Managing Security and Cyber Risk in 2020

In 2020 companies face myriad security challenges. Some are regulatory, such as the European Union’s upcoming ruling on whether Canada’s privacy laws comply with the General Data Protection Regulation (GDPR), a decision that could trigger new legislation here. Some can seem too farfetched to require our immediate attention; however, AI-powered threats are growing in sophistication and becoming an everyday part of the threat landscape, and should be a focus for 2020. 

In this look at managing security in the new decade, we’ll begin with the challenge that most immediately impacts a business’s ability to effectively protect itself: the shortage of cybersecurity professionals. These workers require special training, especially with AI being leveraged in more cyberattacks. But there aren’t enough of them, and this shortage can make it difficult to develop security expertise in-house.  

Having a team prepared to respond to attacks can mitigate risk and reduce the cost of recovery. This becomes clear when we consider that the longer it takes to recover from an attack, the greater its cost. The 2019 Scalar Security Study found that recovery time among Canadian companies is increasing, rising from an average of 16.1 days in 2018 to 19.4 days in 2019.

Meanwhile, organizations have optimistic but unrealistic expectations for how long it will take to return to normal operations, with 66.5 percent of respondents expecting to fully recover in less than two hours.

Preventing attacks and responding to those that inevitably occur requires an understanding of ransomware, phishing attacks, data theft and newer threats that incorporate machine learning. But another part of the picture that must not be forgotten is the customer. A majority of them expect their personal information to be protected by the businesses they purchase from; 83 percent feel businesses should be doing more to protect the personal information they collect, according to a survey from IBM Security. That might be because 38 percent of respondents knew someone who had been hacked or had their personal information compromised.

Breaches threaten the trust that all businesses rely upon to operate: the same IBM survey found Canadians seem to trust banks as much as ride-sharing apps, with trust levels within a five percent range across six categories of business. IBM Canada president Ayman Antoun suggested this marks Canada’s shift toward a “trust economy,” in which Canadians are more aware of which businesses make privacy and security a priority. This attitude is more prevalent in Gen Z and Millennial respondents (18 to 29), 57 percent of whom are comfortable with companies sharing their information without notifying them, while only 44 percent of Baby Boomers (50 and older) feel that way.

As businesses grapple with waning public trust, governments have been seeking legislative solutions. One example is the European Union’s GDPR, which came into effect in May 2018 as an effort to give individuals control over their information.

An expected decision on how well Canada’s own privacy legislation complies with GDPR could prompt Ottawa to revise it. This interplay between jurisdictions might be inevitable in a world where businesses and privacy considerations both cross borders. Currently, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) doesn’t provide a way to impose fines directly. In some ways, it falls behind legislation at the provincial level. Changes could give it more teeth, with consequences for businesses that mishandle the personal information they collect.

Meanwhile, the federal government is investing in cybersecurity. Ottawa made its biggest-ever cybersecurity commitment in the 2018 budget by committing an average of $100 million per year to a new cybersecurity strategy. In 2019, the budget proposed supporting the Canadian Centre for Cyber Security with $144.9 million over five years.

Businesses are making their own investments: Statistics Canada’s most recent Canadian Survey of Cybersecurity and Cybercrime found that Canadian companies on average invest about $78,000 in implementing cybersecurity measures, with large businesses spending $922,000 and medium-sized businesses $108,000.

In this time of change, the nature of threats is itself evolving. Sophos warns that automated content generation is appearing in more attacks, particularly those aimed at human elements of systems. For example, as successful as email phishing attempts can be, deepfake videos are an even more sophisticated attempt to exploit people. The escalation from text to video can catch even savvy users off guard.

With so many aspects of security constantly evolving, it’s important to ensure your organization recognizes that cyberattacks will happen and can respond to them when they do.

CDW Canada’s experts can help you navigate today’s threats and prepare you for what comes next.