IT World Canada recently interviewed Ed Dubrovsky, Managing Director of Cyber Breach Response, on the importance of understanding the state of cyber security during Cyber Security Awareness Month and on how organizations should prepare. Read part of the article below.
“According to Ed Dubrovsky, managing director for cyber breach response at the Toronto-based consulting firm Cypfer, the number of breaches in Canada is rising because threat actors are more motivated to attack than organizations are to protect themselves. “Over the last year, ransom demands have spiked by almost 300 per cent on average,” he noted in an email interview, “and in some cases (and specific industries) multi-million dollar demands are the norm. These payouts are increasing the motivation of cyber criminals to successfully attack and cripple organizations.”
Businesses are only now starting to realize that cyber security budgets should be increased and that additional focus is needed, he wrote. “However, there is a disconnect between what organizations are willing to invest in security programs versus what it will take to provide a minimal acceptable level of security services to protect data and jobs. Organizations of all sizes are still failing to invest strategically in their security programs. How do you introduce a fundamental shift in thinking from purely operations to allowing security and cyber-risk a seat at the table?”
He urges organizations to develop what he calls a modular approach to mitigate or reduce risks. “By modular I mean that the whole plan does not need to be thrown out the window every time there is a change. Strive for incremental improvements; this is not a sprint.”
In brief, his advice is “protect perimeters (plural), protect data, reduce permissions and manage credentials, and patch systems.”
Organizations need to understand the specific risks associated with them, not generic risks, he says. Then shift risk management processes to include these specific cyber risks. Regularly and critically assess the firm and re-evaluate risks — don’t focus on one-time products or activities.
As for security awareness training, make sure it relates to the risks the organization faces.”