Almost all working Canadians (92 percent) believe it’s important to protect work devices from cybersecurity threats, according to a new CDW survey. But over one quarter (26 percent) rarely or never check their cybersecurity or privacy settings. This is just one of the many troubling data points in CDW’s survey about the risks for Canadian tech companies.
Speaking with BetaKit, Theo Van Wyk, Head of Solutions Development and Cybersecurity at CDW Canada, explained why he thinks there’s such a large discrepancy between awareness of the risks and willingness to take action – and what should be done to close the gap.
Out of sight, out of mind
Among those who rarely or never review their device security or privacy settings, the largest share (38 percent) say this is because they simply hadn’t considered it. And, perhaps more troubling, 29 percent of working Canadians say they do not know how.
The statistics paint an even grimmer picture of cybersecurity awareness as a whole: more than half (52 percent) of working Canadians claimed not to know if their organization has a cybersecurity plan that includes all third-party apps.
To Van Wyk, this circumstance is unfortunately normal because of how IT departments used to be structured. He said that IT departments traditionally operated in the background so that “business” could happen in the foreground. In such an environment, most employees are not told anything about cybersecurity, which results in a troubling lack of awareness.
Further, Van Wyk said this old-school approach to IT creates a mindset among many individual employees that they have nothing of value to steal. If they did, so the thinking goes, the company would have taken more action.
However, things are different now. Technology sits at the forefront of how most employees work, whether at a tech company specifically, or using employee-facing technologies to serve customers. The problem, said Van Wyk, is that many employees still behave as individuals with nothing of value to steal.
While that might be technically true, said Van Wyk, hackers use individuals to gain access to corporate networks. He gave an example: when CDW does risk-assessment penetration testing with clients, its testers most often get in through “social engineering” – targeting specific individuals likely to give up confidential information – rather than by brute-force attacks on the company’s network.
“Humans are the first and last line of defence,” said Van Wyk, adding that one slip could cause a massive incident.
Resilience is your best security backup
To the credit of organizations, Van Wyk said corporate messaging around cybersecurity has shifted from “fear mongering” to helping people following incidents.
While this increase in awareness is good, it’s also not quite enough, because attackers are getting smarter too. For instance, from March of 2020 to March of 2021, 19 percent of organizations surveyed by CDW were the target of a ransomware attack. Speaking more broadly, 24 percent of Canadians said a potential cybersecurity threat – whether or not anything was breached or stolen – has stopped or interrupted operations within their organization.
For Van Wyk, the reason increased awareness isn’t translating to more secure organizations is because companies focus too much on security and not enough on resilience. As he describes it, security is about doing everything you can to stop an attack from happening. Resilience, on the other hand, is making peace with the fact that security isn’t binary and it’s likely that something bad will happen at some point. Knowing that, resilience becomes the contingency plan a company puts in place to minimize damage and speed up recovery.
Van Wyk said that operating with both a security plan and a resilience plan enables a more flexible, human-centred approach to cybersecurity. By taking into account how the working world actually operates, the organization ends up much safer overall.
Right-sizing your cybersecurity approach
When advising startups on their cybersecurity strategy, Van Wyk is cautious to not recommend any one tactic or framework, because each business is unique.
“The last thing you want to do is shoehorn your business into a framework,” said Van Wyk.
Instead, he recommends starting from a place of intent. That requires looking at the intent of a specific security framework or regulation and applying it to your organization based on the risks it faces.
This might, for example, mean different roles have different security and compliance training, such as finance learning more about money laundering while customer service and HR learn more about handling personally identifiable information (PII).
Van Wyk also noted that this training can impact product development, as a secure product or platform is essential to cybersecurity overall. However, this can cause additional challenges as companies think more deeply about usability and user experience.
“You cannot get away from the fact that as you increase security, you decrease the convenience of using a platform,” said Van Wyk.
The solution he recommends is to find a balance between the security you need, based on your most potentially damaging threats, and the usability your customers need with your platform. Combined with a resilience plan, this approach to security is what Van Wyk calls “right-sizing” versus outsized reactions that don’t meet your needs (or keep your business safe).
Rapid iteration
Van Wyk said the fact that security and resilience are iterative processes is actually a good thing. While it means you can’t ever really “win” because you’ll always have more to do, it’s much easier to get started than most people think.
Since anything is better than nothing, Van Wyk said even small improvements to your business’ general backup, recovery, and compliance practices will put your company on the right path.
“Even just considering these at a high level puts you in the right direction,” said Van Wyk.