1. Are Canadian organizations currently dealing with a “ransomware epidemic” and how should this affect their cyber strategy?
Rocco Galletto – Yes, there is a ransomware crisis that continues to accelerate at an alarming rate and affects more and more organizations in Canada. On the one hand, Canada is a top geographic target, simply because it's one of the most digitally advanced economies. On the other, threat actors are multiplying because criminal groups have made it easier to perpetrate attacks. A threat actor can now leverage ransomware-as-a-service (RaaS) and attack multiple organizations in a single hit. The crisis has taken on “epidemic” proportions due to the proliferation of cyber criminals now using RaaS. With very little background in cyber or IT, it is now possible to perpetrate a very lucrative attack.
Organizations need to understand this new reality and respond accordingly. Automating controls and ensuring there are strong backup strategies are crucial for weathering the current ransomware storm. Zero trust strategies and software-defined perimeters are also on the horizon and offer a lot of promise, but it will take time for organizations to adopt these solutions.
The key thing to understand about ransomware and digital extortion is that it's a very opportunistic and timely attack. Companies have undergone massive digital transformations in the past few years and are more vulnerable than they have ever been. Technological enablement has resulted in many more access points that cyber criminals can exploit. The emergence of RaaS platforms is a direct response to this. Threat actors can pay a monthly fee, access support, automate, scale, and attack thousands of organizations at the same time. If successful, a threat actor will typically lock a significant portion of these businesses out of their systems and encrypt their data until they pay a ransom, almost always in cryptocurrency. Extortion tactics are also becoming more severe as many attacks leverage the sensitive data they steal from an organization.
2. What are the most common pitfalls or blind spots you see when assessing different organizations' cyber risk management strategy?
RG – Because cybersecurity is an ever-evolving landscape, it may force some organizations into a chain of reactions that complicate their cyber strategy. The resulting infrastructure can often be piecemeal and disconnected. Organizations can fall into a whack-a-mole situation when it comes to patching bugs, responding to specific threats, and involving third parties. Cyber strategy really needs to be architected at the get-go, as new technologies are being explored, and before they are implemented. A sound cyber strategy helps you implement the right tooling and capabilities so you can protect and grow your business at the same time.
Another very common blind spot is the confusion between digital maturity and digital resilience. Many organizations have a high degree of maturity: their security team is in place, they have enabled cyber processes and documentation, and have invested in new technologies that help drive innovation and growth. An example would be a human capital software solution, which enables digital transformation, but also increases an organization's risk ratio. This new capability introduces a whole new dimension of personal data that the business will need to protect. It's why tech enablement needs to happen in tandem with cyber risk management. This is probably the biggest area of vulnerability for most companies right now.
3. For companies who have already invested significantly in cybersecurity, how should they be approaching their investment amid the ransomware crisis?
RG – When it comes to assessing your cybersecurity investment, optimizations should really focus on moving toward a risk-based approach, which means that your cyber strategy moves to the centre of your risk management framework and avoids the trap of developing disconnected, albeit digitally advanced, monitoring systems in response to different types of threats. All businesses are currently undergoing some form of digital transformation. Part of this shift is ensuring that cyber is closely aligned to the unique business profile it is designed to protect.
Oftentimes clients will ask if they are overspending on cyber. My answer is that cyber has become one of the leading business risks for Canadian organizations. You're either not spending enough on cybersecurity or spending in areas where you may not receive the largest return. I often hear about organizations that “have transformed” their cyber programs and implemented new processes and control points, and this is fantastic news. But the next step is to ensure your cyber strategy continues to evolve alongside the business. With every change, new partnership, new technology, and new service offered, the organization's threat profile changes, and those changes need to be understood and assessed for new risks.