It seems that the topic of this quarter has been cybersecurity, and rightfully so.
We're hearing of major data breaches occurring on nearly a monthly basis. Recently the HBO cyberattack leaked proprietary information from Game of Thrones, season seven, including an episode and script. In June, a Petya malware attack took over computers across the globe, demanding ransom from its victims.
HBO is one of the lucky ones, if you ask me. The cable and satellite television network has the resources to come back from this. For other smaller businesses with plenty of competition, however, a data breach can be absolutely crippling. With Canada's Digital Privacy Act soon requiring that breaches be reported to regulators and clients, it's not only an organization's infrastructure and bottom line that will suffer as they try to recover from an attack, it's their reputation.
You might think that this would encourage organizations to take every step possible to ensure they were doing everything in their power to protect themselves from potential cyberattacks, but according to a recent survey conducted by Ovum for FICO, this is not the case.
Although 76 per cent of Canadian executives surveyed admitted that they expect the number of data breach attempts to increase over the next year, less than half (46 per cent) reported that their organization's level of investments in cybersecurity will increase over the same time period.
Further, 68 per cent reported that their organization's volume of attempted data breaches has increased over the past year. While 53 per cent of U.S. respondents felt that an assessment of their firm's cybersecurity in a year's time would show improvement, that number was significantly lower in Canada, at only 36 per cent.
As a business leader it can be easy to brush off the risks of gambling with your organization's data with the sentiment that "it will never happen to us," but the reality of the situation is it very well could. When you look at attacks like WannaCry, which targeted those using a Windows operating system and demanded ransoms delivered in bitcoin, you realize that no one is out of reach. Organizations of all sizes with varying levels of resources are now being targeted and infected.
It's not only an organization's infrastructure and bottom line that will suffer as they try to recover from an attack, it's their reputation.
If that's not enough, it's not only your organization that you have to be worried about, but every partner in your supply chain. These partners likely have access to your systems and your data to some degree. If not, you are most certainly interacting with them on a digital level. If they become infected, you might be going down with them. There are tools out there that can help, for example, the Enterprise Security Score allows organizations to assess, score and identify weaknesses in their cyber-defense walls.
A great back-up defensive mechanism is cyber-risk insurance. While Canadian organizations rank higher than our U.S. counterparts, it appears that more than one-third do not have cyber-risk insurance. Further still, 16 per cent have no intention to obtain this insurance for their business.
Why is this? It could be that cyber-insurance pricing is viewed as being unclear. Eighty per cent of Canadian respondents feel that insurance companies should be doing more to help organizations understand how their risk price structure is calculated, while 20 per cent believe that their business' calculated premiums do not accurately reflect their risk profile.
Moreover, it could be that businesses perceive difficulty in identifying the direct return on investment from a major cyber-insurance purchase. When an organization sits down and evaluates how best to spend their budget for the year, understandably it may be tough to allocate a big portion of the funding to an area where added value is not immediately visible. So you're probably wondering what the best way to invest to protect your business is. Each investment works differently, but there are three major strategies that should be considered.
Defense: Imagine your business as a castle. The first way you can protect it is by investing in firewalls—these are your castle's defensive walls, and your moat. These will hopefully deter attackers from targeting you in the first place, and will provide a barrier if they do come after you. Now, you can build these walls higher and higher, and you can add more bricks to make it thicker, but no matter how well you protect the perimeter, none of this will matter if an unsuspecting villager lets the attackers in (willingly or unknowingly — by downloading infected files for example) — like a Trojan Horse.
Insurance: While this doesn't protect you from being attacked in the first place, it will help cover the, potentially significant, costs of any liability which may arise, as well as policyholders' own losses including legal, IT security and regulatory costs, if you are breached.
Analytics and analysis: Investing in technology that allows you to proactively monitor your organization's enterprise security risk is another option — and one which may deliver the most obvious value to your team. In its most leading-edge form, this technology can provide a 360-degree analysis of where vulnerabilities in your current security infrastructure and system exist, and how you can fix them. As tangible weaknesses are identified, this could mean training for staff, updating operating systems, or interpreting where the bulk of your attempted breaches are coming from so that your organization can better block and deflect them — ultimately allowing you to prevent a damaging event like the high-profile breaches we have seen recently.
A combination of defense, insurance and analysis is the most powerful protection against the increasingly risky cyber-landscape. However, it can be challenging to know where to start. Having the analytic tools to identify and break down your organization's risks can make the process of protecting yourself much easier to tackle; without these tools, it's not unlike trying to drink from a fire hose —totally overwhelming.
It will take some time, but it is important to ensure you are doing everything in your power to protect your organization from the potential damage of a cyberattack.
Also on HuffPost: