Most companies rely on technology to function, and in most ways this has been beneficial. Something as simple as storing information on computers or in the cloud has greatly reduced costs for many businesses by eliminating the need for extensive physical storage space. So, what’s the downside? Maintaining cyber security for all those sensitive files.
According to Tech Times, cyber security “is the array of measures you take to protect [your company] from unauthorized access to its systems.” Maintaining your company’s cyber security is crucial, since failing to do so and falling victim to a breach will have serious consequences, such as the proliferation of private company information to unknown parties outside of the organization.
Since cyber security is such an important topic for companies of all sizes, Business in Edmonton magazine contacted two experts operating in Edmonton—an IT company and a risk management company—to shed some light on the issue.
Pro-Active IT Management Inc.
Pro-Active IT Management has served as technology guides for over 15 years, looking after that critical part of today’s business so the client’s team doesn’t have to. For 1-50 person teams, they are there when you need them, and you only pay for what you need. Catherine Vu, chief uptime officer of Pro-Active IT, notes, “We work with clients to assess their weaknesses, inform them of new and existing threats and make recommendations based on their needs.” By doing so, Pro-Active IT ensures that its clients are prepared to identify and deal with potential cyber threats before they become a problem.
According to Vu, one of the main reasons companies fall victim to cyber security breaches is that they think they are too small for hackers to want to attack them. It is important that companies, regardless of their size, take the proper measures to ensure they are protected from cyber threats.
Vu also points out that many companies don’t have a culture that questions user authentication. If an employee is not trained to question the authenticity of an email, for example, that employee could be tricked by a phishing scam. By disguising themselves as trustworthy companies or individuals, hackers can easily obtain sensitive information by simply sending a company’s employee an email asking for information, such as passwords or banking information. Regardless of how many security systems are in place, if an employee is not properly trained to identify and avoid cyber threats on their own, the company’s security stands a good chance of being breached.
Vu knows that companies can improve their cyber security in a number of ways. By deploying a unified threat management firewall with advanced filtering capabilities, running a centrally managed anti-virus program, promoting a strong password policy in the workplace and limiting employees’ access to strictly work-related resources and applications, companies can protect themselves from most cyber threats.
Knowing, however, that it is ultimately up to the employees of a company to truly protect their cyber security, Vu believes that, “Educating staff on the risks [of cyber threats] and providing practical testing and training are vital steps that a company can and should take.”
Pro-Active IT provides a service that sends white hat phishing emails to all staff within an organization, and then tracks which users click on the link. After doing so, Pro-Active IT provides the company with the report so they can train their employees based on the results of the test and improve their overall security. While this is an effective test to determine the weak points of a company’s cyber security, Vu also recommends, in general, that companies educate employees to know that if something seems suspicious, they should ignore it and warn others in the company of the potential risk. Most importantly, they should make sure they have multiple backups of data.
Marsh is an insurance brokerage and risk management company with offices across Canada and in 130+ other countries around the world. When working with clients, Marsh works hard to analyze, measure, and help manage multiple risks in order to reduce each client’s total cost of risk.
Julien Ducloy, senior vice president of Marsh Canada and cyber consulting lead, knows companies often fall victim to breaches of cyber security because, “The internet was initially designed to be more ‘open’ than ‘secure.’ Even though most people have realized by now that hackers with malicious intentions can easily take advantage of poor cyber security, fixing the issue is actually a race between attackers and security teams.”
Despite efforts by companies to improve their cyber security and protect their digital assets, hackers are still able to get in. While patching a system to fix areas where it’s vulnerable, or installing software to protect servers and workstations against malware can be very helpful, Ducloy argues that, “There will never be a malware or virus scanner, nor employee training, that will be good enough to stop all attacks.”
He continues, “Avoiding cyber security breaches requires many elements in place with constant maintenance to keep up to speed with attackers.”
This constant struggle to protect themselves against hackers can be difficult for smaller companies, which have fewer resources to manage the risk effectively, making them easier targets. According to Ducloy, while there are potentially hundreds of security measures a company could take to protect itself against attackers, it should focus on adopting a cyber security framework, such as NIST CSF or CIS CSC, and regularly evaluate its posture against it while also defining a roadmap to improve its practices.
“By implementing a variety of security systems to protect against cyber threats, companies will have defense in depth,” Ducloy says. “Even if an attacker can go through the first layer of protection, they will likely be stopped by another one before the attack can have a negative impact on the organization.”
However, even with a variety of security systems in place to protect against potential cyber threats, it is not always obvious that a breach of cyber security has occurred or is in the process of occurring. Ducloy explains, “If you don’t try to detect security breaches, you might never be aware of them.”
While there are several security systems that a company can put in place to detect breaches, it is possible that a company may only become aware of a breach of security after it has happened—for example, when the authorities contact them about it, or when the attacker contacts them to ask for a ransom. If a company realizes there has been a breach of their cyber security, they should respond immediately. However, as Ducloy notes, “Dealing with a breach is not a ‘do-it-yourself’ activity or a process that you can improve when the breach occurs.” Companies should have a plan in place to deal with these sorts of incidents, which “generally involves third parties like an insurer (if you have a cyber insurance policy), a breach coach or privacy lawyer, an incident response firm and a number of internal stakeholders, depending on the extent of the breach.”
If the attack proves to be serious, the company may lose a great deal of valuable information or money if it is not properly prepared with adequate security measures and training in incident response, or if it does not have a solid incident recovery plan. After falling victim to a breach of cyber security, the main way a company can correct its mistake is, according to Ducloy, by identifying the source of the breach and remediating the issue when it’s possible, and ultimately looking at how to improve the company’s overall security posture.
With the threat of cyber attacks ever present, it is important that companies remember to be proactive internally and to keep up their security measures in order to prevent potential breaches. Professionals in Edmonton offer a range of products and services to help keep your company and your data safe.