Rob Philpotts:
Now that we sort of are very aware that cybersecurity is part and parcel of sort of geopolitical activities, we definitely have to become more and more aware, and we strive every day to help our clients understand this.
Anne-Marie Henson:
Hello and welcome to Accounting for the Future. I'm your host, Anne-Marie Henson. Today on our 50th episode, it's crazy how time flies, I can't believe we're at 50 already. We're going to be exploring today's landscape of cybersecurity, how it's evolved into a strategic business priority, and why building resilience through cyber readiness matters more than ever. We want to look at what organizations must do today to stay prepared amid a lot of global uncertainty.
And here to share his insights, I want to welcome Rob Philpotts, a Partner in Cybersecurity at BDO Canada. Rob is a seasoned leader who brings over 22 years of experience of hands-on cybersecurity expertise to BDO. His work in intelligence and cybersecurity spans high-profile roles with large organizations, global consulting firms, NATO, the United States Cyber Command, the National Security Agency, and the Canadian Armed Forces, including an operational tour in Afghanistan. He employs a risk-aware, strategic approach to secure various industries across both on-premises and cloud environments. Rob, I'm so happy to have you on the podcast today.
Rob Philpotts:
Hi, Anne-Marie, glad to be here. Thank you.
Anne-Marie Henson:
So you've got a really, really interesting sort of background and expertise, so I think it's going to lend itself really, really well to this discussion. And it seems like the cybersecurity environment and risks are ever-changing. I want to tie that back to current trends that we're seeing a lot today with regards to trade disputes, geopolitical tensions. And how you think that has changed the way organizations think about cybersecurity today or how they should think about it differently today.
Rob Philpotts:
Yeah, so more and more cybersecurity, which is considered a domain of fighting by nation-states these days. And therefore, hence I was working at US Cyber Command and they treat that the same as the maritime environment, land or air or space as well. So you can imagine all the planning and effort from a military context when you sort of put that into your doctrine.
So that being said, now that we know that ... and we see it out and we'll talk about a few examples. But now that we sort of are very aware that cybersecurity is part and parcel of sort of geopolitical activities, we definitely have to become more and more aware, and we strive every day to help our clients understand this. That as a tool of various threat actors out there, things like your supply chain are less reliable. And when we're talking about cybersecurity, we're talking about your hardware supply chain, whether it's the computers you're buying for your business. We could see evidence of that in recent years, the Government of Canada banned Huawei, a Chinese telecom maker from being present inside the core of our networks due to a perceived national security threat.
The other part of your supply chain is your software. So often your applications, your operating systems, anything running on your machine is connected to a vast network of updates, patching. Those items ... patching and improvements, excuse me. And those items become vulnerable. And we see this in recent years with the SolarWinds breach, which was a firewall used around the world pretty much by a lot, almost everybody. And what the SolarWinds breach did is it was a false flag update that went into these systems and basically just left a back door for a nation state to be able to come and log into your network when they were ready. So it basically created a lot of targets.
Anne-Marie Henson:
Yeah, absolutely. Well, I'd love to find out more about this. When I think of a lot of Canadian companies today, for example, manufacturing business. So I might think if I'm running that business today and I'm considered to be an SMB, small medium business, my supply chain is all over the world, I'm bringing in materials and chemicals and industrials from all over the place. I'm not supplying the government, I'm not involved in defense simply manufacturing parts for, let's say, automotive industry or something. Why would I be a target of cybersecurity risk, let's say, by these nation states? Why should I care so much about these risks?
Rob Philpotts:
So that's a good question. So not every manufacturer out there is going to be the target of a nation state per se. Because they also have limited resources and they need to sort of go after things that are important to them. And I'll get to that. However, all businesses are susceptible to what we call cyber gangs that operate typically ransomware networks. And the ransomware is they attack you, they hijack your data, and then they basically ask for money or else they'll dump all your data wide open onto the internet. So ransomware is a problem that faces all businesses. And it's what we call typically untargeted campaigns, where they're just casting the widest net possible so they can exploit and get as much ransom as possible.
Oftentimes, some ransomware actors are attributed as proxies to nation states. As in it's an approved kind of arm's length activity that creates a bit of disruption and issues in the world. And one famous one of recent times was the Colonial gas, I believe that's the name, pipeline attack in the Southeastern United States. So that was a ransomware activity that shut down gasoline distribution in the US Southeast a few years ago.
To bring it back to your question as to what sort of small medium businesses would likely be a target of a nation state. And I just want to be clear, this doesn't mean you're automatically being targeted by nation states. It means you have to be more vigilant and resilient with your cybersecurity. If you're into an area like complex manufacturing, and this is typically things like computer technology, software, aeronautics, electric vehicles. Anything that's sort of cutting edge in this moment, there are certain nations that might take a strategic interest in that activity that you're undertaking. So if you're manufacturing something unique in the world or unique for your country or your industry that is advanced and technologically sensitive like, let's say, with patents or other trade secrets or intellectual property involved. That's something I would be more concerned about.
And how am I justified in saying that? Well, one of my old commanders at US Cyber Command National Security Agency, he famously called a period of time about 10 years ago, and it continues, the greatest shift of intellectual property and wealth in the history of the world. And what he was attributing that statement to ... and I'm paraphrasing there. And what he's attributing that statement to was this ongoing business after business attack being attributed to the People's Republic of China, for example. So seldom had nations gone after intellectual property, they were going after military secrets and other sort of diplomatic secrets and things like this. But never up until that general time period had nation states been so relentlessly stealing intellectual property, so they could establish their own businesses back in their country.
Anne-Marie Henson:
Yeah, that's really interesting, Rob. Because I think in the past there was a belief that cybersecurity was a threat, as you'd mentioned, with regards to ransomware. And trying to basically hold hostage the confidential information of companies to be able to get as much money as possible. And I think today businesses do need to look at it differently because they're not just after an immediate source of cash. Sometimes they are. Sometimes it can be they're after, like you said, your intellectual property. Or maybe they're not even after your intellectual property. But because you're an SMB and for example, you may be a supplier into a large supply chain where your customer has very sensitive information that a nation might really want access to. They might be able to access your systems over the more secure systems of a very large organization.
Rob Philpotts:
So the fact that we're integrated across suppliers selling what comes in and what goes out, and how integrated these businesses are from a logistics and a technology perspective is certainly something to think about in an era of breaking globalization. And we see this, right? We see world leaders clearly saying, western leaders, clearly saying the era of the global supply chain, that's shifting. Right now we have to be more choosy when it comes to where you're getting your data, your inputs from. And so if I'm in a business in Canada looking with whom I'm going to integrate, I would be looking at jurisdictions that sort of share our general principles. So Europe, European. The United States certainly still. But like-minded nations potentially that generally share our values and our institutional processes is very important. Just things to consider when you're planning your business activities.
Anne-Marie Henson:
Yeah, absolutely. No, thanks for sharing that. Very informative as a starting point for this conversation. I want to talk about an interesting white paper that BDO recently sponsored. It was completed by the International Data Corporation, it was called, Cybersecurity Readiness in the Age of Digital Transformation. And the report notes that only 40% of organizations integrate cybersecurity during their planning phase. Why is that number still so low with everything that we see happening in the news today?
Rob Philpotts:
I mean, I think a lot of this you can attribute it to, I think, just human nature. So we look at as we implement technology solutions to run our business, IT, OT, et cetera. Obviously the speed at which you can be efficient and realize your opportunities is very much an area to focus on. And I think that's been the drive as people digitize their businesses, the efficiencies they see and they just keep driving down that road.
And we see that now with AI. There's a huge oncoming technology with artificial intelligence. You see it. Obviously ... well, maybe not obviously. But it's pretty clear that there's a rush of investments, companies surging in trillions of dollars and data centers being built. And people are really betting a lot on the success of this technology, and the promise is certainly there. So that's the rush part, right? That's the engage with it and realize efficiencies and whatnot.
However, the other part of human nature is that it's very hard for us to perceive threats we can't see. If you can't see it, you're just not perceiving it until it's sort of in your face, if you will. So clearly perceiving of cyber threats, these are relatively invisible if you don't have the technology or if you're not thinking about that space. So I think that's sort of where that comes from.
And technology, and I'll say, cloud is even a bigger contributor to this. Cloud is supposed to make things more secure, which it certainly does. But it also equally accelerates one's potential to establish digital footprints that do work or are connected to the business. They create risk, or what we call an attack surface. And then they move on to another cloud footprint, maybe leave bits of the old ones still available. So this is something we see all the time in cybersecurity is kind of leftover openings or attack paths into businesses because of just the speed of deployment and the speed of technical production.
So the impact of that, I can just say planning is cheaper than responding, okay. This I believe is well documented. Planning is not ... it's seen as paying into cybersecurity, is seen as a cost. It doesn't contribute to the profit of the business. It's not making the widgets that go out the door, for example. But certainly when you think of the regulations, the expectations in the public is that if you are providing me a product and I'm providing maybe it's taking some of my data in return to operate the product, whatever that might be. I would expect that you're doing your best in security or a reasonable amount to protect that. Because we do see there are court cases, there are trials, different things occurring where companies have not taken cybersecurity seriously.
Now, what happens if you end up reacting without a plan, that's generally much more risky. Those things tend to become more public in general. Especially if they're, let's say, a ransomware actor. If they're putting your data online, everybody can see it. So how it works is they put it online. There's a bunch of Twitter X bots that monitor these sites. They're not secret sites. And then as soon as it's published on the dark web on what we call a shaming site, it's immediately out in the public domain through social media. A lot of researchers just do this as a hobby, scanning for those disclosures.
So why risk that, right? Why risk that in the moment? So imagine you're responding, it's chaos. Your defenses were low, they weren't invested in. You're dealing with potentially a public affairs crisis, a regulatory crisis, as well as a business crisis. This is not about rubbing someone's nose in it, we never do that. Responding to an incident is very serious. We take that very seriously. But if you reflect and you sort of take time out of the moment, why didn't I invest earlier? And it's not complicated.
And the other part I want to say about that is it's becoming important and also expected by government. So in Canada, we have a Bill C-8, for example, that is working its way through the parliament. This is an example of our own national legislation that I believe is going to change the Telecommunications Act to essentially create a cyber charter that will require not every business, but will require what they call designated operators. So essentially critical infrastructure. And there's a variety of ... there's a list here, it's not just a few. These types of organizations and companies, both public and private, will have to demonstrate a competency in cybersecurity. So there's legislation coming.
Other nations have been more forthright about this. And now what you see emerging is a trend of where company officers, so these are your Chief Executives, Chief Financial, Chief Operating Officers, Chief Information Officers. If they're aware of a cyber issue that was told to them, and they did not take action on that issue, there are now ... the SEC recently initiated a court case against a company officer. I don't know how that's going right now these days. But they did launch a case as a regulator against a US company officer for neglecting notifications from their staff about the state of their cybersecurity.
So that accountability is coming. Again, these are sort of more extreme examples. Not everything ends up in a charge, per se. But it's going to be fines, it's visibility towards your security posture. And so take action, start planning and be resilient. And don't have your business disrupted. It seems like a great thing to do from my point of view.
Anne-Marie Henson:
Yeah, it definitely seems quite clear that it's worth the investment based on what we've seen happening. And hopefully that number, that percentage increases over time. I'd like to know what we've read is that typically when there is a cyber incident and data is lost or stolen or held hostage for a bit. Typically, the recovery times can exceed seven days for these types of incidents. Which seems like quite a large ... a week of disruption is big. And that doesn't even count how long it takes afterwards to get back into business mode and be fully functional. Looking at that number, what would you say are the biggest implications of losing access to your data and essentially losing the ability to function as a business for a week's time?
Rob Philpotts:
I mean, depending on how your business ... so the impacts can vary. So typically there is a financial impact. We've seen organizations that have to draw down lines of credit because their cash flow stopped as a result of not having access to their data and being able to continue their business. That's an impact because there's a cost to that. That's not free to take in your lines of credit, to use them. So that's typically a decision that can be taken.
Other impacts where it gets more, I think, severe and kind of longer lasting is on the reputational side. If you're a business in a critical industry, let's say like medical supplies or something else, electricity, you name it. I mean, we can go on, there's so many sensitive sectors and areas. But if you're providing something unique, let's stick with the medical supply thing. Something unique, not a lot of folks are making this widget that's vital to ongoing healthcare, even simple things. We've seen this in the past where simple things would sort of be in short supply. But if this is as a result of your own lack of planning and less of a look on cybersecurity because for whatever reason a ransomware actor got into your network. If it's found out that it's because of a low level of security, that impacts your reputation. That will have people like, I can't have that disruption at my end, so I was relying on you. Therefore, I might consider switching. Or having multiple vendors supplying those same kinds of vital products.
So reputational damage is certainly something. And we talk a lot about this when we do our tabletop exercises with our clients. A tabletop exercise is where we walk them through a simulated breach. And then the executive learns about how to react and respond within that. But when we do those, we emphasize ... one of the ... and it varies by client on how they choose to do this. But what we discuss is how you manage a crisis and how the public perceives that management of the crisis affects you as you come out of the crisis. So if it's a sloppy response and your business takes a left turn in terms of reputation or business impact, and people are like, what's going on here? That will have longer ... and then you're sort of cagey about what you're doing on the inside and not being forthcoming. That will definitely impact your reputation.
Classic example of this, it wasn't a cyber crisis, but it was a food crisis. Maple Leaf Foods, so a much lauded case where they were open about day-to-day, every couple days, whatever it was, the CEO took responsibility and was open about what was going on. And that's very much a studied case. It doesn't mean you tell them everything. But you give enough that gives that confidence to the public. So the same in a cybersecurity event. So reputational and financial is typically what we see.
Anne-Marie Henson:
Yeah, it's a good point because I think the financial risks are immediate and typically you see them show up quite quickly in the event of a cybersecurity issue. But the reputational risk is really the long-term potential damage to your supply chain, your customers who might have lost confidence in your ability to secure their data and their information. So those risks definitely should not be underestimated when we're looking at these types of issues.
Rob Philpotts:
And well, financial too. Financial can be equally ... because financial, we've seen businesses actually shutter because they didn't have those lines of credit or whatever the financial structure or means to sort of get over that period of time. We've also seen in the cases of nonprofits that rely on maybe donations to support a charity type operation where ... and maybe there's sensitive data there. But we've seen where donors, literally they were being concerned about the philanthropists providing support to their nonprofit activity. So it can hit in all sorts of ways, and we do see it. But again, planning for the future when you make that ... so this is what we call an incident response plan. And that's actually one component of a cybersecurity program that's very important. So not only having the protection and the technology like the endpoint protection, for example, to protect your computers. But it's also having a plan that you invoke and you pull out when there is a crisis. Because that keeps everyone in their lanes and it keeps you on track with that response and managing risk in a crisis. So all of that is very important.
Anne-Marie Henson:
Well, it's a good point, Rob, you probably answered part of this next question. But I'd like to see if there's anything else we should consider. So the paper that we co-sponsored, again, suggests that budget alone, like putting aside some funds on a regular basis to have some managed services, a firm like BDO to help manage cybersecurity on a regular basis, that alone doesn't guarantee readiness for an incident. So what are some of the factors that are really critical more than just putting aside a budget and sort of financial means when it comes to being resilient from a cybersecurity perspective?
Rob Philpotts:
I'll start with the application of these budgets. And we have seen at certain organizations ... well, and it happens more often than you'd think or you'd like. So where there is budget allocated, I've got that covered, what's the problem? But then you go deeper and we're invited to work at some of these clients and we help them. But what we see where they need help when this happens is where they'll have every technology under the sun. They'll have things as a cybersecurity person, I would wish that I would have to work with some very cool tools out there. But you'll see all this investment, all these sort of individual technologies. But none of them are integrated.
So integrating these technology ... because cybersecurity, not to get too technical, but it's about getting visibility and signals from different parts of your digital activity. And so it means, what is happening with an account? What is happening with an account? Is that account that might be compromised, is that account interacting with a computer that it doesn't normally interact with? Or is it interacting with a set of data that it typically doesn't interact with? So why is so-and-so accessing HR data today? That user profile never does that. Okay.
Now doing that at the speed of light, of course, that's where your integration has to occur. And looking for those anomalies because that's how fast a cyber attack happens, we call it speed of cyber. It happens in the snap of a finger. So integrating those technologies is often what we see as lacking. And we assist clients in a number of ways in integrating that and sort of bringing up that maturity. If you're the Chief Financial Officer providing that budget, how can you find out if that's, well, what's kind of under the hood? Because typically it's like an investment. In the cases where we see lack of integration, it's typically it can be either an inexperienced or a low level of staffing that just doesn't have time to do the full architecture, what we call security architecture. And that's where they rely on folks like BDO to come and help them address this lack of integration.
Now, how do you validate your return on investment? I hear it's got to be integrated. How do I validate that? A couple of easy ways to do that. One is a service we provide and a number of service providers do this. Is what we call offensive security testing. And what this is, is where our team of ethical hackers will come in and they'll look at you from the outside in first. Sort of what we call a hacker's perspective. They're given no advantage, they're given no ... nothing is set up for them, per se. But they'll look at your attack surface from the outside. Whether it's a login page you have for employees, whether it's a firewall you have at the edge of your network on premise. Or whether it's your cloud services that you've set up.
So wherever your digital estate goes, they look at all of that from the outside. Then they find what we call attack paths or a series of exploitations that they can hit one after another to get inside your network. Or to get inside a service that you rely on. It's a very powerful activity, this offensive security testing. Because it literally, if they find these exposures, the message is you're exposed and you're not secure. And I don't know which message gets more strong than just saying, "Yeah, you're really exposed here based off these things." So often it's these quite simple attacks, sadly, that we find are available to our ethical hackers and would-be attackers.
Now, the other type of tests they do is we do offensive. They'll also go inside your network and do sort of an inside-out perspective. And this is important because once attackers are in, they want to get stuff out. And so what our offensive security team does is just make sure that your internal communications, your internal dependencies aren't exposing additional attack paths that would allow an attacker to go too far in your network or go everywhere in your network. As opposed to ... not ideally, but more ideally, like one vulnerable service versus an entire vulnerable estate. So they look at that side too.
I won't take too long. But the second activity is simply a posture review. So this is otherwise known as blue teaming. So this is where one of our security architects will go ... it's not so much testing. But it's where our security architects will sit with the client and they'll look at all their configurations from the inside, so from an inside perspective. And just go through best practices and industry alignment to make sure that those technologies are integrated. And just provide a roadmap to the clients or we'll do it for them. So that's looking from the inside and just sort of setting things up.
And then the third thing we do is what I mentioned earlier, these tabletop exercises. So this is where if you haven't done this and you have external stakeholders and executive, you have owners, investors, regulators, sensitive data, a sensitive type of operation that we spoke of, science and technology, manufacturing, for example. If you haven't done a tabletop exercise, I highly recommend it. Because what you'll see is how ready your organization is. Why that's important is because a plan will walk you through the consequences of privacy and how to deal with that in a crisis when it comes to things like employee data or personal data. It will walk you through the consequences of business disruption, which we spoke of, which you'll see, are your teams able to actually keep the business running? Are you able to recover your business from a backup, for example?
And it's surprising what comes up. We had a client once who had ... they were all cloud, everything was backed up. They were all, sorry, cloud and on-prem, everything was backed up. They were quite effective at backing up their business. So if something happened, they could sort of cut the cord and resume within a matter of hours was the theory. What happened was is they had not planned the bandwidth back to their data center to restore the business in their on-premises location. I mean, maybe it's not simple, maybe it was complicated to contract that bandwidth. But everything was nailed down except for this one detail of bandwidth of restore, coming back into the network. So they were disrupted because their plan had not been ... well, I wouldn't say, had not been exercised. But had they exercised this activity, potentially they would've seen that before the moment.
Anne-Marie Henson:
I think one thing I've seen as well is a really well laid out plan involves the entire organization. Sometimes I've seen sort of the finance team or the CFO say, "Okay, technology team, what's the budget for cyber?" And then you jot it down in your annual budget. And then at the end of the year you compare what's actually spent to what the budget was.
But that's really more of an exercise of checking the box. Rather than everyone understanding the responsibility they have in terms of ensuring cybersecurity and proper readiness and things like that. So the organizations that don't just offload this responsibility to the CTO or the CIO, and actually make it the responsibility of everyone, are the ones that I've seen that are really most successful.
I have one last question for you, Rob. You talked about so many different things an organization can do to be more ready in today's age of cybersecurity and threats. If you could leave us with just one piece of advice to organizations who are trying to prepare for cyber threats amidst all this uncertainty, you probably have so many. And I guess for organizations that have all these different priorities and emergencies or fires to put out, what would be the one thing you'd want to leave us with?
Rob Philpotts:
One thing I would say is seek the services of a dedicated security vendor. So a lot of companies in this space, we've talked a lot about small medium business, manufacturing, etc. So a lot of businesses in this space will have a dedicated IT services provider. An IT services provider, they can be quite robust. Certainly there's very competent operations out there. But what we find is that IT is about making things go. It's about getting the car on the road, rolling down the road, tires, engine, and getting it going. If you're not getting security involved, which is a different mindset, that's going to be things like the locks on your door ... sorry, the locks on the door of the car, the seat belts, maybe the windshield wipers, depending how far we want to take this comparison. But it's a different mindset than getting the car on the road going. And generally that is sort of core to the ethos of IT providers is to get things going. And when you get things going, other things can happen.
Now, you don't want to slow down your business ... we're not here to, no, stop getting going. That's not what we're here to do. What we're saying though is take a security services provider who's kind of arm's length from that IT provider. And now the IT provider might claim, oh, we got the security. That's fine. They can, again, there's very competent operations. But just occasionally if you're sort of wondering how this is going and if you're secure, that arm's length security vendor to do some of those sort of simple reviews that I mentioned. So whether that's an internal blue teaming review of your internal architecture or whether that's an offensive security test of your digital estate that's coming from this IT service provider. That's a very effective approach to let you know if you're in an okay place. Or at least what you have to do next.
And what types of reports can do blue teaming or the offensive security is when you come back to it later on, six months, one year, you now have something to compare it to. And if your IT services company isn't progressing there, at least now you have evidence to consider how you allocate your investments and dictate things. So very important.
One thing to keep in mind, these types of snapshot checks, even if it's a security audit for example. Those are point in time, that's not in the moment. We talked a lot about in the moment, how things can happen like literally in the moment of cyber. That's getting more into the cyber operations. If you're a big enough company, certainly, yeah, you do want to have a security operations program where you're actively defending your network with dedicated services and technology. But I'll stick with that. I'll stick with, do those point in time checks. They're very high value for what you pay. And they can hold your teams and service providers highly accountable to the security of your digital estate.
And by the way, you can't outsource risk. It's not your IT company's risk. It's your risk. It's also your accountability. So don't assume it away, especially as we see things changing as we talked about in the discussion today.
Anne-Marie Henson:
Thanks so much, Rob. I love the car analogy, actually, I think it's a really great one.
Really, thank you so much for your time and your perspective today. I hope our audience appreciated this discussion. If you liked this episode, make sure you leave a review or a comment and click the follow or the subscribe button to stay tuned for new episodes. Thanks to our listeners for tuning in today and to all of our episodes. I'm Anne-Marie Henson and this has been BDO's Accounting for the Future. Thanks so much.
Narrator:
Thank you for listening to BDO Canada's Accounting for the Future. Past episodes and related insights are available at www.bdo.ca/accountingforthefuture. Or you can go to Apple Podcasts, Spotify, or Google Podcasts to subscribe. For more information on BDO Canada, visit bdo.ca.