Blog / The State of Cybersecurity – May 2024

This week we’re pleased to offer a special edition of our IT newsletter, The State of Cybersecurity, by TRINUS CEO and our very own IT guru, Kevin White.

Rob Bot, Grace, and your Friendly Neighbourhood Cyber-man will return with a new video newsletter next week.

Despite an increasing awareness of cyber security incidents, two common myths are still pervasive in the Canadian Small and Midsize Business (SMB) market. The first is that an organization can be too small or unimportant to be a target, and the second is that small organizations have little to lose if they are the victim of a cyberattack. Unfortunately, given the state of cybersecurity as of May 2024, neither myth (and they are myths) has ever been further from the truth.

The phrase “cybersecurity threats are constantly evolving” has become one of the most commonly used slogans in IT industry for the past 10-15 years, so much so that decision makers are likely to tune it out entirely. However, while it’s true the industry has already seen cyberthreats evolve quickly in that time, the previous pace doesn’t compare to the rate of change we’ve started seeing this past year, and will see in the near future.

The State of Cybersecurity – Artificial Intelligence

The catalyst for this exponential increase in risk is Artificial Intelligence (AI). The concern is not that a malicious and sentient AI entity will begin to attack human networks and infrastructure like the plot of some of our favorite blockbusters, but instead that hackers are now using AI to extend their reach further than they could have even dreamed of just a few short years ago. Modern AI is often thought of as a tool that multiplies the productivity of the person using it, and that is true, but it’s true for everyday users and malicious actors alike.

The easiest way to understand AI’s impact on cyberattacks is to look at how most attacks are conducted. The first phase, discovery, whereby an attacker gathers information about a target and its vulnerabilities, is the most time-consuming. It typically includes searching for gaps in a victim’s network and looking at the makeup of their staff and associated accounts. The latter information is often widely available on the internet even if your organization doesn’t have an online staff directory or other “Meet the Team” or similar page, but can take time to gather and convert into an effective attack strategy. Until recently, that is.

What was previously a largely manual and time-consuming job for an attacker has since become almost an afterthought as AI tools can now automate target discovery, allowing attackers to effectively reconnoiter a virtually unlimited number of targets simultaneously. Attackers then program their AI to conduct highly sophisticated attacks or social engineering scams on any targets with detected vulnerabilities, and they can now do it without manual input. The result has been an extraordinary expansion of attackers’ ability to scan for vulnerable organizations and attempt to exploit them.

That’s not to say all AI tools should be avoided. Quite the opposite. Considering the current state of cybersecurity in general, if there was ever an appropriate time to “fight fire with fire” in the IT industry it would be now. Many modern cybersecurity tools now make use of AI to help process the millions of data points a day that even a small organization can generate. However, like any tool, it’s not a magic bullet, and requires considerable expertise to configure and monitor for it to operate effectively.

This brings us back around to the problem with SMBs sometimes thinking they’re too small and unimportant for hackers to care about. Organizations with such a mindset will soon be faced with the reality that they are just as easy to target as their larger or better-known peers. If anything, the inverse is true; larger organizations have the money, staff, and management insight to take cybersecurity seriously and invest in effective countermeasures. Meanwhile, some SMBs see cybersecurity like an optional add-on to their primary IT support, and so rarely give it the attention and resources necessary.

The State of Cybersecurity – Major Risks

To make matters worse, this rise in effective AI attack tools has closely succeeded the largest erosion of cybersecurity controls yet seen in the digital age, that being the move to hybrid and remote work. Prior to the pandemic, traditional network security measures were designed around having the majority of users and devices behind a central office perimeter that could be managed and protected as a whole. Hybrid work and working from home has made these types of network security counter measures less effective. To make matters worse, many organizations made the move to remote work as an immediate reaction to COVID-19, willfully overlooking proper planning and network design in exchange for an expedient return to staff productivity, albeit from home instead of the office. And while all that was reasonable at the time, such rapid deployments sometimes created security gaps, both known and unknown. Unfortunately, as happens all too often with cybersecurity, initial pledges to patch such gaps went unfulfilled over time as things returned to normal, leading to vulnerabilities that still exist for many SMBs today, almost three full years later.

With the increased likelihood of cybersecurity incidents among SMBs understood, it’s also important to evaluate the potential risks incidents represent to them. For many, cybersecurity risks can be summarized into four overarching categories:

1. Loss of productivity: Staff will likely be unable to work during the incident.
2. Loss of data: Data might not only become irreplaceably lost but could also be exfiltrated by malicious actors and released publicly.
3. Loss of reputation: Public incidents reflect poorly organizations and senior leadership, including elected officials.
4. Regulation noncompliance: A cybersecurity incident (and your organization’s response) could result in non-compliance with legislative requirements, industry regulations or insurance requirements, potentially leading to fines or legal action.

The State of Cybersecurity – Regulatory Compliance and PII

Individually, any one of these can be the cause of significant disruption for an organization. However, most incidents will involve all four to some degree. Their consequences will be different for every organization but should be largely self-explanatory if an organization understands the type of data that it’s storing. Alas, many organizations and their senior leaders don’t understand the extent of information they retain, nor what’s considered private or sensitive. For example, the Office of the Information and Privacy Commissioner of Alberta classifies any information that can be used to identify an individual as Personally Identifiable Information, or PII, which includes staff names, phone numbers, email addresses, and other basic contact or demographic information.

That means that in reality, all organizations store PII in some capacity, even if it’s just staff names and phone numbers. Most will store significantly more, such as private information pertaining to customers (rate payers) and even intellectual property. The organization thus assumes the risks and responsibility associated with protecting that data to the best of its ability. In the eyes of the law, even small organizations have a lot to lose to a cybersecurity incident.

It’s also important to understand that organizations can’t outsource risk to a 3rd party, even via service provider or insurance agency. Recent legal history shows in all cases that responsibility for protecting sensitive data ultimately lies with the organization. In some extreme US cases centered around private data breaches, senior leaders have even been named as defendants in legal cases. Not only have many of them lost their jobs, but some have also been found personally liable for failing to take their organization’s cybersecurity seriously, allowing penalties and remediation to be assessed against the individual persons involved as well as the organization.

Cyberinsurance suffers from similar pitfalls. In the event of a claim, insurers focus on mitigating litigation risk and keeping recovery expenses as low as possible, not returning an organization to functioning as quickly as possible. Even in small cases it’s common for insurers to take over a week to greenlight a recovery process. Many organizations can’t afford such a delay, and some never recover even when insurance is footing the bill. Like traditional home or commercial insurance, taking steps to prevent a fire or flood is preferable to waiting for insurance to pay for repairs after one strikes.

The State of Cybersecurity – What Can Be Done?

With these myths busted, what can SMBs do to address the situation properly?

• Realize that cyber security is a serious issue that should be afforded the time, attention, and investment required.
• Understand that the cybersecurity landscape is constantly changing, that the rate of change is accelerating thanks to emerging technologies such as AI, and accept that provisions made today may need to be updated tomorrow to retain relevance.
• Understand and own the unique risks that a cybersecurity incident represents to the organization.
• Understand that it’s much easier to prevent incidents than to recover or respond to them afterwards.
• Remember that some things, like your business or organization’s reputation, can never be repaired once damaged.
• Understand the importance of regulatory compliance and that ignorance of these standards is not only considered negligent but also the fault of the organization. It’s not the regulator’s responsibility to ensure you’re aware of the latest standards.

Given the current state of cybersecurity, it’s understandable if SMB leaders and executives have deep concerns and serious questions regarding hackers, AI, and regulatory compliance. Each one represents a risk to productivity, profitability, and potentially even an organization’s sheer existence. If you’d like to learn more about any of these topics, or have any other questions regarding the general state of cybersecurity and what to expect going forward, please contact a TRINUS cybersecurity specialist to discuss getting some stress-free IT for your organization.