Corporate cybersecurity: best practices you need to know
Recent headlines tell the story: no company is really immune from cyberattack. The question is not when your organization will get hit; it’s how hard. What your business can do about it is covered in our Fonds de solidarité FTQ Cybersecurity Toolbox.
These days software is constantly being updated by its publishers, and it’s not just because they’re trying to make it better. It’s because hackers are constantly prying open new security weaknesses they can exploit. This endless cat and mouse game makes cybercrime almost impossible to eradicate completely: despite efforts at prevention, cyberattacks against individuals and organizations have become a daily occurrence.
Hackers favour four methods of attack:
- Ransomware, which locks an organization out of its own data until it pays for a decryption key, under threat of the data being lost forever or even released publicly;
- Phishing, where fake emails and websites are used to trick you into divulging confidential information like usernames and passwords;
- Credential stuffing, where bots make repeated login attempts using user authentication data previously stolen in data breaches;
- Targeting configuration errors made by users or administrators of online services.
When it comes to choosing victims, criminals do not discriminate between small and large organizations or sectors of activity. Recent coverage of Quebec cybercrime cases is filled with well-known organizations like Desjardins, Revenu Québec and Cégep de Saint-Félicien, but according to a 2019 CIRA study, over 71% of Canadian organizations said they were victims of at least one cyberattack that affected their activities in the last year. Even if you think your data isn’t worth all that much, every system is worth hacking in the eyes of a criminal, even if it only serves as a pathway to attacking another more lucrative system.
No one is safe
The financial implications can be substantial, as was the case with a Terrebonne concrete component maker whose machines were knocked offline by hackers, resulting in $250,000 in losses, or a Sherbrooke machinery manufacturer from which $120,000 was extorted in a ransomware attack. In both of these 2020 cases, the targeted businesses survived. For others who are less financially solid, a cyberattack can mean going out of business.
The coronavirus crisis has only increased the risk of attack, as massive adoption of remote working necessitates the use of third-party collaboration tools, which increases an organization’s exposure. What’s more, hackers have been quick to exploit coronavirus anxiety: since the start of the pandemic, one quarter of Canadian organizations have been targeted by fraudulent emails linked to COVID-19 testing. Just one click and you’re caught.
In response to these challenges, the Fonds de solidarité FTQ has been investing in firms that are working to strengthen the security of information systems in Quebec’s major companies, stabilizing the economy in the process. This was the case with Montreal’s NoviFlow, which offers security services to telecom operators, and with TerraNova, a Laval company that provides cybersecurity awareness services.
However, despite mounting the very best defenses, no one is immune from cyberattack. In fact, companies are often better off looking at information security as cyber resilience, in which it is presumed that an attack will eventually occur and plans are at the ready to limit the damage.
In addition to financial risk, there is also an element of competitive risk to cyberattacks, especially if one competitor is well protected while another is set back significantly by an attack. The threat also impacts the confidence level of a company’s clients, investors and suppliers. This is why cybersecurity clauses are becoming standard in business contracts.
Where to start?
“I recommend that similar organizations in terms of region, size and industry join forces to help each other, especially when internal resources are limited. When it comes to security, competition doesn’t count!” says Marc-André Drapeau, engineer and chief information security architect at the Fonds de solidarité FTQ.
After presenting a webinar on December 2, Mr. Drapeau put together the Cybersecurity Toolbox we’re bringing you today. This practical document is based not just on accepted concepts in cybersecurity but also on Mr. Drapeau’s cybersecurity team’s firsthand experience. In it you’ll find best practices divided into five categories you can apply immediately to quickly improve your cybersecurity posture, as well as 20 procedures you can implement long term for increased peace of mind.
“To make cybersecurity a company priority, you need to designate a person specifically for information security, set up dashboards to that end, and get the topic on the agenda with your board,” he says. “You don’t have to reinvent the wheel. Make use of established references from world authorities like the ISO, NIST or CIS. Read reports from sources like Verizon on the cybercrime outlook and recommendations for different business sectors.”