Ctrl+Alt+Defend—How organizations can protect themselves from an evolving cyber threat landscape
Companies are becoming increasingly vulnerable to a growing number of cyber threats that are constantly evolving and becoming more sophisticated. If you haven’t heard of ransomware by now, you are probably part of a very small demographic, as it has become the token type of cyberattack that often dominates headlines. It is not the only one, though: criminal groups today leverage several other types of cyber threats that can quickly bring an organization’s operations to a halt, put its reputation in jeopardy, and harm its relationships with partners, suppliers, employees, and customers, all of which can result in significant financial implications and legal and regulatory consequences.
To gain valuable insights in this arena, NATIONAL brought together leading executives and decision makers in cybersecurity to offer dynamic perspectives on the ever-evolving threat landscape and how corporate entities and brands can protect themselves and mitigate reputational risk and damage.
The featured panellists were:
- John Hewie, National Security Officer at Microsoft Canada
- David Masson, Vice President of Enterprise Security at Darktrace
- Leigh Tynan, Director of Online Security, TELUS
- Imran Ahmad, Technology Sector Head and Cyber Lead, Norton Rose Fulbright
- Karen White, Senior Vice President and Crisis Lead, NATIONAL Public Relations
The discussion
During the hour-long discussion, our esteemed panellists delved into several important topics including the most prevalent cyber threats that companies can expect in 2024 and beyond, and how they can be proactively prepared, not only to prevent these threats but to react purposefully to mitigate impacts should an organization be subjected to a cyber attack. Below are some of the key themes and takeaways from the panel:
Put a plan in place
One of the obvious yet overlooked tactics when it comes to being proactive is to have an actual plan in place. The plan itself is important, but the planning that goes into developing it is essential to an organization’s ability to respond. It allows companies to be purpose-driven, and to think about posture, not just organizationally but individually, because cybersecurity begins with the individual and ends with the organization. Individual buy-in is as critical as having tools and mechanisms to protect an organization.
Build a culture
Like most functions in an organization, people and culture are critical factors when it comes to cyber preparedness. Unfortunately for many companies, nobody seems to care until something happens. Simply relying on an IT team to save the day is never enough and there is a real need for organizations to invest in psychological safety and cyber hygiene as it will foster a positive culture around cyber preparedness.
Consider the impact
When thinking about the implications of a potential cyber attack on an organization, the following considerations must be taken into account:
- What are the operational considerations?
- What could it cost us?
- What is the reputational risk?
- What are the legal ramifications?
React appropriately
Industry experts feel that it is no longer a question of if an organization will be targeted, but when. Because of the frequency and success of these attacks, people no longer expect organizations to be perfect. They are more interested in seeing how an organization responds to an incident, as that is essential to how it is perceived. In some cases, being compromised might present a trust-building opportunity, though that is certainly not where you want to be. If you are in that scenario, there is a fine balance to be found between speed and accuracy.
Expect these cyber threats
- Ransomware is likely to remain the most prevalent threat to organizations.
- Artificial intelligence has become more and more sophisticated, which is great when it is used for good, but very dangerous when used by cybercriminals.
- Business email compromise, which often targets authority figures in an organization to scam others internally and externally, is next on the list of threats, and one that doesn’t always make the headlines. It is often conducted using social engineering and phishing emails.
- Crypto hacking is another dormant threat that can be quite damaging from an operational and cost perspective. It involves crypto coins being mined on an organization’s infrastructure.
Consider these factors
Supply chain risk is another key consideration for organizations to keep top of mind when determining the potential impacts of cyber threats. For some small or medium-sized businesses, outsourcing their IT needs to a third party opens the door to significant risk that is ultimately outside of their organization. Similarly, for companies that work with a variety of suppliers, clients, partners and other third parties, the potential risk for all the companies involved multiplies, as many within the supply chain don’t have the full picture.
Instilling good cyber hygiene across your organization is critical. Bringing on tools and strategies such as multi-factor authentication and password keys, along with a zero-trust mindset, can go a long way. From a psychological perspective, picking up on red flags or warning signs can be very effective. For example, if you receive a direct email from a senior executive at your company asking for a favour, you must consider what the ultimate outcome will be if you were to action their request and if it is even something you would do, should do, or could do under normal circumstances.
Remote working is another factor that has significantly changed the cyber threat landscape. Employees are no longer working within the four walls of their office where there are established security controls, and in some cases, they have begun using their own personal devices to connect to their organization’s network, which poses significantly more risk.
The overall sophistication of cybercriminal groups must be taken into consideration as well. Many of them are significantly more sophisticated than we presume, with some even functioning as full-fledged organizations with teams dedicated to operations, human resources, IT and sales. They are even sophisticated enough to take paid vacations and have helpdesks.
Manage your corporate reputation
If an organization has been compromised, the following factors help determine or influence how it is perceived:
- Timeliness
- Transparency
- Efficiency
People want to know if they were informed in a timely manner and transparently about how they were impacted, and what steps are being taken to remedy the situation. Generally, people can be more forgiving from a reputational standpoint if an organization can effectively achieve the above points.
Think like an everyday consumer
Beyond the business perspective and as an everyday consumer, all the companies and organizations you engage with for products and services—whether through apps on your phone, e-commerce accounts through their websites or in person at their locations—have your personal information on their networks, and if they are compromised so are you. In many ways, these organizations represent your personal supply chain.
Topline takeaways
- Imran Ahmad: Preparation is paramount.
- Leigh Tynan: Be proactive, not reactive.
- David Masson: Do something.
- John Hewie: Good cyber hygiene can help achieve the basics.
Next steps
For more information about NATIONAL’s cybersecurity preparedness and communications offering, please reach out to our cybersecurity experts.