Companies must focus on managing cyber-attacks, not eliminating them

TORONTO — Companies trying to stay ahead of the increasing threat of cyberattacks need to be cognizant of one simple fact: there is no perfect antidote or turnkey solution against criminals bent on breaching their systems.

“Everyone is hacking into everything,” said Benoit Dupont, professor of criminology at the University of Montreal and the Canada Research Chair in Cybersecurity.

“Even the most secure, aware organizations like the top intelligence agencies in the world get hacked,” he said. Last month, the New York Times reported that the cyberweapons developed by the National Security Agency to spy on other countries are now being used against it, thanks to a leak.

The number of Canadian businesses experiencing losses of $1-million or more loss rose to seven per cent from just one per cent two years ago, according to a 2017 report by the Canadian Chamber of Commerce.

With each passing year, hacking has become more dangerous, sophisticated and difficult to prevent — and solely ramping up spending on cybersecurity is not a viable solution for any organization, experts warn.

What’s required when it comes to cyber preparedness, Benoit and others argue, is a radical overhaul of the entire ecosystem that accounts for the significant role that human error plays in breaches from confidential data sent to insecure home systems, to phishing schemes that rely on tricking people into giving up sensitive information belonging to their employer.

At a minimum, organizations should ensure that mechanisms are in place to minimize the damage caused by inevitable cyber-infiltrations so that if criminals are able to breach a system they won’t necessarily be able to exit with anything of value.

That starts with prioritizing the information that organizations must protect, said Christian Leuprecht, national security expert at the Royal Military College and Queen’s University.

“People think there is such a thing as privacy and that you can keep things secret. We need to come to the realization that’s not possible,” said Leuprecht.

“We need to say 90 per cent of stuff that becomes public, we can live with that. And here’s the stuff that we have to protect at any and all cost, and where we’re going to put all our efforts into protecting that.”

Surprisingly, encryption in which data is translated into a secret code that can only be accessed by using a secret key or password to decrypt the documents into plain text is one measure few companies seem to be adopting, said Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada.

“The fact that every time we hear about someone’s system being breached and people are able to read the details tells you a lot,” Kabilan added.

Encryption, however, isn’t a viable long-term cyber-strategy for companies that need to have constant access to data themselves, according to Andre Boysen, chief identity officer at Toronto-based SecureKey.

“It’s going to make it harder for the business to read the data,” he said. “It’s got limited usefulness.”

Typically, such companies instead rely on constantly monitoring what’s happening on their network — a feat no human can succeed at, even with organizations leveraging more artificial intelligence and algorithms to determine suspicious activities and identify them before hackers get access to their crown jewels.

“We always assume people are hacking near perfect systems,” said Leuprecht. “We have major human errors in the way the system are set up. Most people actually run terrible operations including some of the largest in the country.”

Failure to patch and update systems is another area where human error causes critical fallout, Kabilan noted.

“It’s so much of a non-starter that it’s not being done,” he said, referencing the WannaCry ransomware attack, which infected hundreds of thousands of computers in May and scrambled data at hospitals, factories, government agencies, banks and other businesses around the world.

“(WannaCry) spread because some people clicked on a link but the reason it proliferated was that it took advantage of an unpatched system.”

Organizations need to get a better handle on setting up simple deterrents to make it as unattractive as possible to try to steal information, said Leuprecht.

“For instance, if you’re storing credit card information, or things that have lots of numbers, you can create fake versions of them … So if somebody gets a hold of all these numbers they don’t know what the fakes are and what the real ones are,” said Leuprecht.

“If you’re just an organized criminal operation that’s trying to extract financial data, you don’t want to invest millions of dollars and hours trying to sift through all the data to figure out what’s real, what’s fake, what’s usable.”

Other effective methods not be used by companies are exfiltration detectors that examine outgoing data and block any documents that are intended to remain inside the network, he added.

“This is not rocket science,” said Leuprecht. “You have a water main break, you shut it down.”

Get local stories you won't find anywhere else right to your inbox.
Sign up here

Just Posted

Alberta children whose only symptom of COVID-19 is a runny nose or a sore throat will no longer require mandatory isolation, starting Monday.
477 new COVID-19 cases confirmed in Alberta on Thursday

Changes being made to the COVID-19 symptom list for school-age children

Chasetin Morin
Photo from RCMP
Three men accused of assaulting Blackfalds RCMP officer going to trial

RCMP officer shot and wounded one of alleged attackers in December 2019

The Cenovus Energy Inc. logo seen at the company's headquarters in Calgary, Alta., Wednesday, Nov. 15, 2017.THE CANADIAN PRESS/Jeff McIntosh
One-time costs of Husky takeover expected to be about $500 million, says Cenovus CEO

One-time costs of Husky takeover expected to be about $500 million, says Cenovus CEO

This drum circle was one of a multitude of activities held at The Hub on Ross in downtown Red Deer. The facility was permanently closed by the provincial government his week. (Advocate file photo.)
Many Red Deerians react with anger, dismay at closure of The Hub on Ross

Many disabled people can’t afford other recerational options, says guardian

Award-winning Calgary developer Brad Remington stands with Red Deer Mayor Tara Veer at the site of three multi-family condo complexes that are planned for Capstone, west of Carnival Cinemas. (Photo by LANA MICHELIn/Advocate staff).
$36M condo project on its way to Capstone development

Calgary developer plans to create 180 housing units to open in 2022

Alice Kolisnyk, deputy director of the Red Deer Food Bank, says the agency expects an increase in demand as the COVID-19 pandemic continues. Every new subscription to the Red Deer Advocate includes a $50 donation to the food bank. (Photo by BYRON HACKETT/Advocate Staff)
Support the food bank with a subscription to the Red Deer Advocate

The community’s most vulnerable members are always in need of a hand,… Continue reading

Workers at Olymel's Red Deer pork processing plant are among those eligible for a $2-an-hour bonus because of the pandemic.
Red Deer Advocate file photo
Two Olymel workers test positive for COVID-19 in Red Deer

Two workers at Olymel’s pork processing facility in Red Deer have tested… Continue reading

Ryan, Falcons avenge earlier loss to Panthers, 25-17

Ryan, Falcons avenge earlier loss to Panthers, 25-17

FILE - In this Oct. 28, 2015, file photo, former world boxing champion Roy Jones Jr. shows off his Russian passport during a news conference in Moscow, Russia. Mike Tyson and Jones got permission from California's athletic commission to return to the boxing ring next month because their fight would be strictly an exhibition of their once-unparalleled skills. (AP Photo/Ivan Sekretarev, File)
Mike Tyson, Roy Jones promise a fight in “exhibition” return

Mike Tyson, Roy Jones promise a fight in “exhibition” return

David Hearn watches his putt on the seventh hole during the first round of the Wyndham Championship golf tournament at Sedgefield Country Club on Thursday, Aug. 13, 2020, in Greensboro, N.C. David Hearn, like everyone, has been deeply effected by the COVID-19 pandemic. THE CANADIAN PRESS/AP, Chris Carlson
Canada’s Hearn looks to shake off poor 2020 results with more consistent play

Canada’s Hearn looks to shake off poor 2020 results with more consistent play

Malnati birdies half of holes to take 1-shot lead in Bermuda

Malnati birdies half of holes to take 1-shot lead in Bermuda

Penny Oleksiak swims the 200 metre race during the 2018 Team Canada finals in Edmonton on Wednesday July 18, 2018. The number of young swimmers in Canada is dwindling because of barriers posed by the COVID-19 pandemic. THE CANADIAN PRESS/Jason Franson
Swimming Canada urges pools to accommodate youth, says can be done safely

Swimming Canada urges pools to accommodate youth, says can be done safely

Canada's Meaghan Mikkelson (12) and Marie-Philip Poulin (29) defends against United States' Hilary Knight (21) during the third period of a rivalry series women's hockey game in Hartford, Conn., Saturday, Dec. 14, 2019. Gina Kingsbury, Hockey Canada's director of women's national teams, hopes a Rivalry Series against the United States can happen this winter.THE CANADIAN PRESS/AP/Michael Dwyer
Canadian women’s hockey team yearns for international competition

Canadian women’s hockey team yearns for international competition

Most Read