respond to those incidents if they occur.
Are there sectors that don't have cybersecurity enough on the radar? What are potential consequences of security breaches?
Dino Trevisani: Every company in every sector can always be doing more to protect themselves. This is just the reality we are in today.
A 2014 risk survey of 1,500 Canadians provided some key insight on what's at stake for organizations. Fifty per cent of respondents indicated they would likely do business with an organization that had above-average IT security, while more than 83 per cent of respondents indicated they would likely or very likely switch to a competitor if that organization experienced a data breach where personal information was lost or compromised. Whether the number of users actually switch to a competitor remains to be seen, however, if even 10 per cent of 83 per cent actually switched, that could have disastrous impacts. The consequences of a breach range from tangible impacts – corporate value, lost customers, compromised customer data, business continuity and the like – to intangible – reputational and brand erosion, stakeholder trust, and other impacts that are harder to measure.
In terms of financial impacts, we partnered with the Ponemon Institute [which conducts independent research on privacy, data protection and information security policy] earlier this year on a study that examined the cost of data breaches in Canada. Twenty-one companies participated in the study, which found that the average per capita cost of a data breach is $250 and the average total organizational cost is $5.32-million.
The industries with a per capita data breach of substantially more than $250 were financial, services, technology and energy. Public sector, education and consumer organizations had a per capita cost well below the overall mean value.
What can be done, both from a technology and institutional standpoint, to lower levels of anxiety over cybersecurity?
JK: It's important to have the right solutions in place and continually test them to ensure they stand up to the latest security threats. Businesses are increasingly recognizing that developing a comprehensive security plan may not be within their core organizational competencies and that cloud solutions can be more secure than on-premise security solutions. I liken it to keeping your money under your mattress instead of in a bank. Recognizing this, many businesses are partnering with companies to help find solutions to address their security needs.
Does the increasing use of technology, particularly with such things as mobile payments, make us more vulnerable to risk, or do cybersecurity tools do a good job of keeping up with the latest technologies? And how does the advent of the Internet of Things change security concerns?
DT: At a high level, cybersecurity is about more than just the latest technologies. It's about properly identifying and assessing the risks to an organization, ensuring that employees are trained and educated about these risks, and that the proper policies and response plans are put into place to manage these risks. On their own, technologies can only do so much.
With respect to the IoT, it's an expanded computing environment that presents a broad set of security challenges. In general, as devices become more connected and produce more data, the systems and applications supporting them become more vulnerable as potential attack points for malicious actors. Meanwhile, IoT systems that support manufacturing, energy, transportation and other industrial sectors of the economy are becoming more connected to enable broader visibility, control and condition-based maintenance. In doing so, they also become vulnerable to security attacks.
Business leaders should understand that there are different requirements for IoT security, depending on the risk profile of the system being secured. The security needs for a consumer IoT system to measure and control a watering system for garden plants are different from the needs of a complex, mission critical, enterprise petroleum drilling or pipeline operation that involves IoT-connected valves and pumps. The drilling and pipeline operations must include safety-critical systems to protect the business, the environment and human life. The risks and costs of compromise for the drilling operation are far greater than those of the home garden watering system. As such, comprehensive security measures, expertise, analysis, testing and management are necessary.
Does Canada have a cybersecurity talent shortage, and if so, how can this be countered?
DT: It's not just Canada, but a global issue. Companies in nearly every industry are working to invest in hiring and recruitment, talent and training and other initiatives to bring their organizations up to speed with the rising threat of cyberattacks. A recent study, led by Forrester Research and IBM, shows global IT decision makers and business leaders have acquired security technology but lack the skills needed to apply these technologies and protect their businesses. There is a shortage of people to design secure systems, and to create tools to prevent, detect or mitigate system failures and malicious acts.
But more can be done and with a greater sense of urgency. As our chairman, president and CEO, Ginni Rommety, said recently: "We believe that data is the phenomenon of our time. It is the world's new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world."
JK: The Information and Communications Technology Council has said that by 2019 Canada will require approximately 182,000 critical ICT positions. While a portion of this number are definitely security and privacy specialists and experts, it's not just a cybersecurity gap. We would love to see computer science added to the curriculum at the elementary and high school level and we're working with schools and school boards across the country to make technology accessible to every student.
Responses have been edited and condensed.