Introduction to Cyber Security
Cyber security refers to the body of technologies, processes and practices designed to protect networks, devices, programs and information from unauthorized access.
Cyber security is important because governments and organizations collect, process, store and send information. Much of this information is sensitive, and unauthorized access or exposure could have negative consequences.
The most difficult challenge in cyber security is the rapidly evolving nature of security risks.
What is cyber security?
Cyber security describes the discipline dedicated to protecting information and the systems used to process or store it.
Cyber security encompasses the following elements:
Application security involves keeping software and devices secure from attack.
Cloud security refers to protecting information in cloud-based digital environments (in servers not on the organization’s own premises) and maintaining the security of the cloud.
Disaster recovery and business continuity define how an organization responds to a cyber security incident or other event that causes loss of operations or information.
- Disaster recovery dictates how an organization restores its operations and information to the same operating capacity as before the event
- Business continuity is the plan the organization falls back on while trying to operate without access to normal resources
End user education teaches us (the users of technology) about what we need to know and do to keep ourselves and our organization cyber safe.
Endpoint security is the process of protecting end-user devices such as desktops, laptops, and mobile devices.
Information security protects the confidentiality, integrity, and availability of information in storage and in transit.
Mobile security is the security of mobile devices including mobile phones and tablets.
Network security is the practice of securing computer networks and protocols against intruders and attacks.
What is cybercrime?
Cybercrime is generally defined as a criminal offence that targets a computer system or an electronic device, or where a computer system is used as a tool to commit the crime.
Cybercrime occurs when malicious actors take advantage of vulnerabilities in software, hardware and human behavior online. Their goals include obtaining information, which can be sold, traded, revealed or used to perpetrate more cybercrime.
These malicious actors are often referred to as threat actors.
Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
Cybercrime is a significant threat to every organization, government and individual in the world. Cybercrime is increasing in frequency and complexity every year. By 2025, cybercrime is expected to cost the world $10.5 trillion USD [1]. To put that number in perspective, the gross domestic product (GDP) of the United States was $22.68 trillion USD in 2021.
Motivation plays an important role in what threat actors target. For example:
- If the motivation is political, the target could be sensitive information that, if purposefully leaked, could cause reputational damage
  - A version of this is called hacktivism, in which hackers steal, modify or limit access to information, websites or emails as a form of protest
- If the motivation is financial, the target could be access to critical information or systems that could be ransomed for money
Malicious threat actors take a similar approach to perpetrate a cyber attack. Understanding this approach helps you detect and counter potential attacks.
First, a threat actor will:
Do research on the target organization. Knowing the organization well allows them to exploit human or system vulnerabilities. During this phase, you may experience unusual emails, texts, or calls.
Then, they will:
Coordinate resources and tailor tools needed for the attack. Many threat actors have a large tool kit available. This includes malware or vulnerability exploits, and tools to support the social engineering attack. It’s unlikely for you to have indicators of this activity.
Then, they will:
Execute the attack. This typically involves exploiting one or more avenues, entries or software vulnerabilities, to gain information or system access. This is where you may notice computer issues or even encounter a ransom message. During social engineering attacks, you will receive emails, texts, or phone calls enticing you to act on the threat actor’s goals, often through a simple click or a request for specific information.
Finally, they will take actions to:
Achieve goals. Unless the threat actor was able to get the desired information, they will continue to use their increasing level of access to achieve their goals. You may not be aware that anything is happening, but unusual computer or network activity could be visible.
Why am I a target?
If you handle information and use information systems, you are a target.
Like anyone in your organization, you could be targeted by threat actors attempting to get access to organizational information or information systems.
While your organization takes steps to reduce and eliminate threats, threat actors will target people like you to gain access to information and information systems. Your organization therefore relies on you to stay vigilant and help detect anomalies that may indicate that an attack is imminent or underway.
To understand why you might be a target for threat actors, you need to consider:
- What services does my organization provide? If these services were disrupted, would this cause hardship?
- What information and networks do I have access to? Could the information or networks hold value for a threat actor?
- Am I an easy target? Am I skeptical of requests asking me to do something, and am I willing to think critically and ask questions before taking action?
We all play a significant part in protecting our organization’s information and assets. If we are part of an organization, no matter what our job title is, we are a conduit to the organization’s most critical information and information systems. In cyber security, these are known as crown jewels.
What to do if you're a victim?
If you think that you may have been the victim of a cybercrime, you should take the following steps:
Gather information including copies of the emails or text messages.
If you believe you might have revealed sensitive information about your organization to a threat actor, report the incident to the appropriate people within your organization.
Immediately change any passwords you might have revealed or that you suspect were compromised. If you used the same password for multiple accounts, make sure to change the password for each account. Never use the password again. It may now be known to threat actors.
If you believe your financial accounts may be compromised, contact your financial institution immediately. Watch for any unexplainable charges to your financial accounts.
Report the incident to your local police and get a file number for future reference. Like any other crime, a cybercrime needs to be reported to the proper authorities right away. Timely reporting is important to ensure all potential digital evidence is properly preserved for a law enforcement investigation.
Report the incident to the Canadian Anti-Fraud Centre toll free at 1-888-495-8501. Visit the Canadian Anti-Fraud Centre’s what to do if you're a victim of fraud page for more information.
Call Service Canada at 1-800-O-Canada if any of your federally issued ID was compromised (for example social insurance number or passport).
Call your province/territory. If you believe your driver's licence or health card was compromised, contact the provincial or territorial ministry responsible for transportation or the provincial or territorial government department responsible for health.
Here are common cyber security best practices that you can adopt. Use them on all your devices – laptops, desktop computers, mobile phones, and smart devices. These best practices are easy to adopt and significantly reduce risk.
Security software provides significant protection against malware, with very little impact to you as a user.
Each system, device, network and account you use needs to be protected by a strong password. Using long and complex passwords helps thwart password cracking or brute force attacks that attempt to guess your password.
A factor is a piece of evidence you provide for authentication, or in other words, proving you are who you say you are. Multi-factor authentication uses two or more factors such as a password and verification code that you receive on your phone. Use of MFA is strongly encouraged for all accounts and devices with this option.
Encrypt all sensitive information using approved encryption methods. Your organization should have an approved method of encryption that can allow for safe transfer and storage of sensitive information.
What would happen if the information you use was no longer available because it was lost or stolen? Ensure that your organization routinely (weekly) backs up your data, and backs up critical files more frequently. Your organization should keep backups stored separately, offline and off-site, to reduce the impact of a disruption. Encrypt backup media containing sensitive information, and test and verify data backups at regular intervals.
Operating systems and applications often require updates, or patches, to fix performance and security problems. One of the most important actions you can take is to keep your devices up to date with the latest versions of installed software. Check whether your organization manages this centrally or whether you are required to take any action.
Organizations generally have adequate security on their networks to keep you safe while working in the office. However, public Wi-Fi does not have these same protections. Cyber criminals on the same network can read and capture the traffic on that network. Public Wi-Fi can easily be a vector for malware. Avoid using public Wi-Fi.
If you connect work devices to your home Wi-Fi, take steps to make this network cyber safe. Change the default administrator and Wi-Fi passwords that come with both your router and modem. Use strong, unique passwords that are difficult to guess. If your organization has a virtual private network (VPN), this increases the security of your connection to your organization’s systems.
Be suspicious of unsolicited phone calls, text or email messages from individuals or institutions asking for information. Use the contact information from previous exchanges or a secure website to confirm the authenticity of an unsolicited message. Do not provide personal information or sensitive information about yourself or your organization until you are certain of a person’s identity and their authority to have the information.
Pay attention to the Uniform Resource Locator (URL) of a website. Hover your cursor over a link or attachment to reveal the URL or file name. Look for URLs that begin with “https”. This is an indication that the communication to the site is encrypted and secure. A URL that begins with “http” will not protect any information you share or receive when it is in transit. Also check that the URL of the website you are visiting is correct and has no spelling errors.
More importantly, once you click on a URL you must check if a website’s connection is secure. Look for the small lock icon beside the URL on the top left-hand side of your browser. Any icon other than the small lock icon or no icon means that your connection and information are not secure.
A combination of the correct URL beginning with “https” and a lock icon indicates that the communication to the site is encrypted and secure.
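The URL checks described above (the "https" prefix and the spelling of the site name) can also be automated. The following is an added example, not part of the original page; the trusted-host list and function names are assumptions for illustration. It also flags a user name placed in front of the real host, which a visual check can miss.

```python
from urllib.parse import urlsplit

# Assumption: the sites the user actually intends to visit (constructed sample list).
TRUSTED_HOSTS = {"example.com", "intranet.example.org"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED_HOSTS):
    """Return a list of warnings for a URL; an empty list means no issue found."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]

    # "http" (or anything other than "https") does not protect data in transit.
    if parts.scheme != "https":
        warnings.append("not-https")

    # Text before "@" is a user name, not the site: the real host comes after it.
    if parts.username is not None:
        warnings.append("userinfo-in-url")

    # Spelling check: a host one or two edits away from a trusted name is suspicious.
    if host not in trusted:
        near = sorted(t for t in trusted if 0 < edit_distance(host, t) <= 2)
        warnings.append("lookalike-of:" + near[0] if near else "unknown-host")
    return warnings


if __name__ == "__main__":
    for sample in ("https://example.com/login",        # constructed samples
                   "http://example.com/login",
                   "https://examp1e.com/login",
                   "https://example.com@login.test/"):
        print(sample, "->", check_url(sample) or "ok")
```

An empty result only means the address matches a trusted name over an encrypted connection; it says nothing about the content of the site itself.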
In the next section, we will go one step further and talk about practicing good cyber hygiene.
Cyber hygiene refers to incorporating good cyber habits or practices into your daily routine.
Adopt these habits to help you and your organization stay cyber safe:
Classify information with the appropriate sensitivity level, label it properly, and store it accordingly.
Disable your camera and location services when not in use. In most cell phones and laptops, this can be toggled off or on within your settings under privacy.
Clear your browser cache and delete cookies regularly. There are a variety of cookies, but in general a cookie is a small piece of data used to identify and track your visit to a website. In most cases cookies are harmless and improve your internet browsing experience. However, cookies can be used to hijack your browsing sessions and reveal information about you and the websites you visit, including banking and other sensitive information.
Lock your computer when you step away. At the end of the day, properly log out of all applications and log out of your system/network.
Ensure all privacy and security settings are reviewed and enabled on all applications and social media platforms.
Be cautious about people you don’t know who may approach you online.
Avoid oversharing on social media platforms or websites. Many organizations have a policy that discusses who can share organizational information on social media. However, some do not. Avoid sharing organizational information on your personal social media accounts. It could be used against your organization and can put you at risk. Before you post it, ask yourself, could this information create a cyber security risk? For example, are you sharing information you might use in a password?
Think before you click on any links or email attachments. Only interact with emails or websites that you know are safe, and check with the sender by phone if you have doubts about an unexpected attachment.
Best practices for managers
People managers have a critical role to play in cyber security. As a leader, you help ensure your team has the resources it needs to protect your organization’s information and assets.
Help your team prepare by:
- Learning the indicators and signs of compromise and ensuring that your team is aware of them as well
- Providing team members with training such as regular simulations so they can recognize social engineering attacks
- Building rapport with the security personnel in your organization to ensure that you have open lines of communication and established trust
- Empowering team members to question any communication that seems suspicious (even from senior leaders) and to hold off taking any requested action until the communication is confirmed as authentic
- Identifying processes for reporting suspicious communication and determining the authenticity of suspicious communication
- Listening to people who have concerns about suspicious communications and directing them to the appropriate authority
- Supporting people should they mistakenly identify a legitimate email as a threat
You need to understand your information environment and any possible threats to this information.
You should regularly conduct a team security audit with a focus on:
- Compliance with local security policies
- Proper information handling
- Team member security responsibilities
- Adherence to policies and best practices
- Regular security awareness activities
People manager checklist
- Are all the information assets within your team appropriately identified with the correct sensitivity classification label?
- Are your employees fully aware of their security responsibilities for the information they handle?
- Do they know what needs to be protected and what doesn’t?
- If you’re not sure, consult with your security official to better understand the team’s information environment, and provide your team with adequate guidance
Free applications (apps)
Here are some tips to help protect your personal information when downloading free software or apps:
Choose trusted sources such as Apple’s App Store or Google Play for downloading software or applications. Although they’re not entirely free of malware, these sources have security mechanisms to limit malicious and insecure software and apps.
Check permissions that the apps request and determine if they are justified. If they seem excessive, it’s better to opt for a less intrusive option.
Know what you’re agreeing to. Before you install software or applications, review the terms and conditions.
Use the private browsing option on your device. This safeguard deletes cookies, temporary internet files and browsing history after you close the browser.
Download cautiously. It’s better to avoid danger than to deal with the consequences of a malicious app.