In his role as Chief Technology Officer for Security at Scalar, Theo provides cybersecurity leadership for Scalar’s National Security practice. This includes the strategic direction, planning, and service launches related to cybersecurity consulting and managed security services. Theo has also taken on the role of being the security spokesperson for Scalar through various media and speaking engagements. Theo has spent the last 18 years in the Cyber Security arena working with customers to address their IT security and risk challenges. Starting with data risk in mind, Theo advises and guides customers to develop a balanced security approach, ensuring the recommended security solutions enable their Governance, Risk and Compliance program while supporting the needs of IT Operations.
As Chief Technology Officer at Scalar, what can you tell us about the importance of cybersecurity for an organization?
Cybersecurity is really all about protecting the longevity of an organization and should be a vital component of any business, no matter the size.
It’s no secret that organizations are experiencing cyber attacks every single day, whether they know it or not. In fact, in the 2019 Scalar Security Study, we found that 100% of the organizations surveyed encountered some form of a security incident or attack over the past year – at an average of 12.5 attacks.
For me, the most important component of a robust cybersecurity plan has evolved from prevention to resilience. It is important to recognize that no organization is immune to cyber-attacks and that they must adapt to the ever-evolving cyber threat landscape by analyzing new ways to prepare for, defend against and respond to threats.
When analyzing your organization, first consider your resiliency. In the event of a cyber-attack, would your business be prepared? Would you be able to continue your day-to-day operations, even while experiencing an incident?
Once you understand your business’ attack surface and processes, you can leverage a risk-based approach to identify critical assets and data. It will now be significantly easier to find the solutions and partners who can help create and implement a bespoke plan for your business.
It’s especially important for small and medium-sized enterprises to instill a culture of prepare, defend and respond from the very beginning in order to set a sustainable precedent for cybersecurity as you grow.
What are some of the procedures/initiatives that business owners should take to protect their company from cyber threats?
To protect any organization and mitigate cyber threats, business owners should focus on a prepare, defend and respond approach.
When considering preparation, investigate how your business and users leverage information, technology assets, services, and data.
• Complete a threat/risk assessment that will allow the business to understand how different threats and threat actors can attack and impact your systems and data.
• Develop an Incident Response Plan to ensure effective protocols are in place to address an incident.
The insight gained through these steps will allow the business to prioritize spending in the defense and response phase to ensure maximum security effectiveness and resilience. During this phase, many consider working with a security partner to ensure a well-balanced and successful outcome.
Employee training – for preparation at work and at home – is another important component of cyber resilience that often goes unaddressed.
In our inaugural Digital Citizen Survey, we found a growing disconnect between how prepared Canadian employees feel towards cybersecurity in the workplace, compared to the amount of training they receive from their employers. Of the respondents, 75% felt they were prepared to deal with cybersecurity threats in the workplace, but only 60% received training from their employers.
These figures are especially concerning because employees are often the first and last line of defense in a cybersecurity strategy. In fact, the threat landscape has evolved to a point where cyber attacks are no longer isolated to the workplace and are frequently experienced in employees’ personal lives. In the Digital Citizen, we uncovered that one quarter (25%) and one third (31%) of respondents indicated they were the target of cyberattacks in the workplace and at home, respectively.
So, why not provide employees with cybersecurity training so that they can implement best practices in both their professional and personal lives? This is a substantial opportunity for employers to address this imbalance of sentiment versus reality and create a sustainable, security-minded workforce.
After thoroughly preparing, the business can now effectively focus on defense in the event of a cyber attack. The best processes and technologies to help secure your business can now be implemented and will usually include considerations for your network, end-users, cloud, and data. It is also important to determine in this phase whether you have the in-house skills to monitor and maintain the tools you’ve deployed before an incident occurs. Hiring a third-party provider to handle management and monitoring services can alleviate pain points in this part of the process.
The response portion is a culmination of successful planning and defense in the event you do experience a cyber-attack or incident. It is here that business owners, or your third-party providers, need to be able to:
• Identify how the incident occurred and contain it to minimize damage and loss;
• Ensure your Incident Response plan is invoked and executed as required;
• Restore data, network, endpoints, and cloud to a trusted state; and• Return the organization to the normal course of business with key learnings and a plan to upgrade or improve where necessary.
Would you say with the advance of technology, cybersecurity has become more of an issue today than it was let’s say 5 years ago?
Cyber threats were a very real problem for businesses five years ago. However, the organizations of yesterday didn’t always have the toolsets to detect and monitor threats as accurately. Prevention was the focus, and the skills and technology to detect threats were often lacking.
Today’s organizations are becoming more proactive in generating cybersecurity plans. This is largely due to the realization that cybersecurity doesn’t just protect networks, it protects the users and valuable and sensitive data within those networks. Technology has greatly improved over the last five years, which means our ability to protect against, detect and respond to threats has advanced – if deployed and used correctly.
However, a rise in advanced cyber attacks has created a need for automated and adaptive technology in the workplace, as these threats become more prominent in our day to day lives – and can potentially stay undetected in our networks for extended periods.
Dwell time for cyberattacks often ranges from 70 to over 200 days, meaning that bad actors are increasing their exposure to network data for much longer before organizations notice. As we continue to adopt new technologies and normalize security best practices in our lives – both professional and personal – our ability to detect threats, correctly deploy tools and quickly respond will improve.
“Dwell time for cyber attacks often ranges from 70 to over 200 days, meaning that bad actors are increasing their exposure to network data for much longer before organizations notice. As we continue to adopt new technologies and normalize security best practices in our lives – both professional and personal – our ability to detect threats, correctly deploy tools and quickly respond will improve.”
What are some of the different ways that Canadian organizations should be preparing their employees to avoid security breaches and cyber security threats?
After analyzing the findings out of the Digital Citizen, we came away with three forward-looking recommendations that Canadian organizations should consider as you work to better future-proof your employees:
• Understand and emphasize the importance of training;
• Increase cloud security training; and
• Implement measures to protect remote workers.
Other popular cybersecurity improvements, focusing on the users and their devices, that were highlighted in the survey include adding two-step verification processes to access devices, locking computer screens, encrypting hard drives, frequent password changes, and virtual private network (VPN) access.
Canadian organizations can also look to frameworks such as the National Institute of Standards and Technology (NIST) frameworks, which provide strong recommendations to guide end-user training. Recommended training topics include:
• Learning how to use provided security tools;
• Proper identification, care and use of sensitive data;
• Maintenance of company-supplied assets and
• Identifying attacks, which includes clear incident response protocol.
It’s essential that organizations stay away from workplace fear-mongering when it comes to cybersecurity. Instead, encourage employees to be actively aware of cybersecurity in the workplace.
In your expert opinion, what is the biggest effect a cybersecurity attack can have on an organization and how can they overcome it?
The biggest risk an attack can have impacts on an operational or financial scale, where the business can no longer continue and is no longer viable.
Less extreme, but also damaging, effects are financial loss, impact on day-to-day operations, loss of brand equity and reputation.
To avoid this, organizations much ensure they have a well-defined and relevant cybersecurity program in place. Respecting all of the elements of a prepare, defend and response approach is an excellent starting point.
Should small organizations try to tackle this issue by themselves or rely on other parties?
Most organizations significantly benefit from taking on a collaborative third-party partnership to protect their data and resources. The nature and complexity of cybersecurity can be challenging. A good partner will help your organization become resilient through the deployment of successful cyber protection, defense and response plan while allowing you to get back to your actual business.