“We’re just a small fish in the pond, these cyber-criminals aren’t going to go after us.”
Famous last words. In 2017—the most recent year for which data is available—more than one-fifth of Canadian businesses were hit with a cyber-attack, according to a survey by Statistics Canada. This meant lost productivity, lost time and lost revenue.
And one of the weakest links in the cybersecurity chain can be an organization’s own people. A 2018 survey by Ernst & Young found that “careless or unaware employees” were by far the greatest cybersecurity vulnerability Canadian employers face.
Recently, Microsoft Canada’s National Security Officer, John Hewie, sat down with cybersecurity expert Michael Ball, Information Security Adviser and vCISO at TeamCISO, to talk about the threats facing Canadian businesses and other organizations, and what can be done to shore up cybersecurity protections.
John Hewie: One of the things that I’ve seen develop over the last several years is that small and medium-sized businesses are targets now. I think the perception in the past was “we’re just a small fish in the pond, these cyber-criminals aren’t going to go after us.” What’s your view on that?
Michael Ball: You need to look at it from the standpoint of supply chain. The criminals, or the threat actors, understand that large enterprises invest heavily in defensive steps. They can either try and get through that, or they can find a supply chain partner that doesn’t have the funding for proper cybersecurity and get access through them. The bad guy is thinking, “If I invest just a little bit and work with one or two or three suppliers of my actual target, my money is better spent.”
I was a virtual CISO for a wealth management company, and it took me a good year to get that message through, because their senior executives were asking “why would anybody want to look at us as a cyber-attack target?” Meanwhile, their clients each had more than $1 billion in net assets.
JH: I see a lot of organizations in Canada that are not doing the fundamentals that well, in terms of the things we can do as a community to help increase the cost of attack for attackers. Patching, employee training, getting away from passwords, implementing multifactor authentication. Historically, productivity and security were viewed as mutually exclusive. At Microsoft, we advocate that in order to get people to follow the right security rules, you’ve got to give them tools that work, and productivity features that work. What’s your view of the workplace and the things that are important to security?
MB: I talk to a lot of security architects, and I tell them that they need to go back and re-educate themselves. Because everything that’s going on in the cloud is not the same architecture that we had on-premises. There is a whole new suite of opportunities developing in the cloud, where the security tooling is already embedded, and they need to take advantage of that.
One of the things that I really like that Microsoft is doing now is taking things like Office off the desktop. So, from an enterprise or a small business perspective, the challenge has always been keeping things up to date and properly patched. So, you have legacy systems like Windows 7 boxes kicking around – and by taking the Office products off of there and into Office 365, it’s going to continue patching as part of that licensing agreement. I love that. It takes the onus off the IT team and allows them to do other things. If more vendors moved in that direction, where everything is cloud-based first, then a lot of the threats that we find inside of the network just aren’t going to be there.
JH: This notion that “just because you know the password you get access” is not a great strategy in 2019, and beyond. In order to make a risk-based access and authorization decision, we really need a lot more context in this mobile world, where we have to assume that every access request is coming from the open internet.
MB: I worked with one provider where if the end user was sitting at a corporate machine, on the corporate LAN, authenticated in, he had read/write access to his files. However, if he logged in from Starbucks on a public network – still using his credentials – he had view access. And if he was on an unknown network, he may have had view access, but we would disable print functions and save functions. Those are the things that need to be done in this day and age.
JH: You speak with a wide range of customers and clients. What are the greatest risks or threats you see coming at small and medium-sized businesses?
MB: I hate to harp on ransomware, but that’s the biggest one right now. I have three types of clients: one that’s already been attacked by ransomware, is remediating, and is looking to put a program into place. It’s funny how money for security falls out of the sky after an event! The second one, they’ve had a breach: intellectual property or PII has leaked. And the third one is a company that has gone for cybersecurity insurance but been turned down because they don’t pass the compliance criteria.
JH: What’s your view on how much of this rests with employees? What’s their role in keeping the organization secure? And how do we build a culture of security so that it’s everybody’s job?
MB: Actually, I have scrapped the annual security awareness presentation. I don’t see value in providing a security awareness PowerPoint deck and 15 questions once a year. Instead, every week, we’ll put out one little statement and a couple of questions for them to think about. Something nice and light: maybe a cartoon, maybe a comic strip, just something that’s a little snippet in front of them. We try to make it relevant – not only to them and their business – but to their family as well. So, things like protecting email, anti-phishing: go talk to your children about this. Go talk to your spouse about this. If they’re doing this kind of hygiene at home, they’re building a practice around it, building a habit, and bringing it back to the office. That’s way more effective.
JH: I hear you. At Microsoft we’ve invested in excess of $2 million in Canada this year to help customers skill up through online learning and roadshows we’ve been running across the country in major cities. There are a lot of opportunities, and a lot of the work in the security space is about out-innovating the bad guys and raising that cost of attack for them, and helping customers really make those secure configurations by default and then making it easy for them on an ongoing basis. So, I really appreciate the insights that you’ve taken the time to share with us in this critically important area. Thanks so much, Michael.
MB: Well, I really appreciate your efforts on this as well. The fact that I’m comfortable sending a Windows 10 workstation to a client with just Microsoft security on it speaks volumes!
To learn more about the current state of cybersecurity and how small and medium-sized businesses can better protect themselves, visit here.