July 23, 2024 by Blair Brown

4 cyber concerns every business should consider

Cyber criminals are constantly developing new techniques to compromise the security of unsuspecting businesses. The threat landscape keeps shifting with emerging technology and the expansion of cloud services, automation, artificial intelligence and machine learning, and the risk paradigm for our public and private sector clients has evolved with it. What follows is an overview of the four most common cybersecurity threats and concerns we currently warn clients about.

Readiness for the secure use of AI and automation

To quote Bob Dylan, “the times, they are a-changin’”. Senior management are hearing about the benefits of AI, automation and Microsoft Copilot – in terms of both productivity and cost – but some are concerned about the risks and are not sure they are ready to embrace these powerful new tools. With the adoption of any new technology, managing risk related to compliance, legal obligations, data privacy, data exfiltration and security is a key priority. AI and automation can expand this risk envelope, as they often require broad privileges to be effective. They also often retain the user’s prompts, and an assistant that searches with the user’s own permissions will surface every file those permissions reach, including over-shared content the user never knew existed. If you have not thoroughly considered the risks of AI, conducted a readiness evaluation and looked at your existing data governance, data security, data privacy and cybersecurity in detail, you are probably not ready to flip the switch on AI or automation.

Securing the human

End users, staff, vendors and others using enterprise resources are the most vulnerable point of attack, which is why cyber criminals regularly target them. The proliferation of remote work, BYOD, mobile devices and third-party applications only exacerbates the challenge of securing the end user. In our experience, many organizations implement security awareness training, but it tends to be limited, consisting of little more than a handful of generic videos or a short quiz. These programs are not always meaningful or relevant to the user, and they rarely take firm action to educate or correct behaviour when users fail simulated phishing campaigns. In our work with clients, we repeat the same phrase: “Security is something you do, not something you buy.”

Rethinking the perimeter 

Clients often ask whether their existing firewalls, anti-virus software and web filters effectively mitigate their risk exposure. With very few exceptions, the answer is no. In a hybrid environment of remote users, cloud servers, cloud services and assorted applications, relying only on a traditional, perimeter-focused security model is an incomplete strategy. As an alternative, we suggest clients adopt a risk mitigation model focused on essential assets: the “crown jewels” approach. In most organizations, risk is overwhelmingly concentrated in three asset groups: data, identity and access management, and the services and applications that connect to, process, access and store that data. Adopting a crown jewels approach means identifying your assets of value, understanding the risks to each one and applying mitigations where they matter most.

Third-party risk management

As mentioned above, third-party services and applications are a growing part of the IT landscape. However, we regularly encounter situations where third-party vendors and applications are given privileged access to sensitive data and systems without an appropriate level of assurance. Failing to properly manage third-party relationships and services can lead to a number of preventable negative outcomes: loss of data, loss of system availability, data integrity issues, failure to meet regulatory or contractual requirements and loss of reputation. Senior management must ensure there is a proactive Third-Party Risk Management (TPRM) program in place that identifies and mitigates risk prior to adoption, limits exposure, monitors compliance and allows the organization (and its advisors) to retain control. If you do not have a program in place to manage vendor risk and address basic security concerns, you are likely exposed to an entirely predictable threat. You can always outsource your services, but you should never outsource your risk management responsibilities.

Baker Tilly Canada’s Ignite series features insight from audit, tax and advisory experts that covers a range of topics affecting financial planning for individuals and businesses both today and in the future. From SMB advisory and wealth management to tax policy and digital transformation, Ignite articles aim to inspire action.

Meet the Author

Blair Brown
Courtice, Ontario
D (905) 372-5757 x 1212