How much security is enough?
In today’s rapidly evolving digital landscape, small and medium-sized businesses (SMBs) are increasingly vulnerable to cyber threats. But with so many competing demands on an organization's time and money, many are left wondering: how much cybersecurity is enough?
In today’s rapidly evolving digital landscape, small and medium-sized businesses (SMBs) are increasingly vulnerable to cyber threats. Despite the growing frequency of attacks, many remain under-prepared, with insufficient budgets and outdated strategies. This article explores practical steps SMBs can take to protect their organizations, starting with assessing their needs, deploying industry frameworks and training their teams. It highlights the importance of continuous improvement and fostering a cyber-aware culture among employees. If you’re ready to strengthen your defences, take the time to read the full article for actionable guidance and insights.
The current landscape
Phrases such as “ransomware attack”, “data breach” and “cyber attack” are now practically weekly news items. For example, in their July 2024 report, Cyber Management Alliance noted 34 major events affecting large or well-known brands. That’s not year to date, that’s just July 2024 alone. According to IBM, the cost per breach is now averaging CAD $6.578 million (USD $4.88 million).
For a more local perspective here in Alberta, Canada, “more than half (51 per cent) of small- and medium-sized businesses (SMBs) in Alberta say they were attacked by cybercriminals over the past year; and 55 per cent paid a ransom to unlock their computers within the past three years” according to a recent study by KPMG Canada. In fact, according to the Government of Canada, at least 2 in 5 Canadians have been victims of ransomware.
So how are organizations responding? According to the same study from KPMG, only 28% of surveyed companies felt their organization was well-prepared for cyber attacks. Going further, Statistics Canada states that only 10.3% of Alberta-based companies reported having a dedicated cyber security budget, and only 19.3% are planning to take new or additional actions for their cyber security strategy.
These alarming statistics paint a clear picture: despite the increasing frequency and severity of cyber attacks, many organizations—particularly small and medium-sized businesses—are woefully under-prepared. This lack of preparedness isn’t just a matter of oversight; it reflects a deeper systemic set of challenges within the broader cybersecurity landscape. As threats continue to evolve, many organizations are finding themselves ill-equipped to respond effectively, raising crucial questions about what constitutes adequate security in today’s environment.
So, the short answer to ‘How much security is enough?’ is that it depends on your organization’s specific risks and resources—but not taking action is no longer a viable option.
The complexities of cyber security
The truth is that defending an organization from cyber threats is not for the faint of heart. The types of threats are as vast as they are complex; and the defences required are no less intricate. To manage this complexity, many organizations choose to offload the responsibility for such defences to Managed Service Providers (MSPs). However, these providers often find themselves supporting a staggering number of security products—sometimes ranging from 10 to 50—on top of their existing responsibilities for supporting administrative, maintenance, and productivity ecosystems.
This situation can lead to numerous challenges, such as teams being spread too thin, being overwhelmed by vast amounts of data, and struggling with misconfigurations. This often results in an incomplete picture of what’s truly happening within the network.
Typically, the primary goal of any IT service provider, including MSPs, is to focus on the operational needs of an organization—keeping systems online and ensuring teams remain productive. Yet, as noted in the Sophos MSP Perspectives 2024 report, a shortage of cybersecurity expertise presents a significant issue. This shortage is compounded by other critical problems such as stolen credentials, security tool misconfigurations, and insecure wireless networking. However, despite the importance of these issues, the biggest challenge highlighted is the constant struggle to keep up with the latest cybersecurity solutions and technologies.
So where does that leave us? According to the insights from the IBM Breach Report (2024), the situation is grim. A staggering 24% of organizations only discovered they were breached when notified by the attackers themselves. Another 34% were informed by a ‘benign third party.’ This means that security teams are only identifying breaches on their own 42% of the time—and even then, it’s often far from immediate.
The industry term ‘MTTI’—Mean Time To Identify—refers to how long it takes to discover a security incident. Shockingly, the average MTTI is 194 days, or roughly 6.4 months. The ‘MTTC,’ or Mean Time To Contain, which is the time taken to stop the immediate damage, averages 64 days. It’s important to note that “contain” doesn’t mean the issue is fully resolved—it simply means the ‘bleeding’ has been stopped. This means that on average, it takes an enterprise 8.5 months to discover and contain a threat.
But not all incidents are created equal. Ransomware, for instance, is particularly insidious, with an average time to identify of 211 days and another 73 days to contain. Fully remediating a network—restoring all systems to full operational capacity—can be a project that stretches on for many weeks or even months after containment.
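The MTTI and MTTC figures quoted above are averages over incident records, so they are easy to compute for your own organization once you keep even a minimal incident log. The script below is an added example (not from the article or from IBM's methodology): it takes constructed incident records, validates that the compromise, identification and containment dates are in order, and reports MTTI, MTTC, the combined lifecycle, the share of incidents the organization found on its own, and the same breakdown per incident type. Incident names, dates and categories are constructed sample data.

```python
"""Breach-lifecycle metrics (MTTI, MTTC, self-detection rate) from incident records.

Added example, not from the article or any cited report. The incident records
below are constructed sample data; names, dates and categories are illustrative.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class Incident:
    name: str
    kind: str              # constructed category, e.g. "ransomware"
    compromised: date      # best estimate of initial compromise
    identified: date       # when the organization learned of the incident
    contained: date        # when the immediate damage was stopped
    discovered_by: str     # "internal", "third_party" or "attacker"

    def __post_init__(self) -> None:
        # Dates running backwards are a data-entry error, not a fast response.
        if not (self.compromised <= self.identified <= self.contained):
            raise ValueError(f"{self.name}: need compromised <= identified <= contained")
        if self.discovered_by not in {"internal", "third_party", "attacker"}:
            raise ValueError(f"{self.name}: unknown discovered_by {self.discovered_by!r}")


def time_to_identify(inc: Incident) -> int:
    """Days from compromise to discovery (the per-incident input to MTTI)."""
    return (inc.identified - inc.compromised).days


def time_to_contain(inc: Incident) -> int:
    """Days from discovery to containment (the per-incident input to MTTC)."""
    return (inc.contained - inc.identified).days


def lifecycle_metrics(incidents: Iterable[Incident]) -> Optional[dict]:
    """MTTI, MTTC, total lifecycle and the share of incidents found internally.

    Returns None for an empty input rather than dividing by zero.
    """
    incs = list(incidents)
    if not incs:
        return None
    mtti = mean(time_to_identify(i) for i in incs)
    mttc = mean(time_to_contain(i) for i in incs)
    self_found = sum(1 for i in incs if i.discovered_by == "internal")
    return {
        "count": len(incs),
        "mtti_days": round(mtti, 2),
        "mttc_days": round(mttc, 2),
        "lifecycle_days": round(mtti + mttc, 2),  # identify + contain
        "self_detected_pct": round(100 * self_found / len(incs), 1),
    }


def metrics_by_kind(incidents: Iterable[Incident]) -> dict:
    """The same metrics per incident type, since not all incidents are equal."""
    incs = list(incidents)
    kinds = sorted({i.kind for i in incs})
    return {k: lifecycle_metrics(i for i in incs if i.kind == k) for k in kinds}


# Constructed sample records (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("phish-01", "credential_theft", date(2024, 1, 10), date(2024, 3, 20),
             date(2024, 4, 5), "internal"),
    Incident("ransom-01", "ransomware", date(2023, 11, 1), date(2024, 5, 30),
             date(2024, 8, 11), "attacker"),
    Incident("ransom-02", "ransomware", date(2024, 2, 1), date(2024, 2, 15),
             date(2024, 3, 1), "third_party"),
    Incident("web-01", "web_app", date(2024, 4, 1), date(2024, 4, 3),
             date(2024, 4, 4), "internal"),
]

if __name__ == "__main__":
    print("overall:", lifecycle_metrics(SAMPLE_INCIDENTS))
    for kind, m in metrics_by_kind(SAMPLE_INCIDENTS).items():
        print(f"{kind}: {m}")
```

The per-kind breakdown is the part worth keeping in a real report: an overall MTTI that looks acceptable can hide one category, such as ransomware, whose dwell time is far longer than the rest.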
The long-term impacts are equally devastating. According to the IBM report, “Only 12% of organizations queried during this year’s report said they had fully recovered from their data breaches.” 70% of respondents had significant or severe disruption to their operations. Factoring the costs of such disruptions, recovery costs were often closer on average to CAD $6.7 million (USD $5.01 million). The majority are still grappling with the aftermath, which often includes lost revenue, damaged customer trust, and the daunting task of repairing their reputation. Moreover, there’s the additional burden of supporting employees and customers who may suffer follow-on attacks, such as identity theft.
A common refrain from smaller enterprises is that the costs of containment and recovery will be far more manageable than the millions spent by larger firms. While it’s true that costs scale to a degree with the size of an organization, it’s still pricey. For example, take the experience of one small business: in the middle of a ransomware attack, the quick thinking of the systems administrator ensured that only 5 out of 15 workstations, 1 server and 1 data backup system were encrypted. Still, just recovering the hobbled systems cost roughly CAD $20,226 (USD ~$15,000), not including other costs. It’s unknown what losses in revenue were incurred, or how customer relationships were affected, but in today's challenging economy, such a situation could quickly spiral.
Another common misconception is that SMBs are not a target. Many SMB leaders say “it’s never happened to us”, as if it never will. However, according to the Cyber Readiness Institute, “Small and medium-sized businesses (SMBs) are the lifeblood of the global economy, driving innovation, creating jobs, and spurring local prosperity. An estimated 350-to-400 million SMBs employ at least half of the world’s workforce and produce upwards to half the gross domestic product (GDP) in many developing countries.” This is far too tempting a target for cyber criminals.
There are two key reasons for this: a) cybercriminals know they can expect fewer, and less sophisticated, defences from SMBs; b) they know there’s a chance they can use their illegal access to an SMB as a means to gain access to a larger target. Thus, the Cyber Readiness Institute further states in its 2024 report, “The State of Cyber Readiness Among SMBs 2024”, that “It is vital to understand where SMBs stand on the cybersecurity battleground.”
Finally, there is the consideration of regulatory requirements. For example, in the USA relevant regulations might include GLBA, COPPA, HIPAA or CCPA, and in Canada, regulations such as PIPEDA (federal) and PIPA (provincial, in Alberta). Penalties for noncompliance often start in the thousands of dollars per breach, and can easily ramp up into the tens of thousands depending on the judgement and the severity of the breach.
There is hope and a way forward
Common misconceptions about security planning are that it either isn’t required, or that it is so complex and costly that it isn’t worth it. Of course, neither of those statements is true. The solution lies in taking a big-picture view of what your organization needs, and then breaking that down into manageable projects. In particular, security cannot be perceived as an add-on or as a problem that can be solved with tools. Instead, it requires an operational mindset that treats security as a process of continuous improvement.
So how can a security program be manageable? It comes down to the simple principle of breaking the process down into smaller steps, and then completing one of those steps at a time. Each step often informs what is required in the following step.
Assess Your Cybersecurity Needs
A solid first step is assessing your current situation, as well as deciding if you need additional expertise to satisfy your cybersecurity requirements.
- Identify Your Critical Information and Data: Determine which information is most crucial to your organization's success, such as customer details and confidential business information.
- Catalog Essential Tools and Systems: Make a list of the key hardware and software that your business relies on—this could include your website, email systems, file storage, and accounting software.
- Pinpoint Your Most Valuable Assets: From the above lists, highlight the top items that would have the most devastating impact if compromised or lost. Think of these as your "key pillars of operation".
- Review Access Controls: Examine who has access to these key pillars. Evaluate whether the current level of protection is sufficient and if it aligns with your security comfort level.
- Assess Your Protection Measures: If you're unsure about how well-protected these assets are, it’s a signal to consider getting professional advice.
- Evaluate Your Capacity for Improvement: If your assets need better protection, assess whether you have the knowledge and resources to implement the necessary security measures. If not, external support may be necessary.
- Understand Regulatory Requirements: Check if your business must comply with specific cybersecurity, data protection, or privacy regulations from customers or governing bodies. Ensuring compliance can save you from sizeable penalties.
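The steps above amount to building an inventory, ranking it by impact, and then reviewing who can reach the items at the top. The script below is an added example, not part of the article or of any framework it cites: it models a small inventory, picks out the "key pillars" by impact, and flags the access-control and regulatory findings a practitioner would want written down before deciding whether outside help is needed. The asset names, access lists, impact scores and the thresholds (at most two admin accounts, MFA required at impact 4 or higher, accounts prefixed `shared-` treated as shared) are constructed assumptions; adjust them to your own comfort level.

```python
"""Asset inventory, key-pillar ranking and access review for a small organization.

Added example, not from the article or the NIST SMB guide. Assets, access
lists, scores and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    kind: str                   # "data" or "system"
    impact: int                 # 1 (nuisance) .. 5 (business-ending) if lost or compromised
    holds_personal_info: bool   # drives privacy-law review (e.g. PIPEDA / PIPA)
    access: Dict[str, str]      # account -> role, "admin" or "user"
    mfa_enforced: bool


def key_pillars(assets: List[Asset], top_n: int = 3) -> List[Asset]:
    """Highest-impact assets; ties broken by name so the ranking is stable."""
    return sorted(assets, key=lambda a: (-a.impact, a.name))[:top_n]


def review_access(asset: Asset, max_admins: int = 2) -> List[str]:
    """Findings for one asset, phrased as items to fix or to get advice on."""
    findings = []
    admins = [u for u, role in asset.access.items() if role == "admin"]
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} admin accounts (limit {max_admins}); apply least privilege")
    if asset.impact >= 4 and not asset.mfa_enforced:
        findings.append("MFA not enforced on a high-impact asset")
    shared = [u for u in asset.access if u.startswith("shared-")]  # assumed naming convention
    if shared:
        findings.append(f"shared accounts present: {', '.join(shared)}")
    if asset.holds_personal_info:
        findings.append("holds personal information; confirm PIPEDA/PIPA obligations")
    return findings


def assessment_report(assets: List[Asset], top_n: int = 3,
                      max_admins: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Key pillars first, each with its impact score and access findings."""
    return [(a.name, a.impact, review_access(a, max_admins))
            for a in key_pillars(assets, top_n)]


# Constructed sample inventory (not a real organization).
SAMPLE_ASSETS = [
    Asset("customer-db", "data", 5, True,
          {"alice": "admin", "bob": "admin", "carol": "admin", "shared-reports": "user"}, False),
    Asset("accounting", "system", 4, False, {"dave": "admin"}, True),
    Asset("email", "system", 4, True, {"alice": "admin", "everyone": "user"}, True),
    Asset("website", "system", 3, False, {"webdev": "admin"}, True),
    Asset("wiki", "system", 1, False, {"everyone": "user"}, False),
]

if __name__ == "__main__":
    for name, impact, findings in assessment_report(SAMPLE_ASSETS):
        print(f"{name} (impact {impact}):")
        for f in findings or ["no findings"]:
            print(f"  - {f}")
```

The output is deliberately short: a ranked list of the few assets that matter most, each with concrete findings. If that list contains items you do not know how to resolve, that is the signal from the "Evaluate Your Capacity for Improvement" step that external support is worth the cost.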
Remember that cyber criminals are often extremely patient, persistent, and thorough. However, if your planning and execution are equally meticulous, you can become a less attractive target. When the potential payoff no longer justifies the effort, criminals are likely to move on. Consequently, the value of bringing in adequate support cannot be overstated. In fact, today most businesses need some outside support for IT and cybersecurity.
Building your cybersecurity program
A key element that can help in simply getting started is having a well-organized plan with some structure. There are many frameworks available for this purpose, but the US National Institute of Standards and Technology has an excellent guide for SMBs. In it, they outline the NIST Cybersecurity Framework (2.0), which contains six ‘high level functions’:
- Govern: helps you to establish and monitor your organization's cybersecurity risk management strategy, expectations and policy.
- Identify: helps you to determine the current cybersecurity risk to the organization.
- Protect: supports your ability to use safeguards to prevent or reduce cybersecurity risks.
- Detect: provides outcomes that help you to find and analyze possible cybersecurity attacks and compromises.
- Respond: supports your ability to take action regarding a detected cybersecurity incident.
- Recover: involves activities to restore assets and operations that were impacted by a cybersecurity incident.
Working through these ‘functions’ breaks the development of a comprehensive cybersecurity program into manageable pieces, with the outcome being that you can ‘understand, assess, prioritize and communicate’ more effectively. The activities listed under each function in the guide provide the step-by-step approach that makes the work manageable.
It’s also essential to realize that no cybersecurity plan is ever perfect or complete. As organizations change, so does technology as well as the threats. So, a cybersecurity program has to be iterative and continuous in development. Let’s think about this with an analogy:
Imagine your organization as a ship navigating through ever-changing waters. The crew aboard this ship isn’t static; people are constantly coming aboard and disembarking. Some crew members bring valuable experience and knowledge, while others may be new to sailing and unfamiliar with the ship's operations or the seas ahead.
Just as a ship cannot afford to set sail without ensuring every crew member is well-trained and prepared for their role, your organization likewise cannot expect to maintain strong cybersecurity defences without continuous training and support for your team. When a new crew member joins, they must be swiftly brought up to speed on the ship’s operations to prevent mishaps. Similarly, as team members come and go, ensuring everyone is well-versed in your organization’s cybersecurity protocols and methods is essential.
However, training is not limited to onboarding. Even seasoned crew members need ongoing drills and updates to respond to new challenges at sea. The same applies to your team. Cyber threats are constantly evolving, and so must your team’s knowledge and skills. Regular training sessions, updated resources, and continuous support are crucial to ensure that everyone—whether new or experienced—remains vigilant and capable of responding to the latest cybersecurity threats.
By treating cybersecurity training as an ongoing journey rather than a one-time event, your organization ensures that its defences are as strong and adaptable as the team behind them.
It’s also important to consider your ship. Safety equipment deteriorates, new equipment is developed, regulations and requirements change, and so on. Accordingly, a crew will regularly inspect, maintain and replace its equipment - especially safety equipment. For example: emergency communications devices such as satellite radio or ‘EPIRB’ (a portable device that automatically transmits a call for help along with a position) used to be state-of-the-art for sailors; today, however, they are standard, or even required, tools aboard sea-going vessels. The same is true for the technical equipment that runs your organization. The tools you use to secure your organization must match the threats of the day. For example, you’re likely familiar with terms like ‘anti-virus’ and ‘firewall’, but what about EDR (Endpoint Detection and Response) or SIEM (Security Information and Event Management)? Such tools used to be cutting-edge, and only at the disposal of deep-pocketed enterprises; today, however, they are essential tools that every organization should use.
So, when we come back to that initial question, “How much security is enough?”, the only real answer is this: there’s no fixed amount of security that’s ‘enough.’ Instead, it’s about maintaining an adaptable, ever-evolving program that matches the scale and risks of your business.
Creating Awareness
By far one of the most effective ways an organization can protect itself is by making awareness part of the team mentality. When people share knowledge and collaborate continuously, the effort required by cyber criminals ramps up significantly. Therefore, developing a cyber-aware culture is essential. This doesn’t come easily to everyone, so patience is essential. Leadership must take the time to integrate a team's valuable knowledge and insights into the organization, complementing that expertise with cybersecurity-aware methods.
On the other hand, if leadership treats security awareness as mundane, that attitude will likely permeate the organization, diminishing the value of the investment.
The most effective methods are ones that are engaging, fun and rewarding. There is rarely a one-size-fits-all approach for every organization, so creativity is required. Thus, it’s important for leaders to ask themselves how they can make security awareness an approachable and rewarding part of a team’s ongoing education.
Take the First Step
Now, all of this may seem daunting, but every step forward - however small - makes your organization that much stronger and more resilient. Start by understanding where your organization stands today: assess your assets, identify your vulnerabilities, and make informed decisions about what needs to be secured first. This is the first leg of your journey—a crucial one that gives you the insight and confidence to move forward. Next, focus on building a strong foundation by integrating cybersecurity into your daily operations, much like how a ship’s crew keeps the vessel afloat through careful coordination and maintenance.
Remember, you don’t have to make this journey alone. If your organization needs help, seeking external support from cybersecurity professionals can make a world of difference. Whether it’s navigating complex regulatory requirements or developing tailored defence strategies, the right guidance can save you time and resources, and protect your reputation in the long run.
No matter your starting point, the key to long-term security is adopting a continuous improvement mindset. Technology and cyber threats are always evolving, but so can your defences. With regular training, assessment, and adaptation, you can ensure your organization is well-prepared to face whatever comes next.
Resources
Glossary
General Cybersecurity Terms
- Cybersecurity: The practice of protecting systems, networks, and data from digital attacks that aim to access, change, or destroy sensitive information.
- Incident: Any event that compromises the confidentiality, integrity, or availability of information systems or data. Incidents range from minor technical issues to full-scale cyber attacks.
- Threat: Any circumstance or event with the potential to cause harm by exploiting a vulnerability, intentionally or unintentionally.
Types of Cyber Attacks
- Ransomware: Malicious software designed to block access to data or systems until a ransom is paid.
- Data Breach: An incident where unauthorized access to sensitive data occurs, often leading to exposure or theft.
- Phishing: A form of social engineering where attackers impersonate trusted entities to steal sensitive data like login credentials or financial information.
- Zero-Day Exploit: A vulnerability in software that is unknown to the vendor and has not yet been patched, making it a prime target for attackers.
Cybersecurity Frameworks and Compliance
- NIST Cybersecurity Framework: A set of guidelines developed by the U.S. National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risk.
- PIPEDA (Personal Information Protection and Electronic Documents Act): A Canadian law that regulates how organizations collect, use, and disclose personal information in commercial activities.
- PIPA (Personal Information Protection Act): A law in Alberta that governs the handling of personal information by private organizations within the province.
Cybersecurity Tools and Technologies
- Firewall: A security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules, acting as a barrier between trusted and untrusted networks.
- Endpoint Detection and Response (EDR): A cybersecurity technology that monitors and detects threats on endpoints like computers and mobile devices and enables swift mitigation actions.
- Security Information and Event Management (SIEM): A technology that provides real-time analysis of security alerts generated by network hardware and applications, helping organizations detect and respond to potential threats.
Cybersecurity Processes
- MTTI (Mean Time To Identify): The average time it takes to identify that a security incident has occurred.
- MTTC (Mean Time To Contain): The average time it takes to contain or stop the immediate damage caused by a security incident after it has been detected.
- Vulnerability Assessment: A systematic process of identifying, evaluating, and addressing security weaknesses within an organization’s systems, networks, or software.
- Incident Response: The process of detecting, investigating, and responding to cybersecurity incidents to minimize their impact and restore normal operations.
Bibliography
- Cyber Management Alliance. (2024, July). July 2024 Biggest Cyber Attacks, Data Breaches and Ransomware Attacks. Retrieved from https://www.cm-alliance.com/cybersecurity-blog/july-2024-biggest-cyber-attacks-data-breaches-and-ransomware-attacks
- IBM. (2024). Cost of a Data Breach Report 2024. Retrieved from https://www.ibm.com/downloads/cas/1KZ3XE9D
- KPMG Canada. (2023, October). Cyber Crime Strikes More Than Half of Alberta Companies. Retrieved from https://kpmg.com/ca/en/home/media/press-releases/2023/10/cyber-crime-strikes-more-than-half-of-alberta-companies.html
- Government of Canada. (2023). Ransomware Awareness for Canadians. Retrieved from https://www.getcybersafe.gc.ca/en/blogs/does-your-small-business-need-cyber-insurance
- Statistics Canada. (2023). Table: Business Innovation and Growth, Cybersecurity Measures. Retrieved from https://www150.statcan.gc.ca/t1/tbl1/en/tv.action?pid=3310087501
- Sophos. (2024). MSP Perspectives 2024: Insights from MSPs on Security Challenges and Best Practices. Retrieved from https://assets.sophos.com/X24WTUEQ/at/4pkwmz2c5z35tpgrj4r3fxw8/sophos-msp-perspectives-2024-wp.pdf
- TechTarget. (n.d.). Ransomware Attack Case Study: Recovery Can Be Painful. Retrieved from https://www.techtarget.com/searchsecurity/feature/Ransomware-attack-case-study-Recovery-can-be-painful
- Cyber Readiness Institute. (2024). The State of Cyber Readiness Among SMBs 2024. Retrieved from https://cyberreadinessinstitute.org/resource/low-awareness-lagging-implementation-little-incentive-the-state-of-cyber-readiness-among-small-and-medium-sized-businesses-2024/
- NIST (National Institute of Standards and Technology). (2023). NIST Cybersecurity Framework for SMBs. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf
- Wikipedia. (n.d.). Emergency Position-Indicating Radiobeacon (EPIRB). Retrieved from https://en.wikipedia.org/wiki/Emergency_position-indicating_radiobeacon
- Microsoft. (n.d.). What is Endpoint Detection and Response (EDR)? Retrieved from https://www.microsoft.com/en-us/security/business/security-101/what-is-edr-endpoint-detection-response
- Microsoft. (n.d.). What is Security Information and Event Management (SIEM)? Retrieved from https://www.microsoft.com/en-ca/security/business/security-101/what-is-siem