Trash is piling up, and your business is being overrun by empty containers and stacks of paper. A shanty town of Amazon Prime boxes towers over everything, threatening to collapse and cause an avalanche of liability lawsuits that could cost you millions.
If this was your office space, you would be tripping over yourself to hire the best cleaning service money could buy. So, why is it that when it comes to our inboxes, we continue to battle thousands of SPAM messages with out-of-date cybersecurity - the virtual equivalent of cleaning up a tower of old pizza boxes with a spray of Febreze?
Cybercrime is an increasingly prevalent problem. More than 4,000 ransomware attacks are reported to the FBI every single day. Over the past several months, the intensity of cyberattacks and phishing scams in Canada, especially in the province of Alberta, has increased rapidly. Over one-fifth of businesses in Canada were attacked in some form in 2017 alone. Legacy businesses are often exceptionally vulnerable, as they are the most likely to stick with old security programs and methods. Moreover, CFOs who are adept at managing other parts of their business run the risk of running a company into the ground due to a simple lack of knowledge of the gravity of the cyber threat.
Seeing so many businesses being taken down in this new era of cyberattacks shows us that we need more than a reminder to “install upgrades” on our current security systems. This is not just scaremongering. As regulators take notice, soon cybersecurity exercises will be a standard requirement, and as a sector, we need a change in mindset capable of combating the rapidly shifting approaches of the opposition - what we need is the power of AI.
Cyber Threats: The Risk CFOs Won’t See Coming
As the severity and sophistication of cyber-attacks increase, CFOs across the board have begun to take a more active role in security. More than two-thirds of CFO respondents in a recent survey said: “...they are comfortable understanding/discussing information security (e.g., risks, technology) and translating this information for their Board.”
However, with a little knowledge can sometimes come complacency, and it’s easy to fall into the trap of feeling secure for the wrong reasons. While nearly three-quarters of respondents claimed their company had not seen a breach of data, further testing showed that two-thirds of breaches would take months to be found, and some took upwards of a year. This means that just because a CFO is unaware of a breach, it does not guarantee one has not happened - it just has not been discovered yet.
According to a recent survey by Statistics Canada, 76% of Canadian companies already have anti-malware software in place, with 73.9% having email security and 68% having network security. However, less than 45% of Canadian businesses have invested in web application security, with even fewer reporting having data protection and controls, hardware and asset management, or software security.
This shows that while around two-thirds of security budget is usually spent on prevention, preventative security is only equipped to handle known threats, often involving malware. This leaves a company vulnerable to a wealth of new and unknown cyber risks like the ones we see being developed every day - ones that involve manipulating login credentials, phishing scams, and no malware.
Barriers to Cyber Safety: The Myths About Security Making Your Company Vulnerable
However, a lack of CFO knowledge is hardly the only problem when it comes to protecting a business against cybercrime. A change in mindset needs to take place throughout the entire organization in order to be successful, and security should be front and center of a company’s overall cyber health.
Hackers and malicious users are changing approaches and getting more subtle, nuanced, and complex all the time. As a sector, it is important that we are able to adopt the same approach. Rather than clinging to the idea that building bigger barriers will keep threats out, we need to find ways to disrupt threats throughout our systems and at various points in time. By focusing exclusively on a single outside barrier, we are leaving our data vulnerable to anyone who can get past that one point.
Although no one likes to think about it, part of the reason this is so important is that many attacks can come from inside - either from a disgruntled employee or from someone who has gained access to an employee’s credentials. A giant wall will do nothing against an attack if you open the door and let them walk right in.
Additionally, we can no longer think of cyber safety as having a single solution that we create and then allow to run indefinitely. Cyberattacks and crimes are constantly evolving, which means our defenses must evolve with them.
Artificial Intelligence: The CFOs Eyes and Ears of Cybersecurity
Another problem with the old ways of approaching cybersecurity is that we treat competitors as enemies - assuming that exchanging information will weaken our own defenses. While rival companies do represent a certain type of threat, we can continue to compete against them on a fair and honest playing field whilst also banding together against a common enemy: anyone who poses a risk to our cybersecurity.
Shared intelligence allows us to develop a safer space for everyone, giving us all more time to focus on creating better products and driving us to compete on a higher level. With a community effort, we can also understand the scope of a threat more quickly and reach solutions helpful for everyone involved.
Moreover, we need security solutions like Cylance, which employs machine learning to detect and analyze threats months, and even years in advance, well before they are able to wreak havoc. Unlike most traditional systems, which allow threats to go undetected until they have already been causing damage for months, machine learning creates a system that can learn and predict threats. Because AI allows computers to grow continually and become ever better at what they’re programmed to do, it is the perfect weapon against constantly evolving cyberattacks.
Is Your IT Doing Enough?
Just because your business is small, it does not mean that you aren’t vulnerable to scams, SPAM, and cyberattacks. Nearly 20% of the small businesses who responded to Statistics Canada’s survey also reported coming under attack, and with a smaller business, the risks and fallout from a cyberattack can have much graver consequences.
There are a number of common pitfalls that most traditional IT departments are susceptible to, especially when there isn’t a dedicated resource to protect your online environment (like a time and materials contract). Thankfully, there are also a number of simple, common-sense methods and practices that every business can implement to protect themselves.
Ad blockers are a basic but effective countermeasure to prevent malicious code from getting into your system in the first place. Segmenting networks, installing firewalls, and ensuring guest WiFi is also fully separated from your internal systems are more technical approaches but ones your IT department should be implementing.
It is also important to think about the human factor of cybersecurity, not just the technical side. Raising employee awareness is the first step, and implementing stronger password security is simple and something that doesn’t need specialist knowledge. Encouraging better, more complex passwords across the board helps protect a business, and putting multi-factor authentication in place can also reduce the risk further, meaning that for a hacker, even getting ahold of a password isn’t enough.
Ultimately, having some expertise within your IT department, or going outside to find it, is the best option. Just because a person can fix Susie in accounting’s password reset doesn't mean they are cybersecurity experts, and it’s important to ensure your IT is working as hard as it can to protect your business.
What CFOs Need to Do Now
The most important thing CFOs can do in the war on SPAM and the phishing scams it facilitates is to get to grips with the gravity of the situation. A successful phishing scam can cost a company millions of dollars and bring an enterprise to its knees. Moreover, these threats can infiltrate a business with ease and go undetected for months, or even years, when the proper safeguards are not in place.
Ethical hacking is one way to really understand the extent of the threat. Experts in cybersecurity can carry out penetration testing to fully assess the level of vulnerability of your systems, using the same tools and methods used by malicious users. This is a great way to understand the level of the threat, as well as to identify the areas where you may need to strengthen your defences.
The importance of cybersecurity is not just about combating SPAM or even just about protection from threats. It is about risk and taking the appropriate measures to fully mitigate that risk across the board.
If the task of managing this seems daunting, you are not alone! At VC3, we strive to identify and contain threats for our clients before they become a problem.