In a hyper-connected world, Canadian organizations that treat cyber-security as an afterthought do so at their peril. –Chris Atchison
The real danger of cyber security was the subject of the ominous message delivered by acclaimed journalist and cyber-security specialist Misha Glenny at a recent gathering of leading small and medium-sized business (SME) owners, managers and IT professionals at KPMG’s Canadian headquarters in Toronto.
Glenny, author of the 2011 book DarkMarket: Cyberthieves, Cybercops and You, painted a bleak picture of the many challenges facing everyone from authorities to legislators and IT administrators in their quest to stamp out the online crime that now threatens organizations ranging from multinationals to SMEs. While CEOs are beginning to pay attention (total global spend on cyber-security is poised to top $100-billion in 2018, up from $62-billion last year, according to IT research firm Gartner Inc.), Glenny stressed that a great deal of work still needs to be done to shield organizations, particularly SMEs, from the dire threats posed by online crime. “Cyber security is no longer just about technology,” Glenny told the audience. “Nowadays, it’s about risk management, politics, civil liberties, psychology and even military doctrine. If you’re in business, you need to know how this all fits together.”
You also need to understand your enemy. Glenny, who infiltrated several online crime syndicates while researching his book, painted a portrait of the average cyber criminal – a composite that surprised audience members. Ninety-six per cent of hackers are men, most are highly gifted in math and sciences, and start down a cyber-crime path between the ages of 12 and 15 years old, well before their moral compass is fully developed. “In many respects, they’re not criminals, but young kids exploring an exciting environment,” he said. “But without anyone to steer them the right way, they can very quickly become involved in criminal activities.”
As information technologies become ever more complex, Glenny pointed out that communication, threat awareness and strategic security thinking are becoming the SME owner or manager’s go-to tools in combatting online crime and thwarting attackers – no matter their age or motivation. Why? Glenny cited statistics showing that between 85 and 90 per cent of cyber-attacks start with phishing, a simple tactic where a cybercriminal infiltrates an organization with malicious software by using methods such as convincing an employee to open an e-mail attachment, or tricking them into surrendering their network password details. Boosting awareness of the dangers and nature of phishing attacks is a critical first step in tackling cyber-crime. “The primary area of vulnerability is the people who work for you in your company,” Glenny warned.
Of course, another pressing challenge facing SMEs, according to Glenny, is the lingering disconnect between the IT community, employees and business leaders. He outlined one possible solution, which is for more businesses to start integrating Internet security with their existing risk management strategies, then ensuring buy-in at the executive level before communicating those cyber-risk mitigation strategies and tactics throughout the organization. “No solution fits every company,” he explained. “They each have their own problems and vulnerabilities, and each need to understand that.”
That includes understanding their potential vulnerability across platforms, including mobile devices. Mitigating those threats requires a forward-thinking, strategic approach to prepare internal IT security infrastructure to not only buttress an organization’s current security framework, but also predict its future needs.
The risk-prevention bottom line comes down to a very basic cost-benefit calculation. “The risks if you’re not focusing on cyber-security,” Glenny cautioned, “are totally disproportionate to the amount needed to prevent it.”
For more information, visit www.kpmg.com/ca/en/topics/cyber-security