New Threats to Security
In the next five years, it’s estimated that cyber attacks could cost companies three percent in lost revenue growth. Canada is particularly vulnerable. Last year, we had the third most cyber incidents in the world, according to a study by U.S. firm Risk Based Security. Another report notes that Canada has among the highest costs associated with a security breach.
Customer records, intellectual property, financial information, employee records, and business correspondence can all be at risk in a cyber attack. The growing demand for e-commerce and other technologies to facilitate financial transactions increases vulnerability. Hotels, for example, offer ample opportunity for cyber attacks in the wake of increasing credit card and debit transactions at check-in, as well as in hotel bars, restaurants and shops.
Businesses with a large amount of data are also vulnerable. Earlier this year, Olympia Financial Group Inc. announced that it had been a victim of malware that encrypted electronic data stored on the organization’s network. Fortunately, the Alberta-based trust company had measures in place to limit the exposure of customers’ personal information that might result from unauthorized access. The company “immediately implemented countermeasures to prevent further infection,” according to a Global Newswire story. Olympia had developed cybersecurity policies in consultation with industry-leading cybersecurity specialists.
However, Olympia may be in the minority. A survey by the Canadian Internet Registration Authority (CIRA) showed that 37 per cent of Canadian respondents didn’t have anti-malware protection and 71 per cent didn’t have a plan for safe system restoration following a breach.
From phishing to whaling - cybersecurity vulnerabilities
Cyber criminals are becoming increasingly sophisticated. Instead of blanket-targeting any employee, i.e. “phishing,” they now often target executives with access to company resources. This “whaling” involves sending a message that appears to be from a relevant employee, asking the executive to direct funds to an account controlled by the sender.
In addition, threat actors are increasingly able to exploit supply chain vulnerabilities. Due to the interdependent nature of many modern businesses, attackers are learning to exploit shared networks to get at primary targets. Increased digital capabilities, improved efficiencies and more growth opportunities have, conversely, created openings in systems for hackers to exploit.
As Accenture notes, “the rise of the IoT has expanded the surface area of attack for enterprise networks from thousands of end points—including remote devices, such as mobile phones and laptops—to several million for the largest companies. At the same time, the IoT compels all companies to suddenly manage what are often unfamiliar technology processes, where every connected device is a potential vulnerability.”
With more and more devices connected to the internet, cybercriminals will have new opportunities to use malware to generate or “mine” cryptocurrency. Ransomware attacks, like the one that encrypted Olympia’s IT system, are also on the rise.
Costs of cyberattacks
Globally, the average cost of a breach last year was US$3.86 million, up by 6.4 per cent from the prior year. According to Accenture, the value at risk through direct and indirect attacks in the next five years is US$5.2 trillion. That includes $347 billion in the banking sector, $340 billion in retail, $305 billion in insurance and $70 billion in travel.
A Ponemon Institute report notes that Canada is subject to some of the highest costs from a breach, including items such as notifying victims and engaging forensic experts.
As of last year, additional costs could include fines of up to $100k for failure to report a breach.
The Personal Information Protection and Electronic Documents Act (PIPEDA) stipulates mandatory breach notification rules. Under this act, the Office of the Privacy Commissioner of Canada (OPC) requires organizations to report any security breach involving personal information that creates a “real risk of significant harm” (RROSH) to both the people affected and the Privacy Commissioner. They must also keep records of all breaches.
Who’s at risk?
It’s not just big companies that are at risk. The CIRA survey found that 66 per cent of businesses with 250 to 499 employees experienced a cyber attack in the last 12 months. At the same time, it estimates that 70 per cent of data breaches happen against companies with fewer than 100 employees. A 2016 Symantec report found that phishers targeted small businesses (up to 250 employees) 43 per cent of the time.
Small to medium-sized businesses (SMBs) are even more at risk than larger businesses. Many can’t afford regulatory orders, fines, lawsuits and the reputational harm that results from a security breach. These businesses need to have a response plan.
Preventing and managing cyberattacks
The most effective strategy in combatting cyber attacks is to take preventive measures, and to prepare a response plan in case a security breach does occur.
Preventive measures include training and informing employees in your company about phishing schemes, installing anti-malware, encrypting personal data, purchasing cyber insurance, and consulting a cyber-security expert.
A breach plan should include investigation and containment, impact assessment, recovery, notification and communication, and evaluation and improvement.
Taking these and other steps probably won’t make your business invulnerable to attack. But as threats increase, staying on top of the latest security measures is the best policy, whatever the size of your business.