The third one is a new addition to the old saying. With an unprecedented amount of
information available online, and the ever-increasing sophistication of those practising cyber-espionage, you or your clients have about the same chance of getting hacked as the sun does
of rising in the east.
“The scale and sophistication of the leakage of intellectual property is almost at a crisis
point,” says Salim Hasham, a Toronto-based partner at PwC who leads the firm’s cyber-security practice. In fact, he says terrorism will soon be surpassed by cyber attacks as America’s
primary national security threat.
“A country’s ability to innovate and [compete] in a hyper-connected world is increasingly
Even though this is a growing, multibillion-dollar industry, no business is too small, too out
of the way or too inconsequential to avoid a cyber attack. All executives and business owners
can do is protect their interests as much as possible to minimize possible entry points.
Attacks are proliferating across all sectors, including financial, utilities and
energy, oil and gas, according to Rafael Etges, Toronto-based IT leader at Ernst & Young.
There’s no shame in being hacked. Individual businesses are being attacked by larger —
often considerably larger — adversaries, including organized crime and foreign states. For a
local law firm or a tier-two financial organization, it’s very difficult to combat a foe backed by
significant resources and intent on breaking into your systems.
“The defender has to protect every entry point at all times. The attacker only has to be
right once to penetrate,” Etges says.
So, once you’ve discovered that your system has been compromised, what do you do? For
starters, isolate the computers that you know have been infected, and call on your IT department to shut down your network.
Next on your to-do list should be informing your senior management team and rounding
up everyone who should be aware of the breach, including your lawyers, human resources
professionals, as well as people in communications, audit and IT. When you’re all seated
around the conference table, try to get the facts right so you don’t lose control of the situation. Then trigger your incident response plan.
Having a well-thought-out course of action for when you’re attacked will come in very
handy when the inevitable occurs. Relationships with external consultants, law enforcement
officials and legal counsel that can be mobilized on extremely short notice are essential.
“If you have a plan, you’re going to avoid making those decisions under pressure and
panicking,” he says. “It’s a bit of a paranoid state but it’s healthy to think ‘we may get breached’ or
Cyber-criminals deploy automated tools on the Internet that search
out and find vulnerable targets — they don’t discriminate based on size,