Positioning cybersecurity as a leading business risk

February 24, 2022

Boards are increasingly aware that cybersecurity is a leading business risk. Recent efforts to adapt and digitize have introduced greater levels of risk into the most agile of organizations. New technology, from remote working to e-commerce capabilities, have left many companies more advanced, but potentially more vulnerable. With increased attack surfaces, cybersecurity measures may need to play catch up.

Global ransomware attacks have increased by 151% since the first half of 2020. And, in Canada, the average cost of a data breach is $6.35M According to Rocco Galletto, National Cybersecurity Leader at BDO Canada, “the risks to business are very real, but we can’t let them slow down progress.” The rapid emergence of new ransomware, the ease of targeting organizations, and the growth of the cyber underground have forced organizations and their boards to look for immediate answers.

“Technology transformation is occurring faster than ever before and it has opened the door to a whole new generation of threat actors who can halt your business’ operations, damage your clients’ privacy, and tarnish your company’s reputation. The way forward is to manage technology and cyber risk from the start of your journey and throughout the technology lifecycle.”
—Rocco Galletto, National Cybersecurity Leader

When an organization depends on the management policies set by the board of directors, what happens when it faces a “ransomware epidemic?” One of the biggest challenges is communication. Security professionals and their business leaders must know how to translate the complex world of cyberthreats into a language that the board of directors can understand. To help the c-suite lift this conversation to board-level understanding, we sat down with Rocco Galletto to learn more about the challenges he’s seeing in the marketplace and the strategies he’s helped implement across different industries.

We asked him five key questions about cybersecurity and how organizations should be approaching their cyber strategy.

1. Are Canadian organizations currently dealing with a “ransomware epidemic” and how should this affect their cyber strategy?

Rocco Galletto – Yes, there is a ransomware crisis that continues to accelerate at an alarming rate and affects more and more organizations in Canada. On the one hand, Canada is a top geographic target, simply because it’s one of the most digitally advanced economies. On the other, threat actors are multiplying because criminal groups have made it easier to perpetrate attacks. A threat actor can now leverage ransomware-as-a-service (RaaS) and attack multiple organizations in a single hit. The crisis has taken on “epidemic” proportions due to the proliferation of cyber criminals now using RaaS. With very little background in cyber or IT, it is now possible to perpetrate a very lucrative attack.

Organizations need to understand this new reality and respond accordingly. Automating controls and ensuring there are strong backup strategies are crucial for weathering the current ransomware storm. Zero trust strategies and software-defined perimeters are also on the horizon and offer a lot of promise, but it will take time for organizations to adopt these solutions.

The key thing to understand about ransomware and digital extortion is that it’s a very opportunistic and timely attack. Companies have undergone massive digital transformations in the past few years and are more vulnerable than they have ever been. Technological enablement has resulted in many more access points that cyber criminals can exploit. The emergence of RaaS platforms is a direct response to this. Threat actors can pay a monthly fee, access support, automate, scale, and attack thousands of organizations at the same time. If successful, a threat actor will typically lock a significant portion of these businesses out of their systems and encrypt their data until they pay a ransom, almost always in cryptocurrency. Extortion tactics are also becoming more severe as many attacks leverage the sensitive data they steal from an organization.

2. What are the most common pitfalls or blind spots you see when assessing different organizations’ cyber risk management strategy?

RG – Because cybersecurity is an ever-evolving landscape, it may force some organizations into a chain of reactions that complicate their cyber strategy. The resulting infrastructure can often be piecemeal and disconnected. Organizations can fall into a whack-a-mole situation when it comes to patching bugs, responding to specific threats, and involving third parties. Cyber strategy really needs to be architected at the get-go, as new technologies are being explored, and before they are implemented. A sound cyber strategy helps you implement the right tooling and capabilities so you can protect and grow your business at the same time.

Another very common blind spot is the confusion between digital maturity and digital resilience. Many organizations have a high degree of maturity: their security team is in place, they have enabled cyber processes and documentation, and have invested in new technologies that help drive innovation and growth. An example would be a human capital software solution, which enables digital transformation, but also increases an organization’s risk ratio. This new capability introduces a whole new dimension of personal data that the business will need to protect. It’s why tech enablement needs to happen in tandem with cyber risk management. This is probably the biggest area of vulnerability for most companies right now.

3. For companies who have already invested significantly in cybersecurity, how should they be approaching their investment amid the ransomware crisis?

RG – When it comes to assessing your cybersecurity investment, optimizations should really focus on moving toward a risk-based approach, which means that your cyber strategy moves to the centre of your risk management framework and avoids the trap of developing disconnected, albeit digitally advanced monitoring systems in response to different types of threats. All businesses are currently undergoing some form of digital transformation. Part of this shift is ensuring that cyber is closely aligned to the unique business profile it is designed to protect.

Oftentimes clients will ask if they are overspending on cyber. My answer is that cyber has become one of the leading business risks for Canadian organizations. You’re either not spending enough on cybersecurity or spending in areas where you may not receive the largest return. I often hear about organizations who “have transformed” their cyber programs and implemented new processes and control points and this is fantastic news. But the next step is to ensure your cyber strategy continues to evolve alongside the business. With every change, new partnership, new technology, and new service offered, the organizations’ threat profile changes and those changes need to be understood and assessed for new risks.

4. Many organizations are engaged with third parties and assume they will manage risk on their behalf. How do you help your clients clarify the roles and responsibilities to ensure nothing slips through the cracks?

RG - It’s a daunting task for many companies, who often assume that third parties, by default, have controls in place to protect their data. Or, when organizations migrate to the cloud, it is assumed the third party will manage all cyber risks. Cybersecurity isn’t always discussed between the vendor and the client, and often, control points are only assumed to exist. This is when bad things can happen. In our experience, we have found that many cloud providers have capabilities, but the baseline control requirements are often missed. The truth is, it’s the organization’s responsibility to ensure that third-party vendors or cloud configurations have the minimum controls in place and compliance to standards is maintained so that the sensitive data is well protected. A lot of the work we do for our clients focuses on managing their data flows within and outside of their organization and helping them optimize and stratify their relationships with third parties in a secure way.

5. What are the challenges of communicating cybersecurity issues to a board of directors?

RG – In general, most boards are already very attuned to the idea that cyber risk is business risk. Organizations can no longer afford to deploy cyber strategies that are disconnected from business objectives or core principles of risk management. But there are always challenges. The first challenge is that not all boards necessarily understand how cyber risk is being managed or how to properly delegate the risk management to the right operational staff. The second challenge is that security professionals themselves may not be able to articulate in non-technical language how their efforts affect the business’s most valuable workflows or how to effectively report the status of cyber risk management upline. When companies come to us for help, we start by understanding the business profile first and then we insert cyber into their transformation journey and growth targets. The idea that cyber is a cost centre or an insurance is outdated. Cyber is about protecting the business and, most importantly, enabling that business.

How BDO can help

Your organization’s business goals need to be reflected in your overall cyber strategy. The next stage of cybersecurity is moving toward a risk-based approach that focuses on your organization’s most valuable workflows, while cutting out waste and eliminating ineffective controls. BDO’s cybersecurity team can help you assess and manage this risk, no matter where you are on your digital transformation journey, so that your business can focus on what it does best.

Contact us for more information.

Rocco Galletto, National Cybersecurity Leader

This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our privacy statement for more information on the cookies we use and how to delete or block them.