Follow the Leaders
"Security is never a priority until you've been hacked"
Arcadia Laboratories is one of a growing number of cybersecurity companies worldwide that are working to thwart cyberattacks, such as the ones that have hit massive organizations in recent years
Pierre Roberge is in the worry business.
Specifically, the chief executive officer of Montreal-based cybersecurity software company Arcadia Laboratories Inc. (branded Arc4dia) has made it his business to keep a step ahead of hackers and help keep corporations in Canada and beyond secure from online malfeasants.
His company – whose end-point attack detection and response product runs within a computer or server's operating system – is one of a growing cohort of cybersecurity companies worldwide that are working to proactively thwart cyberattacks, such as the ones that have hit massive organizations in recent years. Those affected by attacks range from the U.S. Central Intelligence Agency and retail giants Target Corp. and Home Depot Inc., to political parties and credit reporting agency Equifax Inc.
Then there are the many examples of security near-breaches of which most of us have never heard.
"The example we're most proud of was finding a very high-profile attack where one of our clients was the victim of someone installing a rogue device within their network," Mr. Roberge recalls.
"Then they started hacking by bypassing the [company's main] firewall. Because we were deployed on the end points [the machines attached to a network], we picked up on it before the damage was done."
Given the fact that Arcadia is tasked with protecting the networks of organizations such as the U.S. Air Force, Hanover Insurance Group Inc. and some of the largest companies in the world, Mr. Roberge is deliberately short on details. The less hackers know about this software and systems, the better for his clients' ongoing protection.
That is particularly important, given the fact that cybersecurity threats continue to escalate for organizations of all sizes across industries.
"I would say in the last five years, it's not getting any better, and it keeps getting worse," Mr. Roberge says of ever-heightening risk levels. "You can hire a really skilled hacker on the Dark Web for 300 euro per hour, and in 10 hours for most companies, he will have done quite a bit of damage."
A 2016 survey of business leaders and IT professionals by PwC Canada found that cybersecurity incidents in this country increased by 160 per cent over the previous year. The same study found that while Canadian companies continue to increase their cybersecurity spending – by 82 per cent over 2015 levels – those investments still accounted for only 5 per cent of organizations' overall IT expenditures.
"We're as exposed, if not more exposed, than we ever were," says Jerrard Gaertner, a chartered professional accountant and an advisor with the Chaos Group of Canada, a security and risk-mitigation consultancy in Toronto.
Mr. Gaertner points to a range of factors, including increased sophistication on the cyberterrorism and warfare front, the increasing complexity and interconnectedness of systems, which make them harder to protect, as well as the fact that organized crime is looking to cybercriminal activities as an easy way to generate cash flow.
SMEs are particularly at risk, he points out.
"Most of the small and medium-sized businesses that I've had exposure to deal with cybersecurity on an ad hoc basis as a technology problem. They feel that if they put on an anti-virus and plug a firewall into the network, they're fine. That's not the case. It's the equivalent of saying, 'Putting brakes on my car makes me a safe driver.'"
Experts agree that no matter the size of the business, it's critical to have a comprehensive cybersecurity strategy to protect important data, as well as to ensure business continuity in case of a breach.
With ransomware, cryptoware, malware and even less nefarious, yet equally costly challenges, such as hard drive failures posing threats to businesses of all kinds, CEOs and their IT teams – not to mention employees at all levels – need to be aware of the risk and manage it proactively.
Still, so few are prepared. Why?
"The policies and procedures underlying security require a corporate governance framework, an understanding of internal controls and time and effort that many small and medium-sized, even larger businesses, don't have the wherewithal to put forward," Mr. Gaertner says. "Security is never a priority until you've been hacked."
Abraham Megidish, the CEO of Toronto-based cybersecurity software firm Jentu Technologies Inc., notes that in most organizations, the focus is on achieving strong bottom-line performance. Individuals may be hired for C-suite positions, such as chief information officer, and be tasked with protecting a company's networks, but if their primary focus is still on business performance, security concerns can fall by the wayside.
Mr. Roberge says cybersecurity neglect is a common problem, as few businesses have a data breach or business continuity plan, let alone adequate cybersecurity infrastructure.
For organizations that cannot afford complex security software or systems, he advises at least implementing employee policies and procedures around data handling – basic versions of which can be downloaded online – that help staffers understand cybersecurity risk and areas of vulnerability.
It is then crucial to train employees on how to maintain those safeguards, he adds.
"For those that do [train employees], it pays off because awareness is important," Mr. Roberge says. "People only need one or two hours of training every year to know what's coming at them, then they can report it when something smells fishy. There are so many simple things you can do to avoid 99 per cent of attacks."
Mr. Gaertner says that many companies are now focused on a different approach to cybersecurity: data leak protection, which protects data in a variety of situations, whether accessed through a specific machine, or through an app, for instance.
Think of it as a combination of technology and data-management procedures that assumes hackers will be able to breach a network, and focuses on stopping them from lifting precious data. He says that data leak protection software is relatively affordable, especially for SMEs, and requires relatively little implementation time.
Most importantly, Jentu's Mr. Megidish stresses, is to embrace security as a company-wide concern and stop thinking about it as a drain on the organization's bottom line.
"Make your network your responsibility and teach your staff the same thing," he says.
"You need to say, 'Data is my primary asset' … and act accordingly."
- Conduct a comprehensive threat assessment to highlight potential areas of vulnerability.
- Use encryption to protect data.
- Avoid standard passwords and change those passwords often.
- Do not rely on basic anti-virus software or standard network firewalls for protection, rather than customized or more sophisticated software.
MORE FROM THE SERIES