
All you need is a good firewall. Library/mnp/images/pdf/0065M-17-CORP...

CYBER SECURITY IN THE HYPER CONNECTED AGE

<Myth> All you need is a good firewall. </Myth>

Challenge the Myth


Approximately 55 percent of organizations across North America experienced a cyber attack in the past year. As cyber security breaches have become increasingly common in both the public and private sectors, companies’ awareness of their risk exposure has risen greatly, as well. Companies of all sizes are paying more attention to cyber security issues and raising the issue around leadership and boardroom tables alike.

The figures around cyber security breaches are truly staggering. In 2015, more than 169 million personal records were exposed as the result of 781 publicized cyber breaches across the financial, business, education, government and healthcare sectors. The average global cost of each lost or stolen record containing confidential or sensitive data was US$154 — not to mention the potentially irreparable reputational damage caused among customers and business partners. And the cyber security threat is only growing.

Yet while a growing number of companies are now aware of the potential threat cyber breaches pose, many of them do not realize how cybercrime itself has changed and what this means to their business. As a result, many companies underestimate the risks they face and leave themselves vulnerable despite all their cyber security investment.

THE CHANGING FACE OF CYBERCRIME

Cybercrime is no longer a matter of malicious individuals hacking into corporate bank accounts — if that was ever much more than Hollywood fantasy. Today companies are under cyber siege around the clock from every direction, and cyber criminals’ targets aren’t what you might expect.

[1] Source: ITRC, “ITRC Data Breach Reports - 2015 Year-End Totals.”

[2] Source: IBM/Ponemon, “Cost of Data Breach Study: Global Analysis.”


EVERYONE’S A TARGET, JUST NOT NECESSARILY THE ULTIMATE ONE

“Why would anyone hack us?” is something we often hear in our conversations with clients around cyber security matters. Many companies, particularly small or mid-sized organizations, simply cannot believe they would be targeted by cybercriminals. But these companies and others like them are targets, because once breached they provide a means to infiltrate another organization — possibly the “real,” ultimate target.

The role played by third parties, whether vendors, suppliers, customers or partners, has come under increasing scrutiny in the aftermath of high-profile cyber security incidents. Up to 70% of cyberattacks involve a second victim [3] — and 75% of attacks spread to that second victim, often the main target, within 24 hours.

Of course, many small- and mid-sized Canadian companies play an integral part in the value chain of organizations worldwide. And in today’s cyber security environment, that leaves them open to cybercriminals. Companies that do not take steps to identify and address these vulnerabilities could find themselves with irate customers and imperilled business relationships.

CYBER CRIMINALS ARE MORE DIVERSE AND SOPHISTICATED THAN EVER

Today’s hackers are not antisocial loners huddled over a keyboard in a basement or bedroom — they are highly sophisticated groups with the resources to mount constant cybercrime campaigns.

Companies now find themselves under cyberattack by “hacktivists,” organized crime groups, state-sponsored organizations and others. Their objectives can be as varied as their origins. Hacktivists may breach a company’s defences to uncover and make public confidential information in order to embarrass, incriminate or damage the reputations of organizations whose business or activities they disapprove of. Organized criminals worldwide may be running elaborate, long-term phishing or ransomware campaigns as a means to generate illicit funds. State-sponsored hackers could be attempting to infiltrate companies to obtain competitive intelligence, sensitive financial information, or cutting-edge research and intellectual property. Still others, aiming to cause more widespread harm, may be trying to shut down vital infrastructure — from a remote mine’s water pumps to an entire region’s electricity grid.

No matter their goal, modern cybercriminals are by no means amateurs. They are highly organized and very motivated to achieve their objectives. Like legitimate companies, they set business goals and work hard to meet monthly, quarterly and annual targets. They develop sophisticated strategies and “marketing” campaigns and employ specialized talent to monitor the market and identify prospects. They take a “customized” approach to each target, tailoring malware and other tools to suit — 70% to 90% of malware samples are unique to the targeted organization [4]. And they are very successful: research has found that five of every fifty phishing emails succeed, a response rate that any

[3] Source: Verizon, “2015 Data Breach Investigations Report.”

[4] Source: Verizon, “2015 Data Breach Investigations Report.”


CYBER BREACHES ARE THE RULE, NOT THE EXCEPTION

As organizations in every industry become ever more digitized, the number of potential access points into a company’s systems grows. It is no longer just a matter of browsers and email programs — today, companies are linked together in an intricate web of digital connections all along the value chain. Plant equipment, remote monitors and even vehicles are now connected to the internet. Employees are connecting their smartphones to corporate networks over not-so-secure wi-fi. Every point of digital connection is a potential attack vector and companies’ defences are only as strong as the weakest link to the network. And with cybercriminals launching wave after wave of attacks, there is no way to stop them all.

The fact is, cyber breaches are inevitable. It is not a question of if, but when. At least 52% of respondents to a 2015 survey believe they will fall victim to a successful cyberattack within the year [5]. Countless companies have been breached already; some know it, while others have no idea. Many more will be breached at some point; some will know when it happens, and others will not. Often, these companies will only realize they have been breached once they are told by someone else, such as a customer, a supplier, or a law enforcement agency.

Cyber breaches are now the rule in today’s business environment, not the exception. It is a fact that overturns long-held assumptions about how companies should approach cyber security. Old notions of erecting a firewall around the whole organization — of trying to protect absolutely everything — are in fact unworkable and costly. In other words, companies can’t prevent breaches, and they cannot protect everything. Pouring money and energy into trying to do so is costly and ineffective.

A new approach to cyber security is needed, an approach that reflects today’s realities yet protects a company’s most valuable assets. It is an approach that requires a deep understanding of a company’s business risks — and the resilience to deal with the inevitable breaches when they occur.

TACKLING CYBER SECURITY

Effective cyber security is not impossible in today’s hyper connected world, but it has changed a lot since companies took their first steps online. The good news? Tackling cyber security challenges starts by focusing on the fundamentals: the company’s business goals and key business risks. While companies cannot address every security risk at once, using a pragmatic and prioritized risk methodology can help them exercise due diligence and due care when addressing cyber security. And the more clarity companies have about their most probable and material cyber risks, the better they will be able to optimize the cost-effectiveness of their cyber security controls.

[5] Source: CyberEdge Group, “2015 Cyberthreat Defense Report.”


START BY FOCUSING ON CRITICAL BUSINESS RISKS

Many companies struggle to understand their cyber security risk exposure and end up spending enormous resources only to miss critical vulnerabilities. Why does this happen? Because companies often treat cyber risks as a special category of risk and address it in isolation.

But cyber risks are business risks, pure and simple. A security breach itself means little — it is the financial, operational and reputational consequences of that breach that can harm an organization. Yet in our experience, few companies look at cyber risk through a business risk lens.

Any conversation around cyber security should begin with an assessment of the company’s business goals — and the major business risks facing the enterprise. Organizations should take a complete view of their enterprise risk to ensure they capture all the pertinent risks that could derail the business and damage the company’s finances, operations or reputation among customers, business partners, the finance community, regulators and larger public.

In tandem with this effort, companies should undertake efforts to measure and understand their maturity around existing security controls that protect significant business assets. When doing this, a commonly used and effective framework such as the Critical Security Controls should be referenced. Once the controls are identified, vertical-specific attack and threat data should be used to help prioritize cyber security initiatives to prevent the most common and frequent attacks.

Offensive security techniques should also be used to uncover vulnerabilities in companies’ networks and systems. External advisors can be engaged to review and test existing controls, whether technology- or process-based, to determine their strength and ensure they are functioning as intended. Outside advisors can also provide fresh insights into likely attack vectors and techniques used in a company’s particular market or industry. It is important to treat these steps as part of an ongoing exercise; hackers never stop thinking about new ways to succeed, which means companies can never stop working on their cyber preparedness.

Once controls and risks are identified, organizations can prioritize cyber security initiatives. Leadership teams can zero in on the assets, data and systems that must be protected with the finite resources available. It is essential to protect private, personal information about employees and customers, including credit card information, and most companies will add financial information to that list as well. A company’s business risk assessment may compel it to invest in protecting other areas as well — from critical infrastructure to security systems.

Focusing on the most important business risks and the relevant vulnerabilities ensures cyber security investments achieve the maximum impact. Once the highest-priority areas are secured, in subsequent years companies can move on to improving cyber security around the areas that are next on the priority list.


DEVELOP A CYBER RESILIENCE PLAN

Businesses have little choice but to focus their cyber security investments on protecting their most critical assets and this necessarily leaves other areas of the business vulnerable to inevitable cyber breaches. These vulnerabilities can be addressed by developing a comprehensive cyber resilience plan that enables companies to swiftly respond to any breach.

A cyber resilience plan — often called an incident response plan — provides organizations with a clear framework for dealing with any instance of cyber breach. It sets out exactly what needs to happen in response to an incident to stop the incursion in its tracks and limit the damage to the company and other affected parties.

Cyber resilience plans should outline the steps to be followed to contain a breach and isolate any affected systems, patch or otherwise remediate any exposed vulnerabilities, conduct post-incident root cause analysis and debriefing, and develop an improvement plan going forward.

The most important part of the cyber resilience plan, however, is the communication plan. When a breach occurs, it is vital people know exactly who needs to be contacted and what needs to be communicated to them — from company executives and directors to customers, suppliers, regulators and other stakeholders. Swift, frank and accurate communication can enable all those affected to take steps themselves to “stop the bleeding” caused by a cyber breach and minimize any damage caused. As well, companies should ensure they act fast to establish relationships with external parties that can help with incident response; discussing potential scenarios well before an actual breach occurs can improve companies’ ability to get the help they need when they really need it.

Developing a cyber resilience plan is in itself just the start. Training in the plan is essential to ensuring the company can spring into action when needed and move with speed and determination. Organizations should practice their cyber resilience plans in the same way they periodically rehearse health and safety drills or disaster recovery planning. This will make plan execution nearly automatic and mitigate the risk of poor decision making in the heat of the moment.


CYBER SECURITY: KEY CONSIDERATIONS

Eager to make the most of limited cyber security resources? Want to ensure your investments are protecting the right assets given your business and risk profile? Here’s where to start.

• Ensure you understand your company’s key business risks. A comprehensive enterprise risk assessment can uncover the financial, operational and reputational risks facing your company. If you do not have the full risk picture, you could be missing something critical. Discuss how risks may interconnect and interact with one another to create a risk domino effect. Identifying key business risks will help you determine which key assets and systems need to be protected and drive the set of key controls that need to be in place.

• Understand your cyber security maturity. Leverage a structured approach using a cyber security framework such as Critical Security Controls to help you understand the controls you have. Optimally, this effort would provide a maturity dashboard to assist in determining liabilities and risks; recommended strategies to reduce those liabilities and risks; tailored analysis based on quantitative threat data; a prioritized, customized risk-based roadmap; insights to ensure budget and resources are allocated correctly; and an overall maturity score.

• Assess your organization’s cyber security vulnerabilities, including performance of penetration testing. Vulnerability assessments identify the particular security vulnerabilities for each asset or resource on your network; penetration testing simulates a cyber attack on your company in an attempt to gain access to critical systems or sensitive data. Both provide a “tactical” assessment of the effectiveness of your organization’s existing cyber security controls across the business — especially those involving your key risks.

• Look at what’s happening in your industry. What are your industry-wide risks? Which attack vectors are typically used in cyber security incidents in your industry? What are the baseline controls commonly used in your sector and among companies of your size? This can help identify the absolute minimum you need to meet — and build on.

• Close the gaps. After assessing your business risks, identifying vulnerabilities and determining the security standards in your industry, make a plan to invest in the appropriate process and technological improvements needed to close any gaps you have discovered.

• Beware of “shiny-toy syndrome.” Avoid investing in new cyber security technologies just because they are available or promise superior protection, because they may do nothing to address your company’s unique combination of business and cyber risks. In some cases, a simple policy change or training program is all that is needed to address a cyber security gap. Conserve your resources for what really matters.

• Get outside help when you need it. Cyber security is complex, resource intensive and constantly changing. It can be hard for companies to stay on top of it. An external advisor can help you understand your cyber security priorities and key vulnerabilities and develop a strategy to address them, bringing you insights gathered through their work with a wide range of companies in many industries. They can also help you respond rapidly to breaches when they occur to help your team bring a swift resolution to the incident.

• Manage expectations of leadership and boards. Continuously help leaders understand your company’s cyber security risks and your priorities to mitigate these risks. If you have concerns there might not be sufficient resources to provide critical mitigation, make sure you communicate this to leadership and the board. You may not be able to do everything you want to do, but at least you will have effectively managed expectations on risk exposure.


MNP IS READY TO HELP

For decades, MNP has helped Canadian companies and other organizations overcome their business challenges and achieve their goals. As one of Canada’s largest cyber security advisory practices, we are well positioned to help you develop a cyber security strategy that addresses your unique situation, risks and objectives.

To learn how MNP’s team of professionals can help your company succeed, contact:

Danny Timmins National Cyber Security Leader T: 905.607.9777 E: [email protected]

Trac Bo Cyber Security Leader, Western Canada T: 403.263.3385 E: [email protected]

Eugene Ng Cyber Security Leader, Eastern Canada T: 905.607.9777 E: [email protected]


ABOUT MNP

MNP is a leading national accounting, tax and business consulting firm in Canada. We proudly serve and respond to the needs of our clients in the public, private and not-for-profit sectors. Through partner-led engagements, we provide a collaborative, cost-effective approach to doing business and personalized strategies to help organizations succeed across the country and around the world.

Praxity AISBL is a global alliance of independent firms. Organised as an international not-for-profit entity under Belgium law, Praxity has its executive office in Epsom. Praxity – Global Alliance Limited is a not-for-profit company registered in England and Wales, limited by guarantee, and has its registered office in England. As an Alliance, Praxity does not practice the profession of public accountancy or provide audit, tax, consulting or other professional services of any type to third parties. The Alliance does not constitute a joint venture, partnership or network between participating firms. Because the Alliance firms are independent, Praxity does not guarantee the services or the quality of services provided by participating firms.

Visit us at MNP.ca