Organizations still fall short on cyber security, Canadian breach response expert tells privacy conf

Daniel Tobok
E: [email protected]
Posted on: March 20, 2019

There’s a reason serious criminals are called ‘organized crime:’ Because they’re well-organized.

Here’s how well: According to Ed Dubrovsky, managing director at
Cypfer, a large Canadian breach response company, some groups have “mind-blowing” capabilities, including running analytics against merged lists of stolen personal data.

Unfortunately, he also told a privacy conference Tuesday, despite years of warnings organizations are still sloppy at cyber security.

“I strongly believe in fundamentals,” he told the
annual Privacy and Data Security Compliance Forum in Toronto put on by the Canadian Institute. “You need technologies — and policies and process and governance that address the fundamentals” of security.

People need to be trained in security awareness, he said, “but not with a PowerPoint [online presentation] but what is relevant to what is happening out there so they understand. If you use PowerPoint, trust me employees are clicking next, next, next. It has to be effective, relevant.”

An organization needs a breach response plan tailored to its risks and threats, he added. It has to understand not only where corporate data is stored, but how to classify it for protection.

“I talk to many SMBs on a regular basis and tell them they need to do all these things, and they go, ‘Why, nobody cares about my data.’ And my question to them is. ‘Do you care about your data? ,,, Your data means a lot to you.”

In an interview Dubrovsky said the fundamental mistake organizations make is focusing on the company’s operations — meaning getting IT projects out the door — versus security. Instead they should want to get applications working and secure.

‘”Security still doesn’t have the respect and a seat at the table, the way it should have,” he complained. Why? Because — as many other experts have said — many infosec pros still can’t explain their needs to management in terms of risk reduction. “We’ve got to talk their language.

“This is changing for the better,” he admitted, “but when I talk to IT people they still say talking to the C-suite is still very challenging.”

If you want to buy a security product, he advised, tell management it lowers risk of a breach which could lower revenue or damage the company’s brand. “These elements need to be communicated clearly, so you get, ‘Yes, go ahead.'”

As for awareness training, it would help if employees got the message from their parents or in primary school. Otherwise, he said, organizations have to make sure trainers are experienced. “I think it has to come from individuals that actually experience the results if cyber attacks, how it gets into systems, he said.”

Trainers also have to remember everyone learns differently. “And it has to have a little bit of fun. Gamification goes a long way,”