You Can Run ...
… but you can't hide: why you need to tackle cyber-threats head on

By Gaétan Houle


A CYBER-ATTACK can occur any place, anytime; no business is immune. According to EY's recent Global Information Security Survey 2013, security incidents are on the rise in this country. In fact, the survey shows that incidents in 2013 spiked 29 per cent over the year prior.

Part of that spike may be because an increasing number of employees are using their own mobile devices in the workplace, resulting in breaches of sensitive or confidential information. Organizations need to consider the risks associated with social media and cloud-based technologies accessed on these devices. They need to ask who should be responsible for the device's data — employer or employee? And how often should the device be updated and security-managed?

The good news is that Canadian companies now rank cyber-security as one of their top priorities for the coming year. They're wise to do so. Establishing an ongoing process for assessing risks will bolster a business's ability to prepare for the future, and empower it to react quickly should challenges arise.

The thing is, getting your cyber-strategy right isn't so much about handling current threats, but rather uncovering the unknown cyber-threats hiding right around the corner. The EY survey finds that only 13 per cent of Canadian respondents prioritize the innovation of security services and technologies to address new and emerging threats — and that's a threat in itself. Despite increasing security budgets over the previous year, businesses here also appear comparatively conservative in the way they're tackling these threats.

So, where do you start, and how do you ensure your approach is bold enough to protect your business? Getting your process right means legal counsel, and other C-suite executives, need to ensure everyone in their organization is on the lookout for vulnerabilities and risks that often come with new technology. Everyone has to own this risk and work together to tackle it.

Part of that process includes reviewing, rethinking and, in some cases, completely redesigning information security programs to prepare for future technologies. If proper security programs aren't in place, organizations can miss out on the full benefits of new technology and innovation.

Similarly, organizations need to place more emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions. These efforts need to be championed by executives at the highest level of the organization, who need to be aware that 80 per cent of the solution isn't technical, but rather just good governance.

Globally, we've found that organizations are making moves to focus on the right priorities. Generally, organizations name business continuity and disaster recovery as their top information security priority for the upcoming year. These organizations are looking at things like cyber-risks and cyber-threats, data leakage and data loss prevention, information security transformation and compliance monitoring.

Some sectors are more focused than others. Financial institutions, for example, place greater emphasis on cyber-risk and cyber-threats. But when taking action to improve their information security function, all organizations need to determine whether the improvements they are making will address the expected volume and frequency of existing and emerging threats, and whether they can implement them fast enough to keep pace with the threat landscape. In other words, organizations need to understand how effectively their actions will help to protect their business processes.

While Canadian organizations are definitely investing more in information security, they need to ask whether the spend is on the right priorities. In general, many Canadian organizations need to shift their focus from operations and maintenance to improving and innovating, along the lines of the ways their global counterparts are focusing efforts.

If you want your organization to get ahead of cyber-threats, you've got to be proactive and devote resources to understanding both the opportunities and the threats. You must be prepared to fundamentally transform information security programs where necessary, or gaps – and risks – will only continue to grow.

Canadian organizations are improving how they manage the risks they already know about. But tackling future risks requires a bigger, bolder offensive strategy that focuses on what may be lurking just around the next corner.

Gaétan Houle is EY's information security practice leader.