Is Your Business Ready to Defend Against Cyber-Threat?

The biggest threat to our domestic security could very well be lurking within a computer on your desk.  According to the US’s Director of National Intelligence James Clapper, cyber-vulnerabilities are now the number one risk facing the United States and its allies; ahead of terrorism and weapons of mass destruction.[1]

And yet, despite this very real and credible threat, business organizations and institutions continue to take only the bare minimum measures to protect themselves from cyber-risk. As a result, many organizations are woefully unprepared to fend off a cyber-attack.

Some of the biggest brands in North America and the world — Target, Home Depot and eBay — have experienced significant cyber security breaches.  However the most vulnerable Canadian companies of all to the threat of cyber-risk are small to mid-sized business, 60% of which have no security strategy in place and no way to prepare their networks to securely support new mobile or cloud-based models.[2]

So, it is not about “if” a data breach will occur in your business.  It is simply a matter of “when.”  And clearly, we need to devise a better and more proactive way to help businesses of all sizes manage that risk.

In a new whitepaper [3] by Canadian Centre for Cyber Risk Management (C3RM) Managing Director Doug Blakey and Dr. Ann Cavoukian, Executive Director of the Privacy and Big Data Institute at Ryerson University, the Centre for Cyber Risk Management (C3RM) introduce Cyber Risk Management by Design (CRMbD). CRMbD is a best practices framework for cyber risk prevention, aimed at protecting not only the individuals within an organization, but the organization itself.

Using seven foundational principles, CRMbD introduces a cyber-risk prevention strategy that can be used to:

  • protect individuals from personal identity theft; save early-stage companies such as start-ups from losing their intellectual property (IP);
  • minimize media embarrassment and financial loss for mid-sized businesses resulting from a cyber-breach; and
  • mitigate broad scale risk to enterprises and their trading partners in the event of a successful attack.

Cyber-risk is a significant threat to our personal privacy and business security.  However, by changing our mindset and by improving our approach, we can substantially reduce the risk to individuals and to business of all sizes.  C3RM’s CRMbD framework sets out a proven and very practical approach for businesses to employ in assessing that risk, and to containing it from the very beginning.

Interested in learning more about the CRMbD framework and how it can help your business minimize cyber-risk?  Request a complimentary copy of the whitepaper “Cyber Risk Management by Design” today.

By Doug Blakey,President, Watsec Cyber Risk Management ( and Director, Canadian Centre for Cyber Risk Management (C3RM) (


[1] Worldwide Threat Assessment of the United States Intelligence Community.
[2]Armina Ligaya, “ Canada’s small and medium-sized firms vulnerable to cyber attacks,” Financial Post, December 2014.
[3] Canadian Centre for Cyber Risk Management “Cyber Risk Management by Design – An Approach for Managing the Privacy and Security Risks Associated with the Use of Cyber Systems”


CRSP Part 4: Understanding Rogers’ Cyber Breach and Why Every Organization Must Improve Employee Cyber Awareness

This is one in a series of related short essays for 2015 about the unrelenting cyber stresses every person and every organization now faces. The first essay, titled Cyber Risk, Security & Privacy (CRSP) – Waterloo Region’s Vibrant New Business Cluster, appeared in the December, 2014 issue of The Triangle.

“There are no limits to the majestic future which lies before the mighty expanse of Canada with its virile, aspiring, cultured, and generous-hearted people.”
-Sir Winston Churchill [i]

Canadians are known as “generous-hearted people” around the world. When it comes to electronic business communications, has this become a liability?
According to a recent article in the Globe and Mail, “Rogers Communications Inc. says that a security breach it is attributing to “human error” has resulted in outsiders gaining access to information associated with dozens of its medium-size business accounts.” [ii]

In this case the “human error” was made by a Rogers’s employee who was tricked into giving enough information to a social engineer “hacker” who then gained access to internal records related to some of Roger’s commercial clients. The hacker then threatened the employee and his family as well as demanded money from Rogers in exchange for not leaking information about this breach to the public.

What is social engineering and how can the cyber risk associated with it be avoided?

As defined in Wikipedia, “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.”[iii]

Social engineering has become an extremely common means for gaining the information required in order to break into computer systems. Often a social engineer will glean information from multiple sources.  For example a phone call to a help desk support person or unsuspecting office worker, combined with an abundance of information available from social media outlets like Facebook, is all it takes to gain unauthorized access to business systems.

The clear message is to make sure all knowledge workers in every organization are fully aware of the cyber risks they face and how best to reduce that risk.

How are local organizations helping to address cyber risk?

The Canadian Centre for Cyber Risk Management (C3RM)[iv], based here in Waterloo Region, promotes cyber risk awareness for Canadian business. Comprised of businesses and organizations from across Canada, it promotes Cyber Risk Management by Design. This means addressing cyber risk from the outset when starting a new business, business unit, or even a business project that involves people and/or technology that affects people from either a privacy or security perspective.


[i] Churchill by Himself, Richard Langworth, page 156, Ebury Press, 2008.

[ii] Human error blamed for Rogers online security breach, Christine Dobby, Globe & Mail, March 2, 2015.

By Doug Blakey, President Watsec Cyber Risk Management, & Director, Canadian Centre for Cyber Risk Management.

CRSP Part 3: Two Local Companies Helping the Business World Function More Securely

This is one in a series of related short essays for 2015 about the unrelenting cyber stresses every person and every organization now faces. The first essay, titled Cyber Risk, Security & Privacy (CRSP) – Waterloo Region’s Vibrant New Business Cluster, appeared in the December, 2014 issue of The Triangle.

“Privacy – like eating and breathing – is one of life’s basic requirements.” – Katherine Neville[i]

On Wednesday February 4 Anthem Inc., the second largest health insurer in the United States announced that it had a major security breach affecting millions of their clients. In an open letter, Anthem’s President Joseph R. Swedish said:

“…attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information…”[ii]

This is another in a long list of security breaches over the last 18 months that have exposed the personal information of hundreds of millions of North Americans.

How are two companies in Waterloo Region helping to address this problem?

When any business gains privileged access to sensitive personal information, it has an obligation to safeguard that information. This means safeguarding it when at rest, such as when it is stored on a database server or on a mobile device like a smartphone, and safeguarding it when it is in transit, such as on the network between a smartphone and a server. One way to do this is to encode the information using a process called encryption. Encryption algorithms can be very complex and have different properties which lend them better suited for certain applications. They can also take a long time to develop and verify mathematically. Of many local companies involved with improving security and privacy, two in particular come to mind: TrustPoint Innovation Technologies Ltd. and BlackBerry. According to TrustPoint’s web site, “TrustPoint develops innovative security solutions for Machine to Machine applications including Wireless Broadband, Near Field Communications and Vehicle to Vehicle Communications.” [iii] These secure solutions become more and more important as emerging trends like driverless cars and the Internet of Things become main stream. And according to BlackBerry’s web site, “Pushing the world of business forward can only be realized when a trusted environment is in place. BlackBerry® is the first name in enterprise mobile security, and is committed to building the world’s most secure interconnected solutions.”[iv] BlackBerry develops devices and supporting software systems to enable businesses to leverage mobile technology with confidence. Doing this effectively is critical for modern businesses to continue to operate with the full trust of their clients, their partners, and their employees. TrustPoint and BlackBerry are but two of the companies heavily involved in the local cyber risk, security, and privacy business ecosystem. What they do helps organizations around the globe continue to maintain a critical ingredient for success – the trust and confidence of people. In the next issue we will look at more organizations from Waterloo Region’s vibrant CRSP sector that adds business value in other ways.

[ii]From the Desk of Joseph R. Swedish.
[iii]Designed for Machine to Machine Infrastructures.
[iv]BlackBerry in the Enterprise.

By Doug Blakey, President Watsec Cyber Risk Management, & Director, Canadian Centre for Cyber Risk Management.