What are the emerging patterns and risks for cybersecurity in Canada, the United States, European Union and Australia? A global panel shared their views and predictions at last week’s 64th Pacific Rim Advisory Council (PRAC) conference in Calgary.
Here are their key insights:
- Businesses need to take steps to understand their suppliers’ cybersecurity hygiene—and include contractual terms in their agreements that require the provider to abide by a particular standard, permit the business to audit compliance with that standard, and require the third party to notify the business of any breach of its safeguards. Other contractual terms should also identify which party will bear the costs associated with a cyber attack.
- Cloud service contracts—which are generally offered on a take-it-or-leave-it basis—typically carve out liability for the cloud provider in connection with a cyber attack. As a result, businesses need to make sure they have other protections in place in connection with a potential attack against the cloud provider, as well as provisions in the cloud contract that permit monitoring of the cloud provider’s performance to the stated security standards.
- Managing risk at an organization needs to be driven by business in collaboration with IT. Including IT staff in negotiation of contracts can be important in the context of, for example, cloud service provider agreements.
- The human element remains the greatest weakness in cybersecurity. Everyone at a business needs to be trained on how serious the threat is and what to look for in their everyday communication. Leaders must align the entire organization to work together.
- Regulatory: The EU’s General Data Protection Regulation (GDPR) came into force in May 2018 and has extraterritorial effect. Other jurisdictions around the world are following suit by implementing more aggressive statutory regimes to compel compliance with the protection of personal data.
- Honeypots: This is an increasingly popular detection tool in cybersecurity defence. Honeypots are decoy systems on a company’s network that are intended to attract hackers. Their security is deliberately weaker, and when a hacker enters a honeypot, the company can observe the tactics of the attack—then use this information to deflect future ones.