2021 was the worst year on record for cyber attacks on Canadian companies. Businesses and IT experts alike thought it couldn’t get worse after, in 2020, it was reported that 78 percent of Canadian organizations experienced at least one cyberattack within a 12-month period. That disturbing number rose to nearly 86 percent by the time this past year came to a close. As we get deeper into the first fiscal quarter of 2022, businesses are on high alert, but awareness is no longer good enough. It’s time for action. Below is a breakdown of what your organization needs to do.
6 Cyber Security Action Items for Q1 of 2022 that Your Business Must Attend to Right Away
I. Put a Patch on Today’s Vulnerabilities
Does your company use open source software for e-Commerce, enterprise applications, and cloud services for troubleshooting, auditing, and data warehousing? Then you may be using an Apache service and if so, may be currently vulnerable to a new attack vector against Log4j. The Canadian Centre for Cyber Security (CCCS) issued an alert about a major security flaw in this piece of software at the end of 2021. Apache has since issued seven Log4j updates (reference here) but how many businesses will realize the necessity to employ the most recent patch, and have their IT team do it? Therein lies the problem.
You see, we’re not drawing your attention to the Log4j vulnerability so that you can take action on this cyber security issue alone. You may not even use it to begin with. Instead, it’s an example of a systemic problem in Canada’s commercial space. Most businesses are not aware of security breaches against the software they use for operations and data storage. Or when they become aware, it’s typically too late, as their own systems have been compromised. This is exactly what has happened with organizations that use Apache services:
“What caused these, and other vulnerabilities […] to be widely exploited was a failure of businesses to mitigate in a timely manner: either by updating to a new release or applying mitigations […] Open source supply chain issues can’t be solved by focusing exclusively on developers.” (Apache, IT World Canada)
If your organization uses Apache Log4j, take responsibility by taking action. Apply the updates as per CCCS recommendations. But more importantly (for all businesses) look at all of your open source software applications. Have your IT team (medium to large businesses) or developer (small business) drop everything and perform an audit to check for software updates. These updates will include important security patches, so ensure that they are initiated today.
II. Set Automatic Updates
There’s honestly no reason to let security patches pass your IT team by, as nearly all updates can be set to automatically occur. Ensure automatic updates are set for all software applications, from enterprise solutions to those that run the IoT devices in your office.
III. Monitor CCCS Alerts & Advisories
Monitor all cyber security alerts that pertain specifically to Canadian organizations. The Canadian Centre for Cyber Security (CCCS) has an Alerts & Advisories portal for companies to reference and take action on. This portal is updated in real time, and should be referenced daily by your IT team. At press (January 25) there have been 41 alerts issued by the CCCS since the beginning of the month. Over 40 alerts in just 25 days! Unfortunately 2022 looks like it will be another record-breaker for cyber attacks. Don’t let your company add to the growing statistics.
IV. Batten Down the Hatches on Remote Staff
A large percentage of the Canadian workforce works from home, and will continue to do so for the foreseeable future. Even if one-percent of your staff or contractors are remote, your company is susceptible to their own cyber vulnerabilities. It only takes one successful phishing attack to take down and entire organization. You need to protect your company from hackers who target remote staff and contractors. Preventative measures include the following:
- Network remotely using a VPN.
- Restrict online meeting access and secure webcams for video-conferencing.
- Supply staff/contractors with company issued computers that your IT department monitors and updates with the latest patches.
- Establish firm networking policies for every user in your company.
- Provide ongoing interactive training to ensure remote staff knows what to watch out for (i.e. new phishing schemes, etc.) and what action to take if they suspect a threat.
For greater detail on all of the above, please reference this guide to protecting remote staff from cyber attacks.
V. Review PIPEDA Compliance
There was a very important update to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) back in 2018. In response, your company would have established a reporting system to account for exploited vulnerabilities. There have ben updates since then. The Office of the Privacy Commissioner of Canada (OPC) has updated several guidance documents to reaffirm some of the types of personal information generally considered sensitive in the context of PIPEDA. Please reference these 2021-22 updates when establishing/re-establishing your reporting protocol. It’s one thing to suffer a cyber attack, but a whole other punitive and public relations nightmare to come if strict reporting protocols aren’t followed.
VI. Update Your Cyber Security Insurance
Every day, the AV-TEST Institute registers over 450,000 new malicious programs (malware) and potentially unwanted applications (PUA). What this tells you, is that no matter how carefully you follow the guidelines above, staying ahead of hackers is an exceedingly daunting task. Your company may not be able to prevent all cyber attacks, which is why cyber insurance is critical. Only then can your organization (including staff and stakeholders) be truly protected against advanced threats.
Other Cyber Security Articles to Review:
- Why You Need Cyber Insurance
- Cyber Security Starts at the Top
- Phishing Liability Prevention and Corporate Responsibility
- C-Level Phishing Schemes to Watch Out For