Intended Consequences, the official podcast of the StrategyCorp Institute of Public Policy and Economy, brings together interesting guests and experts to discuss practical provincial and federal policy ideas that achieve the goals they are designed to achieve.
The host, Sébastien Labrecque, recently invited Field Effect experts and Jennifer Quaid (Executive Director of the Canadian Cyber Threat Exchange) to talk about all things cybersecurity.
During the episode, they touch on several timely cybersecurity topics, including:
- Bill C-26 and what constitutes a good cybersecurity program
- The most effective ways government can help businesses improve their security
- Important steps to take during a cybersecurity incident (and if cyber drills matter)
- Mitigating the cyber risks stemming from the Internet of Things
You can listen to the full episode here or keep reading for four key takeaways all businesses should know about cybersecurity.
Cybersecurity is more than just phishing emails
A cybersecurity incident is any unauthorized access or interference with your IT and IT assets.
When we think about unauthorized access in 2023, our minds often go immediately to external attackers or threat actors outside of our network. However, it's important to remember that sometimes the threat originates from within your network in the form of an "insider threat."
Regardless of where the attack stems from, cybersecurity often comes down to three simple principles:
- Confidentiality. Can you prevent unauthorized use or disclosure of information?
- Integrity. Are you sure that information is accurate, complete, and unaltered?
- Availability. Do authorized users have reliable, timely access to core information and systems?
When you look at cyberattacks, they really target one or more of those three principles.
Two factors hindering the adoption of cybersecurity solutions
Even today, one of the greatest challenges in adopting cybersecurity is having a business owner or network operator understand and appreciate that they have a cybersecurity problem.
Everybody understands that cyber threats exist; we've all read the stories in the news. But, for a lot of organizations, there's this sense that cybersecurity doesn't apply to them. They may believe it's more an issue for governments or big organizations with more valuable data than they believe they have.
But your data doesn't have to be of value to somebody else to be appealing; it has to be of value to you. For a ransomware attack to be considered successful, for example, all a threat actor has to do is make important data inaccessible to you, so you're inclined to pay the ransom.
The other challenge is that, given how dynamic the cyber threat landscape is and how diverse the digital world is, it's easy to not know where to begin. There's this sense that cybersecurity is an impossible problem, so why bother trying?
The reality is actually quite the opposite. There are many cybersecurity best practices that, if you get them right, significantly improve your ability to implement a strong defense.
What can municipalities do to protect against cyberattacks?
What municipalities can do to prevent cyberattacks is exactly the same as what corporations, charities, hospitals, school boards, not-for-profits, and every other organization out there can do.
For the most part, municipalities face the same challenges as other organizations. What differs is that, in addition to typical IT systems, municipalities may be responsible for critical infrastructure systems such as water treatment plants.
Municipalities don't get extra investment for cybersecurity, but they do operate infrastructure that has potential for a much larger impact if something were to go wrong.
In terms of making an investment, though, there is some good news. A lot of attacks rely on basic techniques, things like phishing or password-guessing, that can be largely prevented by:
What's the role of cyber insurance?
Cyber insurance has certainly evolved over time. In the early days, people equated cyber insurance with cybersecurity, which didn't work.
Cyber insurance is like any other insurance in your life: it's there to handle the unforeseen and the unpredicted. What we've seen is that insurance companies have started to see pretty significant losses from the policies they've issued and, as a consequence, are now looking to organizations to demonstrate that they're doing the basics in cybersecurity.
Even if an organization qualifies for insurance, they're finding that the premiums are significantly higher than they were in the past. So cyber insurance is something that we strongly recommend and is a really important part of an organization's overall cybersecurity practices. However, it is only one element, and it doesn't eliminate the need for a threat detection and response solution.