‘Winter is coming!’
October is cyber security awareness month. We are also well into the Fall season. This is a time to give thanks for the harvest and other blessings. The change of seasons is also a nudge to prepare for winter, which can bring hardship if we are not prepared. On a personal level, we drain the garden hose and shut off the water outdoors, rake leaves, clean gutters, clean the fireplace and stock up on wood (or at least get the furnace serviced). We get the snow tires on. The more prepared among us look to springtime and plant bulbs for a colourful early garden. The slightly more paranoid, and, those who have learnt from experience, check for gaps and drafts in insulation and roofing. We do these things because ignoring them leads to trouble in the middle of winter at -20 Celsius: burst pipes, no heat, racoons in the attic, sliding off the road. Some of us even make a list of tasks because there is a lot to do.
Well run businesses and organizations also prepare for the literal or figurative winter. Retail businesses prepare for Black Friday to New Year sales season, driving ripples of business activity through supply chains locally and globally. Many businesses also begin to take stock of their situation and performance to date and make plans for the next year.
What has this got to do with cyber security and awareness of related threats and risks?
Your organization relies on technology for business operations, automation, and information for oversight. The extent of this reliance may have increased over time and be more than you thought. Sometimes, your reliance is revealed when technology fails or is disrupted, like a cyber cousin of Murphy’s Law. Much is written and said this month about cyber security awareness in October, focused on individual awareness of threats like phishing, ransomware, and social engineering – rightly so, since these threats can have serious consequences if ignored. People remain the strongest and the weakest link in cyber security chain link (de)fence. So please beat the drum and encourage users to:
- not open odd emails or use public WiFi;
- be wary of social engineering scams;
- use strong passwords and where possible, multi-factor authentication for remote access to business systems; and,
- report strange IT events to management.
| Statistics Canada just released cyber incident numbers for 2021. For small enterprises (10-49 employees): One in seven lost revenue from a cyber security incident, and experienced extra costs to clean things up! One in six had systems unavailable so employees could not work! One in fourteen enterprises said their business reputation was harmed by a cyber security incident. |
Today, these practices are just good cyber security hygiene for business users, and some are brought into the home.
As the ones in charge, and ultimately responsible for the well-being of the entity, owners and managers of businesses can do a bit more. Consider doing the following, with a little help from your IT lead:
- Review the external business, technology and cyber-space environment
Review the external business, technology and cyber-space environment and how it might affect your business. This year has been a poster child for global events with technology or cyber ‘exhaust’ that affect us locally. Russia’s invasion of Ukraine, China’s sabre rattling at Taiwan, climate change driving weather extremes, and supply chain challenges all seemed like remote problems, until they weren’t! IT supply chain attacks, while not new, are now recognised in the business world as real with pervasive and serious consequences that should be at least understood, if not managed. You may not be a primary target, but your business may relate to attractive targets like critical infrastructure providers or the defence industry. This is how Target got hacked big-time in 2013 . If you don’t think this through, no-one else will. Don’t over-react, but take an hour to have the discussion. - Take stock of your technology
Make a list of your business and operational technology applications and supporting infrastructure (i.e. things like database management systems, operating systems, firewalls and routers). If some of these are really old, they may no longer be supported by the vendor. This means that holes in these systems may no longer get fixed or will get fixed last, leaving you vulnerable to technical exploits that themselves are now automated. Hackers love this stuff, and know how to automatically crawl around the internet to find these entry points to your systems. You can then make an informed decision to upgrade these systems, consciously save money on upgrades, or replace them altogether. - List of all user and ‘system’ accounts
Finally, get your IT team to make a list of all user accounts on systems, and what is known as service or system accounts. For example, the database ‘account’ that your accounting application uses to communicate to the underlying database management system where your data resides. In a typical small or medium size entity, there are at least a few of these. If you are using a cloud like O365 or AWS there are many service accounts! Review this list for employees no longer with your organization, or systems no longer used. Delete or at least disable these accounts. They are another weak spot that hackers look for, and readily exploit. For extra points, also look at the privileges each user and system account have. Are they all necessary? If not, prune them like you would a shrub before winter!
These three management level tasks will not only make you more aware of your reliance on technology but also aware of some risks that you have and can take some simple steps to manage to a reasonable level. Doing these the first time may be painful and take more time than you would like. So document the steps and the results, even just as notes in a book. Next year, doing these preventative steps or controls will be easier, and you can compare this year to last – trends are always interesting to see.
We hope these ideas give you, as leaders of your organizations, some important cyber security issues to consider, together with practical steps to manage relevant threats.
For more information on risk management, please reach out to our Welch Risk Advisory team.
| North American Industry Classification System (NAICS) | Private sector | |
| Size of enterprise | Small enterprises ( 10 to 49 employees) | |
| Geography | Canada | |
| Percentage of enterprises that were impacted by cyber security incidents | ||
| Impacts of cyber security incidents | 2019 | 2021 |
| Loss of revenue | 11.5 |
14.3 |
| Loss of suppliers, customers, or partners | 2.1 |
2.8 |
| Additional repair or recovery costs | 22.7 | 14.1 |
| Paid ransom payment | 3.7 | 1.1 |
| Prevented the use of resources or services | 22.8 | 16.8 |
| Prevented employees from carrying out their day-to-day work | 27.3 | 16.1 |
| Additional time was required by employees to complete their day-to-day work | 28.6 | 20.5 |
| Damage to the reputation of the business | 6.5 | 7 |
| Fines from regulators or authorities | 0.3 | 1.7 |
| Discouraged business from carrying out a future activity that was planned | 1.1 | 3.5 |
| Minor incidents, impact was minimal to the business | 39.4 | 38.3 |
| Other impacts of cyber security incidents | 4.7 | 5.3 |
| Business does not know what the impacts of the cyber security incidents were | 17.9 | 24.9 |
