Sacha Blasiak-Priestley:
Sometimes it can take companies up to years to actually recover all of those systems. So they might have those core systems that are up, but it could take years to get the supporting systems adjusted and fixed to be operational again.
Narrator:
Welcome to Accounting for the Future, a BDO Canada podcast for financial leaders to navigate change, and achieve business growth. We'll uncover the challenges financial leaders may not have dealt with yesterday, but will definitely have to manage for the future.
Anne-Marie Henson:
Hello, and welcome to Accounting for the Future. I'm your host, Anne-Marie Henson. I'm happy to welcome our guest today, Sacha Blasiak-Priestley, who's the national leader of cloud security for BDO's cybersecurity team. She's an experienced cyber leader with over two decades of experience in cybersecurity. Her expertise includes cloud security, security operations, and offensive security with a focus on protecting organizations from digital threats. And we're going to find out much more about what you do in this podcast. So really happy to have you, Sacha.
Sacha Blasiak-Priestley:
Thank you so much. Thanks for having me.
Anne-Marie Henson:
Surprisingly, we've not done an episode on Accounting for the Future on cybersecurity, which we keep on seeing more and more in the news, in current events, with clients, and I'm sure you have lots of experience and stories to share with us today. So I wanted to just start with setting the stage for our listeners. If you could tell us a little bit about what are the trends that you've noticed in the types of cybersecurity threats that you've seen emerge more and more say in the past year or two?
Sacha Blasiak-Priestley:
Absolutely. One of the main threats I think that we've seen and that you'll hear a lot about on the news is ransomware. So ransomware is when an organization has a type of what we used to call a computer virus that encrypts the files, making them unusable. And what happens is that the threat actors will actually hold those for ransom, which is where the name comes from, and in order to access your data or make your systems operational, again, you have to pay them a certain amount of money, usually in the form of cryptocurrency or Bitcoin. We're seeing that hit a lot of organizations. Typically, the way that that comes into an organization is through phishing emails.
So I know that a lot of users of systems are probably a little fatigued from hearing from their organizations about the importance of being cautious about clicking on links or sharing their information, but truly that is how we're seeing a lot of these attacks happen and how they come into an organization.
Anne-Marie Henson:
Yeah, thanks for sharing that. I know we, even ourselves at the firm, not only do we have a great cybersecurity team, but we also have cybersecurity training that we have to follow to avoid those types of traps. So in 2024 and even 2023, we've seen really large companies like AT&T, London Drugs, Christie's, and then some Canadian companies as well such as Bombardier face really serious cyber attacks.
And it shows that any company, no matter their size, is susceptible to cyber risks. So I wanted to ask you a bit about what are some of the common vulnerabilities that businesses may be overlooking today and what are the three most common types of cybersecurity threats? I know you talked about ransomware, so that's definitely one that we've seen a lot. I'm sure there are others, so I'd love to hear your thoughts on that.
Sacha Blasiak-Priestley:
Absolutely. I think you said it in your intro, a lot of organizations don't believe that they're targets. So a lot of organizations think, “I don't have data that's worth stealing. No one would come after me. I'm not even a large organization.” But the truth is that a lot of these attacks are really opportunistic, which really means that if an attacker can find a way in, they're going to do it.
When we talk about ransomware specifically, there's what we call ransomware as a service. And it's become so easy for someone to purchase ransomware from an organization, and they're set up like businesses. They have help desks. They have tech support lines that you can call, and you literally purchase the ransomware. You can purchase a list of perhaps targets that you can try.
And you can try your hand at ransomware to see if you can make some money. So again, it's not really a targeted type of an attack saying, "Hey, you're a big bank, or you're an organization I don't agree with, so I'm going to hit you." It's really just opportunistic. So I think organizations really have to understand that if they do business on the internet, which all of them do, then you're going to be a target of attack.
Anne-Marie Henson:
And I know some of these examples, Sacha, were really large companies, but we've seen a lot of situations ourselves with clients who are very small, less than 100 employees, or even non-profit companies that have been targeted as well. So they don't discriminate is what you're saying.
Sacha Blasiak-Priestley:
Absolutely. And it's not always about the data. I know I mentioned that they hold your information, but the other impact that it can have is to operations. So what we saw with London Drugs where they weren't able to even open their stores for multiple days because obviously all of their transactions are done on those systems. I think sometimes organizations overlook the operational impact that something like ransomware can have for them.
Anne-Marie Henson:
Yeah, no, absolutely, I think that's something that definitely companies will overlook. It's not just the initial threat that you have to deal with. It's the operational issues that cause you a lot of even bigger problems in the future.
Sacha Blasiak-Priestley:
Absolutely. And I know you asked also about the top three threats that we're seeing. So I did mention ransomware. Phishing is another threat. So as we're seeing companies... Again, everyone has an email address. It's probably been in some of these large-scale breaches, and you've probably heard of things like Adobe, LinkedIn had a large breach. And what happens is they gather up those usernames and in some cases passwords as well, and they start using those.
So they start crafting messages, especially around the breach because they know you've probably been notified that your account was compromised. So they'll craft their emails very similar to that to say, "Oh, you are part of the LinkedIn breach. Click here to reset your password." And as you do that, you're, again, inadvertently giving up your credentials again, perhaps your new credentials.
The other thing that we're seeing when it comes to email is what we call business email compromise. We're seeing a lot of frauds that are perpetrated by asking, "Hey, I'm your regular supplier, but I need you to change my banking account information or wire me this money somewhere else." We've talked to many clients that have been a victim of that attack. It can be very unsophisticated. It's just typically an email to you to say, "Hey, I really need you to change my banking information." No problem, change your banking information, and then by that point that money is gone.
Anne-Marie Henson:
This actually you're reminding me of a situation I've seen, so I just want to add that in. It's really interesting what you say about the banking supplier changing the banking information, which occurred to a company I know. And unfortunately, the insurance that they had, they thought they were covered and ultimately the claim was denied because they said that that was a control issue.
So even though someone intercepted an email and it was really a cyber issue, at the end of the day, the insurance company determined that actually there was human error that occurred because there weren't proper controls in place.
Sacha Blasiak-Priestley:
Absolutely. Absolutely. We've heard of that as well.
Anne-Marie Henson:
Well, that's really interesting.
Sacha Blasiak-Priestley:
And the other one that we also talk about is supply chain risk or third-party supply chain risk. So again, a lot of organizations are doing all of the right things. They're putting security controls in place, but then they're either sharing their information with a third party or they have connections into a third party's environment, and you lose sight as to how those third parties are protected, what controls they put in place.
We're really encouraging our clients to ensure that their contracts are up-to-date with those third party suppliers, that they have contractual obligations around security, and then also trying to perform audits on those third parties that they work with to make sure that those security controls that they have in there are at the same level or better than the ones that they have themselves.
Anne-Marie Henson:
Well, that's really interesting actually what you're saying because I think when we hear of these really large companies being attacked and having cybersecurity issues such as say London Drugs, which is one that was talked about for a long time, we often think about the end consumer, us, the individuals who go to the pharmacy and purchase goods or prescriptions. But you're right, I hadn't thought of it from the other side, which is all the suppliers to London Drugs who've now had their information compromised. So I guess that's what you mean with the supply chain issues.
Sacha Blasiak-Priestley:
Absolutely. And historically, and I think this is one that we talk about a lot in cyber that happened years ago, but the Target attack. So, if you'll remember, Target was also a victim very early on of a very large breach, and it wasn't Target itself that was breached. They had an HVAC or air conditioning system within their stores that they were using that was connected back to a third party.
That third party was compromised, and the threat actors were able to move through that third party all the way into Target's systems and take the data that way. So that's something else to consider is, again, how are you connecting all of the systems to maybe some of these other third parties? And again, are they secure and are they putting the right things in place?
Anne-Marie Henson:
Wow. It's definitely a lot of things for companies to consider.
Sacha Blasiak-Priestley:
Absolutely, absolutely.
Anne-Marie Henson:
Can you talk to us a little bit about what some of the more significant long-term consequences are with regards to these types of security breaches? You mentioned the initial interruption, which could last for a day, sometimes several days or a couple of weeks. There's the ransomware that is typically demanded when these things happen, but what are some of the other long-term implications of a cyber attack that we don't necessarily think of until after it's happened?
Sacha Blasiak-Priestley:
Absolutely. So, there's a few things. So one, like we said, we'll use ransomware as an example, if the ransomware itself let's say is resolved, removed from the systems, the systems are operational again, sometimes it can take companies up to years to actually recover all of those systems. So, they might have those core systems that are up, but it could take years to get the supporting systems adjusted and fixed to be operational again.
There's also regulatory fines that some organizations are subject to. So depending on the industry that the organization is in, if there is a breach that occurs, they could be subject to fines by the regulators, like you said, even in the example around the business email that certain controls weren't in place, that companies weren't doing all of the necessary things that they were supposed to and they could have fines associated with that.
The other thing that we talk about is reputational impact. So, when it comes to something like a London Drugs where they have some of your most sensitive information, they might have prescription information, health information, now that they've had an attack like that, some users may feel or some customers may feel that they're not secure enough and that they don't want to use them anymore as a customer. So that could be something else that organizations face.
Anne-Marie Henson:
Yeah, no, absolutely. All really good points to make sure you consider going forward. When Netflix makes a series that's loosely based on a cybersecurity attack, you know that it's common and it happens quite a lot. There was a recent show called Leave the World Behind, and the premise for those who haven't seen it is a family that's dealing with a cyber attack.
I'm curious to see your thoughts on that. How accurately do you think that these portrayals really reflect real life and what actually happens, and what do you think that this provides in terms of information to your average viewer of a show like that?
Sacha Blasiak-Priestley:
So I will admit, I haven't fully seen the entire movie, but I understand the premise. There was quite a lot of failures, I believe, in the movie, so everything from critical infrastructure. So there was no electricity. There was no cellular service. And then of course, you're going to get locked out of your own technology. So I think, of course, these shows maybe tend to sensationalize some of it in that all of those things happened in one timeline and to such a large group of people.
We'd like to say that that typically doesn't happen. But again, we've seen here, even in Ontario, we had the blackout that was I think about 10 or 12 years ago now, but we also had a telecommunications outage with Rogers just a few years ago where a lot of people were affected. Because as we really move our whole lives into the digital realm, we're very reliant on not only the technology itself, where this information is stored, but the infrastructure that helps us support it.
So I think what it does is bring awareness to that, understanding that maybe we think about... for the Rogers one specifically, we've talked to organizations around maybe you don't want to have your entire workforce on one provider. So that if the provider itself was to go down, half the workforce can work and maybe half are down. So having those contingency plans in place I think is important to start thinking about.
Maybe some misconceptions again around maybe the severity of it, but I think overall it's really just a way to start thinking about how we use technology and our reliance on all the infrastructure that supports it.
Anne-Marie Henson:
Yeah, no, it's really important for us to consider that, right? It's, well, diversifying your risk at the end of the day.
Sacha Blasiak-Priestley:
Absolutely. Absolutely. Yep. Yep.
Anne-Marie Henson:
And speaking about mitigating risk, because I imagine you can't ever completely eliminate cybersecurity risk, but are there new types of technologies, I'm thinking about artificial intelligence or blockchain, that we can use today to help us combat cybersecurity, to help mitigate that risk of being attacked?
Sacha Blasiak-Priestley:
On the defense side, we're using AI to help us quickly detect patterns to identify perhaps misconfigurations or some suspicious behavior. Within cyber, we've been using AI and what we also call machine learning for a lot of years now to help us detect those behavioral type things. With the advancement of AI, that helps us go a little bit deeper. Our main goal really is to, again, identify when something has happened and shut down or eradicate that threat quickly.
And we can do that more efficiently using things like AI. But again, as the defenders start to use AI or continue to use AI, the threat actors are also coming along. I've had clients that have spoken to me and said they've had the voice impersonation, so it sounds like Sacha. I trusted that phone call. I believed her when she told me to change the banking information, and they've fallen victim to that as well. So it's a difficult landscape right now to navigate.
Anne-Marie Henson:
Yeah, no, it absolutely must be because you think these are great new types of technologies that can be used to help in your defense, but the flip side of that is bad actors and people who are exploiting this technology are at the same time learning it as quickly as everyone else to commit more cybersecurity attacks.
Sacha Blasiak-Priestley:
Absolutely.
Anne-Marie Henson:
I'd like to talk about what companies can be doing proactively today to help them prepare for these more sophisticated cyber threats that we're seeing, and not just large companies that perhaps have really big budgets that they have the chance to work with.
Sometimes that seems to be a big concern of smaller companies is how do they protect themselves with the same level of risk but less resources to do so. I'm sure you've worked with organizations of all different sizes, so I'd love to hear your thoughts on how companies today can do better to prepare for these attacks in the future.
Sacha Blasiak-Priestley:
Absolutely. I think number one is be wary of any cyber vendor that says that they can sell you the single solution to all of your security problems. If you buy this one tool or this one piece of software, you're protected, you're safe. Really what organizations need to do, and again, this goes back to a concept we've been talking about in cyber for 20 years now, and we like to talk about defense in depth.
So it's kind of the same scenario of your house. You have locks on multiple doors. Maybe you have your extra valuable things locked in maybe a safe, or you have your documents stored in a filing cabinet with a lock. The idea is the same when it comes to cyber. Organizations can help protect around the sophisticated attacks by making sure that they have controls all along the different ways.
So that goes all the way from having technology controls to even people, like we talked about earlier, everyone is a line of defense for the threat actors. We want to make sure that if they do manage to get in, that they don't get very far, that maybe they don't have access to the most sensitive data. Again, it's really just making sure that you have a variety of components in place.
The other thing that organizations can really do is keep up with what we call cyber hygiene. So it's making sure that your systems are patched and up to date. And what happens is if you have a piece of software, that software vendor will typically release what we call patches or updates to that software code because they've detected maybe a security flaw in it.
They're continually evolving to make sure that it's safe. Organizations should continue to apply those patches and make sure that they're up-to-date with the latest software because that could also help. We see vulnerabilities or attackers exploiting those vulnerabilities for maybe old code or something that hasn't been updated.
When it comes to the use of the cloud, they can take advantage of those built-in security controls that the cloud offers. Through COVID, we saw a lot of organizations really move a lot of their operations to the cloud to help whether it was remote workers work from home or helped to deliver services to their customers, but there's controls within the cloud that are pretty advanced that they can take advantage of and making sure that they have certain things like that turned on. Encrypting the data as it's stored in the cloud, for example, is an easy one that organizations can take advantage of large or small.
I think the other thing too is like we talked about, if something happens, it's very important that organizations have a plan. As someone who used to do incident response, all of these things happen at 2:00 AM. You're not probably at your best at 2:00 AM.
So having a documented plan that you can literally open a binder and say, "Okay, step one, what do I do," really can help organizations. The key also to that plan is to make sure that you're testing it regularly. We walk through it with clients where we sit down typically in a boardroom and we say, "Okay, you've been hit by a ransomware attack. Your systems are down. The media is calling. What do you do?"
And we walk through their plan to make sure that they've thought about all of the different steps. And as we've done this with clients, some questions come out, what would I do in this scenario? And it helps to refine it in an environment that is less chaotic than an actual incident that's not 2:00 in the morning. And then again, you can refine it. So that if something does happen, you have that playbook.
You can go to it quickly. And again, when it comes to an incident, the goal is timeliness. We want to make sure that we're shutting things down quickly and that we can recover quickly as well.
Anne-Marie Henson:
That's a really great piece of advice. I guess I want to ask you just to elaborate on something you talked about at the end with regards to testing your plan, because it's great to have something on paper. Sometimes you try to execute and it doesn't always work out the way it's on the paper. So how often would you recommend a company revisit that plan and also test the plan?
Sacha Blasiak-Priestley:
So typically, we'll say annually to revisit the plan and for a test. When we do the test, what we like to do is simulate a real live incident. And I think we've even moved away from incident response to crisis management or crisis response, because we recognize now that when it comes to a cyber attack or a cyber incident, there's so many different areas that have to play a part.
We've seen HR that has to be involved. In some cases, you have a PR firm. If you have cyber insurance, you have a cyber insurance that has to come in. So there's so many different moving parts now. It's not just an IT problem. Having said that, that's a large thing to test, right? So we want to make sure when we're doing it, we have all of those people at the table.
We've even done it where the board of directors has been at the tabletop with us listening, figuring out when they might have their input. We would probably say annually. Review a plan anytime a major change happens in your environment though. If you've moved to the cloud, for example, obviously that plan would have to be updated to make sure that it takes into account where all of your systems are.
Anne-Marie Henson:
Yeah, no, it's a good point to review, not just annually, but when there are major changes that happen. If you've moved locations, maybe you've expanded to five new cities or acquired a business. So no, those are absolutely great pieces of advice. So, thanks for sharing that.
I'd like to know about how you see the future of cybersecurity evolving. As threats become more and more complex, as we become more and more reliant on the use of technology in our everyday lives and in business, where do you see cybersecurity in the next five years?
Sacha Blasiak-Priestley:
Like I said, I think when it comes to cyber, we're going to see the use of AI, again, helping us to really detect and respond to those cyber attacks. And cybersecurity expertise will really remain crucial to make sure that the systems are designed securely from the start. If we think about how cyber was typically, or in some cases still is, it's kind of at the end of a cycle.
So, if an organization, for example, has written a piece of custom code or they're about to release an application, they're like, "Oh yeah, by the way, security, can you take a look at this?" And then at that phase, if there are major security risks, you're a day away from launching, it's very expensive, we have to fix things rather quickly.
What we really want to see is that cyber really what we call shift left, move right into the beginning of the process, embed cyber into all of the business processes to make sure that everything is being designed securely. And again, when you do it that way, it's less expensive and it's more secure. Also, making sure that cyber really helps enable the business. Again, historically, maybe cyber was looked at a little bit like a traffic cop. We're saying, "No, you can't do that. It's too risky. You can't do that."
What we want to do is really make sure that the business is communicating with the cyber teams so that the cyber teams understand what those business objectives are, and we can help enable those. We want to make sure that you're taking full advantage of new technology. We want to see people move to the cloud. We want to see agile ways of delivering services, but we want to make sure that you're doing it securely. So, I think organizations working together with cyber will really help.
Anne-Marie Henson:
I love what you said there. And I think that myself, coming from an audit background, we'd like to look at ourselves in a similar way today versus many years ago, is that we're not just there at the end after everything has happened to tell you what happened. Cybersecurity used to be thought of as, okay, well, I had an attack and now I can't access my information, and so this team has to come in and help me. It's more of a continuous process and integrating that into your business the same way you've integrated technology into your business.
Sacha Blasiak-Priestley:
Absolutely. And again, it can really enable businesses to take that next step. Like you said, use new technology, look at new ways, look at how they can use AI. We have a lot of clients right now that we're talking to about what their readiness for AI looks like. How do they start taking advantage of all of these new great technologies, but doing it in a secure way.
Anne-Marie Henson:
Sacha, thank you so much for all this amazing information. I really appreciate your time today and your input. I hope our audience appreciated this discussion. And I'd also like to thank you, our listeners, for tuning in today and to all of our episodes. I'm Anne-Marie Henson, and this has been BDO's Accounting for the Future. Please let us know if you found the topic interesting and useful, and remember to subscribe if you liked it. We'll see you next time.
Narrator:
Thank you for listening to BDO Canada's Accounting for the Future. Past episodes and related insights are available at www.bdo.ca/accountingforthefuture. Or you can go to Apple Podcasts, Spotify, or Google Podcasts to subscribe. For more information on BDO Canada, visit bdo.ca.