Cybersecurity

Can Canada Be a Global Cybersecurity Leader?

In this interview, Ulrike BahrGedalia (Senior Director of Digital Economy, Technology, and Innovation at the Canadian Chamber of Commerce) speaks with Marjorie Dickman (BlackBerry’s Chief Government Affairs and Public Policy Officer) about BlackBerry’s new collaboration with the Canadian Chamber of Commerce on the Cyber.Right. Now. campaign, and Canada’s capability to be a world leader in cybersecurity. Bahr-Gedalia is leading the Cyber.Right.Now. initiative for the Canadian Chamber of Commerce.

Ulrike Bahr-Gedalia: What are the core components of the Cyber.Right.Now. campaign, and why did BlackBerry decide to partner with the Canadian Chamber of Commerce to raise cybersecurity as a key issue for the Government of Canada?

Marjorie Dickman: The Cyber.Right.Now. campaign aims to make Canada one of the most cyber-secure countries on the planet. It's a unique initiative championed by the Canadian Chamber of Commerce, BlackBerry, and more than two dozen leading technology and cybersecurity organizations including Microsoft, Cisco, AWS, General Dynamics, Innovapost, and eSentire. Together, we're urging the government to make cybersecurity a top priority and Canada a world leader in this sector.

Canadians and businesses have become all too aware of the impacts of cyberattacks on economic and societal stability. Not surprisingly, the 2021 Edelman Trust Barometer found that 65 percent of Canadians fear falling victim to a cyberattack. (This is the second highest worry among Canadians today, only behind the fear of job loss.) A PwC report similarly indicates that 80 percent of Canadian CEOs are concerned about cybersecurity as a threat to growth. Recent cyberattacks on pipelines, water treatment facilities, hospitals,

universities, and businesses underscore the need to act quickly to secure the country’s digital infrastructure, businesses, and communities from cyberattacks.

Notably, Canada boasts world-class cybersecurity capabilities, including some 400 cybersecurity companies. In fact, some of the world’s top cybersecurity companies are Canadian, and BlackBerry is proud to be one of them. The Cyber.Right.Now. campaign is urging Canada to invest in and leverage this expertise to prevent cyberattacks, grow the economy, and secure our digital future.

BG: Becoming one of the most cyber-secure countries on the planet is an ambitious vision. How can Canada turn this vision into action? MD: Canadian cybersecurity companies have some of the most advanced cybersecurity solutions in the world. For instance, BlackBerry’s AI-driven cybersecurity solutions can identify cybersecurity threats before they occur, in some cases even two years before the malware has been deployed. This prevention-first security helped protect our customers from recent high-profile cyberattacks, including those by DarkSide — the ransomware gang behind the Colonial Pipeline attack, Nobelium – the infamous threat group behind the SolarWinds attack, and REvil — the group behind the attacks on Kaseya, JBS, and Acer.

Canada also has world-class centres of cybersecurity innovation, including Waterloo, Fredericton, Montreal, Calgary, and Vancouver. And Canadian cybersecurity companies consistently rank among the top 100 R&D spenders in the country, with an R&D intensity three times higher than the ICT industry average.

Yet, Canada risks falling behind, as other countries increase their cybersecurity investments. The OECD reports that Canada is one of the few countries where technology R&D investment is “stagnant,” investing only 1.5

percent of GDP and declining, while Canada’s competitors are investing billions in advancing their cybersecurity capabilities.

Notably, Canada boasts a wealth of cybersecurity talent. But competition for this cybersecurity workforce is fierce. There are over three million unfilled cybersecurity jobs globally, with more than 100,000 of these in Canada. This means Canada’s top talent is very often poached to work abroad. In fact, nearly two thirds of Canadian-educated software engineering students leave to work outside of Canada.

For Canada to be a global cybersecurity leader, the Cyber.Right.Now. campaign advocates three goals:

1. Secure critical infrastructure, businesses, and communities by investing in cybersecurity at per capita levels comparable to its G7 peers;

2. Grow the economy by attracting and incentivizing cybersecurity innovation in Canada; and

3. Bolster Canada’s cybersecurity career opportunities by training, recruiting, and retaining the most talented and diverse workforce.

BG: How can we ensure that these three goals are included in the federal government’s 2022 budget?

MD: Cybersecurity has never been more vital to a nation’s security — its people, government, and businesses. The Cyber.Right.Now. campaign urges Canada to invest in cybersecurity at a globally-competitive level. For example, the U.S., the U.K., and European governments are investing billions to secure their digital infrastructure and help position their economies for future growth. A focus on cybersecurity in the federal government’s 2022 budget can set Canada on a leadership path in this critical sector.

Securing Canada’s digital infrastructure has never been more critical.

To learn more about the work of Interac in protecting Canadians against fraud, and to access educational resources with helpful tips on spotting scams, visit interac. ca/en/content

This article was sponsored by Interac.

The Secret to Security Is Open Collaboration

In today’s online world, safety and security are digital concerns. Cybersecurity is a fast-moving field, and Canada can't afford to fall behind. D.F McCourt

Cybersecurity is security. Whether we’re talking about the security of an individual, a small business, a large corporation, or the Canadian government itself, our continued well-being and prosperity depend on the skills of the cybersecurity professionals we count on to protect us. Cybersecurity skills are no longer a niche area of expertise. They've become our fundamental social and economic safeguards in every aspect of our personal and professional lives. But how can the Canadian workforce keep apace of this constantly-evolving sector?

“Canada has a very strong background in cybersecurity,” says Steven Liss, Vice President of Research and Innovation at Ryerson University. “Historically, we’ve been one of the top four countries in the field. But, when we talked to the industry, we were also hearing that there was this tremendous gap in unfilled positions.”

That this dialogue was happening

between Ryerson and industry partners in the first place is of critical importance. If we isolate cybersecurity research, development, and training, we invite disaster. When cybersecurity conversations that are occurring in the industry, in academia, in government, and in law enforcement happen in isolation, varied perspectives on the many facets of this issue develop at differing rates, and gaps form in the collective understanding.

Bringing all voices to the table

A central commons was needed to bring these perspectives together, allowing them to intermingle and flourish. Enter the Rogers Cybersecure Catalyst, a not-for-profit corporation founded in 2018, owned and operated by Ryerson University. “The Catalyst was developed to be a hub for collaboration between the academic sector, the public sector, and the private sector,” explains Charles Finlay, the Catalyst’s Founding Executive Director. “We bring these three pillars together to develop

It Takes Vigilance — and a Village — to Fight Fraud

Isolation may impact our defences against fraud. As the pandemic persists — and as we face colder weather and shorter days — many Canadians will spend more time alone and could become more vulnerable to fraud.

Research from Interac Corp., a leader in digital security and authentication, demonstrates that over half (55 percent) of Canadians worry that increased isolation during the pandemic is making people more susceptible to fraud. Meanwhile, data from the Canadian Anti-Fraud Centre shows 23,842 reports of COVID-19-related fraud between March 6, 2020 and June 30, 2021.

Rachel Jolicoeur, Fraud Prevention and Strategy Director at Interac, says that Cyber Security Awareness Month is an opportunity to give Canadians the tools and support they need to fight back against the fraud threat.

“The best way to combat isolation is through community — and making that connection with others is critical when it comes to fighting fraud,” says Jolicoeur. “Fraudsters always look for new ways to force Canadians to react in the heat of the moment. This pressure can be compounded when we don’t have a friend, family member, or neighbour we can turn to for a second opinion.”

Use your voice to help others According to Jolicoeur, we can counteract the impacts of isolation by sharing our fraud experiences with others. We should look for opportunities to educate widely on any scam attempt we have faced and what could have been done to stop it.

“I always say that it takes a village to stop

fraud. It also takes vigilance. Think about those in your life and reach out to them to share your experiences. Let them know they can talk to you if faced with requests for information that appear suspicious. At Interac, we advise Canadians to Stop, Scrutinize, and Speak Up. Ask others not to react in the moment — if they're being forced to respond quickly, that's a telltale sign of fraud. Take a moment to pause and listen to your instincts,” says Jolicoeur.

Investing in secure innovation

As Canadians, we all have a responsibility to help combat fraud — including the business community. For its part, Interac works to keep Canadian customers safe and secure when transacting through the company’s investment in world-class privacy, fraud mitigation, governance, and digital identity and authentication expertise.

“We take our responsibility to protect Canadians seriously. For example, Interac e-Transfer® users are protected by multiple layers of security, making the service one of the most secure money transfer services globally. Enhanced features have been designed with security in mind — including Interac e-Transfer Autodeposit, which we encourage Canadians to use as it allows transactions to be automatically and conveniently deposited into your bank account,” says Jolicoeur.

innovative programming of the highest quality focusing on skills training, support for Canadian cybersecurity companies, public education, and policy development.”

In this unique environment, students, researchers, thought leaders, entrepreneurs, and established industry professionals are building the platform that will bridge the cybersecurity skills gap and launch the next cohort of security innovators. In addition to more traditional education and skills building, programs range from the Cybersecure Accelerator — which connects new businesses in the space with an elite group of talent from existing tech companies — to the Cyber Range, an immersive and collaborative cybersecurity training and testing platform.

Cybersecurity is about people

The interconnected environment of the Catalyst drives home a key truth about cybersecurity: it is inextricably human. “Cybersecurity is about critical thinking, but it's also about teamwork,” says Liss. “We’re encouraging people to recognize that they're not working in an isolated space. There’s certainly a big technical component, and cybersecurity is not for the faint of heart in that regard, but there’s also a need to be able to communicate and understand the implications and relevance of the technology in people’s lives. Cybersecurity is about people.”

Women

Cybersecurity is a booming industry with one big problem — there just aren’t enough qualified people to fulfill the industry’s demand for workers.

According to an (ISC)2 study, the industry expects to see an estimated 3.5 million vacant jobs globally in 2021.

To meet the demand, the industry needs to grow more than 145 percent. While the industry aims to attract more talent in general, it also faces a diversity gap — despite the millions of open jobs, there just aren’t enough candidates to fulfill these roles. And yet, according to Cybersecurity Ventures, only 25 percent of cybersecurity jobs this year will be held by women, despite women making up almost 47 percent of the general workforce.

“While there are many opportunities for young women in this profession, there's a disconnect between what cyber professionals do and the skills needed to be one,” says Beth Dewitt, Partner and Board Member at Deloitte Canada and Women in Cyber Leader. “I don’t come from a traditional computer science or engineering program.

Today, cybersecurity requires diverse perspectives and experiences to solve complex issues and threats. We need to include people with non-traditional and non-technical backgrounds so that this diversity of thought and experience can inform how we build and protect the very services and systems that help keep us connected and progressing as a society. Without this kind of diversity, we won’t be able to reflect our own social diversity or create more inclusive communities.”

Diverse backgrounds bring diverse perspectives

Dewitt, whose career started in international development and anthropology, came into the cybersecurity field through her work in health research and health privacy. She leads Deloitte’s global Women in Cyber campaign — which aims to showcase that behind every functioning society, there's a woman in cyber. The campaign, which focuses on the stories of real women working in cybersecurity at Deloitte, aims to attract more women to the industry, while celebrating those who are currently making an impact.

“The more we get our own stories out

there, the more young women and girls will see that there are opportunities for them,” says Dewitt. “Organizations need to position cyber as a career choice for all individuals with different backgrounds, degrees, and experience. Cyber is a risk profession, not just a technology profession. It’s a business enabler and it’s strategic, more so now than ever.”

In addition to breaking down misconceptions, Dewitt says that it's important for organizations to be deliberate in how they're recruiting and hiring for roles in cyber. Since the campaign started, Deloitte has seen a rise of over 30 percent in female applicants.

“This demonstrates early in our campaign that there are many women who are interested in working in this space and that through this campaign, and through seeing women like them who they can easily relate to, they better understand what opportunities are possible and accessible,” says Daniella Toledano, Partner, Cyber Risk Services at Deloitte Canada. “Diversity leads to a wider range of perspectives and voices, as well as experiences and skills, which together lead to interesting and innovative solutions to our cybersecurity threats.”

In addition to the digital component of the campaign — which will feature videos, articles, and podcasts — Deloitte is also developing a grade school program to introduce girls to cybersecurity earlier, and help improve their understanding of online safety. Deloitte’s Women in Cyber team has also designed a leadership development program aimed at uniquely supporting its own women cyber professionals.

What’s next for women in cyber: beyond landing the job

The campaign isn't done, and Dewitt points out that it's important to have continuous awareness opportunities to inspire growth, development, and to promote women into leadership roles. She suggests those interested in a career in cyber to “just go for it.”

“There are increasingly more professional and community groups focused specifically on women in cyber, and equally as many women professionals who are committed to helping other women start a career in cyber. I encourage those interested to reach out and get connected,” says Dewitt.

Cybersecurity today is a fastpaced arms race. Gone are the days when an off-theshelf security product could provide sufficient cyber defence for an organization. Maybe those days never really existed at all. Modern cybercriminals have vast resources available to them, they coordinate with agility across oceans and time zones, and they have their own active R&D teams working around the clock to develop innovative threats and expose new vulnerabilities. The current threat landscape is not only a moving target, it’s also an accelerating one, and organizations need a next-generation response if they don't want to be left behind.

"We've entered an era where attacks are more advanced, stealthier, and launched by cybercriminals and nation states that have fully industrialized their craft," explains Mark Alba, Chief Product Officer of Anomali, a leading cybersecurity company. "Adversaries are keenly aware of how rapidly organizations are expanding their digital surfaces. To take advantage of this new reality, they've operationalized their campaigns and are utilizing tools and techniques that are frequently steps ahead of legacy security solutions."

Superthreats thrive in environments dominated by legacy technologies

“What’s needed now is a new way of thinking and acting. We can no longer operate with a wait-and-see approach. To succeed in the modern business environment, public and private sector organizations must take a strategic approach to deal with cyber threats — one that will allow us to end the race by crossing the finish line ahead of nefarious actors,” says Alba.

A top candidate for a race strategy is the deployment of extended detection and response (XDR) solutions. XDR connects and integrates all security data and telemetry, correlates it with global intelligence, and then leverages artificial intelligence to automatically analyze, detect, and stop attacks and breaches, in real time before they become costly and disruptive incidents.

Threats are dealt with before a human intervention could even begin by cybersecurity experts with complete analytics that can be used to hone the system, strengthening the defences on each iteration. “The detection and response capabilities as we've known them in the past, have extended way beyond the traditional concept of the enterprise net-

work. With the advent of edge computing, cloud, IoT, blockchain and other emerging technologies, plus the rapidly-changing and dynamic nature of the enterprise environment, an extended detection and response capability continuously adapts and pivots to the new cyber threats and is the way to go,” says Umang Handa, a partner leading the cybersecurity practice at one of the big four System Integrators.“Powered by patented artificial intelligence, our proven Anomali XDR Platform automates the collection and correlation of all security data, telemetry, and global intelligence. Our unique Anomali Match XDR product provides the precision detection and optimized response support needed to stop attackers and breaches before they have a chance to disrupt operations.”

Will this technology end cybercrime for good? Surely not. But it does provide a welcome opportunity to put the cybercriminals on the back foot for once. “XDR should be thought of as the new phase of cybersecurity that leverages relevant intelligence at scale,” says Alba. “It provides precision attack detection and optimizes ecosystem-wide response to stop attackers and breaches before they have a chance to disrupt business and inflict costly damages. Many businesses have invested in technologies that can detect smoke, but few can find the actual fire, and even fewer can extinguish a blaze before it burns out of control.”

There’s no telling what innovations and advancements in productivity may become possible when our brightest IT minds finally get a break from chasing down fires. With XDR, we just might find out.

Optiv Helping Companies of All Sizes Boost Their Cybersecurity

Cyber threats lurk everywhere and threat actors grow more sophisticated each day. No Canadian organization is immune to potential ransomware attacks, malware, phishing schemes, and data breaches. Wellversed and up-to-date on the latest attack methods, many cyber attackers have a big advantage by using even more advanced tools than company IT administrators use in searching for vulnerabilities to exploit.

According to Statistics Canada, about one fifth of Canadian businesses were affected by cybersecurity incidents in 2019. In the same year, over 43 percent of large businesses, 29 percent of medium-sized businesses, and 18 percent of small businesses had some form of cybersecurity incident.

The impacts in terms of business disruption, lost revenue, productivity, and reputational damage are huge — not to mention the forensic, insurance, and legal costs.

Optiv, a cyber solutions integrator Optiv Canada works with organizations of all sizes to develop, optimize, implement, and run their cybersecurity programs. Based in Toronto, Optiv Canada is the Canadian subsidiary of Optiv Security — a U.S. cybersecurity solutions integrator founded over 20 years ago and headquartered in Denver, Colorado. Globally, Optiv Security provides cybersecurity consulting, assessments, products, and services to over 7,000 business and government clients, has over 2,200 employees, and partners with over 400 vendors.

“We launched Optiv Canada in 2016 and then expanded in the market in 2017 through the acquisition of Conexsys Communications Ltd., an established Canadian security and networking solutions provider,” says Cheryl McGrath, Area Vice President and Country General Manager, ICD.D at Optiv Canada. Today Optiv Canada is Optiv’s fastest-growing entity, having achieved a top ranking with large Canadian companies in identity and access management (IAM), risk management; digital transformation, devsecops, AI, and security operations.

Optiv Canada continues to focus on expanding its in-country service capabilities to meet the demands of Canadian public

and private sector organizations from coast to coast, drawing on its global capacity and international experience as needed. “Additionally, we deliver security-cleared resources to clients in the Canadian federal government and other environments where information security is paramount,” says McGrath.

Meeting organizational needs of any size, risk level, and point in cyber journey

“One thing I’ve observed advising organizations across Canada on their cybersecurity plans and programs is that every organization can use help in one way or another,” says Michael Doucet, Executive Director of the Office of the CISO (Chief Information Security Officer) with Optiv.

But lack of resources makes that challenging, especially for medium-sized companies, which may not be able to build those capabilities internally. “Even big banks with 300 or 400 cybersecurity specialists on staff may not have enough in-house resources to address the rapidly-morphing cyber landscape,” says McGrath.

That’s where Optiv comes in. With its strong bench of cybersecurity talent, deep expertise, and access to broad cyber resources, Optiv Canada can meet the needs of organizations of any size wherever they are — regardless of their risk level or place in their cyber journey. “We deal with entities across the country of every size, from the largest federal government departments, public sector clients, and large banks to mid-sized organizations,” says McGrath.

Under its advisory, strategy, and consulting umbrella, Optiv Canada offers several practice areas, including cyber digital transformation, identity and data management, risk management, security operations, threat management, and integration and innovation services. “Essentially, we go to clients and build cybersecurity roadmaps, strategies, and anything else they need to build their cybersecurity ecosystem,” says McGrath. “We also spend a lot of time talking to Boards of Directors, because they’re ultimately responsible for reviewing the enterprise risk plan and portfolio for the organizations they oversee.” says McGrath.

Complementing the advisory, strategy,

and consulting umbrella is the technical umbrella, under which Optiv operationalizes and runs the programs it advises on, drawing from over 400 of its vetted and tested cybersecurity partners.

Managed services give companies predictability with cybersecurity programs

A key Optiv differentiator is the ability to offer advice and implementation in a one-stop shop. “We help come up with the road map and strategy, and then take it to the next level to help organizations build, implement, and even run their cybersecurity programs,” says McGrath. Through its managed services offering, Optiv provides its own staff to manage an organization’s entire cybersecurity program, or a portion of it, as they wish. “Being able to do that 24/7 for a medium-sized organization gives them a level of predictability in the deployment of their cybersecurity activities,” says Doucet.

Another differentiator is Optiv’s approach. Many companies take a threat-centric, “outside-in” approach, focusing first on identifying specific threats and then reacting with technology procurement. Optiv instead takes a proactive and strategic “inside-out” approach to cybersecurity, starting with risk mitigation and building out from there with strategy, infrastructure rationalization, operations optimization, and ongoing measurement. “This is far more effective at reducing current and future risk than the threat-centric approach,” says McGrath. “We also focus on building a future-ready mindset within the organization, using a holistic approach from the mailroom to the boardroom.” Optiv believes the critical attributes needed to create and support that mindset are Clarity, Foresight, Agility, and Resilience.

A key tool in helping clients be futureready is Optiv’s MXDR (Managed Extended Detection and Response), a comprehensive, cloud-based threat detection and response service that automates incident investigation by ingesting data across various layers and sources. “The idea of being able to use everything in your environment as a sensor to detect potential security threats and incidents and monitor it is very important in our industry right now,” says Philip Solakov, Director of Client Solutions at Optiv Canada. “Our MXDR service enables us to collect information from anywhere and everywhere and perform a comprehensive analysis across a customer’s entire threat surface, prioritizing alarms, investigating events, and managing incidents.”

One thing I've observed advising organizations across Canada on their cybersecurity plans and programs is that every organization can use help in one way or another.

To learn more about how Quantum eMotion, the only public QRNG company in the world (QNC/QNCCF), is developing the next generation of quantum-safe encryption, visit quantumemotion.com

This article was sponsored by Quantum eMotion.

Future-Proofing Cybersecurity Using Quantum Technology

In the arms race between cybersecurity and cybercriminals, we've always relied on complexity trumping computational power. In the era of quantum computing, complexity isn't enough. We need true randomness.

Agood random number is hard to find. Humans are terrible at generating randomness, and computers are arguably even worse. And yet randomness is a fundamental building block of modern digital encryption. Without a good source of pure randomness, even our strongest cybersecurity measures are vulnerable to the rapidly-accelerating march of computational power.

“When an algorithm generates a random number, almost by definition, you know that it's not really random — it's deterministic by nature because it has been created by a complex formula behind it,” explains Francis Bellido, CEO of Montreal-based firm Quantum eMotion, the only public quantum random number generation (QRNG) company in the world. “With the threat of quantum computers, which have already in the prototype stage increased calculation capacity millions of times over, it will be possible to crack any existing encryption system one way or another.”

With cybercriminality increasing fourfold over the course of the pandemic, it’s more important than ever that we future-proof our security with true randomness, removing the computational element altogether. But where do we find these pure random numbers?

The quest for true randomness

“In Newtonian physics, there is nothing random,” says Bellido. “The only way to get pure true random numbers is to rely on quantum mechanics. What we've developed at Quantum eMotion is a junction which we bombard with electrons and measure the quantum tunnelling effect. It's purely random — what we call in physics a source of pure entropy. The junction itself is extremely small, 10 microns across. It will fit in a USB key or on a chip in your phone, making it completely uncrackable. It’s our vision that in the future, every device that connects to the internet should have a QRNG. Because, after all, every time you connect a device to the internet, you're creating a new door for cybercriminals to enter your home or business.”

As the world of computing continues to be transformed in the quantum era, future-proofing those doors is going to require the kind of locks that only true randomness can provide.

Why Canadian Businesses Need to Beware of Cybercriminals

It’s hard to read the news without noticing the increase in cybercrime, especially cases of ransomware. Large organizations around the world are being held for ransom after their data is compromised or stolen for increasingly larger sums of money.

The technology and the knowledge needed to perpetuate ransomware attacks are readily available at low cost for cybercriminals, as noted in our National Cyber Threat Assessment 2020 report.

“Big game hunting,” or targeting larger businesses, happens when cybercriminals go after big enterprises that cannot tolerate disruptions and are likely to pay hefty ransoms to restore operations. But don’t be fooled — it isn’t just large businesses that are being targeted. Small- and medium-sized businesses and individuals are just as likely to fall victim to cybercrime. They just don’t make it into the news.

Mitigating ransomware incidents with cybersecurity knowledge and best practices

Old or unpatched software can provide easy access to business networks. Employees unable to recognize phishing emails and possibly compromised attachments can also lead to a serious breach. Basic passwords, re-used on many accounts, are easy entry points for cybercriminals to get access to your information.

There are simple and effective tips that can help protect you from common cyber incidents. For starters, you can improve your baseline cybersecurity defence, making it harder for cybercriminals to compromise your business. A harder target usually means cybercriminals need more resources. More resources mean time and money, which makes you less worth their while. It won’t make you invincible, but it helps make your business a less attractive target.

At the Canadian Centre for Cyber Security (Cyber Centre), we have plenty of resources available to help. These resources can help prevent an attack and keep your business safe and secure, as well as provide guidance on better-educating employees on cybersecurity awareness. If you’ve fallen victim to a cyber incident, you can find advice on how to respond and report it via our new incident reporting portal. Reporting cyber incidents helps us and our partners make sure other Canadian businesses don’t fall victim to the same crime.

In a rapidly-evolving tech marketplace, understanding business needs and matching them with up-to-date skills is a Herculean challenge, especially in specialized fields like cybersecurity. This is a global phenomenon, but Canadian needs are uniquely complicated, with smalland medium-sized businesses heavily outnumbering large enterprises. In such a decentralized marketplace, it can be a full-time job just keeping track of the skills in demand and the opportunities available. Thankfully, Canadians can rely on TECHNATION.

TECHNATION is Canada’s leading national technology industry association. It collaborates with businesses, educational institutions, workers, and government agencies to ensure that Canada’s tech workforce is connected, agile, resilient, optimally trained, and properly utilized. And, as TECHNATION President and CEO Angela Mondou explains, that means talking about a lot more than just traditional hard tech jobs, even in the sophisticated and fast-paced world of cybersecurity.

“The cybersecurity need isn't limited to pure tech skills,” says Mondou. “Companies also need hybrid roles, which include cybersecurity project managers and analysts, to name a few. TECHNATION’s Career Ready Program, funded by the Government of Canada’s Student Work Placement Program, play a huge role in helping youth to realize pathways into careers in tech, particularly in cybersecurity, where there's a lack of understanding as to what positions in that field

might include. Reskilling is also particularly important to keep economically-impacted sectors viable and secure.”

The Career Ready Program saw a 15 percent national increase in demand for cybersecurity-based work terms during the pandemic, and employers can receive a $7,500 wage subsidy for each student they hire. The number of successful student work placements through the program continues to rise.

Steady and increasing demand from Canadian employers

As part of the Career Ready Program, TECHNATION has developed an AI-driven labour market tool in CareerFinder, which collates and analyzes real-time data to provide predictive guidance on changing workforce needs. Since its debut last year, CareerFinder has reported a daily cybersecurity job shortage of 8,000 to 10,000 jobs in Canada. Filling these positions is both an economic opportunity and a security necessity.

“It's clear that the rapid pace of cyberattacks and the shortage of trained cybersecurity professionals are growing challenges in Canada,” says Mondou. “Canadian governments and municipalities are increasingly the target of hackers and, with the pandemic, there has been an increase in ransomware attacks due to people working from home. There are not nearly enough skilled graduates from post-secondary institutions or cybersecurity training programs

to keep up with the steady and increasing demand from Canadian employers.”

The educational and training element must be at the heart of any roadmap to a stronger and more secure tech sector in Canada. Fortunately, strengthening connections between different worlds like industry and academia is exactly what TECHNATION does best.

“TECHNATION is a leading collaborator in the Canadian cybersecurity ecosystem,” says Charles Finlay, Founding Executive Director of the Rogers Cybersecure Catalyst at Ryerson University. “They work closely and very effectively with a wide variety of stakeholders like the Catalyst to advance training programming, and they are well-known for their work in identifying cybersecurity employment needs across Canada. They're tackling that very effectively through their CareerFinder, skills frameworks, advisory groups, and many other programs. The Catalyst is proud to collaborate closely with TECHNATION and they're an important part of our mission. Angela in particular deserves a shout out as a very effective leader in cybersecurity.”

Securing an innovative future for Canada in the worldwide tech ecosystem is big work, and there are a lot of moving pieces. With partners like TECHNATION guiding our efforts, however, Canada has all the makings of a clear global leader in cybersecurity and the future of tech.

This

Cybercrime Is Scary, but a Strong Offence Is the Best Defence

Cybersecurity is one of the most serious economic and national security challenges we face.”

Those are the opening words of the Honourable Harjit Sajjan, Canada’s Minister of National Defence, in the latest National Cyber Threat Assessment. The document is a chilling look at data and credential security in a rapidly-digitizing landscape faced with rising incidents of cybercrime and increasingly sophisticated threats. According to the Canadian Internet Registration Authority, more than 80 percent of the nation’s organizations were targeted by a cyberattack in 2020, while many companies identify cybersecurity as their number one operational concern in 2021. So what can Canadian organizations do to defend themselves effectively?

One of the best ways to approach the challenge is, first and foremost, as a people problem. “You can spend a lot of money on technology and have all the right hardware and software in place,” says Nim Nadarajah, Partner at Canadian cybersecurity firm CrucialLogics, “but

the weakest link in the security chain is always going to be the end user.”

During the pandemic, the importance of strengthening this link grew even more acute as the rise of working from home dramatically shifted the need for cybersecurity beyond organizational spheres into the personal realms of employees. “It’s not just about having a lock and alarm on your front door,” Nadarajah says. “You need to make sure that it’s locked every night and have a plan for when the alarm goes off.”

Anticipating danger is the first and best defence

According to Nadarajah, maintaining such a plan and ensuring real security requires a continuous mindset of vigilance and action. These days, cyberthreats are innovative, prolific, and diverse, as are the actors who initiate them. Many companies know this but may not be equipped to tackle digital perils in all their forms and mutations. It takes the right tools and expertise to stay one step ahead of the bad guys in such a murky climate.

What SOC and Security Teams Want to Know About Digital Transformation

The velocity of our world’s current digital transformation, while necessary, has caused some businesses to accept a higher level of security risk. They don’t want to impede business progress, but truly transformative change requires both digital innovation and cybersecurity. Without security comes the potential for considerable financial and reputational harm.

In fact, 82 percent of IT security and C-suite respondents said they experienced at least one data breach because of digital transformation.

If it’s such a serious issue, why are some businesses not prioritizing security?

Maybe it’s not a priority for this year’s budget, organizations can’t find the right security talent, or there’s a lack of awareness. Others may believe that implementing certain security controls is too difficult or that additional steps are too burdensome.

Whatever the case may be, not prioritizing security leaves vulnerabilities, and understanding the division of responsibilities, especially where cloud providers, third parties, and authentication management are involved, is crucial.

Bolting cybersecurity on later in digital transformation is expensive, and for IT operations to function effectively, security can’t be siloed.

Business is more digital than ever Cloud migrations, a distributed workforce,

the Internet of Things (IoT), and the internetworking of operational technology (OT) expand the attack surface. No industry, field, or size of organization is immune, either.

Even if security is top of mind for your organization, these technologies introduce unforeseen vulnerabilities that your legacy security systems may not be able to prevent.

Cyberattacks are increasing in frequency and sophistication

Threat actors attempt a cyberattack every 39 seconds, and cybercrime is the threat that’s most likely to affect Canadian organizations in the coming years. Cyber threats are also largely opportunistic, and the introduction of new technologies presents new vulnerabilities — just what attackers are looking for.

For instance, the time between initial access and ransomware being launched is shrinking, and overall tactics are becoming more advanced. Visibility across your infrastructure is crucial to swift detection and mitigation. Involving security teams in your ongoing digital transformation allows you to consider the evolving threat landscape throughout the change process.

Trusting the right security partner is key Nadarajah believes that true peace of mind comes from an open and honest dialogue about vulnerability within an organization. “Transparency is where a lot of organizations in the cybersecurity space fail,” he says. “If we have a customer who's willing to work with us and give us the keys to the kingdom, we’re going to show them how we’ve fortified it, the defence mechanisms we’ve put in place, what we’ve caught, and what got through.”

In truth, Nadarajah says, “some attacks are always going to get through, but it’s how you handle the response and remediation that’s important.” And on that front, CrucialLogics is well-armed.

Nadarajah is one of three partners that started CrucialLogics. He's joined by Amol Joshi and Omar Rbati, who started CrucialLogics as an advisory-first company whose goal is not to sell technology but to help companies demystify and enable security.

With the increase in cyberattacks comes increased ramifications

Without comprehensive security practices and protocols to fortify your transformative processes, your business faces the possibility of financial damage.

In fact, Canadians have lost $4.9 billion to ransomware over the past year, with the average ransom demand falling between $164,772.27 and $659,246.27. Factor in downtime, and those numbers increase to millions of dollars.

However, money isn’t the only issue to consider. If breached, your organization will likely experience a loss of consumer trust and reputational damage, which makes recovery a significant challenge.

The velocity of digital transformation allows for invigorating advancement but also raises greater security questions. Cyber threats evolve constantly in expense, expanse, and sophistication. Your organization needs resilient security controls, regardless of where data is stored and where employees work from. The right prevention, detection, and response solution is critical.

Read more about securing your digital transformation in “5 Security Recommendations for CIOs Managing a Digital Transformation Program."

When Cybersecurity Technology Fails, Will the Human Element Hold Strong?

In

The cybersecurity field is growing at an incredible rate, but it remains quite young as an industry and a science. As the cybersecurity industry exits its adolescence and matures into the robust and comprehensive discipline we need it to be, it must grapple with fundamental questions about what security even means in today’s digital world.

Redefining cybersecurity with David Shipley

There are a lot of voices clamouring to be heard in the dialogue that's shaping the future of cybersecurity. But in such a rapidly-moving field with such high stakes, the most effective ideas quickly rise to the top, even if they're unorthodox or of unexpected origin. New Brunswick’s Beauceron Security has secured a well-deserved seat at the forefront of this discussion, and CEO David Shipley is championing a decidedly human approach to digital security.

“I'm an accidental cybersecurity professional,” says Shipley. “This was not my plan. I've been a soldier, a newspaper reporter, and a marketer for the University of New Bruns-

wick. When the university was attacked by a hacktivist group, I was the one who realized it, and I used my skills to help with the incident response. As a result of that, the CIO asked me to help lead the university's cybersecurity defence. What I found there, dealing with hundreds of different incidents every year, was that the root vulnerability behind cyberattacks was rarely, if ever, technology. It was always traced back to people, process, and culture. So, I began thinking about the human side of cyber.”

And so Beauceron Security was born, with a mandate to take this idea of people and culture as the foundation of cybersecurity and turn it into something practical, applicable, and measurable.

Putting bold ideas to the test: Measurable results in the security marketplace

In a recent white paper, Beauceron Security emphasized the quantitative successes they've seen relative to its competitors in the field of anti-phishing security. At the heart of the initiative is the Beauceron Platform, which actively motivates employees to engage with security and rewards them for doing so through positive feedback and gamification focused on critical behaviour metrics too often overlooked.

“We know that anti-phishing programs are effective and that we can use them to decrease click rates,” explains Beauceron Data Scientist Nicole Bendrich. “But it’s also important to recognize that click rates aren’t the only metric we should be measuring. It’s very easy to get a false sense of security from

“I had experience working at IBM on their flagship enterprise security software, and it was exciting to have the opportunity to build something like that from the ground up with a new human-focused strategy,” says Beauceron Co-Founder and Chief Evangelist Ian MacMillan. “We saw an opportunity to empower individuals, not as a liability that you have to protect, but as an asset to protect organizations. By encouraging people to do their part, we actually see a shift where employees don't just assume that it's someone else's problem, and they

a low click rate. That's why we also include metrics like the ignore rate, which the report rate that aren't necessarily discussed as often but that are really important because they actually show behaviour.”

With phishing attacks, as with all types of cyberattacks, technology can go a long way to securing the defences. But, with an ever-growing volume of attacks, some percentage will always get through. And it's exactly the ones that get past the AI that a well-trained and engaged human is best-equipped to recognize and address — If they’re not too scared to do so. “Our goal is to put people in control of technology, empower them to be in control of technology,” says Bendrich. “Sometimes users are just not willing to interact with anything at all because they're afraid of making a mistake. Rather than not engaging at all, we want them to be able to identify if something

now have the tools to act when they find a security concern. The byproduct is that the organization is more secure.”

In short, the Beauceron philosophy represents a seismic shift in how to approach the long-recognized human factor in security. If human behaviour is the most significant vulnerability, you can work to lock that down, and remove it from the equation, but that has never worked. What if, instead, you work on turning the same qualities that make people vulnerable into a key component of security resilience?

is a phishing attack, or if it's spam, or if it's an email. Then they can move through the world a little bit less scared and more in control.”

When users are well-trained and steeped in a cybersecurity culture that values engagement and active reporting of attacks, they become less timid, and more vigilant, and they take pride in their own contribution to security. The psychological and emotional character of security is transformed from a weakness into a strength.

“There's a reason why we chose to name our company and our technology after a sheepdog,” says Shipley. “The idea is to turn people from the passive victims of cybercrime, the sheep, into the active defenders, the sheepdogs. It’s not humans as the last line of defence after technology has failed, but as the first and best, with technology playing a supporting role.”

Empowered people are secure people, a conversation with Ian MacMillan

Who Protects the

Cloud?

And Why Your Business Should Care

During the pandemic, cloud adoption was accelerated at a rate never seen before — but moving to the cloud quickly without considering security could be leaving companies vulnerable.

According to a recent study, cloud data centres will process 94 percent of all enterprise workloads in 2021. This is due to the many benefits that the cloud brings to companies, including reduced IT costs, automated upgrades, scalability, collaboration efficiency, and flexible work practices — like working from home — which are all key during a pandemic.

This shift to remote work during the pandemic has resulted in a 238 percent increase in global cyberattacks. This statistic comes from a recent report released by HP and KuppingerCole, an international, independent analyst firm, which assessed remote work and its cyber risks.

Holding businesses responsible for their own security As organizations embrace cloud digital transformation, there are also cyber risks to consider.

“A common misconception is the fact that security is the cloud service provider’s responsibility,” says Antoine Saikaley, the Canada Technical Director at Trend Micro, a cybersecurity giant that currently protects over 500,000 enterprise and commercial organizations. “Organizations using the cloud need to understand that security is actually their responsibility and need to ensure that their applications and data are secure.”

The good news is that tools exist to make cloud security more integrated, easier, and a lot more effective than many IT leaders believe. Finding the right security partner now is more important than ever.

Cloud services, like AWS and Azure, both adhere to a shared responsibility model which holds customers liable for protecting their own data and applications. Businesses may be concerned about their sensitive data leaving the country when outsourcing complex security tasks.

With the company’s cloud security platform, Trend Micro Cloud One, being hosted in the AWS Canada (Central) Region, Canadian customers can focus on their core business while their data is safely stored within the country.

While it protects people and organizations from all over the world, Trend Micro is also deeply invested in Canada — with over 300 Canadian employees in four locations

and three out of seven of its cloud services being researched and developed locally. This allows Canadian businesses to protect their existing on-premise infrastructure and devices, as well as their cloud environments — all under one platform.

Every employee plays a role in security

“Businesses that are unprepared for remote work may see an increased risk of corporate or customer data being stolen by hackers,” says Saikaley. “For example, security management consoles that relied on devices being connected inside the network perimeter will lose cyber threat visibility and control with devices at home with no connection to the corporate network.”

A recent study by Trend Micro, Cyber Risk Index 2021, found that 84 percent of North American organizations are likely to experience a data breach of customer records within the next 12 months.

As well, the study from HP found that 70 percent of workers will access their work devices for personal use due to remote work — including for gaming, using streaming services, and online learning, or homework — which will further put these devices, and the company itself, at risk for an attack.

In addition, Saikaley points out that over 90 percent of breaches start with a phishing email and notes the importance of companies having an awareness strategy to ensure that employees gain an understanding of what phishing looks like.

Phishing attacks are designed to trick victims into revealing personal information, like work passwords, and can lead to exposing devices to harmful ransomware or viruses, impacting company finances and brand reputation. These attacks can mimic websites or emails that you already access, like streaming sites, gaming sites, or even banking sites. As a result, attackers can gain access to private, sensitive information from companies through their employees.

This means it's important for an organization to train everyone, whether they’re a security leader, an employee working at home, or even a board member, on cybersecurity risks.

How trend micro can help

A challenge many organizations face is that the cloud isn’t simple, and many of the technologies that make up the cloud are new, with new features being deployed all the time. Understanding how these work and — more importantly — how to secure them can be difficult.

Utilizing a security platform approach can help build your cloud to be more secure, but educating your architects and administrators will also help. One key area is hardening your cloud account creden -

tials, as these will be regularly targeted by malicious actors. Using multi-factor authentication to access all accounts can minimize this risk tremendously.

“The Cloud One platform is ideal for organizations or businesses that are migrating to the cloud,” says Saikaley. “It provides enhanced visibility, detection, and response, and ensures that regulated workloads are meeting compliance and are protected, and that infrastructure misconfigurations are remediated promptly.” While businesses must modernize with software as a service (SaaS) based deployments to provide protection, they also need to supplement that security by achieving user, device, and cloud application risk insight through continuous risk monitoring such as with Trend Micro’s Zero Trust Risk Insights service — plus additional visibility, detection, and response.

With an increasing amount of cyber threats every day, it’s important for businesses to be prepared for any risks they might face. By combining a strong security strategy that encompasses all levels of an organization, a market-leading cybersecurity platform and world-class threat research, businesses can become more resilient in the new post-pandemic world.

Is your company prepared for the cybersecurity risks that come with remote work? Learn how to protect your company and how Trend Micro can help.