Maximizing Connectivity & Productivity

It’s a mistake for companies to go for off-the-shelf cybersecurity

A Globe and Mail interview on the impact and necessity of cybersecurity, and why off-the-shelf products do not make the cut for companies.

Highlights (see link for the full interview):

So what can companies do to prevent attacks?

Brian Rosenbaum: I’m big on training, education and the establishment and enforcement of proper policy and procedures. A lot of companies have the technology in place, but they don’t enforce security protocols. For instance, when companies encrypt devices, employees will often disengage that encryption because it’s too difficult to sign on and companies are not monitoring this practice. To me, a lot of this is an educational and cultural issue within the company. Ensure employees understand how a company can be hacked into and attacked.

Claudiu Popa: Organizations don’t bother to understand the simple concept of risk management and they try and find off-the-shelf products. Off-the-shelf products are fairly rigid and, in most cases, require proper configuration and management, and that expertise is hard to get. You end up having mismanaged product and a false sense of security and that’s a lot worse than having no security at all. Companies need to build certain things into their security and follow processes, but they have to assess their risk to begin with to know what it is they need to protect against. You can’t quantify risk if you don’t know if you should avoid it, transfer it, minimize it or mitigate it.

Why are so many companies so far behind?

Brian Rosenbaum: The law will be a driver. It will force companies to (speak) out in all cases that could be harmful to the individual. Once companies see that these aren’t isolated incidences, and that there’s a chain of events that happen when there’s a breach and that business can be interrupted, then they’ll sit down and say, ‘maybe we should invest.’ So the change in law will help, but it will be a combination of factors. There are so many breaches right now and companies can’t just sit back and do nothing.

Are cyberattacks worth fighting or is it just a cost of doing business?

Brian Rosenbaum: You’re going to have difficulties transferring that risk to insurance if you’re not going to invest in preventing attacks and privacy breaches. If you want to be insured, companies will have to see that you made an effort. So I think you do have to invest in security, but it’s more than just that. You need to invest in governance, protocols, procedures, training and auditing.


Mississauga, ON, Canada 905.607.3500