2017 was a record year for cyber-attacks, but the fault may sit with companies and governments, not cyber-criminals. Only one percent of data breaches stemmed from a zero-day attack, meaning that the other 99% were perpetrated on systems that could have been patched, mitigated, cleaned, and protected from exploitation.
While organizations and governments continue to struggle with the basics of visibility, detection, and response, good cyber hygiene simply cannot be ignored.
Some governments, however, are taking an active approach to beef up their cybersecurity measures. Just the other month, Canada released the details of its revamped cyber protection program after learning its former program, Public Safety Canada, had been ineffective at preventing significant cyber-attacks.
Perhaps not surprisingly, these inefficiencies were discovered through the process of auditing the cyber hygiene of the participants and organizations within the program.
They say the best offense is a good defense, and in this case a good defense begins with well-calibrated security on current systems: cyber hygiene. Without strong cyber hygiene, organizations and governments can be exposed to any number of cybersecurity incidents, including ransomware attacks and data breaches.
As we’ve learned, these incidents can have dramatic effects — think of the impact of stolen trade secrets, lost consumer trust, or the upending of social services — so we must reinvent ourselves and distance our security programs from the all-too-common reactive approach.
By way of analogy, let’s consider the financial system. Unlike other industries, finance is a special place, serving as the oxygen to the economy. With finance so critical to everything else working effectively, governments implement policies that curtail damaging incentives and reinforce what we want: transparent markets, fair lending, and appropriate investment.
Just as the financial industry is affected by monetary policy, regulations, government-sponsored lenders, and official currency, cybersecurity can be influenced for better or for worse by government action.
After all, cybersecurity is an integral component of the economy and more investment in hygiene serves as a signal to would-be cyber-criminals that they should move along and find another pond to phish in.
The new plan unveils how Canada will help businesses prevent and respond to attacks, while protecting its own infrastructure. It is a multi-pronged approach, but there are three key takeaways that can be learned from this model.
First, the plan details how public and private sector collaboration will become critical in thwarting growing cyber threats. Seeing how both commerce and cyber-attacks make use of government critical infrastructure, it is only natural to see a public-private solution to the growing problem of cybercrime.
Not only does Canadian infrastructure benefit, but by also creating the Centre for Cyber Security as part of its new plan, the country has created a milieu that fosters a sense of trust between private businesses and the state. This is a key development as distrust in data privacy is at an all-time high.
Canada is also extending affordable and targeted cybersecurity disciplines to small and medium-sized businesses. By doing so, the country benefits from an effective and efficient continuum. It should be effective, because it encourages doing the right thing, and efficient because you can ensure that measures are put into practice without significant disruption to businesses. This approach not only helps Canada secure its economic players but its economy overall.
Finally, by putting a focus on helping these organizations become more resilient, the Canadian government is shifting the finger of blame to the cyber-criminal. Rather than writing ever more complex regulations directed at those who have been victimized by cyber-attacks, Canada is placing the blame where it is due.
The Canadian example may not be a one-size-fits-all approach. What we see, however, is a call to action from a global leader in its efforts to shore up cybersecurity measures.
In a world that is increasingly digitized, with data flowing in and out of private and public domains, organizations and governments must work together to improve the safety of their structures and citizens. By extending assistance to organizations and businesses, the Canadian government shows that it understands its role in combating growing cyber risks.
The country is taking a hard line and demanding that robust cyber hygiene be priority number one, not only for its own security programs but also for the country’s businesses and organizations. Hopefully, and soon, we’ll see other leading nations follow suit.