“This could easily have been any of us.”
I was recently asked to host an exclusive cybersecurity Digital ThinkTank roundtable with Canadian CIOs, partnering with the CIO Association of Canada. It was a timely topic and riveting discussion as barely a week goes by without a serious data breach hitting the headlines.
I began by discussing a couple of the companies recently affected by major breaches. “We know what a bad response looks like,” I told them. It is easy to predict the harm to organizations in the wake of a material breach and the all-too familiar pattern of departures in senior leadership and testimony before government inquiries that inevitably follows.
So, what does it take to change that conversation? The CIOs at the meeting had some interesting answers.
Protection is vital, but so is good cyber hygiene
Today, organizations know they need cutting-edge security technologies like next-generation firewalls, and security incident and event management systems, so their boards budget for them.
They also know they need good cyber hygiene such as strong password policies and that it is vital to patch vulnerable software. However, the CIOs agreed that patching isn’t always as easy as it’s made out to be. It can take months for a large organization to secure all of its systems. That’s why it’s important to classify data and patch the most critical areas first. An organization should identify its “crown jewels” - its most valuable and important assets,and make sure those are secured first.
This was met with agreement as one CIO commented, “15% of our data is critical. When we patched for WannaCry, we did it by priority because even if you have the best patch management in the world, you can’t do it all.” Ask yourself:
Why anyone would want my data?
What data would they want most?
For additional protection, some CIOs described sending out almost daily notifications educating their own team members about security and warning of new possible threats. Others have made cybersecurity part of their employee onboarding process, devoting time during orientation to security realities and challenges.
CIO’s are also pioneering novel approaches such as “Secure-by-Design,” so that new systems are secured before they become operational. We discussed Google’s BeyondCorp approach or ‘zero trust’ policy, where an employee’s status doesn’t automatically entitle them to access the corporate network and data. Everyone is treated as an outsider, subjected to the same stringent security whenever they log in. This could be a valuable approach for companies that, like TELUS, have a high percentage of mobile workers.
Know the threat landscape
As public cloud and social media increasingly become intertwined with the platforms for our digital economy, threat actors go where they can access you. Social media pages are seeded with malicious software (malware). Web traffic is encrypted by default and we need to direct more attention to protecting end-points.
Other potential dangers include increasingly sophisticated bots that can bypass traditional safeguards, IoT malware and insecure mobile APIs. Many mobile apps leak customer data and hackers have figured out how to get into them. In fact, one popular mobile device game was suspected of exposing players to a host of risks because of the personal information it gleaned from every user.
Consider different strategies
“Ransomware and DDoS attacks are what keep me awake,” claimed one CIO. As a result, the CIO mitigates risks by storing as little customer data as possible, avoiding credit card or social security information. This CIO prefers to let the banks handle financial data and the HR department maintain encrypted employee data. But the organization is still vulnerable to hackers seeking to take down its network.
Other organizations can’t operate without customer data and must find ways to secure it. For example, financial organizations need customer details to transact on their behalf. For them, testing is key. They do regular penetration testing (also known as pen-testing) to make sure their systems are secure and protected. Encryption can also be important, making any information useless to hackers, even if they are able to access it.
Even with the best protection you can afford, you must always assume that you can’t stop everything malicious. That means having the ability to detect breaches (many organizations don’t even know they’ve been hacked), respond to them and be prepared to recover data.
Part of disaster recovery involves disclosing a data breach to customers who have been affected. Right now, there are almost zero reporting requirements in Canada, but as all the CIOs acknowledged, this is about to change. The government is introducing amendments to the Digital Privacy Act that will require disclosure. But even before the new laws come into effect, companies need to consider how they will respond to a breach.
So, if the hackers are always one-step ahead and breaches are inevitable and if “we don’t know what we don’t know”, what can organizations do? One of the best approaches is to ensure that your digital providers are true partners who share your concerns about security. Another is to connect with experienced security experts who can help your organization protect itself and recover as quickly and effectively as possible.
Learn more about security solutions to protect your business.