The decision by the city of Fredericton, NB to dedicate more than $300,000 to protect their networks from cyberattacks is a smart move considering the recent hacks of government entities – and it turns out the municipality is part of the majority in its approach.
A report by Statistics Canada released in March 2019 revealed that only 5% of Canadian businesses reported not having any cybersecurity measures in place, and 58% of businesses undertook activities to identify cybersecurity risks. Nonetheless, some experts still see awareness around cyber risks as something that needs improvement in Canada.
Cyber insurance professionals need to remember that not everybody views the cyber threat as the serious risk that it is.
“All risk managers, all companies, [and] anybody associated with any organization, large or small, should be worried about the disruption occurring from a cyberattack, and yet the whole notion of building a resilient enterprise that can deal with a cyberattack is simply not embraced by most businesses, particularly small and medium-sized ones,” said Ridge Global chairman and former Secretary of the US Department of Homeland Security, Governor Tom Ridge, while speaking at a cyber roundtable organized by Ridge Canada Cyber Solutions at Ryerson University.
The event, “A Risk Manager’s Guide to Cyber,” brought together experts from across the insurance, legal, and risk management fields to discuss challenges in the cyber insurance industry, and talk candidly about what they’re seeing in terms of developments that could create headwinds in the near-term, according to Greg Markell (pictured), president and CEO of Ridge Canada.
One of the key obstacles identified by the roundtable group was the awareness issue.
“I don’t believe, at least from my perspective, that the awareness of cyber risk is as elevated within the broader business community in Canada as it is in the States, but it will get there,” said Governor Ridge, pointing to the people problem as a major exposure. “The number one point of access, from my experience and talking to a lot of the experts, into your company, into your organization, into your non-profit isn’t technical – it’s human failure. Phishing is still the easiest way to get access, so training and education are some of these basic, preliminary steps. Digital hygiene will make a huge difference.”
Read more: What's really behind most data breaches?
Some people still assume that technology will save them, but even if they have the newest iPhone or Mac, their data is not necessarily safe.
“Let’s pretend you lived in a house with an impenetrable door and an impenetrable lock. That impenetrable lock on that house is not going to do you any good if any time the robber shows up to rob you, he tricks you from the outside to open that door,” said Danny Pehar, managing director of cybersecurity awareness training for Cytelligence, at the roundtable. “Our technology isn’t getting hacked – we’re getting hacked, and that’s the problem.”
The challenge of building awareness is people’s resistance to admitting they or their organizations have holes in their foundations.
“Not only do people not think they need it, but they outright reject even the concept of awareness. They will get angry and offended, and I’ve gone to places for the purposes of establishing a program, for the purposes of teaching, whether it’s a lecture or an online program, and people are upset when they see me,” explained Pehar, adding that this resistance can even extend up to leadership ranks.
Companies, with the aid of insurance experts’ ongoing work, need to recognize that cyber risk is here to stay, and they need to assess their risk mitigation strategies, or else risk losing valuable data and money to cyber hackers.
“It is a permanent risk. We shouldn’t be breathless about it – it’s like any other risk you would have to manage,” said Governor Ridge. “And the risk exposure grows every day as the number of people on the internet, which is anticipated to be about six billion by 2022, [grows].”
However, he added, “There are certain protocols you can embed in the culture and certain precautions that [can be] taken. You have to be prepared to respond and recover.”