Experts: Instead of eliminating cyberattacks, learn to mitigate their effects

Experts stress that there is no real perfect solution to data breaches, but there are ways to soften their impact


By Lyle Adriano

Experts are saying that companies looking to improve their resilience against cyberattacks should focus more on how to contain the damage, as there is no turnkey solution to data breaches.

“Everyone is hacking into everything,” remarked Benoit Dupont, a professor of criminology at the University of Montreal and the Canada Research Chair in Cybersecurity. “Even the most secure, aware organizations like the top intelligence agencies in the world get hacked.”

It is not enough to spend on cybersecurity measures, experts warn. According to Benoit and his peers, companies that want to be truly cyber-prepared must understand the major role human error plays in data breaches.

Companies can start properly preparing themselves by identifying which of their data is something they must absolutely protect, explained Christian Leuprecht, national security expert at the Royal Military College and Queen’s University.

“People think there is such a thing as privacy and that you can keep things secret. We need to come to the realization that’s not possible,” Leuprecht told The Canadian Press. “We need to say 90% of stuff that becomes public, we can live with that. And here’s the stuff that we have to protect at any and all cost, and where we’re going to put all our efforts into protecting that.”

“We always assume people are hacking near perfect systems,” said Leuprecht. “We have major human errors in the way the systems are set up. Most people actually run terrible operations including some of the largest in the country.”

Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, also pointed out that few companies bother encrypting their data.

“The fact that every time we hear about someone’s system being breached and people are able to read the details tells you a lot,” Kabilan added, saying that companies also fail to patch and update their systems, leaving their dated software vulnerable to the newest exploits.

Encryption alone, however, is not a viable long-term strategy, said Andre Boysen, chief identity officer at Toronto-based SecureKey.

“It’s going to make it harder for the business to read the data,” Boysen explained. “It’s got limited usefulness.”

Leuprecht suggested that organizations should look into simple deterrents that would make it unattractive for cyberattackers to steal information.

“For instance, if you’re storing credit card information, or things that have lots of numbers, you can create fake versions of them ... So if somebody gets a hold of all these numbers they don’t know what the fakes are and what the real ones are,” he explained.

“If you’re just an organized criminal operation that’s trying to extract financial data, you don’t want to invest millions of dollars and hours trying to sift through all the data to figure out what’s real, what’s fake, what’s usable.”

Another method that most companies do not use is exfiltration detection: detectors that watch outgoing data and block any documents that are intended to remain inside the network.

“This is not rocket science,” Leuprecht stressed. “You have a water main break, you shut it down.”
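The two measures described above, decoy card numbers and an exfiltration detector, can reinforce each other: a decoy that shows up in outbound traffic is a high-confidence sign of a leak. The following is an added sketch, not code from the article or from anyone quoted in it; the key, the function names, the bulk threshold and the sample payloads are all constructed assumptions.

```python
import hashlib, hmac, re, secrets

KEY = b"demo-key-constructed"  # assumption: secret known only to the defender
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def fingerprint(number: str) -> str:
    # Keyed hash, so the decoy registry does not itself reveal which numbers are fake
    return hmac.new(KEY, number.encode(), hashlib.sha256).hexdigest()

def make_decoy() -> str:
    """Random 16-digit, Luhn-valid number that passes the same format checks as a real one."""
    # Leading digit limited to 3-6 so the decoy resembles common card prefixes
    body = secrets.choice("3456") + "".join(secrets.choice("0123456789") for _ in range(14))
    return next(body + c for c in "0123456789" if luhn_valid(body + c))

def seed_decoys(count: int):
    """Return the decoys to mix into storage and the fingerprint registry for the detector."""
    decoys = [make_decoy() for _ in range(count)]
    return decoys, {fingerprint(d) for d in decoys}

def inspect_outbound(payload: str, registry: set, bulk_threshold: int = 5) -> dict:
    """Decide whether an outbound payload may leave the network."""
    found = {re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(payload)}
    cards = {n for n in found if luhn_valid(n)}
    decoy_hits = sum(fingerprint(n) in registry for n in cards)
    if decoy_hits:  # no legitimate workflow ever sends a decoy
        action = "block"
    elif len(cards) >= bulk_threshold:  # bulk card data leaving is suspicious by itself
        action = "block"
    else:
        action = "allow"
    return {"action": action, "cards": len(cards), "decoy_hits": decoy_hits}
```

Because the detector only holds keyed fingerprints, someone who copies the detector's registry without the key still cannot tell the fake numbers from the real ones.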

