3 Leading Cybersecurity Risks for Organizations and How to Mitigate Them

There’s no getting around it: People usually represent an organization’s largest attack surface and greatest risk, says Theo Van Wyk, Head of Cybersecurity, CDW Canada. They’re also connected to an organization’s second- and third-greatest risks: the devices employees use for work and the processes followed when using those devices. The industry even has a phrase for it – people, process, technology – and when advising organizations on their cybersecurity practices, CDW focuses on these three key areas.

“We adjust based on size and budget, but we measure all steps against people, process and technology,” Van Wyk says.

The phrase’s order is intentional – while many organizations focus on technology first, users should be their primary focus, Van Wyk says, followed by the processes used to access work devices. It also aligns with the three main types of attacks that companies face: Against users, which usually take the form of phishing or social engineering; processes, usually in the form of malware; and technology, by trying to access user credentials.

“People are your first and last line of defence,” he says. “The same user that you’re relying on to not click a malicious link is the same user you want picking up the phone and calling your IT team to say, ‘I think I just clicked on something I shouldn’t have’ if they do. The faster they do that, the faster you can contain the threat.”

That’s why a leading strategy for mitigating cyberthreats is security awareness training, says Ivo Wiens, Cybersecurity Practice Lead, CDW Canada: It ensures that users understand that today’s cyberthreats extend well beyond “smash-and-grab” tactics like phishing emails.

“Attackers are getting smarter than just imitating templates,” Wiens says. “They can sit in your SaaS email platform for months, monitoring your communications, reading your email, waiting to identify the information they want before encrypting and holding it ransom or producing fake internal documents.”

Also a greater risk than technology is the operational processes guiding its use. Van Wyk cites “whaling,” a fraud aimed at the C-suite, which often begins by targeting lower-level workers.

“They’ll send a message that looks like an email from the CFO saying, ‘Hey, it’s late Friday afternoon and the vendor urgently needs this payment, but their usual accounts are down. Send it to this account instead,’” Van Wyk says. In that case, employees need to change the medium of communication: “If you received the message via email, pick up the phone and call. If they called, ask for a face-to-face video meeting. Switching the communication channel can make all the difference.”

Such potential uncertainty around users being who they claim to be is why many cybersecurity experts, including Wiens, advocate implementing a zero-trust architecture, in which organizations continuously validate a user’s digital access at every step, often with the support of tools like privilege access managers, password generators and multifactor authentication.

“Even if we do trust all of the people within our organization, we still want to verify their access – and the reality is we don’t have to trust every action in our organization,” Wiens explains. “We can continue to verify their access and their behaviour.”

While acknowledging that many users can be put off by the phrase “zero-trust,” Wiens says organizations can mitigate this by helping users understand both their value within the organization and the value of the assets they have access to.

“You don’t need to have the knowledge or experience of a security administrator, but we find that users who understand the value of their organization’s assets and understand their level of access to them are more likely to protect them better,” he says.

Wiens also implores users to recognize the risk their personal activities pose, noting that it’s often easier for cybercriminals to hijack company equipment by reaching out to users on social media such as instant messaging platforms, or even Twitter or Facebook, where it’s easier to contact users and they’re more likely to reply.

“We’re seeing a real shift from the classic email from your boss inside your inbox to tactics that exploit not only technical vulnerabilities, but those human vulnerabilities we expose via social media,” Wiens says. “It’s a much easier direction for cybercriminals to take, because we really have blurred the lines between office and home.”

Van Wyk advocates for users to think of themselves as “digital citizens,” vigilant about the security of their online activities whether for work or personal reasons.

“What I like about the concept of ‘digital citizen’ is it acts as a bridge between what you do on your personal device versus what you do on a corporate device,” Van Wyk says. “For a long time we had a divide – you were trained on what to do and what not to do on a corporate device and then you went home and did whatever you want. But if you use your phone for payments or online banking, you should want to secure that phone as well as any work device.”

Once organizations have people and process strategies in place, then they can focus on mitigating the risk they’re most familiar with – technology, which involves more than just implementing complex, unique passwords and multifactor authentication.

The most prominent technology threat is ransomware, and with good reason – it’s typically the most expensive for companies and the most profitable for cybercriminals. A December 2021 report from Palo Alto Networks discovered that the average ransom paid by Canadian victims of ransomware was more than $450,000.

Beyond the typical use of firewalls and endpoint security technologies, CDW also encourages organizations to protect their technology from ransomware in two primary ways, Van Wyk says. One is ensuring they have backups in place, so that even if a cybercriminal locks their data they can continue operating.

The other involves protecting credentials, lest cybercriminals find their way into a system that’s been effectively backed up but still contains confidential information.

“Many cybercriminals, if they learn the organization has proper backups and isn’t worried about losing access to their data, will use it for blackmail or threatening to release it to competitors,” Van Wyk says. “Many organizations will pay out of fear of the damage knowledge of a breach will do financially, to their reputation and to their customers’ trust in their brand.”

“The right thing to do is disclose the breach and own it,” he continues. “Because otherwise you can have fines from the Office of the Privacy Commissioner of Canada, and if personal information was involved and you can’t show that you did your due diligence in following the above steps, you could have third party lawsuits on your hands.”

Van Wyk emphasizes that when it comes to preparation, one size does not fit all. “One significant mistake organizations make as they aim to implement a compliance framework is that they try to shoehorn themselves into the compliance framework,” he says, referring to security standards such as ISO/IEC 27001, which can be difficult to apply to an established workflow and easily deviated from if an organization isn’t careful.

“Our risk advisory group will work with you to align how your business operates with the framework, so that you’re implementing the intent of the compliance framework rather than the letter of the compliance framework,” he says.

Fortunately, CDW offers multiple security services including user awareness training, risk advisory and penetration testing, in which a team of experts acting as “ethical attackers” test how susceptible an organization is to attacks. These various assessment services allow organizations to better identify how limited budgets should be prioritized.

“Based on your operations, the type of data you access and make available and how your customers interact, we can identify the best ROI spend on technology, people or process that that will advance your security posture the most per dollar spent,” Van Wyk says.

Perhaps most importantly, CDW provide comprehensive security solution services from leading cybersecurity providers including  Palo Alto Networks and Okta.

“If someone implements your security solution and hands you the keys, and you don’t know what to do with it, then it’s not going to be able to respond to any threats,” Van Wyk says. “Organizations naturally tend to accumulate large amounts of technical debt. CDW’s security experts can assist with new builds, upgrades, or reviews to maximize the time and money you invest in your security solutions.”