It’s undisputable and double-edged contradiction. Technology is a vital and invaluable fact of business life. It is also a colossal risk with threats almost everywhere.
Connectivity through the Internet has redefined business with tremendous efficiency, productivity and profitability. However, that transformational technology is also redefining the focus of risk management.
“Cybersecurity may be the top risk for most organizations today,” warns Alberta-based Dom Amyotte, security sales specialist at Scalar Decisions, Canada’s leading IT solutions integrator. “The combination of our dependence on technology with the increased prevalence and immediate impact of cyber-threats makes this a challenge that cannot be ignored.”
The most recent Global Risks Report from the World Economic Forum shows cybersecurity as a top-three likelihood and a top-five impact, behind extreme weather and natural disasters. IT experts are not discouraged but agree that since there is little direct control over the natural environment, cybersecurity is today’s top risk that can actually be managed.
News headlines about high-profile cyberattacks like Target, Marriott, Equifax and Sony create the mistaken impression that cyber breaches target giant organizations.
Amyotte underscores that, in the real world, the opposite is the scary reality. “In Scalar’s 2018 security study, we found that 87 per cent of Canadian companies had suffered a cybersecurity breach. Sadly, this continues to grow, to the point where virtually every company has had a breach of one type or another.
“It’s a documented fact that cybersecurity is one of the top risks that SMB organizations are dealing with. A dramatic increase of cybercrime and related threats such as cryptoware and email fraud have brought the problem to the forefront, regardless of an organization’s size or industry,” he cautions. “Cybercrime does not discriminate according to size.”
Trac Bo is the technology risk services leader with MNP, one of the largest full-service chartered accountancy and business advisory firms in Canada, and he emphasizes the vital business reality that as cybersecurity evolves, it is no longer a threat targeting solely large corporations. “Attackers are expanding their scope to include organizations of all sizes and industries. Small and mid-sized businesses (SMBs) often do not have the resources and budget to focus on cybersecurity, potentially leaving this range of organizations more vulnerable to emerging cyber-threats.
“As the threat landscape continues to grow and evolve, SMBs will see a higher frequency of cybersecurity incidents, especially if the focus on cybersecurity continues to be neglected.”
Bo continues, “Technology brings risk to all businesses, regardless of size. From email phishing to ransomware, we have seen more and more clients reach out for help responding to a breach. Some have even started proactively planning their incident response so that they will be prepared to act whenever it does happen.”
As more and more SMBs consider their vulnerability and confront the critical need for cybersecurity as a key aspect of their risk management toolkit, they are jolted to understand the real reasons (versus Hollywood versions) for the business epidemic of cybercrime.
And the real details are not nearly as juicy or simplistic as the exciting espionage clichés about stealing company secrets.
“Regardless of the size of an organization, cybercriminals are generally looking to steal confidential information, such as personal/customer, financial and proprietary information,” Bo explains. “An attacker can manipulate companies in a few ways to profit. Cybercriminals will try to exploit weaknesses in a SMB’s weak IT practices by locking or encrypting their data and demanding a monetary ransom to unlock the information.
“Or, a criminal may breach an organization, steal confidential information and sell it on the black market for profit. Similarly, through social engineering techniques, a cybercriminal may deceive employees into sending money to the attacker via email phishing, posing as a vendor or client demanding payment.”
The unavoidable and challenging fact of cybercrime is that today’s hackers are sophisticated criminals who are perfecting the art and science of monetizing their cyber theft. In a state-of-the-art, high-tech way, the theft is like the curse of retail shoplifting, with the basic purpose of making money by selling stolen loot.
“Current estimates show that the annual profits for cybercrime top $1.5 trillion U.S.,” Amyotte points out. “It is eclipsing the sale of illegal drugs. In the 2018 Scalar cybersecurity study, we found that most attacks focused on immediate financial gain by the attacker. They generate money by stealing information and selling it on the black market.
“Credit card numbers go for between $5 and $110 each. Driver’s licences and loyalty accounts are about $20 each. There is the common cybercrime weapon of holding a business’ data ransom. The typical price to get the business’ data back is $500 to $5,000. Or the hackers can trick the business into issuing a payment to a fraudulent account. It can be anywhere from $5,000 to $20 million and is typically tailored to what is normal for the organization.”
There are volumes of reports and pages of Google links detailing and documenting incidents and aspects of cyberattacks and breaches of cybersecurity. Particularly SMBs, who invariably don’t have the luxury or budget of in-house IT staff and expertise, anxiously ask consultants for help to detect common warning signs of possible cyberattacks.
“As cybersecurity threats persist and evolve, so do cybersecurity defence strategies and technologies,” Bo adds with an important warning. “The crucial fact is that technology can only do so much for an organization. The compelling and bottom line fact is the evolution of cyber-threats focuses on the weakest link of an organization’s security – typically the end user.
“Social engineering – such as email and phone phishing – attempts to coerce employees and executives to provide attackers with confidential information, credentials or transfer funds. And social engineering doesn’t end at the keyboard,” he points out.
“Attackers may also go to extremes such as attempts to tailgate employees into company buildings and offices, preying on a person’s natural tendency to be polite. These common attack techniques are more likely to succeed against people, rather than technological attacks, as defences become more difficult to breach.”
According to IT and cybersecurity experts, SMBs should be vigilant about:
- Unusual behaviour on the business’ system, like suddenly being very busy and things happening without anyone doing anything.
- Files, emails and other items that “go missing” without explanation.
- Phishing emails trying to trick users into clicking links that run software.
- Focused and/or tailored phishing emails from external users that are highly focused to the specific organization.
Understanding a business’ vulnerabilities and how cyberattacks happen is, of course, half of the risk management challenge. What to do about it is key. “We encourage businesses, regardless of size, to develop cyber-resilience within the organization,” urges Scalar’s Dom Amyotte, “to develop the ability to prevent, detect and recover from an attack.” He emphasizes that, particularly, SMBs should:
- Prepare for attacks by assessing the business’ exposure and conduct a comprehensive threat risk assessment (TRA) – using the findings to develop and implement a security plan.
- Establish strong IT security controls to prevent as many attacks as possible.
- Build detection capabilities, including training staff how to identify threats and malicious activity.
- Respond as efficiently as possible. Similar to fire drills, preparation and practice allows the organization to quickly respond, avoid mistakes and reduce the impact of an attack.
As technology continues its warp-speed evolution – and as the cloud increasingly becomes a part of every IT environment – 2019 will be a key year for reskilling the workforce, educating new talent and making the right moves to face cyber-threats and challenges.