3 strategies for improving your cybersecurity posture

Getting the basics right can help an organization improve its cybersecurity posture, a former intelligence officer at the Canadian Security Intelligence Service (CSIS) said during an industry event Thursday. 

Three basic strategies — mitigate, separate and positive control — can help Canadian P&C organizations and their clients better protect themselves, said Andrew Kirsch, a cybersecurity specialist and founder of Canadian security consulting services company Kirsch Group. 

Mitigate 

Mitigation aims to lower your threat surface, Kirsch said during his keynote address, Cybersecurity: Safeguarding our Digital Frontiers. He spoke at the Centre for Study of Insurance Operations (CSIO)’s 2024 members’ meeting and reception in Toronto. 

“Reduce the amount of information about you that is available to use against you,” Kirsch said. “Your Facebook friends, LinkedIn contacts, make those private. 

“Don’t hang onto information you don’t need to hang onto.” 

Kirsch said he was once told, “the worst thing that ever happened was cheap storage. Think about how much stuff we just hang onto — dangerous thing to happen.” 

Separate 

Breaches are going to happen, but we can’t allow them to ripple though our entire lives and organizations, Kirsch said.  

For example, consider using “travel phones” when travelling and wiping them when returning from high-risk countries. 

Positive control 

“I tell people, ‘Do not write anything in email or post on social media that you will not put on a postcard and mail to your neighbour, your mother, your boss, your grandmother,’” Kirsch says. “Once you send out information, once you put that online, it’s out of your control.” 

It’s important to get the basics right, whether it’s complex new passwords, multi-factor authentication or back-ups that are not in the same place as everything else. 

Kirsch told the story of telling someone not to leave car keys in their purse by the front door in front of a window. “They said, ‘That seems like pretty basic security advice.’ I said, ‘I will stop giving it when you stop doing it.’”  

Hack Wednesday 

He told attendees they may have heard of ‘Patch Tuesday,’ when companies release software patches for security vulnerabilities. “And of course, what does that lead to? Hack Wednesday, because all the hackers reverse-engineer what the patch was; they realize that was the vulnerability and they can exploit it.” 

Kirsch said people are often proud they have cyber insurance and will tell him how much coverage they have. “I say, ‘The only number I want to know you have is a phone number.  

 “Who are you going to call when something happens? Because [going] from my screen doesn’t work [and] I’ve lost all my data to that $2 million [in cyber coverage], that is the insurance. That is the plan, that is what you need. 

 “So, when things go wrong, who are you calling? ‘Well, it’s my IT guy.’ That might not be the right guy.” 

And with the increasing sophistication of cyberattacks, it’s crucial for organizations to get cybersecurity right. “We are all access points to everyone around us and we’re made vulnerable by the least sophisticated person we’re connected to.” 

Feature image by iStock.com/filo