Cybersecurity Awareness Month
Awareness of cyber threats not always matched by protective actions
Cyber Security Awareness Month is held internationally each October to help the public learn more about the importance of cybersecurity. The Canadian government’s theme for its 2021 campaign is “Life Happens Online.”
The theme recognizes that Canadians’ digital lives expanded dramatically due to the COVID-19 pandemic. Whether it was talking to family members and friends through our computers or working at our jobs remotely, our online connections burgeoned – and so did the risk of cyber threats.
Employees are more worried about cyber threats but are still not taking all the right precautions
CDW Canada provides IT solutions and services to businesses in such areas as cybersecurity, digital infrastructure and cloud technology. The company surveyed working Canadians on their cybersecurity knowledge and actions in 2020, when remote work was common. A follow-up survey this year was designed to take another reading of employees after more than a year of these new working conditions.
“Our latest survey found that employees’ awareness about cybersecurity threats is on the rise,” says Theo van Wyk, head of cybersecurity for CDW Canada.
Compared to last year, a greater percentage of employees now report they are concerned about cyber threats. Their biggest worries were data leakage, identity theft and hacker attacks. Malware, phishing scams and ransomware also made the list.
“It is encouraging to see that people have more knowledge, because the first step in combatting cyber threats is raising awareness,” he says. “However, practising regular cybersecurity hygiene – properly protecting devices and networks – remains a challenge for many Canadians.”
“We strive to balance cybersecurity needs with usability and efficiency,” says Mr. van Wyk. “Many security measures can be complex, and employees can find it difficult to maintain a high security standard when they are trying to be productive day after day.”
Take passwords, for example. A lot of us rely on the same or similar passwords for different devices and networks to help us log in with ease. The 2021 CDW Canada survey found that fewer Canadians use unique passcodes or passphrases to protect their phones, computers, networks and smart devices than in 2020.
“This is very concerning for us because reusing passwords gives attackers opportunities to gain access to multiple work and personal digital sites,” he says.
The stealth of social engineering attacks
A growing cyber threat is known as “social engineering” – where attackers trick you into revealing your credentials by posing as a trusted contact or mimicking a credible organization.
“In the past, bad actors still needed to figure out a way to hack into the network to use your credentials. Today, where everything is in the cloud and online, once they have those credentials they can easily gain access,” Mr. van Wyk says.
“It’s for these reasons that we’ve been advocating the adoption of a Zero Trust approach for some time now,” says Mark Quesnel, Canada country manager at identity and access management company Okta. “This mindset includes providing protection by building systems that utilize Adaptive Single Sign-on (SSO) and strong Adaptive Multi-factor Authentication (MFA) in response to the ever-increasing threats that we’re seeing.”
The CDW Canada survey also found that employees tended to be less rigorous about protecting smart watches, smart doorbells/thermostats and smart speakers than for their computers and phones.
“Despite the growing hybrid/remote work environment, many people still think that smart devices are entertainment and removed from work. Depending on network setups, an attacker can use personal smart devices as a gateway to your work network,” he explains. “You have to think about layers of security in the whole environment.”
Cyber best practices for organizations and individuals
Only half of the CDW Canada survey respondents indicated their organization had prepared employees with security education. In the new work landscape, organizations and individuals have to collaborate to protect their digital spaces and be good digital citizens.
Here are a few additional actions that individuals can implement:
Use a password manager: This is software that stores multiple complex passwords for different platforms behind the scenes while requiring the user to log in just once.
Use passphrases: An easily remembered phrase with a few character replacements can be hard for attackers to guess.
When setting up new accounts, turn on MFA if it’s available.
And for employers:
Make sure security education isn’t too generic and that it is relevant to the systems your employees are using and how they’re using them.
Ensure the tool sets you provide to employees to react to a potential breach are standardized. If you have too many variables and different procedures, employees will try to use shortcuts.
Create an inclusive environment where employees feel empowered to report security risks or cases where they have been attacked, without fearing judgment or penalties. Many security incidents can be mitigated if they’re revealed at an early stage.
To view the full report as it appeared in The Globe's print edition: Cybersecurity Awareness Month