The number and size of cyber attacks continues to increase but Canadian organizations still lag in seriously dealing with the problem, say two experts.
“The awareness level [of cyber security] is higher than I’ve ever seen it in 15 years that I’ve been in security,” said Jason Doel, co-founder of Toronto-based Tracker Networks, which makes information and business risk management tools. “In terms of maturity, though, other than really large enterprises, generally Canadian enterprises are not as mature managing it as U.S. and European firms. Certainly, mid-size companies have been later getting serious about it.”
“To a large extent I think the legal and regulatory framework is behind in Canada. Ultimately that is what drives a lot of the security marketplace: Being forced to do it. That is why in Canada large banks are quite mature, but they’ve been driven by their regulators for some time.”
That may in part be because cyber security has been seen as an IT problem, he said. “The more enlightened view is the business is the first line of defence, there’s responsibility at business level for identifying and assessing risk, and then overseeing and providing governance to make sure risk is adequately managed.”
Dave Masson, who has worked for both British and Canadian intelligence agencies and now manages the Canadian division of Darktrace, which makes threat detection solutions, said a major problem is CISOs don’t have enough visibility into their networks. “They quite simply don’t know what’s going on in the network now,” he said, “and they don’t actually know what is on the network. If you don’t know what you have how are you going to detect it?”
Since leaving the public sector last year he has been surprised by the naivety in the private sector here about the size of the cyber threat environment. Perhaps, he said, that might change if a Canadian organization suffers “a big hack.”
“I would suspect if ransomware became a big pain in the neck that might push people to do something about it.”
Doel and Masson are two members of a cyber security panel being moderated by IT World Canada CIO Jim Love at the annual Canadian Wireless Trade Show, Oct. 17-18, in Mississauga, Ont. Other panelists are Brian Kocsis, director of information security at Meridian Credit Union, which has 80 branches in Ontario and Quebec; and Bob Steadman, vice-president of security and compliance consulting at the Herjavec Group, a consulting firm with offices in Ontario, Alberta, Quebec and B.C.
Masson has also been an adviser to Ottawa on dealing with insider threats. Estimates of the number of employees who fit in this category vary. In its annual data breach investigation report, which compiles information from a number of security vendors around the world, Verizon Communications says on average 20 per cent of attacks are caused by insiders.
About 20 per cent of what Darktrace sees on customer networks is lateral movement, Masson said, meaning someone deliberately moving about the network. “The issue is whether you’re talking about a malicious insider or people who just make mistakes, and unfortunately there’s a good fraction who just make mistakes – people who dislike phishing training and still click on the link and download malicious software and all hell breaks loose. Having said that, let’s not underestimate the damage that can be done by a malicious insider. … You cannot ignore the insider threats.”
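Two of the points raised above, knowing what is on the network and spotting lateral movement, can be turned into concrete checks. The following is an added example, not code from the article or from Darktrace or Tracker Networks: it parses a constructed, syslog-like set of authentication records, compares the hosts it sees against an assumed asset inventory, and flags any account that reaches an unusually large number of distinct hosts inside a short window, which is the pattern a deliberate move about the network tends to leave. The log format, host names, thresholds and sample lines are all assumptions made for the example.

```python
"""Added example (not from the article): two simple network-visibility
checks over constructed authentication log lines.

Assumptions (mine, not the article's): records look like
'<ISO time> <user> <src> -> <dst>', and an inventory of expected hosts
already exists. The format, host names and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: the hosts we expect to see on the network.
KNOWN_HOSTS = {"ws-101", "ws-102", "ws-103", "fs-01", "db-01", "dc-01"}

# Constructed log lines: "<ISO time> <user> <src> -> <dst>"
SAMPLE_LOG = """\
2023-10-17T09:00:05 alice ws-101 -> fs-01
2023-10-17T09:02:11 bob ws-102 -> fs-01
2023-10-17T09:03:40 alice ws-101 -> db-01
2023-10-17T09:10:02 svc-backup ws-103 -> fs-01
2023-10-17T09:10:09 svc-backup ws-103 -> db-01
2023-10-17T09:10:15 svc-backup ws-103 -> dc-01
2023-10-17T09:10:21 svc-backup ws-103 -> ws-101
2023-10-17T09:10:30 svc-backup ws-103 -> ws-102
2023-10-17T09:15:00 carol unknown-7f3a -> fs-01
"""


def parse_log(text):
    """Parse each line into (time, user, src, dst); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "->":
            continue  # malformed record: ignore rather than abort the whole run
        ts, user, src, _, dst = parts
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)  # chronological; tuples sort on the timestamp first


def unknown_hosts(events, inventory=KNOWN_HOSTS):
    """Hosts seen as source or destination that the inventory does not know about."""
    seen = {h for _, _, src, dst in events for h in (src, dst)}
    return sorted(seen - inventory)


def fan_out_alerts(events, window=timedelta(minutes=5), threshold=4):
    """Flag any user that reaches `threshold` or more distinct destinations
    within `window`. A per-user sliding window drops events older than the
    window from the head, so the check runs in one pass over sorted events.
    Returns {user: peak number of distinct destinations in a window}."""
    alerts = {}
    per_user = defaultdict(list)  # user -> [(time, dst), ...] inside the window
    for ts, user, _, dst in events:
        recent = per_user[user]
        recent.append((ts, dst))
        while recent and ts - recent[0][0] > window:
            recent.pop(0)
        distinct = {d for _, d in recent}
        if len(distinct) >= threshold:
            alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("unknown hosts:", unknown_hosts(ev))    # ['unknown-7f3a']
    print("fan-out alerts:", fan_out_alerts(ev))  # {'svc-backup': 5}
```

On the constructed data the script reports one host missing from the inventory and one service account that touched five different hosts in under half a minute. The threshold and window are deliberately crude; in practice they would be tuned per account type (backup and scanning accounts legitimately fan out, so a baseline per user is the next refinement), but the shape of the check is what the quotes above are asking for: an inventory to compare against, and a way to notice movement while it is still small.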
Masson also has an opinion on the need for speedy patching in light of recent exploits of vulnerabilities. IT administrators wrestle with the problem because in some environments patches need to be tested before being implemented to ensure a fix doesn’t bring down other applications.
“Accept there will be intrusions, accept that people will get in,” he said – and be ready. “Come up with a technology that allows you to see what is happening now, because when you see subtle changes now deal with it when it’s a small problem rather than wait until it’s a bigger problem.”
There are four key things organizations should do to improve their security profile, Doel said.
“First, make sure the organization has an enterprise risk program in place, and cyber security is aligned with it … What goes along with that is recognition that executives and lines of business have a role to play in cyber security. They set the risk tolerance of the org, they have to be part of the risk identification and risk assessment process. You can’t just put it on the technical people.”
CISOs also have to pay more attention to protecting the critical data types and systems, he said. “What you often see in companies is they’ll have organizational policies and practices, but they don’t take the extra step of identifying what are the crown jewels – and are we verifying these best practices in our policies are being done.”
Another key defence is assessing third-party and supplier risk, Doel said. “You can outsource an operation but not risk,” he noted. He believes few companies do a good job of this: they may do an initial risk assessment but then never update it. The infamous 2013 Target breach was accomplished by hacking the chain’s ventilation (HVAC) consultant, which had network access, he pointed out.