The Canadian Problem – increasing cyber-attacks and damages
In its 2020 Cybersecurity Report, the Canadian Internet Registration Authority [CIRA] confirmed –
- “Fewer organizations expect to increase human resources dedicated to cybersecurity in the next 12 months with one-third planning to do so, down from 45% in 2019.
- About three in 10 organizations have seen a spike in the volume of attacks during the pandemic.
- Slightly more than half of organizations implemented new cybersecurity protections directly in response to COVID-19.
- One-quarter of organizations experienced a breach of customer and/or employee data last year. Another 38% don’t know if they did or not.
- Organizations are less likely than in 2019 to inform a regulatory body of a data breach, with only 36% doing so compared to 58% last year.
- Decision-makers are divided in their concern about changes to PIPEDA, with 54% saying they are concerned.”
This is troubling news on several fronts. In summary, while criminals are stepping up their cyber-attacks, many Canadian organizations are failing to make good business decisions in response.
The criminal-attack part of this is not just a Canadian phenomenon:
- 36% of data breaches in 2020 involved phishing and 16% involved stolen credentials
- Some human element played a part in 85% of all breaches, while 10% incorporated ransomware
- The average ransomware payment in Q1 2021 was $220,298
On the other hand, other nations are expanding cybersecurity governance and business initiatives. Gartner stated –
“Nearly half of all board directors surveyed by Gartner in 2020 saw cybersecurity as a top source of risk for their enterprise. And the risks are only growing.”
The Canadian Solution – increasing basic defensive actions
Here, we are talking about creating simple habits that do not cost much money and increase your organization’s cybersecurity. Cybersecurity has a chance to excel when it is embraced by business leaders, who lead by example. They lead with good habits, including planned communication of cybersecurity messages that will be shared throughout their organization.
U.S.-based Gartner provides three recommendations:
- If your cybersecurity awareness efforts are ad hoc, then develop a list of signature behaviours.
  - Considering the statistics gathered by CIRA, Canadians are not doing what needs to be done to prevent cyber-breaches and are failing to comply with Canadian laws.
  - Basic defensive actions are affordable, and they work. Decide which behaviours you want to work on at your organization. Don’t go overboard. A short list performed well is better and more sustainable than a long list that is not acted upon.
- If your cybersecurity awareness efforts are stuck in a compliance mindset, then measure outcomes, not activities.
  - From the CIRA results, it doesn’t look like Canadians have got to the point of being stuck in a compliance mindset. Rather, Canadians are avoiding compliance. It is an unfortunate situation when laws exist and are not followed. One way or the other, that needs to change.
  - There’s a lot of debate about the value of focusing on “outcomes” versus “activities”. I favour focusing on activities and using well-planned techniques designed to develop good habits. I find James Clear’s approach in “Atomic Habits” is a winning strategy.
- If your leadership doesn’t see value in awareness, then connect awareness to business benefits.
  - Awareness is the critical starting point for generating action. We must help people be aware of our organizations’ cybersecurity needs, without numbing them with ‘doom and gloom’ messages. We must deliver inspiring messages.
  - Awareness of business benefits is a good thing. Yet, on their own, these messages might not appeal to enough people. Leaders who lead by illustrating good examples attract awareness and inspire people to copy good behaviours. We need to inject personality.
Of the three pieces of advice, #1 [develop signature behaviours] should yield immediate improvements. People want to do the ‘right thing’. When it comes to cybersecurity there is a very long list of right things, and people cannot do them all. So, pick three things you would like to build as your organization’s best cybersecurity behaviours. For example, you could choose to build behaviours that ensure:
- Good ‘password management’ habits.
- Good ‘stop phishing attacks’ habits, and
- Good ‘private, personal data management’ habits.
These good habits are affordable and can be accomplished with user-friendly education and training programs. If you can increase good habits in these three areas, you will significantly reduce your organization’s cyber-risk.