“The stakes are big, and the stakes are real. They range from dealing with remediation, to your corporate reputation, to running afoul of regulations.”
In one sentence, Allstream president Mike Strople summed up both the reason more organizations are becoming afraid of cyber-security attacks and the challenge of keeping up with the potential vulnerabilities they face.
Speaking to a sold-out crowd of customers, partners and members of Canada’s business community at the Toronto Region Board of Trade on Tuesday, Strople used recent high-profile incidents involving Sony Pictures and Target to demonstrate how criminals are targeting digital information. Although these stories tend to draw a lot of attention and concern, he suggested most organizations are more likely to be tripped up by internal threats, including inadvertent exposure of data, rather than external hackers or state-sponsored attacks.
“If you narrow your range to only what North Korea could do to you, you’re missing the universe of threats you can be exposed to,” he told the TRBOT crowd, adding that organizations need to revisit the idea of conducting risk assessments to launch a “defense-in-depth” strategy. “You’ll be frightened by what you find, but better to find it out ahead of time.”
Strople listed advanced persistent threats (APTs), distributed denial of service (DDoS), internal attacks, bring-your-own-device (BYOD) vulnerabilities and cloud-based security issues as the top 5 attack vectors in 2015. In a Q&A with the audience afterwards, though, one executive raised the spectre of partner and supplier relationships, which could also open up the possibility of data breach or loss. Strople agreed this was an increasingly important area for many business leaders.
“They become an extension of your organization,” he said, “they need to know the standards you have in place. They need to share those standards. They need to be educated.”
Of course, the education process needs to start from within. Another audience member wondered whether CEOs understand the nature of risk facing their organizations today. Strople said this is where CIOs have become critical advisors — maybe even to a greater extent than they bargained for.
“They not only have a more prominent seat (at the boardroom table), they have the hot seat,” said Strople, who suggested the wave of public attacks in 2014 has made security a much higher priority for senior leadership teams.
Policy development, along with training and paying greater attention to human behaviour, all need to complement whatever technology investments organizations make to secure their data, Strople said. That doesn’t mean that this will ever be a finite process. Instead, he suggested cyber-security is about figuring out what’s necessary to preserve the trust of customers.
“There is not a code that can’t be broken. It’s just a matter of time and computer power,” he said. “It’s also not a red light/green light decision. It’s about degrees of protection. That’s what I think managers and leaders have to deal with: What is the degree of protection we need, given our threat level, and what customer expectations are.”