Getting an entire organization to buy into strong cybersecurity practices is easier said than done. The remote work era has forced business leaders and employees to take cybersecurity much more seriously, but it’s also slowing IT hiring, according to a survey from the Canadian Internet Registry Authority. Day 2 began with the release of CIRA’s report, in which roughly 30 per cent of respondents also say their organization has seen a spike in the volume of cyberattacks during the pandemic.
These are among the results of a survey of 500 workers with responsibility for IT security and who manage a minimum of 50 users of desktops or mobile devices for at least 20 per cent of their work.
Where do I start?
David Shipley, founder of Beauceron Security, stepped up to the plate next to shed light on what makes a good cybersecurity awareness campaign.
Shipley’s five steps for building a strong awareness campaign are:
- Develop a baseline
- Shape behaviour
Don’t jump into the education bit right away – developing that baseline is crucial, he emphasized. There are also several reasons these programs can fail: It’s seen as an IT-driven project – “oh it’s just those basement dwellers trying to push us around” – or the training is overly focused on phishing click rates. Look at reporting rates instead, Shipley encouraged. Find out how many knew they were being phished, and how many of them reported it to the right people.
A subsequent panel dug a bit deeper into what makes a good awareness campaign. That panel, moderated by Spencer Callaghan, communications and content manager, CIRA, at one point highlighted a “very effective” phishing campaign launched against CIRA’s building management staff. According to Callaghan and fellow panellist Jon Lewis, the phishing hook contained a request for building staff to input certain tenants’ information, as well as a convincing parking spot reservation sign-up sheet.
All of CIRA’s phishing projects are benchmarked to this one, said Callaghan.
Municipalities – you holding up okay?
Canadian municipalities have become targets of choice for ransomware. Yes, enterprises are still juicy targets, but municipalities can help criminals earn quick bucks. The City of Stratford, Ontario, learned it the hard way. In April 2019, cybercriminals hijacked part of the city’s computer servers, locking out several municipal employees. The attackers held hostage sensitive data and were demanding money in return for the release of that information.
“There’s no shame in admitting that you were hit with a cyberattack,” said Stratford Mayor Dan Mathieson, one of the panellists talking about municipalities combating ransomware.
According to research from antivirus software provider Kaspersky, Stratford is one of the 174 North American municipalities that suffered ransomware attacks in 2019. This represents a 60 per cent increase over the previous year.
Explore better partnership opportunities
Sometimes you don’t have the necessary skills or knowledge internally to advance the roadmap on a particular project. This is especially true with cybersecurity. Toronto Police Service Deputy Chief of Police Shawna Coxon delivered a strong message about the value non-traditional partnerships can yield. Trace Labs, a non-profit group that helps find missing people, teamed up with TPS last year to gather clues about missing people during what organizers at the time called a “full day Hackathon.” The event was organized in tandem with Pride Toronto.
See you at 11 a.m.!