Just 12 days into 2023, the Globe and Mail published an article titled, “Ontario liquor retailer joins growing lists of firms hit by cyberbreach”. There are 5 reasons why this is such a strong article to set precedent in 2023.

Point One:

Cyber risk is a new normal:

Mr. LeBlanc compared dealing with cybersecurity threats to a game of Whack-A-Mole. “You fix one breach and you have to go to work on, what did we learn from that, how can we strengthen that system. It’s nonstop.”

There is no magic bullet defence you can buy, deploy, and forget.  It is a process of constant vigilance, preparation and readiness.

Point Two:

Knowing and doing are two different things.  Cyber events are in the news almost everyday, but it continues to be a challenge to get senior leadership to prioritize and invest:

But Lisa Kearney, chief executive officer of the Women CyberSecurity Society Inc., said in her 15 years as a consultant, she has rarely seen organizations put enough resources toward the prevention of data breaches prior to their occurrences. “Even when there are resources available internally, businesses are not often trained or knowledgeable, or frankly ready, to take action,” she said.

There’s no such thing as surprises, just a lack of foresight. (S1 E2, The Empress)

Point Three:

In IBM’s Cost of a Breach Report 2022 83% of cyber breach victim companies had suffered multiple breaches:

Ms. Kearney believes the reason many organizations go through cybersecurity incidents “over and over again” is because once systems have been recovered after a breach, companies move cybersecurity down on their list of priorities again.  “They get what we could call social amnesia, forgetting how important those security concerns were when they first went through it,” she said. “People, especially those in power or with authority, are getting desensitized because these attacks are happening with so much frequency these days.”

Cyber Security risk management must be integrated into how the organization operates.

Point Four:

Making someone responsible, insourced or outsourced, is not enough.

“At the same time, we also saw that 68 per cent of managers surveyed say their companies have a cybersecurity division and a further 18 per cent report they are in the process of creating one,” said Kuljit Chahal, the practice lead for data security at Adastra.  “The issue isn’t about whether you have a cybersecurity division or not,” said Kimberley St. Pierre, director of strategic accounts at cybersecurity and systems management provider Tanium Inc. “It’s about whether companies are using their systems practically and efficiently.”

IT Risk Management is an intimidating topic for the non-technical executive and business owners, but the threat is too large, and the defensive effort to complex, to just give it over to IT experts to “handle”.  Non-technical business leaders need help understanding and gaining control of the security decision making process.  It is one of the central IT management challenges today, but the communication gap must be bridged.

Point Five:

The Zombies are coming, we must get ready.

“We cannot afford to be surprised any more,” said Charles Finlay, executive director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University, formerly known as Ryerson University. “This is the norm now. Cyberattackers will target the most important parts of our society and our economy and our critical infrastructure. And the impacts of these attacks are going to be increasingly serious.”

Once you recognize the scale of the threat the next question is: Are you ready?