Small and medium-sized businesses in Canada still have blinkers on when it comes to being fully prepared for cyber breaches, say security experts.
That was the consensus from a number of speakers last week at a workshop in Toronto for customers of a law firm and an accounting and enterprise risk consulting agency.
When asked about data breaches clients say “that happens in the U.S., not to us,” said Katherine Thompson, a senior advisor in consulting firm MNP LLP’s cyber security practice who is also chair of the Canadian Advanced Technology Alliance (CATA) cyber council.
One of the reasons for this denial is the lack of good data about the number and kind of breaches organizations here suffer, she added. In part that’s the fault of victim companies reluctant to disclose successful attacks, she said.
“The reality is until we get to the point where we’re going to start sharing that information and be more open about the current state in Canada we can’t move the needle forward,” she added.
In an interview after the session Thompson said awareness of the risks of cyber breaches is still poor. She noted Public Safety Canada’s public consultation on a national security framework has been extended twice because the government wasn’t getting the response from certain sectors, specifically small and medium business. The final deadline for submissions is this Thursday.
“We need to increase the level of awareness for all Canadians,” Thompson said. “It’s getting better but it’s still not where it should be.”
The session also heard a member of Toronto Police’s computer cyber crime intelligence service urge organizations to contact local law enforcement agencies long before a breach — when they are drafting breach response and disaster recovery plans.
While organizations plan what to do in a crisis, staff – including IT – have to understand what not to do to protect possible evidence, said Det. Const. Kenrick Bagnall.
“Use us as an external resource,” he said in an interview, “because in the event of a breach the priority is to get the system up and running. But there’s potentially misuse of computers, data loss … If we’re called three weeks later it severely decreases the odds of a successful outcome to the (criminal) investigation.”
“Contacting (police) pre-breach they’re aware of our capabilities to investigate, they can get some advice on best practices on what they should be doing, what they should be logging because there are certain bits of digital evidence we may be interested in after the fact they may not even be interested in.” And police can be another source of standard information on securing networks, he added, such as reminders of the importance of a patching policy and of taking unpatched systems offline.
The workshop was sponsored by MNP and law firm Miller Thomson.
Panellists were asked to recommend quick tips to improve an organization’s cyber security:
–Bagnall: Understand what ‘normal’ looks like on the network so odd activity is identified. For example, one company in the U.S. with a number of Internet-connected surveillance cameras didn’t recognize the importance of an increase in the frame rate on one of the devices. It turned out an attacker was trying to use the camera as an entry point.
–Thompson: Tighten up corporate security procedures. Also, demand third party suppliers prove they are cyber secure.
–Imran Ahmad, a partner in Miller Thomson’s cyber law practice: Make sure senior management is informed about cyber security policies and strategy so they are protected in case the organization is sued for a breach. Also, find out if suppliers have a plan on when they will notify you if they are breached.
–Eileen Greene, vice-president of HUB International, an insurance broker: Check with the company’s insurer to see what is – and isn’t – covered by the standard policy for data breaches. Also, test your disaster recovery plan and make sure contact phone lists are up to date and quickly available.
–Ahmad: Make sure a lawyer is part of the disaster recovery team and reviews all information. That way the lawyer can claim solicitor-client privilege for certain documents and prevent them from being seen by opposing lawyers.
–Thompson: Communication with customers and the public is critical. In the 2013 Target stores breach, call centre agents weren’t prepared to handle customer calls. By comparison, the CEO of Canada’s McCain Foods was up front with the media about a 2008 meat recall and effectively protected the company’s reputation.
–Greene: Ensure all stakeholders are at the table to handle a post-breach crisis.
–Bagnall: “Remain calm.