Webinar

Strengthening your cybersecurity: From at-risk to resilient

* Recorded live on February 28, 2024. Since this recording, Covalence has been renamed to Field Effect MDR.

Concerned about increasing cyber threats and the shortage of skilled professionals to combat them? Not sure how to prioritize cybersecurity best practices in a way that maximizes your time and resources?

In this webinar we outline focused, prioritized actions you can take to make the biggest impact on your cybersecurity.

By tuning in above or reading below, you'll learn:

  • How to optimize your cybersecurity return on investment
  • What the growing threat surface means for your business
  • Why outsourcing cybersecurity can help battle the skills gap

What is cybersecurity and why is it hard?

You’ve probably heard a lot about the importance of having a framework for your cybersecurity program. There’s constant noise in the world about how individuals and organizations should do A, B, or C to improve their defenses and guard against the latest threats.

According to the Canadian Centre for Cybersecurity, small and medium-sized organizations are the most likely to face cyber threat activity in the form of cybercrime. The impacts are often immediate—financial losses, privacy breaches, and harm to the people who work there, as well as to the clients and communities they serve.

It’s no surprise, then, that many organizations—especially small and medium businesses—struggle to figure out what they should do.

  • Strategically, they ask: What should our approach be?
  • Tactically, they wonder: How do we protect ourselves and our clients from harm?

If you looked up a definition of cybersecurity, it might describe the protection of a computer, network, and data against unauthorized access or attack. More detailed definitions expand on this, focusing on protecting the integrity of infrastructure and digital information, and on the technologies, processes, and practices an organization uses to prevent or respond to an incident.

At its core, cybersecurity is about ensuring three things: confidentiality, integrity, and availability—commonly referred to as the CIA Triad.

  • Confidentiality means keeping information private.
  • Integrity ensures information can’t be altered by an unauthorized party.
  • Availability ensures that services remain accessible to the clients and communities who rely on them.

Modern cybersecurity programs are increasingly incorporating privacy considerations for the data they hold and safety considerations for the technology systems they depend on. The goal is reliability in providing services online and protecting sensitive information.

Cybersecurity, then, is an ongoing practice. For those of us in the business of providing cybersecurity services, it’s both a challenge and an opportunity. It’s not a one-and-done task—it’s an evergreen journey. At its heart, it’s about risk management: identifying risks, implementing controls to reduce those risks, and then accepting any residual risk that remains. The objective is to reduce risk to a level your organization can knowingly accept, given its resources and what it has to protect.

The benefits of a strong cybersecurity program

A strong cybersecurity program brings a wide range of benefits, the most important of which is business continuity. At its core, cybersecurity helps prevent or minimize interruptions to your ability to operate and deliver services to your clients.

Another key benefit is data protection. This includes not only safeguarding confidential business information but also protecting the personal information your organization may hold. Protecting both is essential for maintaining trust and meeting regulatory expectations.

A well-developed cybersecurity program can also open new market opportunities. By demonstrating that your organization is safe, secure, and reliable to do business with, you increase your credibility and competitiveness in the marketplace.

Finally, good cybersecurity practices help limit financial and legal liability. In the event of a cyberattack, compromise, or data breach, organizations without proper safeguards are far more likely to face significant losses or regulatory consequences.

We’ll explore these elements in more depth as we move forward. Next we’ll look at managing residual risk, and then at the challenges faced specifically by small and medium-sized enterprises.

Managing residual risk

When it comes to cybersecurity, many people believe the goal is perfection—eliminating every possible risk. In reality, perfection isn’t achievable. Instead, organizations must learn to identify, manage, and accept a certain level of residual risk.

This process begins with identifying and understanding the risks your organization faces. From there, you correlate those risks with the protections, security controls, policies, and procedures you have in place. Each of these elements should ideally mitigate all or part of a given risk.

Even after controls are implemented, some residual risk will always remain. In many cases, this is acceptable because the likelihood of the risk materializing is low. What matters most is building resilience:

  • Reducing the likelihood of an incident occurring.
  • Increasing your ability to withstand and recover from an event if it does happen.

Cybersecurity isn’t about eliminating risk entirely—it’s about managing it in a way that makes sense for your organization, balancing practicality with protection.

The unique challenges for small and medium businesses

The cybersecurity challenges organizations face are largely the same regardless of size. However, for small and medium-sized businesses (SMBs), the issue is one of scale. These organizations typically have fewer resources, less in-house expertise, and less capacity to recover from a significant incident. They are also less likely to have a response plan in place before an attack occurs.

Cybersecurity is an adversarial environment. Threat actors are constantly working to defeat the controls organizations put in place to protect their systems and data. This means risk management practices must continually evolve to keep pace with new tactics, techniques, and procedures used by malicious actors.

For SMBs, the challenge is particularly acute. Small teams with limited budgets are tasked with keeping up in a rapidly changing environment that demands constant adaptation. Several factors make this difficult:

  • Adversarial risk: Attackers are motivated and persistent.
  • Technical complexity: Cybersecurity involves navigating an intricate IT landscape.
  • Talent shortages: Expertise is hard to find and even harder to retain.
  • Client understanding: Many clients don’t fully grasp the risks facing their systems, making it difficult to implement and prioritize solutions effectively.
  • Cost pressures: Organizations want the right people with the right skills, but at a price that fits their budget.

Taken together, these factors create a challenging environment for SMBs trying to protect themselves from cyber threats.

The risks to business continuity

Media headlines and industry reports are full of stories about organizations across every sector falling victim to cyberattacks. One of the most common consequences is an interruption to operations—a disruption that comes with significant financial and reputational costs.

Cyberattacks can also threaten an organization’s intellectual property. This may include proprietary research, product development data, or sensitive sales information. For many businesses, losing control of this information could directly affect competitiveness and long-term viability.

Perhaps most critically, attacks pose risks to personal information. Employees and clients alike can be impacted when data such as financial records, banking details, or credit card information is exposed. These types of data are highly valuable to threat actors, making them prime targets in the cybercrime landscape.

Protecting business continuity, intellectual property, and personal information must therefore remain top priorities in any effective cybersecurity program.

What does it mean to be at risk?

As mentioned earlier, the Canadian Centre for Cybersecurity has warned that small and medium-sized organizations are the most likely to face cyber threat activity. These threats often come in the form of cybercrime, with immediate financial and privacy implications.

Among the many types of attacks, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians. Cybercriminals continue to refine and evolve their ransomware tactics within a growing and sophisticated ecosystem. Their objective is simple: maximize profits.

The impacts of ransomware go far beyond the ransom payment itself. A successful attack can:

  • Halt operations by taking down critical systems.
  • Damage or destroy valuable data.
  • Expose sensitive information.
  • Impose additional costs through lengthy recovery efforts.

Not surprisingly, ransomware is a primary concern for many organizations. Clients frequently express a strong desire to avoid being put in that situation.

So, what makes an organization more likely to be at risk? A few baseline principles apply across the board:

  • Not knowing what information you hold or why it might be valuable to a threat actor.
  • Not knowing where your information is stored or what threats it may face.
  • Not monitoring your technology systems or network activity, such as who is connected, what they have access to, how that access is granted, and whether activity is being logged and retained for investigation.

In short, you can’t protect what you don’t understand or monitor. Awareness and visibility are the first steps in reducing your risk.

Understanding your risk

The way we use the internet and connected technologies continues to evolve. Many of us now work in hybrid arrangements—or entirely remotely—which creates new risks. Every new point of connectivity, whether for employees or clients, expands the threat surface of an organization.

To manage this effectively, you need to know:

  • Who is using your systems.
  • When and from where they are connecting.
  • Why they are accessing certain systems.
  • What devices, applications, or accounts they are using.
  • How that access is being managed and monitored.

Your threat surface can be understood as the sum of all potential threats to your systems, minus the mitigation measures you have in place. In simple terms, it’s the size of the “target” you represent to a cybercriminal. The more connections and touchpoints you have with the outside world, the larger the target becomes.

By mapping your threat surface, you gain a clearer picture of where risks exist and how attackers might exploit them. Just as importantly, minimizing that surface—through security controls, access restrictions, and monitoring—directly increases your resilience against cyberattacks.

Understanding your risk comes down to three key realizations:

  1. No one is immune. Every organization, regardless of size, is a potential target for cyber threat actors.
  2. Your threat surface changes over time. New technologies, new people, and new solutions all expand or shift your vulnerabilities.
  3. Continuous awareness is essential. Monitoring and reassessing your systems helps you adapt as your threat surface evolves.

In short: understanding your risk means understanding your threat surface—and taking steps to reduce it wherever possible.

Building cyber resilience

Resilience is one of the most important themes in cybersecurity. It’s not just about avoiding attacks—it’s about preparing for them, responding effectively, and recovering quickly when they happen.

How the threat surface evolves

Even if you’re using the same technology year after year, your threat surface can still expand. Why? Because technologies themselves are constantly being updated, patched, and integrated with new features or third-party services. These changes can introduce new vulnerabilities—even if you haven’t added a single new system to your environment.

This is why keeping applications, operating systems, and software up to date is critical. Automatic updates, where possible, reduce exposure to newly discovered vulnerabilities and help minimize your threat surface over time.

Why resilience matters

Most cybersecurity experts and authorities agree: it’s not a question of if an organization will face a cyberattack, but when. Attack attempts are continuous and persistent. That’s why resilience is essential. Resilient organizations acknowledge this reality and prepare to minimize the impact of an inevitable attack.

What makes an organization resilient?

Resilient organizations share several qualities:

  • Adaptability: They prepare for incidents in advance, respond effectively when they occur, and maintain business operations throughout.
  • Defense: They put measures in place to protect against malicious actions.
  • Recovery: They recover quickly and efficiently from attacks, limiting long-term damage.

Resilience isn’t one-size-fits-all

Every organization can and should strive for resilience—but it won’t look the same everywhere. What resilience means for you will depend on:

  • Your size and resources.
  • The technologies, applications, and solutions you use.
  • Your industry sector and the specific threats it faces.
  • The partnerships and third-party relationships that may connect your systems to others.

Ultimately, resilience requires understanding your risks, defining your risk tolerance, and setting an acceptable level of resilience for your unique environment. It’s about tailoring your defenses and recovery strategies to your organization’s realities.

Four core concepts of cyber resilience

When we talk about resilience, we frame it around four core concepts: monitoring, identifying risks and mitigations, prioritizing and implementing additional controls, and continuously improving. (These are distinct from the three defense-in-depth elements, people, policies, and technology, discussed later.)

1. Monitoring first

The first step in resilience is excellent monitoring. It exposes gaps in your security controls by giving you clear visibility into what’s happening inside your environment.

Monitoring is also the most cost-effective approach to resilience. By deploying monitoring technologies within your network—tracking traffic flow, endpoints, and activity—you can:

  • Detect and remove malicious activity already present in your systems.
  • Reduce the likelihood that new threats take hold unnoticed.
  • “Buy time” to implement new controls and measures in a prioritized way.

Without monitoring, it’s difficult to know what risks exist, let alone manage them effectively.

2. Identifying risks and mitigations

Once monitoring is in place, it becomes possible to identify security gaps and vulnerabilities. With that information, organizations can reduce risks by strengthening existing defenses and filling in missing protections.

3. Prioritizing and implementing additional controls

Resilience is a journey, not a one-time fix. It’s impossible to do everything at once, and trying to can feel overwhelming. Instead, prioritize the most important and impactful controls first.

This means reinforcing defenses through policies, processes, and procedures where needed—and focusing investments where they will make the biggest difference.

4. Continuously improving

Cybersecurity is not static. Threats are constant, persistent, and evolving. That means resilience requires continuous adaptation. It’s an ongoing cycle, not a one-and-done project.

Defense in depth: Layers of protection

Earlier, we described the threat surface as the size of the target you present to a cybercriminal. Defense in depth is about applying multiple layers of protection to make that target as small as possible.

No single intervention will ever be perfect. But layering protections increases resilience and dramatically improves your ability to withstand attacks.

Defense in depth involves three interconnected elements:

  • People: Cybersecurity awareness training, incident response preparation, and fostering a culture of security.
  • Policies: Internal strategies, procedures, and day-to-day practices that guide how your organization operates securely.
  • Technology: Solutions such as antivirus tools, email filtering, authentication systems, and monitoring technologies.

Together, these create overlapping defenses that make it harder for attackers to succeed.

Resilience means taking a punch and staying standing

The goal of cyber resilience isn’t to create an impenetrable wall—because no such wall exists. Instead, resilience is about preparing to take a punch and still be standing. Attacks will happen. Threat actors will continue to target organizations because the data they hold has value. What matters is how well you can withstand and recover from those attacks.

Where to start with resilience building

Resilience can feel overwhelming, but it doesn’t have to be. Here are some practical steps:

  1. Ask for help. Expertise and solutions are available, and they can be tailored to your needs and budget.
  2. Assess your threat surface. Understanding where your risks are will help you prioritize your resources.
  3. Start with monitoring. This gives you visibility, removes immediate threats, and buys time to strengthen defenses.
  4. Work from the core pillars: people, policies, and technology. Breaking resilience into these categories makes it more manageable.
  5. Take it step by step. Each improvement increases your cyber resilience, even if the journey is ongoing.

Resilience is not a destination but a repeatable process. Every action you take strengthens your organization’s ability to withstand and recover from cyberattacks. Breaking the work into three practical themes, people, policies, and technology, keeps the scope realistic and gives organizations a clear way to make steady progress.

People, policies, and technology

People are the heart of every organization, and their role is crucial to defending against cyberattacks. Cybersecurity awareness is essential because, while people are a core strength, they’re also a primary target for threat actors.

Phishing remains a common and effective tactic, and business email compromise is something we frequently encounter during incident response with clients—clear evidence that attackers focus on people. Resilience grows when employees understand risks and threats and feel empowered in their roles to protect the organization and its information (and, by extension, themselves).

In practice, that looks like cybersecurity training for new hires within the first few weeks of employment and refresher training on a recurring basis. It also means senior leaders complete annual cybersecurity awareness training tailored to their responsibilities as decision-makers.

Planning and policies shape good practice, so they’re fundamental to resilience. Policies can set minimum standards for roles and responsibilities and give employees clear direction on cybersecurity awareness and best practices. For example, a password policy might prohibit reusing passwords across accounts and require multi-factor authentication wherever it’s available.

Plans and procedures establish the baseline for day-to-day processes. An incident response plan is integral to cybersecurity maturity and resilience because it provides coordinated, effective, and timely guidance when something goes wrong. It helps minimize disruption to high-value systems, defines who will respond—internally and among any external stakeholders—and outlines how internal and external communications and required reporting will be handled.

Technology reinforces information management and security practices. That includes ensuring appropriate access permissions and controls for the data you hold—documents, emails, and other information stored in applications or databases. Role-based access control helps limit exposure to only what users need, and multi-factor authentication should be enabled and required for all access to your systems.
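To make the last sentence concrete, here is an added example, written for this page and not Field Effect code, of a deny-by-default access check: a request is allowed only if the password verifies, a TOTP second factor verifies, and the user’s role explicitly grants the requested action. Everything in it is constructed: the user records, salts, passwords and role-to-permission table are invented, and the TOTP secret is the RFC 4226/6238 test secret so the generated codes can be compared with the published vectors. A real deployment would generate a random secret and salt per user and keep the user store in a directory or identity provider rather than a dictionary.

```python
"""Deny-by-default access check: password + TOTP second factor + role permission.

Added example with constructed data; not the webinar's or Field Effect's code.
"""
import hashlib
import hmac
import struct

# Least privilege: each role is granted only the actions it needs.
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "analyst": {"read_reports"},
    "admin": {"read_reports", "edit_reports", "manage_users"},
}


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256, so the stored value never contains the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, drift_steps=1):
    """Accept the current code and one step either side to tolerate clock drift."""
    if code is None:
        return False
    code = str(code)
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * step, step), code):
            return True
    return False


# Constructed user store. The TOTP secret for alice is the RFC 4226/6238 test
# secret so its codes match the published test vectors; bob's is also invented.
RFC6238_TEST_SECRET = b"12345678901234567890"
USERS = {
    "alice": {"salt": b"constructed-salt-alice", "role": "analyst",
              "totp_secret": RFC6238_TEST_SECRET},
    "bob": {"salt": b"constructed-salt-bob", "role": "admin",
            "totp_secret": b"constructed-totp-secret-bob"},
}
USERS["alice"]["pw_hash"] = hash_password("correct horse battery staple", USERS["alice"]["salt"])
USERS["bob"]["pw_hash"] = hash_password("Tr0ub4dor&3", USERS["bob"]["salt"])


def authorize(username, password, code, action, unix_time):
    """Return (allowed, reason). Every check must pass; the default answer is deny."""
    user = USERS.get(username)
    if user is None:
        # Burn the same hashing time and return the same reason as a wrong password,
        # so neither timing nor the response reveals which usernames exist.
        hash_password(password, b"constructed-dummy-salt")
        return False, "bad_credentials"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad_credentials"
    # A stolen password alone stops here: the second factor is required for all access.
    if not verify_totp(user["totp_secret"], code, unix_time):
        return False, "mfa_failed"
    # Role-based check: the action must be explicitly granted to the user's role.
    if action not in ROLE_PERMISSIONS.get(user["role"], set()):
        return False, "not_permitted"
    return True, "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; at this instant alice's code is 287082
    print(authorize("alice", "correct horse battery staple", None, "read_reports", now))
    print(authorize("alice", "correct horse battery staple", "287082", "read_reports", now))
    print(authorize("alice", "correct horse battery staple", "287082", "manage_users", now))
```

With a correct password but no code the result is (False, "mfa_failed"): the stolen-password case never reaches the role check, which is the point of requiring MFA for all access. The unknown-user and wrong-password paths return the same reason and do the same amount of work, so a login form built on this cannot be used to enumerate accounts. The role table is the only place an action can be granted, which is what makes the check least-privilege by construction rather than by convention.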

Framing the work around people, policies, and technology makes resilience achievable. Each improvement in any one of these areas strengthens the others, turning resilience from an overwhelming goal into a manageable, ongoing practice.

Growing resilience with the right partner

We believe that resilience can be increased and sustained by working with the right partner. In our view, it’s a purposeful and collaborative exercise. Building on the themes of people, policies, and technology, finding the right team is very much about people. For smaller organizations in particular, that may mean adding external support to strengthen your own team and help you along your journey.

This is what it means to grow your team from the outside in—working with external experts like Field Effect to expand your knowledge, increase awareness, and build resilience. A good partner helps demystify the challenge of cybersecurity, simplifies complex issues, and provides clear guidance on what to prioritize.

The best partners complement your organization by enhancing your current cybersecurity posture. They help you assess where you are today and identify where you need to go. From there, you can focus on doing the right things at the right time, based on a clear understanding of your starting point.

Doing the right things means establishing strong processes and making smart technology choices that reinforce your policies and practices. The right technology solutions should backstop your people as another layer in a defense-in-depth strategy. Just as importantly, technology should not be a burden or annoyance. Instead, it should empower you with clear, concise insights into what’s happening in your environment, why it matters, and what steps to take next.

That’s why we recommend keeping these expectations in mind any time you engage with a potential cybersecurity vendor or supplier. Look for a partner that helps simplify your journey, prioritize your efforts, and strengthen your resilience without overwhelming your organization.

A resilience to-do list

You’ve probably seen lists before—top five, top ten, or even top twenty things to do to protect your network. We believe there is a resilience to-do list, but it doesn’t need to be overwhelming. It’s about focusing on the steps that matter most.

  1. The first step is to get started with monitoring. Monitoring is the most cost-effective way to protect your organization. It should cover your endpoints—computers, laptops, and servers—as well as your network traffic, both in and out of your environment. And if your organization uses the cloud, monitoring must extend there too. With so much business now operating in the cloud, it’s critical to include it in your visibility.
  2. The second step is assessment. This means evaluating your current cybersecurity posture by looking at your technology, your information management practices, and the controls already in place. An assessment helps uncover two key things: the strengths you should continue building on, and the gaps that need to be closed.
  3. Once those gaps are identified, the third step is implementation. This could involve developing new policies or procedures, providing staff training, or deploying new controls and practices. The goal is to prioritize these actions so the most significant risks are addressed first. This is where advisors or external partners, like Field Effect, can help tailor a roadmap to your organization’s specific needs.
  4. Finally, the last step is to repeat the process. Resilience is never finished—it’s an ongoing cycle. By regularly reassessing your threat surface and adapting your defenses, you maintain awareness and ensure your security measures evolve alongside the risks.

The resilience to-do list doesn’t need to be a long one. Monitoring, assessing, implementing, and repeating—these four steps, done consistently, form the foundation of a strong and sustainable cybersecurity program.

Q&A:

Q: We’re just starting to work on policies for our organization. Do you have a list of must-have policies, or what you think are the core ones every company should have?

A: Policies are one of the three pillars of resilience, alongside people and technology. The term “policy” can cover a wide range of documents, including cybersecurity strategies, plans, procedures, and guidance.

If I had to prioritize, the first and most important policy is an incident response plan. This sets guidance and structure around how your organization will respond to an incident if it happens. Being prepared in advance is critical to increasing resilience.

Beyond that, we work with clients to identify gaps in their policy frameworks and build from there. Common focus areas include:

  • Password policies: Guidance on creating and storing strong passwords or passphrases, with an emphasis on avoiding password reuse across professional and personal accounts.
  • Information management policies: Documenting what information the organization holds, where it’s stored, and how it can be accessed.
  • Regulatory and compliance requirements: Ensuring policies address whether the nature of your data subjects you to specific rules on data retention, data disposal, or reporting obligations. For example, some regulations require notifying regulators or stakeholders if a data breach occurs.

Ultimately, the right policies depend on your environment. Our approach is to work one-on-one with organizations to understand what policies are already in place, where gaps exist, and how to build a framework that fills those gaps.

Q: What is the single most at-risk daily computer operation by employees that puts the organization at risk?

A: If I had to choose one, it would be email. Email is a major focus for cyber threat actors and one of the most common entry points for business email compromise. Because employees use it constantly, it’s also one of the easiest areas for attackers to exploit.

Having effective email security practices in place is one of the strongest ways to prevent or reduce the impact of incidents that originate from this vulnerability. Good practices include:

  • Monitoring email access to detect suspicious activity and identify potential compromises early.
  • Strong password practices, including unique passphrases that aren’t reused across accounts.
  • Multi-factor authentication (MFA): Adding a second step of authentication is one of the most effective defenses. Even if an attacker steals a username and password, they still can’t gain access without the additional authentication factor.

Taken together, these measures make email much harder for attackers to exploit and significantly reduce organizational risk.
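As an added example, not part of the webinar or Field Effect’s tooling, the following Python script shows what “monitoring email access to detect suspicious activity” can look like in practice, and it answers the who, when, from where and with what questions listed earlier under “Understanding your risk”. It reads a sign-in log and fires four rules that cover the common business-email-compromise patterns: a successful sign-in without MFA (legacy protocols such as IMAP basic authentication cannot prompt for a second factor, so a stolen password is enough there), a sign-in from a country the user has never used, two countries for the same user within an hour, and a burst of failed attempts from one address followed by a success. The log lines, user names, addresses (documentation ranges) and per-user country baseline are all constructed for this example; the field layout is an assumption, and a real deployment would parse the sign-in audit log your mail provider exports instead.

```python
"""Flag suspicious mailbox sign-ins from a sign-in log.

Added example with constructed data; not the webinar's or Field Effect's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one sign-in event per line. Users, IPs (documentation
# ranges) and countries are invented; the key=value layout is an assumption.
SAMPLE_LOG = """\
2024-02-28T08:01:10Z user=alice result=success ip=203.0.113.10 country=CA client=Outlook mfa=true
2024-02-28T08:03:42Z user=bob result=success ip=198.51.100.7 country=CA client=OWA mfa=true
2024-02-28T08:20:05Z user=alice result=success ip=192.0.2.44 country=RU client=IMAP mfa=false
2024-02-28T09:00:01Z user=carol result=failure ip=192.0.2.99 country=NL client=IMAP mfa=false
2024-02-28T09:00:03Z user=carol result=failure ip=192.0.2.99 country=NL client=IMAP mfa=false
2024-02-28T09:00:05Z user=carol result=failure ip=192.0.2.99 country=NL client=IMAP mfa=false
2024-02-28T09:00:07Z user=carol result=failure ip=192.0.2.99 country=NL client=IMAP mfa=false
2024-02-28T09:00:09Z user=carol result=failure ip=192.0.2.99 country=NL client=IMAP mfa=false
2024-02-28T09:00:12Z user=carol result=success ip=192.0.2.99 country=NL client=IMAP mfa=false
2024-02-28T10:15:00Z user=bob result=success ip=198.51.100.7 country=CA client=Outlook mfa=true
"""

# Constructed baseline of countries each user normally signs in from. In a real
# deployment this is learned from a trailing window of successful sign-ins.
KNOWN_COUNTRIES = {"alice": {"CA"}, "bob": {"CA"}, "carol": {"CA"}}

FAILURE_THRESHOLD = 5                  # failures before a success that count as guessing
FAILURE_WINDOW = timedelta(minutes=5)  # ...when they come from the same IP in this window
TRAVEL_WINDOW = timedelta(hours=1)     # two countries inside this window is impossible travel


def parse_line(line):
    """Turn '2024-...Z key=value key=value ...' into a dict with a datetime timestamp."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["mfa"] = event.get("mfa") == "true"
    return event


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of (rule, user, timestamp) alerts, one entry per rule that fires."""
    alerts = []
    last_success = {}              # user -> most recent successful sign-in event
    failures = defaultdict(list)   # (user, ip) -> timestamps of failures since last success
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        if ev["result"] != "success":
            failures[(user, ip)].append(ts)
            continue
        # Rule 1: success with no second factor, e.g. IMAP basic auth that bypasses MFA.
        if not ev["mfa"]:
            alerts.append(("no_mfa", user, ts))
        # Rule 2: sign-in from a country this user has never used before.
        if ev["country"] not in KNOWN_COUNTRIES.get(user, set()):
            alerts.append(("new_country", user, ts))
        # Rule 3: impossible travel, a different country than the last success, too soon.
        prev = last_success.get(user)
        if prev and prev["country"] != ev["country"] and ts - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append(("impossible_travel", user, ts))
        # Rule 4: a burst of failures from the same IP immediately followed by success.
        recent = [t for t in failures[(user, ip)] if ts - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(("brute_force_success", user, ts))
        failures[(user, ip)].clear()
        last_success[user] = ev
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {user:<6}  {rule}")
```

On the constructed sample, bob produces nothing, alice’s 08:20 sign-in fires three rules at once (no MFA, a new country, and a 19-minute jump from Canada to Russia), and carol’s success at 09:00:12 fires after five failures in eleven seconds from the same address, again without MFA. Any one of these is worth a human look; several on the same event is how a compromised mailbox typically presents in a sign-in log. The thresholds and windows are starting points to tune against your own baseline, and the point of the country baseline is that it has to exist before the rule is useful, which is the “know who is using your systems and from where” step in practice.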

Q: We’re currently working on our data and information management policy and struggling a bit. Do you have any tips?

A: To be frank, this is something all organizations struggle with—so you’re not alone. Every client we work with faces challenges in building strong information management practices.

The pillars of a good information management policy start with setting clear principles:

  • Your organization will have defined information management and security controls.
  • You will identify and document the types of data you hold.
  • You will define where that information is stored.
  • You will establish the access controls required for users to interact with it.

For example, you should identify whether your organization holds personally identifiable information (PII), which always requires extra protection. You should also account for sensitive or confidential business information—such as research data, product information, or sales plans—that may deserve stronger safeguards.

A strong policy comes down to knowing what you have, where you keep it, and how you interact with it. From there, you can determine what protections are necessary. Some data may require additional measures such as encryption, both at rest and in transit. Your policy should also guide how long data is retained, how it is properly disposed of, and how it is protected during storage or sharing.

It’s also important to account for the jurisdictions where you operate. Different regions have different legal and regulatory requirements, including rules on data retention and breach notification. These may come from federal, state, or provincial authorities, depending on where your organization is based and where your clients are located.

Developing this kind of policy is challenging, but it’s foundational for resilience. For organizations looking for guidance, Field Effect can provide support in building frameworks and practices tailored to your specific environment and regulatory context.