
Webinar
* Recorded live on February 28, 2024. Since this recording, Covalence has been renamed to Field Effect MDR.
Concerned about increasing cyber threats and the shortage of skilled professionals to combat them? Not sure how to prioritize cybersecurity best practices in a way that maximizes your time and resources?
Join us for our upcoming webinar where we will outline focused, prioritized actions you can take to make the biggest impact on your cybersecurity.
By tuning in above or reading below, you'll learn:
You’ve probably heard a lot about the importance of having a framework for your cybersecurity program. There’s constant noise in the world about how individuals and organizations should do A, B, or C to improve their defenses and guard against the latest threats.
According to the Canadian Centre for Cybersecurity, small and medium-sized organizations are the most likely to face cyber threat activity in the form of cybercrime. The impacts are often immediate—financial losses, privacy breaches, and harm to the people who work there, as well as to the clients and communities they serve.
It’s no surprise, then, that many organizations—especially small and medium businesses—struggle to figure out what they should do.
If you looked up a definition of cybersecurity, it might describe the protection of a computer, network, and data against unauthorized access or attack. More detailed definitions expand on this, focusing on protecting the integrity of infrastructure and digital information, and on the technologies, processes, and practices an organization uses to prevent or respond to an incident.
At its core, cybersecurity is about ensuring three things: confidentiality, integrity, and availability—commonly referred to as the CIA Triad.
Modern cybersecurity programs are increasingly incorporating privacy considerations for the data they hold and safety considerations for the technology systems they depend on. The goal is reliability in providing services online and protecting sensitive information.
Cybersecurity, then, is an ongoing practice. For those of us in the business of providing cybersecurity services, it’s both a challenge and an opportunity. It’s not a one-and-done task—it’s an evergreen journey. At its heart, it’s about risk management: identifying risks, implementing controls to reduce those risks, and then accepting any residual risk that remains. The objective is to reduce risk to the lowest level possible for your organization.
A strong cybersecurity program brings a wide range of benefits, the most important of which is business continuity. At its core, cybersecurity helps prevent or minimize interruptions to your ability to operate and deliver services to your clients.
Another key benefit is data protection. This includes not only safeguarding confidential business information but also protecting the personal information your organization may hold. Protecting both is essential for maintaining trust and meeting regulatory expectations.
A well-developed cybersecurity program can also open new market opportunities. By demonstrating that your organization is safe, secure, and reliable to do business with, you increase your credibility and competitiveness in the marketplace.
Finally, good cybersecurity practices help limit financial and legal liability. In the event of a cyberattack, compromise, or data breach, organizations without proper safeguards are far more likely to face significant losses or regulatory consequences.
We’ll explore these elements in more depth as we move forward, but next we’ll look specifically at some of the challenges faced by small and medium-sized enterprises.
When it comes to cybersecurity, many people believe the goal is perfection—eliminating every possible risk. In reality, perfection isn’t achievable. Instead, organizations must learn to identify, manage, and accept a certain level of residual risk.
This process begins with identifying and understanding the risks your organization faces. From there, you correlate those risks with the protections, security controls, policies, and procedures you have in place. Each of these elements should ideally mitigate all or part of a given risk.
Even after controls are implemented, some residual risk will always remain. In many cases, this is acceptable because the likelihood of the risk materializing is low. What matters most is building resilience:
Cybersecurity isn’t about eliminating risk entirely—it’s about managing it in a way that makes sense for your organization, balancing practicality with protection.
The cybersecurity challenges organizations face are largely the same regardless of size. However, for small and medium-sized businesses (SMBs), the issue is one of scale. These organizations typically have fewer resources, less in-house expertise, and less capacity to recover from a significant incident. They are also less likely to have a response plan in place before an attack occurs.
Cybersecurity is an adversarial environment. Threat actors are constantly working to defeat the controls organizations put in place to protect their systems and data. This means risk management practices must continually evolve to keep pace with new tactics, techniques, and procedures used by malicious actors.
For SMBs, the challenge is particularly acute. Small teams with limited budgets are tasked with keeping up in a rapidly changing environment that demands constant adaptation. Several factors make this difficult:
Taken together, these factors create a challenging environment for SMBs trying to protect themselves from cyber threats.
Media headlines and industry reports are full of stories about organizations across every sector falling victim to cyberattacks. One of the most common consequences is an interruption to operations—a disruption that comes with significant financial and reputational costs.
Cyberattacks can also threaten an organization’s intellectual property. This may include proprietary research, product development data, or sensitive sales information. For many businesses, losing control of this information could directly affect competitiveness and long-term viability.
Perhaps most critically, attacks pose risks to personal information. Employees and clients alike can be impacted when data such as financial records, banking details, or credit card information is exposed. These types of data are highly valuable to threat actors, making them prime targets in the cybercrime landscape.
Protecting business continuity, intellectual property, and personal information must therefore remain top priorities in any effective cybersecurity program.
As mentioned earlier, the Canadian Centre for Cybersecurity has warned that small and medium-sized organizations are the most likely to face cyber threat activity. These threats often come in the form of cybercrime, with immediate financial and privacy implications.
Among the many types of attacks, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians. Cybercriminals continue to refine and evolve their ransomware tactics within a growing and sophisticated ecosystem. Their objective is simple: maximize profits.
The impacts of ransomware go far beyond the ransom payment itself. A successful attack can:
Not surprisingly, ransomware is a primary concern for many organizations. Clients frequently express a strong desire to avoid being put in that situation.
So, what makes an organization more likely to be at risk? A few baseline principles apply across the board:
In short, you can’t protect what you don’t understand or monitor. Awareness and visibility are the first steps in reducing your risk.
The way we use the internet and connected technologies continues to evolve. Many of us now work in hybrid arrangements—or entirely remotely—which creates new risks. Every new point of connectivity, whether for employees or clients, expands the threat surface of an organization.
To manage this effectively, you need to know:
Your threat surface can be understood as the sum of all potential threats to your systems, minus the mitigation measures you have in place. In simple terms, it’s the size of the “target” you represent to a cybercriminal. The more connections and touchpoints you have with the outside world, the larger the target becomes.
By mapping your threat surface, you gain a clearer picture of where risks exist and how attackers might exploit them. Just as importantly, minimizing that surface—through security controls, access restrictions, and monitoring—directly increases your resilience against cyberattacks.
Understanding your risk comes down to three key realizations:
In short: understanding your risk means understanding your threat surface—and taking steps to reduce it wherever possible.
Resilience is one of the most important themes in cybersecurity. It’s not just about avoiding attacks—it’s about preparing for them, responding effectively, and recovering quickly when they happen.
Even if you’re using the same technology year after year, your threat surface can still expand. Why? Because technologies themselves are constantly being updated, patched, and integrated with new features or third-party services. These changes can introduce new vulnerabilities—even if you haven’t added a single new system to your environment.
This is why keeping applications, operating systems, and software up to date is critical. Automatic updates, where possible, reduce exposure to newly discovered vulnerabilities and help minimize your threat surface over time.
Most cybersecurity experts and authorities agree: it’s not a question of if an organization will face a cyberattack, but when. Attack attempts are continuous and persistent. That’s why resilience is essential. Resilient organizations acknowledge this reality and prepare to minimize the impact of an inevitable attack.
Resilient organizations share several qualities:
Every organization can and should strive for resilience—but it won’t look the same everywhere. What resilience means for you will depend on:
Ultimately, resilience requires understanding your risks, defining your risk tolerance, and setting an acceptable level of resilience for your unique environment. It’s about tailoring your defenses and recovery strategies to your organization’s realities.
When we talk about resilience, we like to frame it around four core concepts: monitoring, identifying risks and mitigations, prioritizing and implementing additional controls, and continuously improving.
The first step in resilience is excellent monitoring. This addresses gaps in your security controls by giving you clear visibility into what’s happening inside your environment.
Monitoring is also the most cost-effective approach to resilience. By deploying monitoring technologies within your network—tracking traffic flow, endpoints, and activity—you can:
Without monitoring, it’s difficult to know what risks exist, let alone manage them effectively.
Once monitoring is in place, it becomes possible to identify security gaps and vulnerabilities. With that information, organizations can reduce risks by strengthening existing defenses and filling in missing protections.
Resilience is a journey, not a one-time fix. It’s impossible to do everything at once, and trying to can feel overwhelming. Instead, prioritize the most important and impactful controls first.
This means reinforcing defenses through policies, processes, and procedures where needed—and focusing investments where they will make the biggest difference.
Cybersecurity is not static. Threats are constant, persistent, and evolving. That means resilience requires continuous adaptation. It’s an ongoing cycle, not a one-and-done project.
Earlier, we introduced the concept of the threat surface as a bullseye. Defense in depth is about applying multiple layers of protection to make that bullseye as small as possible.
No single intervention will ever be perfect. But layering protections increases resilience and dramatically improves your ability to withstand attacks.
Defense in depth involves three interconnected elements:
Together, these create overlapping defenses that make it harder for attackers to succeed.
The goal of cyber resilience isn’t to create an impenetrable wall—because no such wall exists. Instead, resilience is about preparing to take a punch and still be standing. Attacks will happen. Threat actors will continue to target organizations because the data they hold has value. What matters is how well you can withstand and recover from those attacks.
Resilience can feel overwhelming, but it doesn’t have to be. Here are some practical steps:
Resilience is not a destination but a repeatable process. Every action you take strengthens your organization’s ability to withstand and recover from cyberattacks. By combining people, policies, and technology in a layered approach, resilience becomes not only achievable but sustainable.
Making resilience manageable starts with breaking the work into three practical themes: people, policies, and technology. Working from these concepts keeps the scope realistic and gives organizations a clear way to make steady progress.
People are the heart of every organization, and their role is crucial to defending against cyberattacks. Cybersecurity awareness is essential because, while people are a core strength, they’re also a primary target for threat actors.
Phishing remains a common and effective tactic, and business email compromise is something we frequently encounter during incident response with clients—clear evidence that attackers focus on people. Resilience grows when employees understand risks and threats and feel empowered in their roles to protect the organization and its information (and, by extension, themselves).
In practice, that looks like cybersecurity training for new hires within the first few weeks of employment and refresher training on a recurring basis. It also means senior leaders complete annual cybersecurity awareness training tailored to their responsibilities as decision-makers.
Planning and policies shape good practice, so they’re fundamental to resilience. Policies can set minimum standards for roles and responsibilities and give employees clear direction on cybersecurity awareness and best practices. For example, a password policy might prohibit reusing passwords across accounts and require multi-factor authentication wherever it’s available.
Plans and procedures establish the baseline for day-to-day processes. An incident response plan is integral to cybersecurity maturity and resilience because it provides coordinated, effective, and timely guidance when something goes wrong. It helps minimize disruption to high-value systems, defines who will respond—internally and among any external stakeholders—and outlines how internal and external communications and required reporting will be handled.
Technology reinforces information management and security practices. That includes ensuring appropriate access permissions and controls for the data you hold—documents, emails, and other information stored in applications or databases. Role-based access control helps limit exposure to only what users need, and multi-factor authentication should be enabled and required for all access to your systems.
Framing the work around people, policies, and technology makes resilience achievable. Each improvement in any one of these areas strengthens the others, turning resilience from an overwhelming goal into a manageable, ongoing practice.
We believe that resilience can be increased and sustained by working with the right partner. In our view, it’s a purposeful and collaborative exercise. Building on the themes of people, policies, and technology, finding the right team is very much about people. For smaller organizations in particular, that may mean adding external support to strengthen your own team and help you along your journey.
This is what it means to grow your team from the outside in—working with external experts like Field Effect to expand your knowledge, increase awareness, and build resilience. A good partner helps demystify the challenge of cybersecurity, simplifies complex issues, and provides clear guidance on what to prioritize.
The best partners complement your organization by enhancing your current cybersecurity posture. They help you assess where you are today and identify where you need to go. From there, you can focus on doing the right things at the right time, based on a clear understanding of your starting point.
Doing the right things means establishing strong processes and making smart technology choices that reinforce your policies and practices. The right technology solutions should backstop your people as another layer in a defense-in-depth strategy. Just as importantly, technology should not be a burden or annoyance. Instead, it should empower you with clear, concise insights into what’s happening in your environment, why it matters, and what steps to take next.
That’s why we recommend keeping these expectations in mind any time you engage with a potential cybersecurity vendor or supplier. Look for a partner that helps simplify your journey, prioritize your efforts, and strengthen your resilience without overwhelming your organization.
You’ve probably seen lists before—top five, top ten, or even top twenty things to do to protect your network. We believe there is a resilience to-do list, but it doesn’t need to be overwhelming. It’s about focusing on the steps that matter most.
The resilience to-do list doesn’t need to be a long one. Monitoring, assessing, implementing, and repeating—these four steps, done consistently, form the foundation of a strong and sustainable cybersecurity program.
Q: We’re just starting to work on policies for our organization. Do you have a list of must-have policies, or what you think are the core ones every company should have?
A: Policies are one of the three pillars of resilience, alongside people and technology. The term “policy” can cover a wide range of documents, including cybersecurity strategies, plans, procedures, and guidance.
If I had to prioritize, the first and most important policy is an incident response plan. This sets guidance and structure around how your organization will respond to an incident if it happens. Being prepared in advance is critical to increasing resilience.
Beyond that, we work with clients to identify gaps in their policy frameworks and build from there. Common focus areas include:
Ultimately, the right policies depend on your environment. Our approach is to work one-on-one with organizations to understand what policies are already in place, where gaps exist, and how to build a framework that fills those gaps.
Q: What is the single most at-risk daily computer operation by employees that puts the organization at risk?
A: If I had to choose one, it would be email. Email is a major focus for cyber threat actors and one of the most common entry points for business email compromise. Because employees use it constantly, it’s also one of the easiest areas for attackers to exploit.
Having effective email security practices in place is one of the strongest ways to prevent or reduce the impact of incidents that originate from this vulnerability. Good practices include:
Taken together, these measures make email much harder for attackers to exploit and significantly reduce organizational risk.
Q: We’re currently working on our data and information management policy and struggling a bit. Do you have any tips?
A: To be frank, this is something all organizations struggle with—so you’re not alone. Every client we work with faces challenges in building strong information management practices.
The pillars of a good information management policy start with setting clear principles:
For example, you should identify whether your organization holds personally identifiable information (PII), which always requires extra protection. You should also account for sensitive or confidential business information—such as research data, product information, or sales plans—that may deserve stronger safeguards.
A strong policy comes down to knowing what you have, where you keep it, and how you interact with it. From there, you can determine what protections are necessary. Some data may require additional measures such as encryption, both at rest and in transit. Your policy should also guide how long data is retained, how it is properly disposed of, and how it is protected during storage or sharing.
It’s also important to account for the jurisdictions where you operate. Different regions have different legal and regulatory requirements, including rules on data retention and breach notification. These may come from federal, state, or provincial authorities, depending on where your organization is based and where your clients are located.
Developing this kind of policy is challenging, but it’s foundational for resilience. For organizations looking for guidance, Field Effect can provide support in building frameworks and practices tailored to your specific environment and regulatory context.