It’s a risk facing almost every company today, but cybersecurity should be at the top of the agenda for those holding sensitive information, a cyber professor has warned.
Last week saw yet another cyberattack hit the headlines globally: two Canadian banks, Bank of Montreal and Canadian Imperial Bank of Commerce, revealed that they had been contacted by cyberattackers claiming to have stolen the data of nearly 90,000 customers in what was described as the first significant assault on financial institutions in the country.
In today’s landscape, suffering a cyberattack seems almost inevitable. But for sectors that hold masses of sensitive data, such as finance and healthcare, a leak could cause significant reputational harm, says Professor Florian Kerschbaum, interim director of the Waterloo Cybersecurity and Privacy Institute.
“If your business is built on trust, which in the case of a bank it actually might be, then you really want to protect your reputation,” Kerschbaum told Corporate Risk & Insurance.
“If cybersecurity could have a big impact on your reputation, then you should have it at the top of your agenda. You have to see and understand where cybersecurity could impact your business, and it’s probably in more ways than you can currently think of,” he explained.
However, cybersecurity defence currently looks more like a game of whack-a-mole than a coherent strategy.
“You have a number of defenders, and you have a set of attackers that try to break into systems, steal data, and make money out of that. The challenge for the defenders is that they have to close every possible hole, whereas the attackers only have to find one open hole to get in. That makes the odds for the defenders very, very difficult,” Kerschbaum said.
Because cyber risk is relatively new and continues to evolve at speed, there is still not enough data to help build defences against future risks. As a result, cybersecurity today is mostly procedural, with little foresight of risks.
“We’re not very much prepared for future threats… take the prevalence of AI right now – we haven’t really understood what the implications of using AI and these kinds of decisions really are. Trying to be able to predict what the security will be is very difficult,” Kerschbaum said.
As of yet, there is no clear risk profile: “even insurance companies can’t really tell you how much you are affected, they basically can only really value your assets,” Kerschbaum commented.
But as the cyber insurance market matures and the amount of data collected grows, the hope is that tools can be developed to better predict the risks and challenges in cybersecurity. For now, best practice lies in “defence and depth” – in short, layers of encryption – according to Kerschbaum.
“If one security control fails then you have a second in place,” he said. “If we can build systems in this way, while nothing will be foolproof, the science of resilience is that if plan A fails, you have to have a plan B.”