and how will it affect you? p05 p07 p09 CYBER SECURITY · leader in information security Robert...

A sponsored feature by Mediaplanet

C Y B E R S E C U R I T Y

According to Forbes, cybercrime costs are projected to reach $2 trillion by 2019. Global investors lose billions of dollars to cyberattacks, as per CNBC’s coverage.

For example, The Guardian report-ed massive cyberattacks could cost Nurofen and Durex maker $100 million. Fortune Magazine al-so reports that cyberattacks cost companies $400 billion every year. Cyberattacks cost companies 20 percent of their revenues in 2016, according to economictimes.in-diatimes.com. Statistically, these figures might sound theoretical, but someone is directly feeling the heat. The shareholders remain the direct beneficiaries of the traded organization’s prosperity, but they are also the first victims of their woes. It’s high time investors pay attention to the warning signs and step up their efforts in ensur-ing companies adopt comprehen-sive cybersecurity programs and deployments. Despite the flurry of global cyber-attacks and incessant security in-cidents targeting organizations of various capacities in revenue, workforce, and international pres-

Warning Signs for Investors — The Cost of Cyberattacks ence, some global firms continue to act in denial of the crushing im-pact of cyber attacks. Unfortunate-ly, those that wait or hesitant are doing so at their peril. Hackers are working around the clock trying to figure out how to crack your pass-word, get inside your demilitarized zone, and tear apart your firewall, all while many c o m p a n i e s spend months or years with-out a cogent de-cision on their c y b e r s e c u r i -ty program. This leaves them, and their shareholders, at the mercy of hackers. Why are companies hesitating to invest in comprehen-sive cybersecurity programs that ensure a defence-in-depth of infra-structure, protecting the “lifeline” of their enterprise?

Organizations globally are facing difficulty in protecting their criti-cal infrastructure and in dealing with the complexity of unknown or anonymous perpetrators. Organiza-tions must deal with two “demons”

of our time — innovation and tech-nology. I discussed this in my article Security in the World of Wiki-Leaks. The advancements are beneficial to the world, but they also create poten-tial security gaps and vulnerabili-ties. Therefore, the onus is strictly on security-conscious organizations to prevent, detect, and correct vul-

nerabi l i t ies that might be exploited by threat agents.Just recent-ly, Bell Cana-da requested all their sub-scribers to re-set their pass-words because of a cyberat-tack targeting its customers.

Nothing was said about the cost to all stakeholders. While we may not know the absolute costs of such cy-berattacks, it’s safe to guess that the damage can be severe. The impact of Bell Canada’s security incident is not unique; LinkedIn, Visa, Mas-terCard, Proton, Google, Facebook, Yahoo, Trump Tower, government agencies, and many others have been served cyberattacks.

Traditionally, investment deci-sions were made by measuring an organization’s sustainability and investment viability relative to its profitability (bottom line), but nowadays, in addition to the or-ganization’s prosperity, investors must also consider the state of a company’s cybersecurity and its exposure to threats and hacking. For due diligence and investment protection, here are the ten ques-tions to consider to evaluate the extent of an organization’s vulner-abilities to cyberattacks. ▶ Does the organization have a com-

prehensive cybersecurity program?▶ Are all IT-related applications and

systems up to date? ▶ Does the organization have re-

sources dedicated to IT/IS security?▶ Has the organization aligned its cy-

bersecurity policies with the overall corporate business objectives?

▶ Has the organization invested in security in proportion to its risk exposure and tolerance?

▶ Is there any record of recent cyber-security attacks? What was the re-sponse by the management?

▶ Does the organization have a com-prehensive cybersecurity policy?

▶ When was the last time an audit was carried out on the cybersecu-

SEPTEMBER 2017 | INDUSTRYANDBUSINESS.CA

EMERGING SECaaS Who is pioneering security as a service and how will it affect you? p05

DON’T PAY HACKERS! How to keep your data and your finances safe from ransomware. p09

TIME FOR A CHECKUP Learn 5 ways to improve your organization’s cyber health. p07

Get Informed. Be Aware. Take Action.

Toronto, November 7-8icsic.ocmtontario.ca/

registration

How This Corporate Shark Is Leading the Attack on CybercrimeDynamic entrepreneur, best selling author, and global leader in information security Robert Herjavec shares his insight on how Canadian SMEs can build a robust cybersecurity strategy.

Read more on p06

rity compliance, and what were the findings?

▶ Have the executives and senior management prioritize the cy-bersecurity program with the evi-dence of sufficient funding and or-ganizational structure?

▶ Is there an executive position for the security leader?

Depending on the size of your invest-ment, consider hiring the services of a cybersecurity expert to investi-gate past cybersecurity attacks, or to determine the possibility of immi-nent cyberattack, threats, or vulner-abilities that might jeopardize your investment. Second, equip yourself with at least basic knowledge of cy-bersecurity. Third, understand the investment the company is making, or has made, in response to a compre-hensive cybersecurity and deploy-ment program. Fourth, create time to attend cybersecurity conferences where new threats, global best prac-tices, and solutions are discussed. Fi-nally, remember, your due diligence can never be over-ambitious when your money is at stake.

Yomi Olalere, CISM, CISA, CRISC, SAP, Committee Chair, 2017 International Cybersecurity and Intelligence Conference

“ Why are companies hesitating to invest in comprehensive cybersecurity programs that ensure a defence-in-depth of infrastructure, protecting the “lifeline” of their enterprise?”

2 INDUSTRYANDBUSINESS.CA

B y successfully ma-king the leap to a knowledge-ba-sed economy, Ca-nada is embar-king upon a time of unprecedented

innovation and opportunity, but al-so one of unprecedented threats. In this new digital world, one of big-gest threats facing organizations today, and tomorrow, is cyber risk.

“We always refer to it as the dua-lity of technology,” says Marc MacK-innon, a partner at Deloitte Cana-da who leads the company’s Cyber Strategy practice. “The same tech-nology that is used to create for good can, in the wrong hands, be used to mount cyber attacks.”

According to Microsoft Secure Blog The Emerging Era of Cyber Defen-se and Cybercrime, by the year 2020 the world will need to cyber-defend 50 times more data than it does today. Cybersecurity Ventures also pre-dicts global cybersecurity spending will exceed $1 trillion cumulatively from 2017 to 2021.

Managing Cyber Risk Essential in New Digital WorldThe World Economic Forum recognized cyber risk as one of the top commercial risks facing the world today in its 2017 report Global Risk.

Marc MacKinnonPartner, Deloitte Canada

Cyber risk is more than an IT issueCyber risk is no longer just an IT issue; it is a business issue. And cybersecurity is a strategic impe-rative for organizations of all in-dustries and sizes. Innovators in every sector must take the lead by constantly striving to strike a ba-lance between the need to protect the organization from cyber thre-ats and the need to lay the ground-work for future success by capitali-zing on digital technology.

That is why taking the lead on cyber capabilities means doing more than addressing the threats that exist now. As new technologi-es drive digital disruption, they in-troduce entirely new kinds of cy-ber threats and amplify existing ones — requiring additional next-level capabilities that companies must start building now.

“In response to recent large and well-publicized attacks across a number of sectors, there is a gre-ater sense of organizations now starting to better appreciate what

the risks are and putting the app-ropriate measures in place,” says MacKinnon. “We’re definitely trending in the right direction.”

The value of cyber risk servicesThe most effective way for an or-ganization to maintain the neces-sary levels of security is through partnering with external experts in cyber risk management to ta-ke the lead on cyber risk. Levera-ging teams of global cyber risk ad-visors, these organizations work with clients to build effective cyber risk strategies based on a thorough understanding of their business and industry. The result is a secure, vigilant, and resilient strategy that enables organiza-tions to grow, share, and trust wit-hout deferring compliance.

“One of the challenges that or-ganizations in all industries face today is the talent shortage and the time it takes to fill open posi-tions,” says MacKinnon. “Retain-ing an external cyber risk mana-

gement service provides quick ac-cess to a high volume of qualified, highly skilled resources, as well as best practices and deep industry knowledge that can provide valua-ble insight.”

To protect itself from both evol-ving and emerging cyber threats, an organization needs to ensure it has established basic cyber ca-pabilities that can repel today’s threats, while at the same time investing in future-proof capa-bilities that can protect it from whatever threats might emerge. While digital disruption and cy-bersecurity present serious chal-lenges, those challenges are not insurmountable.

“The threat landscape continu-es to change,” says MacKinnon. “But the good news is that there are a lot of services out there that can help organizations maintain cyber hygiene basics, while also effectively managing their cyber risk profile.”

Gavin Davidson

“ Taking the lead on cyber capabilities means doing more than addressing the threats that exist now. ”

Publisher: Kaileigh Baines Business Developer: Samantha Blandford Managing Director: Jacob Weingarten Production Director: Carlo Ammendolia Lead Designer: Matthew Senra Web Editor: Camille Co Contributors: Steve Biswanger, Paul Butcher, Kathryn Chamberlain, Robert Csernyik, Gavin Davidson, Allen Dillon, Bashir Fancy, Ali Ghorbani, Adam Hatfield, Matthew Hoerig, Scott Jones, Ted Kritsonis,

Bertrand Labelle, Marc MacKinnon, John Menezes, Colleen Merchant, Yomi Olalere, Iva Peric-Lightfoot, Scott Smith, Jim Stechyson, Ken Taylor, Danny Timmins Cover Photo: Lesley Bryce Photo credits: All images are from Getty Images unless otherwise accredited. Send all inquiries to [email protected] This section was created by Mediaplanet and did not involve National Post or its Editorial Departments.

Please recycle after readingStay in Touch facebook.com/MediaplanetCA @MediaplanetCA @MediaplanetCA pinterest.com/MediaplanetCA

SecTor 2017Canada’s Premier IT Security Conference, MTCC, November 14-15, 2017

Register now at SecTor.ca

iTech 2017Vancouver, Edmonton, Calgary, Toronto this October-November

Register Today at itechconference.ca

UPCOMING EVENTS

By 2019, the cybersecurity industry will be

short 2 MILLION people.

We’re working on the solution.Fredericton, New Brunswick is Canada’s epicentre for cybersecurity education, research, and training.

Home to the University of New Brunswick’s Canadian Institute for Cybersecurity and the Canada’s only HoneyNet cybersecurity research lab, our city is producing the next generation of cyber thought leaders,

problem solvers, and skilled workers.

Today’s cybersecurity industry leaders choose Fredericton:

ignitefredericton.com (506) 444-4686 [email protected]

ONLINE EXCLUSIVE

Ignite FrederictonFind out why Fredericton, NB is Canada’s cybersecurity epicentre.

MEDIAPLANET 3

THE ESSENTIALS

Cybercrime has skyrocketed in 2017, with ransomware attacks rising by 250 percent since 2016 and denial of service attacks also increasing in frequency. According to the Canadian Chamber of Commerce, cybercrime extracts 15 to 20 percent of the $3 trillion global internet economy, and costs Canada 0.17 percent of its GDP — equal to $3.12 billion per year.

Small businesses have the false impression that they are insig-nificant to cybercriminals, even though nearly half of all small and medium sized businesses (SMBs) have been the victim of a cyber-attack. In fact, StaySafeOnline.org states that SMBs account for over 70 percent of data breaches, while Visa Inc. reports that 95 percent of credit card breaches are from small business customers.

“Cyberattacks on large organ-izations garner most of the atten-tion,” says Ken Taylor, President of the International Cybersecurity Protection Alliance for the Amer-icas. “However, when you dig deep-er, you realize cybercriminals are penetrating small businesses and using them as a conduit into big-ger organizations.”

“Small businesses are often used as a back door into global supply chains,” agrees Scott Smith, Direc-tor of Intellectual Property and In-novation Policy at the Canadian Chamber of Commerce. “But cyber-criminals also realize that going af-ter a number of small targets results in higher profits and a lower profile than going after one big target.”

Why small businesses are attractive to cybercriminalsSMBs are attractive to cybercrim-inals by their lack of resources, readily available information of value, and partnerships with lar-ger businesses. As the Canadian economy is made up predomin-antly of small businesses, and be-cause many do have a relation-ship in larger supply chains, ex-posure to cyberattacks at the SMB level presents a threat to the lar-ger economy.

“The overconfidence that SMBs are not a target puts them in a very weak position, and they be-come a major risk to the en-terprise groups that are work-ing hard to protect their infra-structure,” says Allen Dillon, Managing Director at CyberNB. “All of the enterprise companies in some way do business through the supply chain with SMBs. Without adequate security they become the entry point for crim-inals into the enterprise system.”

The primary concern for SMBs when it comes to increasing cybersecurity is resources — most have limited finances available to address the challenges presented by cybercrime and little inclin-ation to invest in protection. As a result, according to the Canadian Chamber of Commerce, 74 percent of micro-sized businesses are cur-rently making no investments in cyber training.

This is a statistic that Dillon finds concerning. He feels that Canada must “get to a place where society and our businesses are at least fundamentally educated on how to operate in a secure and re-sponsible way.”

The importance of a cybersecurity standardThis is the goal of the international standard Cyber Essentials certifi-cation program. Launched in Can-ada earlier this year, Cyber Essen-tials Canada, and the toolset The Cyber Highway, is a globally ac-cepted standard to help all busi-nesses prevent and respond to cyberattacks. Cyber Essentials Canada is cost-effective and lacks complexity, and therefore is an ap-pealing solution for SMBs. Cyber Essentials Canada is one of a num-ber of IT security certifications available to Canadian businesses.

“The value of earning certification is self-reliance and self-defence — the more difficult you make it, the less of a target you are,” says Smith. “The whole point is to lower your target profile and to be resilient, so if you do end up in an attack situation you’ll be able to get back up and running at the least cost in the least amount of time.”

“By addressing security issues and increasing awareness, certifi-cation can address 80 percent of the cybercrime targeting small busi-nesses,” agrees Taylor. “But the most important thing businesses can do is take accountability and respons-ibility for their cybersecurity.”

Small Businesses and the Threat of Cybercrime

Gavin Davidson

SPONSORED

“The more difficult you make it, the

less of a target you are.”


EXPERT INSIGHT

A recent study from IBM con-cluded 95 percent of suc-cessful cyberattacks are the result of human error. Why is it that we’ve been treating better technol-

ogy as the solution to cybercrime when it’s the people who are the last line of defence for cyberattacks within organizations?

The role of technologyTechnology certainly does play a role in pro-tecting companies, patching software, and having security measures in place make cyberattacks more difficult. Because of this, the status quo in the security world has been focused on creating better technology. For dec-ades, it was declared we simply needed to buy better anti-virus and firewalls. But technology is only part of the solution.

The role of peopleFacebook CSO Alex Stamos highlights that more harm comes from behaviours, business processes, and assumptions users have about cybersecurity. To a room full of cybersecurity experts at the Black Hat 2017 conference, Alex proposed relationship building and education as a solution to the ever-increasing cybercrime.

“The truth is that the vast majority of harm comes from the simple problems that are difficult to solve, such as the rampant reuse of passwords.”

To create a pan-organizational conversa-tion and awareness of security, all individ-uals need to understand their role within cybersecurity; there needs to be an ongoing conversation across all departments; and business processes need to take cybersecur-ity into account — but how?

Best practices for organizationsTo take tangible steps to incorporate cyber-security into an organizational culture, cybersecurity expert and CEO of CyberGRX Fred Kniep recently published a list of best practices in Compliance Week for organiza-tions to implement.

(1) Ensure a security representative is attending all board meetingsThis requires a company to designate one (or several) individual(s) to own the security pro-gram. Secondly, that security must be priori-tized at the very top of the organization. If the executives don’t recognize the value in cyber-security, it’s unlikely that the rest of the or-ganization will.

(2) Educate security representatives on how to effectively communicate cyber riskEffective communication. The security rep-resentative(s) will need to be able to translate the technical jargon into concepts that other departments can understand.

(3) Provide security representatives with business contextFred emphasizes that there needs to be a two-way conversation. The security representative needs to understand the pressures and motiv-ations of the different departments.

(4) Clearly differentiate between cyber-risk management and complianceBeing compliant is a snapshot in time. Cyber-risk management is like managing any other business risk — it involves taking daily steps to get to a comfortable level of risk.

It’s everybody’s businessSuzie Smibert, CISO at Finning International, summarized this well in a recent interview with Ben DiPetro at The Wall Street Journal:

“Cybersecurity is not just an IT issue, it’s everybody’s business... You can’t just buy tools and hope they work; there are lots of processes and human elements to having a proper risk management and cybersecurity program. It takes training — and boards and executives need to attend and participate.”

Kathryn Chamberlain

CYBERSECURITY IS EVERYBODY’S BUSINESS

SPONSORED

Contributed by Kathryn Chamberlain. Kathryn is a business development officer at Beauceron and a Venture for Canada Fellow. Beauceron is a cybersecurity company that empowers organizations of any size to measure, monitor, and manage their cyber risk by taking people, process, culture, and technology into the equation. Kathryn holds an honours Bachelor of Commerce with a minor in Mathematics from Mount Allison University (’17). Her research interests include organizational behaviour and culture. She can be found on Twitter @_kachamberlain.

KNOW YOUR ENEMYTop Tips from a Hacker

Mediaplanet What originally drew you into the world of hacking?Kevin Mitnick Challenge — pursuit of knowledge, seduction of adventure. In high school, I met this other kid who could per-form magic with the telephone. It was called “phone phreaking,” and it facilitated my other great passion: pulling pranks. As the phone company started using computers to control devices, such as phone company switches, my interest in hacking began.

When I started, it was completely legal and hacking was cool. Hackers were considered the whiz kids. My favorite hack of all time, still to this day, was when I was young, hack-ing the McDonald’s drive-through window. Truthfully, my passion for hacking has al-ways remained the same. Businesses hire my company to try and break into their organiz-ations to test their security. It’s like living in a heist movie. What’s not to love about that?

MP What are the biggest barriers a hacker faces when attempting to access private information?KM Not much. Private information is free-ly available if you subscribe to the right databases, typically used by information brokers. These databases allow you to query a person’s social security number, birth-date, current and past addresses, and cur-rent and past phone numbers. Once this in-formation is obtained, it’s not too difficult to obtain the target’s credit report online.

As far as gaining access to enterprise infor-mation, the biggest barrier is layered security controls, meaning I would have to compromise several layers of security to break in. I travel the world and demonstrate live hacking at many conferences and speak to people of all walks of life. Lately, I’ve been showing how easy it is to steal someone’s personal identity in about 60 seconds! By accessing some databases, I’ll know an individual’s mother’s maiden name, social security numbers — a whole bunch of stuff.

MP How does security for mobile devices differ from that of corporate services and PCs?KM Most people don’t even use security on their mobile phones, such as adding a pass-code. The majority of people blindly use pub-lic Wi-Fi in public spaces. If there is one thing anyone can take away after reading this — use a virtual private network (VPN) service. One thing people should consider is purchasing a VPN subscription so that they can secure-

ly connect when using public Wi-Fi. Basic-ally, if you aren’t using a VPN, your internet traffic may be monitored, or worse, you may be hacked when using open wireless networks.

MP Information security breaches have been a hot topic in the past couple months with Equifax, Petya, and WannaCry. What steps would you tell organizations to follow to improve their cybersecurity measures?KM There are two important and easy steps that will provide much, much better cybersecurity for any organization.

Get tested regularly. Smart organizations are using the progressive strategy known as “red teaming.” This is a rewarding practice of using external, independent teams to challenge or-ganizations to find ways to improve their ef-fectiveness. The red teaming strategy encom-passes and parallels the military use of simu-lations and war games, invoking references to competition between the attackers (the red team) and the defenders (the blue team).

For cybersecurity, this is known as sec-urity penetration testing, the use of third-party penetration testers to simulate at-tacks by real intruders against systems, infrastructure, and staff. The ultimate goal is to provide organizations with a thorough analysis of their current security.

Secondly, train all your staff on what social engineering is and how to detect it. People are the weakest security link. They can be ma-nipulated or influenced into unknowingly and innocently helping hackers break into their organization’s computers, and they can be manipulated into handing over the keys the kingdom. Social engineering is a tech-nique used by hackers and con artists that leverages your tendency to trust. Providing security awareness training for staff is abso-lutely crucial in light of social engineering.

Finally, I know that the “business” of cyber-security is new and growing, and I don’t ig-nore the irony that I’ve been able to turn lem-ons into lemonade. But I do see a problem with cybersecurity business as it’s now be-coming a modern-day gold rush with its own versions of fake claims. There is no silver bul-let for security; there is no such thing as ab-solute security, nor is there any automated tool that even comes close to the skills of a motivated hacker probing for an organiza-tion’s vulnerabilities. The truth is simple. It takes one to know one.

World-famous hacker-turned-security expert Kevin Mitnick shares best practices for staying

safe in an increasingly exploited digital universe. Ask Kevin Mitnick and he’ll tell you that there is a silent war happening

everywhere around us. You could even be a casualty right now, and more than likely not even know it — most don’t. As he writes, “One of my team told me recently: ‘It’s almost a Cyber World War now, but

barely anyone knows it, and those that do actually don’t know at any given time know who, or why they are fighting.’”

In this one-on-one with Mediaplanet, the renowned computer security consultant opens up the tool kit of today’s hackers for us to better

understand and stay protected against them.

MEDIAPLANET 5

THREAT INTELLIGENCE

Stratejm Cyber Intelligence Centre. Photo | Submitted

By moving their network secur-ity needs to the cloud and lever-aging Secur-ity-as-a-Service (SECaaS) provid-

ers, Canadian businesses can in-crease efficiency and save money. Canadian enterprises and business-es of all shapes and sizes are fall-ing victim to an increasing num-ber of cyberattacks. Simultaneously, they’re also facing numerous chal-lenges in the implementation and application of effective and efficient cybersecurity controls.

“Cybersecurity has become a major problem for all enter-prises, large and small,” says John Menezes, President and CEO of Stratejm, a Canadian firm that has pioneered the use of a cloud-based Security-as-a-Service in Canada. “Meanwhile, the trad-itional methods of fighting cyber-crime are becoming increasingly expensive, difficult to implement and operationalize.”

According to Cybersecurity In-siders’ latest Cloud Security Report, based on a comprehensive online survey of more than 1,900 cyber sec-urity professionals, data breaches are at an all-time high, while a lack of qualified security staff and outdated security tools remain the top issues for cyber security professionals.

This is despite the fact that Can-adian businesses are spending in-creasingly substantial sums of money to protect their business-es and data from cybercriminals. Even with substantial investment, the ever-evolving threat landscape ensures that determined adversar-ies are always one step ahead. New

threats and methods of attack have forced Canadian enterprises into a never-ending game of cat and mouse. The resulting costs and operational complexity associated with this ap-proach are simply unsustainable.

Taking it to the cloudThankfully, it’s not only the bad guys that are making use of new technology to stay ahead of the game. Recent advancements in cloud-based computing have given rise to SECaaS offerings. Designed from the ground up to provide clients with robust, en-terprise-grade cybersecurity solutions in an innovative and cost-effective manner, SECaaS is a security management model wherein cloud service providers offer security services along with IT infrastructure on a subscrip-tion basis.

“Cybersecurity is composed of many different components, and enterprises must undertake sig-nificant costs to purchase and in-tegrate each component,” says Menezes. “Security-as-a-Service brings all the foundational ele-ments of any security program together and offers a single pack-age as a monthly subscription ser-vice, resulting in lower costs and fewer worries.”

Many advantages to cloud-based securityThe advantages of using a SE-CaaS solution are myriad and in-clude increased agility, reduced complexity, consolidated control, and a reduced need to hire hard-to-find security professionals. In 2016, 46 percent of organizations reported a shortage of cybersecur-ity skills in their staff, according

to ESG Research. One of the most important benefits to using a SE-CaaS solution is access to highly trained staff, along with the abil-ity to get those resources up and running very quickly.

Using an SECaaS solution offers real integration and event correla-tion between applications, serv-ers, and network and security de-vices. It also provides a full range of network performance monitor-ing and reporting features, which maximizes your efficiency and minimizes the capital obligations associated with continually pur-chasing new preventative secur-ity technology.

“With this type of service, busi-ness owners no longer need to worry about evolving technology, hiring qualified staff, or constantly upgrading equipment and capabil-ities,” says Menezes. “All the trad-itional challenges associated with an in-house security program are removed. The cloud-based service takes care of everything and pre-sents it to you in an easy-to-navi-gate user interface.”

With cyberattacks on the rise, every organization a potential tar-get, and none but the biggest of or-ganizations able to adequately fi-nance increasing security needs, now is the time to consider pla-cing responsibility for the security of your network and assets into the hands of a SECaaS provider.

Gavin Davidson

Moving Security to the Cloud Saves Time, Money, and Headaches

Enhancing Security Operations with Threat Intelligence

Managed Cyber Threat Intelligence (MCTI) from Stratejm

Stratejm’s MCTI curates the data to ensure that the output is contextual and actionable. Security analysts are able to improve the speed and accuracy of detection while simultaneously improving response times and significantly enhancing security operations.

A New Way Forward: Security-as-a-Service (SECaaS)

Intelligent SIEM

Vulnerability Management

24x7x365 Cyber Intelligence Centre

Asset Management

Real-Time Cyber Threat Intelligence

Network Access Control (NAC)

Risk Analysis

Incident Management & Response

@stratejmfacebook.com/Stratejm

Contact [email protected]

Connect Online

Data Sovereignty: Your data is resident in Canada

No Hardware or Software Required

Actionable Intelligence

Machine Learning & Advanced Data Analytics

Visibility Across ALL of your IT Assets

Rapid Deployment

Recorded Future arms security teams with threat intelligence powered by patented machine learning to lower risk. Our technology automatically collects and analyzes information from an unrivaled breadth of sources and provides invaluable context that’s delivered in real time and packaged for human analysis or instant integration with existing security technology. Visit us at www.recordedfuture.com.

John Menezes President, CEO, Stratejm

“ Designed from the ground up to provide clients with robust, enterprise-grade cybersecurity solutions in an innovative and cost-effective manner.”


How Safe is Your Business from a Cyberattack?

Canadian small and mid-sized businesses report decreasing confidence in protecting their data from cyberattacks.

of employees are very confident that their organization would be able to keep their business and its information safe from a cyberattack. This represents a seven-point drop year-over-year.

of employees believe their business is at risk of experiencing a cyberattack.

of employees recognize that they do not spend enough time and money on cybersecurity.

of employees believe cyberattacks on businesses have increased within the last year alone.

A lack of education, training and money means companies are not prepared for a cyberattack:

Don’t spend enough in cybersecurity protection systems.

Don’t know how their organization could be attacked.

Don’t know how their organization is currently being protected.

Don’t spend enough time on staying current with cybersecurity issues.

26% 46%

14% 73%

23%

For more information on how to ensure your business is protected against a cyberattack, visit eset.ca/cybertraining to access free cybersecurity training for your employees.

35% 24% 19%

Source: Ipsos/ESET Cybersecurity Survey, September 2017

THREAT INTELLIGENCE

to do this without an expert partner is extremely challenging.

MP How do you feel about the implementation of the General Data Protection Regulation (GDPR) in Canada? Will it affect cybersecurity strategies for SME owners?RH Compliance is a key driver in the cybersecurity space. We’ve seen direc-tives and regulations like PCI, HIPAA, and PIPEDA change how business is done globally, and now Canadian organ-izations that do business with the EU will need to adapt to the GDPR.

On May 25, 2018, the GDPR will start being formally reinforced, aiming to regulate how businesses manage data breaches and prioritize data privacy in order to protect consumers. The regula-tion will apply to enterprises in all coun-tries across Europe, as well as any global enterprise collecting, storing, sharing, or processing data on EU citizens. Failure to comply with the GDPR can result in a fine of €20 million or 4 percent of annual global turnover, whichever is greater.

This will change how businesses on all sides manage their customer infor-mation. Increased diligence and control will be required, including in database management and security protocols.

MP When is the right time to outsource vs. do it yourself? Where have pain points been seen most often in a DIY model? RH Outsource vs. in-house is always a tough decision for any company, es-pecially at the SME level. We’ve seen some organizations leveraging inter-nal IT resources for things like net-working and storage, but outsourcing specialized work on the security side, such as managed security services, in-cident response, and threat hunting. It’s absolutely a balance of resource availability, expertise, proactivity, and budget requirements. Labour avail-ability and expertise are really the big-gest issues. We’re seeing the demand for cybersecurity services, particular-ly managed security services provid-ers, grow exponentially across Can-ada. When you DIY, you don’t know what you don’t know — sounds simple, but it’s true. It’s challenging to stay on the cusp of emerging trends and to have the bandwidth to complete mul-tiple projects. How do you prioritize? How do you learn industry standards, best practices, or what is going on across other organizations? Outsourc-ing can generate economies of scale and powerful cross-client correlation benefits in the long term.

SET YOUR BUSINESS UP FOR SUCCESSCybersecurity provides a stable foundation and allows you to stay competitive.

(1) Assess your risk How you run your business, and the kind of data you hold, impacts the level of risk to your business. Organizations of all sizes generate and store data that could be of interest to cybercriminals. Consider how valuable, or sensitive, each set of data is by performing a security audit, to determine the unique mix of software, solutions, IT policies, and procedures needed to achieve appropriate protection.

(2) Educate your staffEmployees are a business’ first line of defence, so training them in cybersecurity best practices and developing a proactive security plan is integral to building confidence with your customers. ESET experts have developed a free cybersecurity awareness training program, which is available for download and distribution by any organization to its employees, regardless of whether they use ESET’s software or not. The program takes less than 90 minutes to complete and provides progress tracking and certification.

(3) Deploy a multi-layer, multi-vendor security solutionThe best strategy is to make an attacker’s job as difficult as possible by having security at every level to prevent breaches. For reliable and strong cybersecurity defences, companies should opt for a solution that offers multiple complementary technologies, with high detection rates, and a low number of false positives. That way, if one technology layer is bypassed, an array of others are in place to take action and keep information protected.

How updates make your security solution strongerAnti-malware software installed on endpoints, such as computers and mobile devices, must be kept up to date so that they are equipped to recognize and defend against the latest threats. A great feature of ESET products is that software updates are made automatically, keeping devices always current with the most recent protection available. In addition to lower false positive rates, the updated solution can use data to create a reliable threat database stored in the cloud. By sharing with all recognized devices, this can protect users from a wider array of malicious items.

Outsource IT supportOne way to ensure attention is focused on the growth and development of your company is to consider outsourcing IT. IT partners and trusted tools can provide proactive preventa-tive support that allows you to scale and upgrade security ser-vices to fit your business’ growing needs. Doing so will free up space and time to invest in your business and employees.

Mediaplanet How would you say that your organization or industry values data?Robert Herjavec Data is paramount to everything we do. Basically, data is power. In the world of cybercrime, data is currency. There is a value there, wheth-er it’s an email address, financial trans-actional information, personal records, or what have you. Data is being used as a weapon today, and we’re seeing data loss and security breaches become regular headline news. Data is central not just to the cybersecurity industry, but across all industries. As a cybersecurity servi-ces provider, it is our job to protect cus-tomers’ data, and also to enrich the data received for trend analysis and defence against future cyber threats.

MP What would you say are the biggest knowledge gaps SMEs are facing when it comes to their vulnerability to cyberattacks?RH The biggest knowledge gaps for SMEs are first of all, not understand-ing the threats they are facing, and, second, not having the right IT skill to defend themselves against these cyber threats. Attack vectors are constant-ly evolving, and it’s very hard to find trained security professionals to keep up with the threat landscape. Trying

How This Corporate Shark Is Leading the Attack on CybercrimeA dynamic entrepreneur, in 2003 Robert Herjavec founded Herjavec Group, a global leader in information security, currently ranked #1 on the Cybersecurity 500 as the world’s most innovative cyber firm. HG specializes in managed security services, consulting, delivery and incident response for enterprise-level organizations. Robert’s ability to interpret industry trends and understand enterprise business security demands has helped him achieve the profile of a global cybersecurity expert. He shares his expertise with other entrepreneurs each week as a leading Shark on ABC’s Emmy Award-winning hit Shark Tank.

Iva Peric-LightfootESET Country Manager

TIPS

MEDIAPLANET 7

5 WAYS TO IMPROVE YOUR ORGANIZATION’S CYBER HEALTH

TIPS

With recent headlines announcing large-scale ransomware attacks on multinational corporations, including the theft of 150 million credit reports and personal information, the awareness of cybersecurity has never been higher. A cyber attack could result in significant financial losses, cause permanent damage to your brand and reputation, put you at risk of fines and prosecution and compromise your intellectual property.

While there are many areas of cybersecurity which merit your attention, these are five key areas you should focus on:

(1) Cybersecurity Health CheckA cybersecurity health check helps you understand where your business is at greatest risk of an attack. It outlines what you could lose and ensures your investment and resources are properly allocated to provide the greatest protection.

When completing a health check, ask yourself what is most at risk: ▶ Do you store personal data or use proprietary research

or technology?▶ What would cause the most damage, financially or

reputationally, to your customers? ▶ What would be of greatest value to the attacker?

Once you have completed your health check, initiate an action plan to better secure the highest-risk areas of your technology infrastructure. Review this process annually at a minimum.

(2) Focus on PreventionNew threats are evolving faster than traditional defences can keep up. Therefore, a strategy completely focused on protection will always be a step behind. Organizations need to direct more of their cybersecurity budget toward preventative measures which help them see where they are vulnerable and where defences must be strengthened. These can help you scan your infrastructure for known exploits employed by cybercriminals and model how they could compromise your existing cybersecurity controls.

(3) Have a PlanJust as your office has safety procedures in the event of a fire, your business should have an incident response plan to defend your data in the event of a cyberattack.

This plan should include:▶ A legal team to provide guidance and communicate

cybersecurity matters within the court system.▶ A communications plan or team to develop messaging

for both your clients and the media, if necessary.▶ A cybersecurity firm to help contain and eliminate

the threat and conduct digital forensics once the attack is resolved.

▶ An incident response plan dictating the actions of key employees and outlining how to respond to the threat. This plan should be practiced frequently.

(4) Education and Training All staff play a role in ensuring your organization’s cybersecurity. Frequent education is critical. Your training programs should include▶ Leadership involvement and role-modelling.▶ Overview of long-term cybersecurity plan and goals.▶ Personalized training plans based on role and

access level.

(5) Understand and Limit Access to InformationEnsuring the safety of your data means knowing who has access to your information and frequently reviewing whether certain permissions are required to do business. This will also include third-party service providers. An annual review of their security posture and access rights should be completed.

Assessing and prioritizing data:▶ Who should have access to this information? ▶ What information is private and sensitive? ▶ What qualifies as intellectual property and how tightly

is it guarded?▶ What controls and agreements do you have in place?

In this constantly evolving technology landscape, it is important to understand where your organization is vulnerable to cybersecurity threats. An impartial third-party assessment is an effective first step for identifying gaps in your cyber defence strategy and learning what you can do to protect your information.

Danny Timmins

Danny Timmins, CISSP, is National Cybersecurity Leader at accounting, tax and consulting firm MNP. He has more than 20 years’ experience working with organizations to improve awareness, reduce risk, and implement effective cybersecurity strategies.

MP With the ever-increasing amount of smart technologies and the IoT, how are cloud security solutions evolving to support more interconnected networks?RH Cloud computing is the future for one main reason — scale. Just think about everything we have that’s connected: computers, cell phones, cars, thermostats, even your fridge! Every-thing has an IP address (or a few!) and that data needs to be stored somewhere. As the amount of storage that’s required for all the data being collected grows, we’re seeing more compan-ies move toward the cloud model. It’s scalable, grows with your business, and we are dispelling the myths of the unsecure cloud.

MP What do you see as this industry’s greatest challenge over the next five years?RH Complexity is the enemy of execution, and the cybersecurity industry thrives off complex-ity! Over the next five years, there will be more complexity in all areas – more connected devices, more vulnerability, and more risk. The more com-plex things gets, the more vital it becomes for pro-active cybersecurity measures. You’ve got to bal-ance people, processes, and technology. It sounds simple, but you can’t ever let up on the basics. You should train your employees on why security matters and what to look out for. You should have documented processes, escalation plans, data re-covery plans, incident response plans, asset clas-sification plans (you get it – PLAN), and you should

have a proactive security technology approach so that you’ve got the right services and prod-ucts to support your security posture. The great-est challenge is staying ahead of the bad guys while you do all this, and still supporting your business’ objectives.

“ Data is being used as a weapon today, and we’re seeing data loss and security breaches become regular headline news.”


CYBER COMPLIANCE

R obert Gordon believes that technology isn’t the key to making businesses safer. Rather, the Executive Dir-ector of the Canadian Cyber Threat Exchange (CCTX) says

that it’s companies of all sizes sharing cyber-attack information with each other that helps to protect them. We want to increase cyber resilience across the economy.

“The richer the dialogue, the more you start to get really powerful capabilities to go after the bad guys,” says Gordon.

This need for collaboration is why the CCTX was launched in April 2016. Initial-ly funded by nine corporations, it now fea-tures members of various sizes and indus-tries from across Canada.

The CCTX will be partnering with the Can-adian government’s Canadian Cyber Incident Response Centre (CCIRC) and Communica-tions Security Establishment (CSE) to provide broad, contextually rich data to its corporate members which can be rendered into action-able intelligence. This helps companies stay on the cutting edge of the latest cyberattacks and vulnerabilities.

The more technology evolves, the more ways there are for cybercriminals to find their way inside networks through cyberespionage, phishing, and ransomware attacks.

Spotlight on Corporate CybersecurityCompanies build stronger networks through the Canadian Cyber Threat Exchange.

That’s why the collaborative approach of the CCTX helps members assess how secure their systems are by informing members about what’s happening to other compan-ies in Canada.

Not just stealing informationIn the past, cybercriminals wanted to steal information, says Gordon, but now the trend is for them to deny information that’s im-portant to you.

Even though many companies say they don’t have a lot to hide, he says everyone has something of value — such as billing records and client rosters — that could fall victim to a ransomware attack.

Gordon says one important measure to consider is dwell time — the length of time cybercriminals stay inside of networks. He says it can go up to 200 days or more, and breaches aren’t easy to come across.

“It can be like finding a needle in a hay-stack,” he says, of trying to find an intruder in your network. “But exchanging best practices can help reduce that time and stop damage.”

Strength in numbers Gordon believes there is strength in num-bers, as today’s cybercriminals have in-creased patience and sophistication when plotting their attacks.

“Besides,” he says, “the bad guys do a lot of collaboration among themselves.” We want to drive up the costs for the attackers.

That’s why he feels it’s necessary to have what he calls a “cyber-mature” understanding of collaboration among Canadian companies. In Gordon’s view, open dialogues create a more level playing field to work from and give a bet-ter understanding of how best to use people and processes to combat cybercrime.

“It’s no longer the case that you have to engage in a cybersecurity strategy alone,” says Gordon.

Robert Csernyik

Government cybersecurity expertise is now available to the Canadian public.Nobody is immune from the cyberattacks that are on the rise worldwide — not even the Canadian government. That’s why the Communications Security Establishment (CSE) plays a vital role in our national security.

While defending the Canadian government against cyberattacks and protecting Canadians’ information is the CSE’s main goal, Deputy Chief of IT Security Scott Jones says another priority is emerging.

“With the internet powering the economy, it’s important to share cybersecurity tools and technology that we might have previously used just to protect government systems, ” he says.

In the past the CSE was a quiet arm of the government, but with the rise of the importance of cybersecurity, it’s taken on a more prominent role. The Government’s proposed national security legislation, Bill C-59, includes the CSE Act, which is designed to more clearly outline the organization’s ability to defend important cyber networks across Canada and undertake cyber operations within strict limits.

“We’ve been code makers and code breakers for 70 years,” says Jones, although today there’s a real need to share their knowledge with the private sector and other Canadians.

Resiliency through collaborationJones says many Canadians would be surpri-sed to know how willing the CSE is to speak out and collaborate with others to make a stronger cybersecurity ecosystem.

“Making Canada more resilient to cyberat-tacks is going to be done through collabora-tion,” he says. “And we have the willingness and desire to engage others.”

Jones says this includes collaborating with multiple sectors such as the government, academia, non-profits, and the private sector. CSE offers specialized cybersecurity training to government organizations, and freely shares cybersecurity tools with the private sector and best practices with the Canadian public.

Government Shares Best Practices for Better Cybersecurity

“ It’s companies of all sizes sharing cyberattack information with each other that helps to protect them. We want to increase cyber resilience across the economy.”

Scott JonesDeputy Chief of IT Security, Communications Security Establishment

SPONSORED

To learn how your company can benefit from a Canadian

Cyber Threat Exchange membership, visit cctx.ca

Robert (Bob) Gordon Executive Director,

Canadian Cyber Threat Exchange

SPONSORED

You can learn more about these critical actions and how to apply them to your company by visiting

the Communications Security Establishment website today at

cse-cst.gc.ca.ca

Top 10 cybersecurity toolsSmall- and medium-sized enterprises don’t always have the capacity for a large inter-nal cybersecurity force. This is where using CSE’s special cybersecurity materials, based on their own best practices, really has an im-pact on the security of a business.

“We have gained a lot of experience defen-ding the government from online threats,” Jones says. “It’s not theory for us, it’s reality.”

The CSE website features a large number of educational articles and videos to help share their cybersecurity knowledge and techniques.

Jones says one of the most critical things a company can do is follow the CSE’s Top 10 IT Security Actions list to improve cybersecurity. While this list currently focuses on actions for the government, CSE will be releasing updated advice for everyone in the coming days.

The top 10 actions are:(1) Use Shared Services Canada (SSC)

internet gateways(2) Patch operating systems and applications(3) Enforce the management of

administrative privileges(4) Harden operating systems(5) Segment and separate information(6) Provide tailored awareness and training(7) Manage devices at the enterprise level(8) Apply protection at the host level (9) Isolate web-facing applications

Implement application whitelisting

Rob Csernyik

Communications Security Establishment (CSE). Photo | Submitted

MEDIAPLANET 9

To learn more visit hostedbizz.com/phishinginfo

CLOUD SECURITY

Ransomware has become the threat-du-jour for organizations of all sizes as IT teams, CISOs, and CIOs struggle to keep up with the rapidly changing threat landscape and barrage of attacks from cybercriminals and hackers.

While IT teams face the daily challenge of securing networks and servers, end-users face regular cyber threats such as phishing, vishing, whaling, and other internet villainy. Just when we thought we had escaped the latest in that long

list of threats, along comes ransomware to test out corporate IT security defences and preparedness like never before.

“It is hardly surpris-ing that ransomware has become so ubi-quitous and success-ful — it’s a booming business for cyber-criminals,” says Paul Butcher, who, along with co-founder Jim Stechyson, runs Can-ada’s fastest growing cloud service provid-er, HostedBizz. “Ran-somware has an im-pressive ability to evolve, sneaking past

existing defences like secure email gateways and desktop anti-virus with ease and tricking users into running its viral payload.”

Like most malware, ransomware finds its way into an organization through malicious code often referred to as a Tro-jan. Once launched, the ransomware at-tacks the organization, locks down data access, and demands a ransom payment to regain access. “Cybercriminals work tirelessly to improve their product,” says Stechyson. “Using sophisticated methods to both avoid detection and

WHAT IS IT?

Spammedemails

Othermalware

Compromisedwebsites

*Not guaranteed that victim will regainaccess to their systems or �les

HOW DOES DATAKIDNAPPING GO?

HOW DOES THE FILEENCRYPTION WORK?

HOW IS THE RANSOMPAID?

Ransomware: Locks the screen

Crypto-Ransomware: Finds certain �les and encrypts them

Arrives in user’s computer Displays the ransom note

Victim receives a ransomnotewith instructions onhow to pay through Bitcoin.

Victim purchases Bitcoin* andtransfers it to the attacker’s Bitcoin address.

Victim sends the Transfer ID to the attacker as proof of payment.

Once transaction is complete, the attacker will send the decryption* instructions to the victim.

*Ransom ranges from US$ 24 to US$ 6000+

Once inside a system,crypto-ransonware connects to randomly generateddomains to download a public key.

It searches for importantproductivity �les like .doc, .xls, and .pdf.

It generates a key for each�le then encrypts them.

The crypto-ransomwarethen writes the encryptedkey at the beginning of all �les.

HOW DO YOU GET INFECTED?You can be infected when you unknowingly download ransomware from:

Ransomware is a serious security threat that has data-kidnapping capabilities. It limits access to �les or system functions, or even renders systems totally useless. Then it forces victims to pay ransom to regain access to their �les/systems.

HOW CAN YOU PROTECT YOUSELF?An antidote to a ransomware infection has yet to be discovered.

However, one can certainly avoid falling victim to it with the following practices:

Practice the 3 - 2 - 1 rule: Three backup copies of your data on two di�erent media, and one of those copies in a secured seperate location - a cloud backup service is recommended.

Check the sender’s email address against your contacts before opening any link or downloading anything from your email.

Bookmarking frequently visited and trusted websites will prevent you from typing in a wrong address.

An up-to-date security software addsan extra layer of protection. Update itregularly so it can protect you againstthe latest ransomware variants.

Update Your Security Software

WHY RANSOMWARE? - THE NUMBERS

1 1

1

2 2

2

2

3 3

3

4 4

RANSOMWARE 101 What, How & Why?

Annual Ransomware Revenues: $1 Billion +Infection Rate: 4000+ DailyAverage Ransom Demand: $3500 - $6000Average Downtime caused: 24 Hours

Virtualization

LaptopMalware

FirewallWAN

LANMobile

Private

RansomwareDRaaSPhishing

Disaster RecoveryCyber

Security

Remote Desktop

DRaaS

VPN

Desktop as a Service

Employee Education

IaaS Cloud Backup

CLOUD

Applications

Attack

BusinessContinuityScalability

Elastic

InfrastructureComputing

2FA

Data

CIO

PaaSCLOUD PROVIDER

SPAM

DESKTOP

DATA CENTRE

Technology

SaaS

Public

Public Cloud Computing

SOFTWARE

Hardware

HYBRIDCLOUD

DESKTOPCLOUD

Remote Access

24/7/365

3-2-1

Innovative Canadian Cloud

www.hostedbizz.com ... 1.855.464.6783HostedBizz is powered by Veeam and NetApp

The Latest Cybercrime Boom and How to Prepare for it

RANSOMWARE ensure execution of the ransom-ware, these ransomware authors are proving themselves to be for-midable adversaries.”

Ransomware attacks are in-discriminate, with all industries potentially vulnerable to this type of cyberattack. The frustra-tion of those affected by these problems is palpable, and most are now looking at a broader cross section of strategies and tactics to protect themselves and, more importantly, to recover post-at-tack, rather than rely on pure-play security solutions alone.

HostedBizz believes that a multi-layered approach is re-quired to protect any organ-ization. “While most small to mid-sized organizations em-ploy basic security such as fire-walls, antispam, and antivirus software, they lack essential systems and processes that as-sess vulnerabilities, educate end users, and ensure data recovery - simply put the basics are insuffi-cient to protect”.

Part of the layered approach in-cludes an ability to identify the presence of malware/ransom-ware and to notify IT so that the instance can be isolated and eradi-cated — “the end user plays a big part in reducing vulnerability”.

HostedBizz suggests using the following tactics to augment an organization’s security and defence:

Use a third-party provider to conduct simulated phishing email campaigns, a safe and secure method to assess vulnerability at the end-user level by sending emails disguised as legitimate to employees with fake malicious links or attachments. These simulations provide real-time and valuable information regarding employee behaviour and assist management in understanding corporate risk.

Implement a cybersecurity education and testing program that raises awareness and trains users to be more cyber alert and how to react to potential threats. More important than perpetual education is an ongoing management commitment to test the effectiveness of it. Similar to phishing simulations

these education programs are often available through the same provider and are surprisingly affordable.

ware preparedness and protection strategies can’t simply contain steps to stop ransomware from entering the organization. To be truly prepared, plans should include measures that allow any infected data and systems to be put back into a productive, pre-ransomware state. Implementing data backup policies that provide offsite data storage provides 100% confidence for data recoverability. “Having the offsite copy with a Disaster Recovery as a Service (DRaaS) provider gives added assurance that critical systems can be recovered in the cloud in a timely manner in the event of a significant corporate-wide security breach.

Co-founders of HostedBizz Jim Stechyson (left) and Paul Butcher (right)

An up-to-date security software adds an extra layer of protection. Update it regularly so it can protect you against the latest ransomware variants.

HOW CAN YOU PROTECT YOURSELFVictim receives a ransom note with instructions on how to pay through Bitcoin.


CLOUD SECURITY

The cloud offers an innovative solution as evolving cybersecurity threats require businesses to protect themselves with sophisticated tools.Cybercrime has spiked significantly in recent years, particularly with ransomware attacks, which have skyrocketed 250 percent in the past year. More and more, small- and medium-sized en-terprises (SMEs) are being targeted. The Canadian Cyber Incident Response Centre (CCIRC) recently found that while 90 percent of SMEs believe a cy-berattack would have a serious impact on them, 50 percent also believe they wouldn’t be targeted.

SMEs make up an incredible 98 percent of Canada’s business landscape, and cybercriminals could target any one of them at any time. SMEs are vulnerable to the same cybersecurity threats as larger companies, and in fact are often more vul-nerable due to a lack of awareness and resources. Cloud-based services can help to fill those gaps.

Third-party cloud security providers have evol-ved to try to meet cyberattackers’ increasing sophistication by offering services tailored to bu-sinesses in any sector or industry.

“Most small, medium enterprises (SME’s) pro-bably have some kind of unified threat manage-ment system in place which may include fire-wall and intrusion prevention systems, but in the cloud, you’re able to consume a broader ar-ray of cloud services,” says Matthew Hoerig, Pre-sident of the Cloud Security Alliance in Cana-da. Costly enterprise services such as data loss prevention (DLP), federated identity, and more contemporary offerings such as block-chain se-curity, suddenly become feasible to SME com-panies because of the pay-as-you-go costing mo-del. During contract negotiations with the cloud provider or CASB’s both parties should determi-ne the kind of services an SME may require over

the life of the contract. In an IaaS service model, the SME should be able to orchestrate whatever services the client deems necessary which then simply becomes part of the on-going subscrip-tion fees paid by the client.

Hoerig adds that these capabilities can be deli-vered in a highly scalable manner depending on the service delivery model (IaaS, PaaS, and SaaS) employed. Data protection is probably the most important area for an SME to consider when ma-king the determination as to which cloud provi-der to engage with. With SaaS applications, the cloud provider may bear more of the responsibi-lity for the protection of client data. However re-gardless of the exposure the provider may be sub-ject to, an SME client cannot abdicate or abrogate its responsibility or liability — it is still the data owner. Due diligence is required on both sides to ensure that privacy, security controls, and audit requirements (where applicable) are considered.

Cloud 1.0 to 2.0Hoerig adds, “currently a widely held view is that we are undergoing a transition from Cloud 1.0 to Cloud 2.0.” Currently Cloud 1.0 includes (but not necessarily limited to) elastic and scalable com-pute and storage infrastructure, canned security services, and typically monthly service subscrip-tion fees. Cloud 2.0 will incorporate many addi-tional client benefits such as more granular pay-as-you-go models (per second billing), machine learning, and tools developed to mine the reams of data produced by IoT applications and sensors.

“These tools can help drive value by analyzing large amounts of data that can be monetized, pro-viding greater value to the organization,” says Ho-erig. “With Cloud 2.0 the ability to be more pre-dictable and precise with billing, while enhancing services and security, may make cloud services a much more attractive option for SME clients.

Safety in numbersCCIRC has monitored growth on all sides of the equation, working with all levels of governme-nt and the private sector. The Government of Ca-nada created the national public awareness Get Cyber Safe campaign, to educate Canadians, in-cluding Canadian business owners, about inter-net security. Get Cyber Safe has put out a Guide for Small and Medium Business that provides practical advice on how businesses can protect themsel-ves and their employees from cybercrime.

“Some organizations are extremely advanced and well prepared, with proactive policies from top to bottom so they know how to respond. Oth-er organizations aren’t that sophisticated, and it cuts across all industries and sectors at various sizes,” says Adam Hatfield, Senior Director of the CCIRC. “If you’re following all of CCIRC’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions, you’re probably mitigating as much as 85 percent of the threat you face on any given day.”

Covering the balance is where the danger still lies, he adds, and that means being vigi-lant. For example, the WannaCry ransomwa-re that made headlines exploited unpatched (that is, lacking the latest security updates) Microsoft Windows computers.

“If you’re a client who’s looking for a service, ask the security questions. Ask what the provider do-es for security, and what happens when there’s a breach. Ask how quickly you would be informed. Find out what liability is accepted by them ver-sus what you’re responsible for,” says Hatfield. “If you’re not satisfied with the answers or they’re slow in coming, you may want to look elsewhere.”

SMEs using cloud-based services and providers are showing initiative and foresight when it co-mes to cybersecurity. That’s just good business.

E nterprises need to enable faster and better decisions. “Digitization” is the answer: taking advantage of big data and machine-learning techniques to analyze large amounts of information. For

companies with significant physical assets such as transportation, utilities, and manufacturing, digitization is best accomplished by installing sensors on these assets. Connect these sensors together on a network and you have an Internet of Things (IoT.)

To be useful, companies need to install many IoT sensors. To be practical, the devices must be inexpensive. To meet this goal, device manufac-turers are forced to make compromises that are not seen in traditional enterprise computing equipment. These compromises lead to unique risks that require very different security models to address their shortcomings.

One source of security risk arises from how these devices work together. While manufactu-rers do consider the need for their own products to work together, there are no standards to en-sure inter operability among devices from dif-ferent companies. An enterprise environment will always be a mix of systems as new systems are added alongside existing equipment, ma-king integration of IoT devices a unique chal-lenge. Trying to connect devices that weren’t designed for this from the start requires additio-nal layers of equipment that end up adding com-plexity, additional points of failure, and unex-pected vulnerabilities. Protecting the operation of any IoT network requires architectural stan-dards for inter operability. Deployment of addi-tional IoT devices should be restricted to ones that meet those standards as often as possible. It’s also important to have mechanisms to keep an inventory of IoT devices on your networks.

A second source of risk can be attributed to the point raised earlier: IoT devices are often built with minimal hardware capabilities to keep costs down. This means that standard en-terprise security controls and even the most ba-sic anti-virus software can’t be accommodated

in the devices. The result is thousands of un-derpowered servers with no inherent security. The costs of this weakness were demonstrated in late 2016, when hackers compromised mil-lions of internet-connected webcams and launched a Distributed Denial of Service (DDoS) attack, disrupting key DNS services and rendering some of the largest internet properties unavailable. That same destructive capabili-ty can be turned against any target, even corporate IoT de-vices targeting corporate as-sets. Since there is no way to secure IoT devices, they should never be directly accessible from the in-ternet. Other security controls must be conside-red — starting with the network.

Another security risk inherent in currently available devices is rooted in the multipurpo-se nature of the equipment. Devices that are in-stalled to measure the speed of a conveyor also

contain a web server. Risk assessment of a read-only sensor is quite different from a web server. It’s difficult to determine exactly what’s vulne-rable on IoT devices when thousands are being

installed. To protect against these risks, devices must be subject to robust evalua-tions prior to deployment, or flexible and robust controls must be employed to anti-cipate the unexpected. The inventory of devices men-tioned earlier is again im-portant here.

With thousands (or mil-lions) of IoT devices deploy-ed, the value of information

from any single one is limited. However, once that information is aggregated it begins to have value, and after analysis it can provide a com-petitive advantage. Also to be considered, then, are the risks to the information as it travels th-rough new systems, gaining value along the way. The risks grow with the increasing value.

THE BENEFITS AND RISKS OF THE DIGITIZATION OF ENTERPRISES

Businesses Look to the Cloud for Help from Cyberattackers

Colleen Merchant Government of Canada,

Director General, National Cybersecurity

Adam Hatfield Senior Director of the

Canadian Cyber Incident Response Centre (CCIRC)

Matthew Hoerig President, Cloud Security

Alliance, Canada

This article is written by Steve Biswanger, Director of Information Security, Encana Corporation, and President of the CISO Division, CIO Association of Canada. The CIO Association of Canada recently added a Chief Information Security Officer division to its membership, recognizing this role as pivotal in today’s digital business. Steve is a founding member of this new division. CISOs interested in connecting with a like-minded group of professionals can contact Steve through [email protected].

“ Enterprises need to enable faster and better decisions.”

For more information on the CISO Division and the CIO Association of Canada or

to join, please contact [email protected]

We’re in the early stages of the In-ternet of Things, so standards, de-fault secure configurations, and the ability to remediate issues are still developing almost as quickly as the number of devices is growing. Th-rough these vulnerable times, en-terprises need to consider how to protect this fast-changing space without slowing its growth, or limi-ting its value to the business.

Steve Biswanger

Ted Kritsonis

MEDIAPLANET 11

T he prospect of Canadian enterprises being at-tacked by cybercriminals or rogue foreign agents grows each year, and Can-ada’s GDP is already los-ing $3.12 billion a year to

cybercrime. There is a digital transform-ation underway, fuelled by organizations moving their data to the public cloud. If done securely, Canadian organizations can prevent expensive cyber breaches and keep their sensitive data from getting into the hands of dangerous adversaries.

International Data Corporation (IDC) pre-dicts that nearly a third of all organizations will embrace the public cloud by 2018. The lure of flexibility, speed, and scale that the cloud offers also means an expanded attack surface area, resulting in increased risk of breaches. “When planning to embrace the cloud, whether incrementally or all at once, organizations need to consider their secur-ity strategy in the initial conversation,” says Mark Anderson, President of Palo Alto Net-works, the next-generation security com-pany. “Companies that think about security early and focus on what will generate posi-tive outcomes are the most successful.”

Cyber adversaries and their attack meth-ods continue to evolve, creating new sophis-ticated and automated techniques in order to gain access to sensitive data in any or all

Securing the Cloud Doesn’t Have to Be ComplicatedHow to avoid the vendor conga line while capitalizing on the benefits of the cloud.

With Forrester’s recent prediction that every business will become either a “digital predator” or “digital prey” by 2020, many Canadian businesses are eager to jumpstart their migration to the cloud.

However, while making a digital transfor-mation can help businesses improve their operational agility, it can be risky. The U.S. National Cybersecurity Alliance estimates that six months after suffering an attack, 60 percent of companies go under — it’s not an issue to be taken lightly.

While most companies have a great deal of expertise in their respective fields, they may not have extensive knowledge about secure-ly managing customer data, making them ea-sy targets. When it comes to data storage and management, they need to look to the experts.

Here are four questions businesses need to ask data management providers when they’re looking to undergo digital transformation and partner with a third-party cloud provider:

Digital Transformation Should Never Come at the Expense of Data Security

Is there flexibility within the solutions offered?It’s not only about moving to the cloud. What companies really need is the expertise to help them find the right solution for their business.

For maximum portability and value from their existing business investments, compa-nies should look for a partner that has a wide array of solutions and is focused on helping them identify whether their workload is best suited to a managed solution on physical in-frastructure, or a cloud solution that meets their specific needs. Ultimately, this often be-comes a hybrid solution.

How secure is the data when in transport? While most physical data centres offer Fort Knox-like protection, many third-party cloud providers are guilty of leaving their network exposed. This would be akin to a bank protec-ting millions of dollars with a secure vault, on-ly to then transport the money in a sedan.

If your customers’ personal details and cre-dit card information are unsecure in transit, then you haven’t secured any of your data. Bu-

sinesses need to choose a provider that opera-tes a robust network, so there’s the same le-vel of security across the network as there is around the physical building.

Will important customer data stay in Canada?With data sovereignty now a hot-button issue, it’s vital for Canadian organizations to know exactly where their customer data is at all times, where it’s being transferred, and how it’s being used. This includes both the physical data centre and the network. To keep your customer data protected and in compliance with Canadian residency requi-rements relevant to your business, you need to ensure it doesn’t pass through any net-works that could be subject to international data laws or, even worse, unwanted surveil-lance. Choose a provider that takes a natio-nal cloud approach to data storage.

How proactive is the provider when it comes to protection? Organizations need a solution designed to pro-tect without impeding the speed of business.

While your data and applications need to be sa-feguarded by multiple layers of security, this should not come at the expense of performance.

Using the earlier analogy, while it would be ultra-secure to seal off a bank completely, it wouldn’t be helpful for customers. A more progressive view toward security is to make sure the people coming into the bank are in fact customers, and do it in a way where it doesn’t take three hours for a customer to make a withdrawal.

How you set up the security infrastructure needs to be forward-looking. Flexible, scala-ble technology is essential. Businesses need a partner that offers proactive, built-in secu-rity end-to-end, so that as they grow, their applications, tools, and systems grow along with them, keeping them well protected.

Bertrand Labelle

Bertrand Labelle Vice President,

Marketing & Innovation

“With data sovereignty now a hot-button issue, it’s vital for Canadian organizations

to know exactly where their customer data is at all times, where it’s being transferred,

and how it’s being used.”

SPONSORED

corners of your network: your data centres, network devices, private or public clouds, or within SaaS applications.

Unfortunately, the cloud security market hasn’t been doing organizations any favours by releasing point products that solve on-ly one of the many attack methods. As a re-sult, organizations are left with a confusing and complex “conga line” of products that need to be strung together and independ-ently managed — leaving gaping holes in their security posture and requiring expen-sive resources to operate. When considering the cloud, customers have yet another set of tools and policies to absorb, further com-pounding the issue. What they often miss is that cloud vendors protect the cloud infra-structure, but it is the customer’s respons-ibility to protect the data. This is called the

“ Finding a solution that provides protection not only in the cloud, but also across your entire network, including your data centres, endpoints, and SaaS applications, means you can kiss the conga line goodbye.”

shared security model. Finding a solution that provides protection not only in the cloud, but also across your entire network, including your data centres, endpoints, and SaaS applications, means you can kiss the conga line goodbye.

“As data becomes more and more distrib-uted across data centres, private and pub-lic clouds, and SaaS applications, having complete visibility and consistent security measures becomes increasingly important to protect data no matter where it resides,” says Anderson. “It doesn’t have to be wild-ly complex.”

When considering a move to the cloud, smart Canadian organizations will include security as part of their initial planning and strategy, and will consider solutions that re-duce complexity, require fewer vendors and

Mark Anderson President, Palo Alto Networks

resources to manage, and protect their data no matter where it resides. Following this course will keep our organizations from lan-guishing in the conga line of confusion and help them quickly take advantage of all the benefits cloud computing has to offer.

Ted Kritsonis

SPONSORED


EDUCATION

The global job market for cybersecurity talent is expected to rise by about 1.5 million people by 2020.

With a talent gap for Canadian IT pro-fessionals in the cybersecurity indus-try and a growing market for cyberse-curity startups, universities and col-leges are now offering more niche programs in areas such as network security, data analytics, and software development, while also increasing-ly focusing on a multidisciplinary ap-proach to cybersecurity.

New Brunswick is Canada’s cybersecurity hubThe Canadian Institute for Cyberse-curity at the University of New Bruns-wick is one institution that has played a critical role in expanding cybersecur-ity innovation. Led by Dr. Ali Ghorbani, it is the first institution to bring togeth-er researchers from across the academ-ic spectrum to share innovative ideas and carry out ground-breaking re-search into the most pressing cyberse-curity challenges of our time. The insti-tute focuses on comprehensive multi-disciplinary training that draws on the expertise of researchers in science, business, computer science, engineer-ing, law, and the social sciences.

“We view cybersecurity as a prac-tical problem that requires practical solutions,” says Dr. Ghorbani, a veter-an industry leader who has been pi-oneering research in cybersecurity at

the University of New Brunswick and launched the institute this year.

“We have been doing research and de-velopment in this area non-stop for the past 17 years,” says Dr. Ghorbani, who is also a Tier One Canada Research Chair in Cybersecurity at the university. “Cyber-security is no longer just an IT problem; it is a business problem. Therefore, it re-quires multidisciplinary solutions.”

With one of the strongest core com-puter science programs in Canada, the institute has the research and develop-ment capabilities to create and grow industry-disrupting innovations. It of-fers a variety of tech-inspired gradu-ate programs that Dr. Ghorbani says are accessible to almost any student, as well as networking opportunities for entrepreneurs looking to create star-tups in New Brunswick.

“We are heavily focused on innova-tion and entrepreneurship at the Uni-versity of New Brunswick, and as a re-sult, we have spun off a number of com-panies,” says Dr. Ghorbani. “The biggest one is Q1Labs, which was acquired by IBM in 2012 and now is the main focus of the IBM security systems division.”

Developing the next generation of cybersecurity professionalsRealizing the importance of develop-ing the next generation of cybersecur-ity professionals, organizations such as the Canadian Information Process-ing Society (CIPS) — a world leader in IT professionalism, ethics, and indus-try governance that works to safeguard Canadian public interest in matters of

IT — are working hand-in-hand with institutions like the Canadian Insti-tute for Cybersecurity to keep young people engaged.

CIPS has recently created a youth board program to give millennials a voice in the industry, while also pro-viding both current and former stu-dents the ability to work closely with their professors for networking oppor-tunities. With a focus on continuing education, CIPS ensures students re-main engaged after graduation and continue to update their knowledge throughout their career.

“The bad guys don’t sit still,” says Bashir Fancy, the Chairman and CEO of the Canadian Information Pro-cessing Society. “So we want to make sure, through ongoing education, that people keep their skills upgraded so they are constantly learning.”

Together, organizations like CIPS and the Canadian Institute for Cyber-security are working tirelessly to make IT programs as attractive as possible to a wide range of potential students, while also raising awareness about the ongoing and increasing need for IT professionals to safeguard the Can-adian internet infrastructure from cybercriminals.

“There are not many careers out there like IT,” says Fancy. “Not only can it give you the opportunity to work in any industry you want, not only can it change your financial situation by tak-ing a career in IT, you have the poten-tial to change the world.”

Gavin Davidson

Why New Brunswick Is Canada’s Cybersecurity Hub

Q&A

Mediaplanet What inspired you to pursue a career in cybersecurity?Ehsan Mokhart Keeping cyberspace safe and secure at a time where technology is booming across the globe seemed like an interesting challenge for me. Cyberse-curity is dynamic, complicated, fun, and rewarding; this combination is rare, which I very much appreciate about this field.

MP How did your university mentor you for a successful career?EM At the University of New Brunswick, our research group held weekly meetings with industry partners and collaborated on different projects with multiple entities. Working with leading-edge companies not only enticed me to pursue an entrepreneurial journey but also gave me valuable insight into where the current challenges exist.

MP How has the cybersecurity ecosystem evolved since you began your journey as an entrepreneur in the industry?EM Cybersecurity is an ever-changing domain. It has become more dynamic and exciting day by day. Since I started my journey in this field, there seems to be no downtrend for cybersecurity in the foreseeable future.

MP What would you identify as key areas aspiring cybersecurity entrepreneurs should focus their services on in order break into the Canadian marketplace with a unique advantage?EM There are huge national and international oppor-tunities ahead for the Internet of Things and in artifi-cial intelligence.

MP Why did you choose to start your business in Fredericton? EM There is a high-quality talent pool with the Uni-versity of New Brunswick’s top-notch computer sci-ence graduates. Local investors — like the New Bruns-wick Innovation Foundation and Technology Venture Corporation — are very supportive of innovative entre-preneurs. And with the Government of New Brunswick recently launching a cybersecurity initiative, and with the new Canadian Institute for Cybersecurity at the university, this seemed like the ideal spot to start an entrepreneurial journey.

10237-UNBR National Post_Half-Pagename: Agnes / Cornelia date: 2017-09-21 colours: 4 media: National Post

description: Half Page Print Ad trim size: 10.34" x 9.78"

C M Y K

market/city: Canada

publication: National Post

insertion date: TBD

shipping date:

ad #:

client: UNB safety/live: n/a

build size: 100% bleed size: n/a

# # # ## of sides: 1 folded size:

380 wellington st. west toronto ontario canada m5v1e3 t 416 203 3470 Laser output may not be to size.

INTERNAL APPROVALS DATE SIGNATURE CLIENT APPROVAL SIGNATURE

Account Services #1

Account Services #2

Art Director | Designer

Creative Director

Print Production

Copywriter

Studio

Over 75 programs. Two campuses. A one-of-a-kind experience. UNB.ca

Accelerating clean energy research with industry leaders Partner with IBM on cybersecurity projects Lead partner with Terry Fox Research Institute

Research partner with NASAHome to Canada’s leading institute for cybersecurity research Developed technology used by Google

Co-founder of Sentrant Security, Ehsan Mokharti credits his entrepreneurial success to the cybersecurity ecosystem in New Brunswick. New Brunswick Tech Hub

Takes Multidisciplinary Approach to Cybercrime

Date post:	17-Mar-2020
Category:	Documents
Upload:	others
View:	7 times
Download:	0 times

and how will it affect you? p05 p07 p09 CYBER SECURITY · leader in information security Robert...

Documents