'Companies need to invest in cybersecurity awareness programs'
By now it’s common knowledge that cyberattacks can target anyone — individuals, governments and businesses.
February 5 is Safer Internet Day. With that in mind, what steps can individuals and organizations take to better understand and protect themselves from these ever-evolving threats?
Marc-André Léger is a part-time faculty member in the Department of Supply Chain and Business Technology Management at the John Molson School of Business. His research focuses on cybersecurity risk management. Léger believes that employee training and risk mitigation strategies are key to keeping a business safe.
Cybersecurity is the responsibility of every employee
Can you describe your field of research?
Marc-André Léger: Currently I have two main areas of interest: cybersecurity risk management, and science, technology, engineering and math (STEM) education. As a cybersecurity expert working in risk management, I have noticed that businesses and business managers talk about cybersecurity a lot, but in actual fact they do not allocate much in the way of resources to it — unless they have just suffered some sort of serious incident.
I began asking myself, how can we change the current thinking for the better? The answer is to create tools that help managers make better decisions and that use their limited resources more effectively when it comes to maintaining acceptable levels of cybersecurity threats across their organizations.
What is the principal challenge to an organization or business’s cybersecurity?
ML: They rely on IT to function efficiently. However, managers only have access to a limited amount of financial and human resources, and they have to be allocated across the entire company. So we should not be surprised that day-to-day operations take precedence over some possible problem down the line.
Cybersecurity only becomes a priority after a company has experienced a serious incident or attack. The fact is, cybersecurity is the responsibility of every employee in the company, because they are the ones making the routine, daily decisions that can have a huge impact. With this in mind, the best advice I have for companies is to invest in employee awareness programs in order to increase their overall organizational understanding of cybersecurity risk management.
What consequences can a company that has been victimized by a cyberattack expect to face?
ML: A cyberattack can cause a variety of negative effects on a business. It could lead to bankruptcy, job losses, including those of managers, and a loss of stakeholder confidence in the company. Information that is sensitive or of high value may be shared against the company’s wishes, potentially compromising confidentiality agreements. This information could be modified in an inappropriate manner, which could compromise its integrity, or it could be destroyed or lost.
A compromise of data security could lead to a loss in the competitive advantage the company was hoping to gain from its information and communications technology infrastructure. That in turn would result in economic losses for the company, regardless of whether it has been proven accurate or not. Those losses could be direct — as in the loss of the asset value of the information itself, for example — or indirect, as in the negative feelings caused by a service disruption, reputational damage, the loss of a competitive advantage, taking on legal responsibility and so on.
How can businesses protect themselves from a cyberattack?
ML: I have been advocating for an industry-wide data protection system that relies on the three Ps model: Prevention, Protection and Punishment. This model is based on three principal pillars:
- Prevention: Preventive measures are implemented within the organization. This includes, for example, a cybersecurity policy, a formal risk assessment process, annual IT audits and an employee awareness campaign that includes cybersecurity training.
- Protection: Implementing risk mitigation strategies; appointing individuals to positions of responsibility regarding risk management; and the implementation of an incident management system, a disaster recovery plan and a business continuity plan.
- Punishment: It will be necessary to prepare punitive actions against individuals who are found to have violated or deliberately contravened the two preceding pillars.