Cyber Security Best Practices for Deep Technology Businesses and Investors
Cyber is core to the success of every modern business, but it also represents a significant exposure and reflects on the overall maturity of the enterprise. Strategic business planning requires due diligence for cyber security owing to the presence of significant threats. Furthermore, cyber security is an integral part of business operations, including risk management and opportunity pursuits. Businesses with more robust security practices tend to fare better in a competitive ecosystem than companies with less mature security.
There is already a great deal of cyber security standards, regulations, best practices and guides available to anyone with Internet access. It can be overwhelming. Conversely, cyber standards tend to be esoteric and don't necessarily cover the important non-technical elements of business one needs to build a cyber security plan. In this short paper we hope to provide a holistic view for deep technology firms – one that is simple, effective and easy to implement.
References are provided in a bibliography for those who want to delve deeper into the topic.
Deep technology (Deep Tech) companies provide solutions to substantive scientific or engineering challenges. The term originated in the R&D divisions of major defense and telecommunications corporations, but has evolved to describe the small and medium businesses found in the venture capital ecosystem.
In a business context, deep tech has three key attributes: potential for impact, a long time to reach market-ready maturity and a substantial requirement for capital. The demand for large early-stage funding for innovation and prototype development compels these companies to seek non-conventional funding: angel and seed money, series A and subsequent rounds leading to a trade sale, acquisition or IPO.
Deep tech innovation creates new markets or disrupts existing ones in radical ways. The most prominent fields include quantum computing, artificial intelligence, advanced materials, next-generation mobile computing, advanced manufacturing, defence, biotechnology, blockchain, robotics & autonomous vehicles, photonics and micro-electronics.
However, there are considerable technical, business and security risks. The underlying scientific or engineering problems being solved by deep tech companies generate valuable intellectual property that is hard to reproduce. The lengthy life-cycle and large investment of deep tech startups expose them to intellectual property theft, which is occurring at alarming rates against Canadian companies.
This situation places them at risk of foreign influence, control, interference, exploitation and espionage by industrial competitors and hostile intelligence services, principally from cyberspace. The company's trade secrets and intellectual property will be stored and communicated electronically, making them particularly susceptible to a cyber attack vector. Compromise can be catastrophic. This is why cyber security should be top of mind for deep technology company leadership.
The objective of this paper is to highlight the most essential cyber security practices for new deep-tech small and medium businesses (SMB). The three threads we wish to present are:
Capitalizing Cyber Security as a Business Enabler;
The Cyber Security Business Case; and
A Cyber Security Checklist for Canadian deep technology start-ups.
CYBER SECURITY AS A BUSINESS ENABLER
Excellent cyber security practices deliver: improved efficiencies, enhanced understanding, business intelligence and telemetry, streamlined processes, anomaly detection, cost recovery, trustworthiness, loss prevention and sales.
Instrumenting your network and having accurate, real-time metrics of your business is essential. Security sensors can harvest business metrics. Similarly, business intelligence systems can tell one a lot about security anomalies. Inefficient business processes and red flags can look a lot like security anomalies. Conversely, a security system can help detect and fix poor operational practices. Good financial management will often detect fraud.
A threat risk assessment provides an in-depth analysis of the competitive ecosystem, including malicious actors, and informs red teaming of pursuits and proposals. Likewise, sales are supported by competitive intelligence and supply chain security, which build an understanding of threats, competitors, partners and clients respectively.
A rigorous attack surface analysis, supported by a comprehensive open source intelligence (OSINT) investigation, is key to understanding your organizational supply chain exposures and to completing due diligence in Knowing Your Client (KYC).
Security provides rigour to many core business practices, and its cost will pay for itself in business efficiencies and sales.
THREAT – FEAR UNCERTAINTY AND DOUBT (FUD)
Canada’s industrial base is highly targeted by sophisticated threat actors aiming to profit from, or disrupt, its industrial capability. Rapid digital transformation and the introduction of disruptive technology have vastly expanded the attack surface of the sector overnight. Adversaries have launched aggressive campaigns of espionage, influence and disruption.
The Canadian Centre for Cyber Security (CCCS) says the number of cyber threat actors is rising, and they are becoming more sophisticated. The commercial sale of cyber tools coupled with a global pool of talent has resulted in more threat actors and more sophisticated threat activity. Illegal online markets for cyber tools and services have also allowed cybercriminals to conduct more complex and sophisticated campaigns.
Statistically, every SMB will be attacked through cyberspace. Whether you observe it or not, your networks are constantly being probed, spam and phishing messages are sent to your employees, and competitors and criminals are scoping your business. Canadian deep technology companies are being targeted by hostile foreign intelligence services today. Canadian companies are permissive victims, particularly new high-tech start-ups who may not have robust security infrastructure, policies and procedures in place. In many ways, they are “building the airplane while it is in flight.”
The Canadian Security Intelligence Service reported that foreign interference and espionage continued to persist and pose long-term, strategic challenges for Canada. Activities by hostile states are detrimental to Canada’s economic, industrial, military and technological advantage, and have a corrosive effect on our democratic systems and institutions.
Canada’s science and technology industry is highly targeted by sophisticated threat actors aiming to profit from or disrupt its industrial capability. The rapid digital transformation and introduction of disruptive technology have vastly expanded the attack surface of the sector overnight. Adversaries continue to launch aggressive campaigns of espionage, influence, interference and disruption.
The threats to Canadian prosperity are tangible: in a given year, 28 million Canadians had their data compromised. At any given time, 12% of computers, mobile phones and accounts are compromised. The economic impact of cyber crime and espionage in Canada has been measured at greater than $100 billion per year.
Within minutes of establishing a corporate presence in cyberspace, malicious actors will interrogate your networks, and it is only a matter of time before they are breached. The vast majority of individuals and organizations will never detect the compromise. Billion-dollar high-tech Canadian businesses have been brought down by cyber espionage. Canadian small and medium businesses (SMB) and high-tech start-ups are even more vulnerable.
The Canadian Centre for Cyber Security foresees cybercrime continuing to be the cyber threat most likely to affect Canadians and Canadian organizations. Canadians will continue to face online fraud and attempts to steal personal, financial, and corporate information. Ransomware directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers. Many Canadian victims will likely continue to give in to ransom demands due to the severe costs of losing business and rebuilding their networks and the potentially destructive consequences of refusing payment. While cybercrime is the most likely threat, the Canadian Centre for Cyber Security has warned that the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada. State-sponsored actors will almost certainly continue to conduct commercial espionage against Canadian businesses, academia, and governments to steal Canadian intellectual property and proprietary information. The threat of cyber espionage is almost certainly higher for Canadian organizations that operate abroad or work directly with foreign state-owned enterprises.
David Vigneault, the director of the Canadian Security Intelligence Service (CSIS), describes foreign interference and espionage, mainly through cyberspace, as having done “significant harm” to Canada’s prosperity.
CRITICALITY OF INDUSTRY
The deep technology sector enables applied research and innovation essential to the economic prosperity of our country. Yet, both adversaries and competitors exploit the industry.
Our adversaries benefit from technological and industrial espionage, including the theft of intellectual property, and from the threat of coercion through foreign direct investment. Specifically, the industry has been the subject of persistent targeted cyber attacks, remote and close-access operations, illicit venture capital investment, covert procurement, industrial espionage, breaches of research facilities, illegitimate partnerships and joint ventures, supply chain infiltration through compromised suppliers, and a shell game of export of Canadian technologies to dangerous states.
Canada is seen as a permissive target
These actions can have a profound impact on Canada’s technological advantage and industrial base. The unfortunate truth is that in many foreign jurisdictions, national industry and organized crime form an integral part of their country’s military and intelligence apparatus. Our adversaries finance spying through industrial facilitation and reciprocate by stealing intellectual property for their industry while criminals profit from the exchange. It is not a fair competitive playing field.
Western governments have long been reluctant to involve themselves in protecting the private sector from cyber attacks, even when the assaults originate from nation-states. Although this is slowly changing, industry is a proxy target in a renewed power struggle between nation states, rogue states and criminals. Most vulnerable are Canadian deep tech start-ups, who are directly targeted by hostile intelligence services, malevolent competitors and proxy criminal organizations. Intelligence gathering and espionage remained the primary motivation for state-sponsored cyber intrusions in 2019 and will be through 2024.
PACING THREAT AGENTS
Through the theft of intellectual property, misinformation, and deception, Russia looks to re-establish itself as a major player in a multipolar world, while China seeks to gain increasing economic and political advantage. As the gap with the West closes, the cyber domain would serve as an effective coercive tactic in a time of conflict to target critical infrastructure. Russia has already sought to establish launch points for attack from within critical Canadian industry. The GRU has long been active in Canada and against Canadian interests. Canadian-based private sector organizations have been subject to cyber exploitation, intimidation, misinformation, influence, close-access operations and violence.
According to the Canadian Centre for Cyber Security, foreign state-sponsored cyber programs are probing Canadian critical infrastructure for vulnerabilities.
CrowdStrike Intelligence observed an 82% increase in ransomware-related data leaks. Targeted intrusion adversaries continued to adapt to the changing operational opportunities and strategic requirements of technology and world events. Russian, Chinese, Iranian and North Korean adversaries were all observed employing new tradecraft or target-scopes meant to respond to global trends. This included: Russia’s targeting of IT and cloud service providers to exploit trusted relationships; China’s weaponization of vulnerabilities at scale to facilitate initial access efforts; Iran’s use of ransomware to blend disruptive operations with authentic eCrime activity; and Democratic People's Republic of Korea’s (DPRK) shift to cryptocurrency-related entities in an effort to maintain illicit revenue generation during economic disruptions caused by the pandemic.
According to widespread media reporting, China is engaged in a broad effort to acquire the trade secrets of Canadian companies using espionage, exploitation of commercial entities and a network of scientific, academic and business contacts.
The Cybersecurity and Infrastructure Security Agency has reported that the People’s Republic of China (PRC) engages in malicious cyber activities to pursue its national interests. Malicious cyber activities attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT (including managed service providers), international trade, education, video gaming, faith-based organizations, and law firms.
China's state-sponsored cyber attack on the Canadian government's research and development establishments cost hundreds of millions of dollars, according to federal documents that shed light on the fallout. The costs to Canadian industrial deep-tech partners, owing to the breach of intellectual property, were substantially higher and have been estimated in the billions.
China has rerouted the Internet traffic of thousands of Canadian companies through China multiple times by altering/poisoning global Internet routing to facilitate systematic exploitation and IP theft.
TARGETED DEEP TECHNOLOGIES IN THE CHINESE FIVE-YEAR PLAN
The People’s Republic of China (PRC) 14th Five-Year Plan (FYP), for 2021 to 2025, sets the overall direction and objectives for economic espionage.
The Strider Global Intelligence Team discovered rapid adaptations in PRC overseas talent recruitment and IP acquisition TTPs during the COVID-19 pandemic. Traditional in-person recruitment and travel to China have been replaced by new online-recruitment tactics.
Canadian deep tech companies working in the following areas can expect to be targeted by PRC government talent recruitment and technology acquisition initiatives, hostile intelligence services, foreign militaries and organized crime:
Seven Digital Economy Key Sectors
1) Cloud Computing
2) Big Data
3) Internet of Things
4) Industrial Internet
6) Artificial Intelligence
7) Virtual Reality and Augmented Reality
Eight Manufacturing Sectors to Increase Core Competitiveness
1) High-End New Materials
2) Major Technology Equipment
3) Smart Manufacturing and Robotics Technology
4) Aero Engines and Gas Turbines
5) Beidou Industrialization Applications
6) New Energy Vehicles and Smart (Network) Vehicles
7) High-End Medical Equipment and Innovative Pharmaceuticals
8) Agricultural Machinery and Equipment
Seven Frontier Technology Areas to Attack
1) Next Generation AI
2) Quantum Information
3) Integrated Circuit
4) Brain Science and Brain-Like Intelligence Research
5) Gene and Biotechnology
6) Clinical Medical and Health
7) Deep Space, Deep Earth, Deep Sea, and Polar Exploration
EXAMPLES OF THE CLEAR AND PRESENT THREAT TO CANADIAN INDUSTRY
Canadian high-tech industry has been at the top of the targeting and technology acquisition lists of hostile intelligence services operating in Canada and remotely through cyberspace.
There are an overwhelming number of cases of hostile intelligence services approaching businesses under the guise of offering lucrative business opportunities in investment, or at trade shows, but whose real objective was espionage, control or influence. Corporations will notice that a number of LinkedIn members who identify themselves as employees are, in fact, fraudulent. Criminal groups are increasingly leveraging ransomware as a primary attack vector against Canadian businesses.
Canadian firms report that their networks and the social media accounts of staff and their families are being aggressively targeted, and that they are also under physical surveillance by foreign agents and criminal proxies. Other Canadian companies have found electronic eavesdropping devices hidden in their offices.
A security audit of an Ottawa-based technology firm discovered multiple instances of hijacking malware associated with advanced persistent threats on the corporate network. Dormant spyware was also discovered, waiting to be activated. Widespread communication from mobile devices to a foreign country was active. A covert channel was discovered from the company’s financial and CRM systems to overseas competitors. The breaches had likely existed for years. The company had none of the tools or capability to detect them.
Foreign companies of some nations are well known to engage in unfair business practices including bribery, breach of trust, and intellectual property (IP) theft. As is often the case, a foreign company hired hackers to break into the Canadian company's financial systems. Canadian companies operating abroad are under even more threat from extortion of employees, kidnapping, hostile takeover, trans-national crime, terrorism and para-military violence.
The Canadian Centre for Cyber Security assesses that the scope and severity of cyber operations related to the Russian invasion of Ukraine have almost certainly been more sophisticated and widespread.
The greatest exposures to industry would appear to come from cyber exploitation, industrial supply chains, research partnerships and clients. However, the threat is not limited to spies and agents provocateurs; it includes clients or partners who provide sensitive documents to competitors and adversaries, who then reverse-engineer and exploit the technology.
Hostile intelligence services have been discovered accessing Canadian defence industry secrets and technology through government research labs and academic partners. Academic and research organizations have a history of human and cyber infiltration and compromise. Foreign states aggressively exploit academic openness to steal Canadian commercial technology, using “campus proxies” and industrial partnerships.
For example, China is exploiting western government funding and research institutes to leapfrog in dual-use quantum technologies.
Under the Chinese law and strategy called “military-civil fusion,” Chinese companies and researchers must share technology with the Chinese military. Meanwhile, under the Thousand Talents Plan, China steals defence industry IP through academic partnerships.
Fifth-generation mobile communications will be integrated into all future technology. 5G represents vital high ground for China as part of its military strategy and Belt and Road Initiative. Huawei is a key player in China’s United Front strategy.
Canada has been subject to a persistent, long-term and aggressive campaign of espionage by China. Huawei is perceived as a threat to Canada’s 5G programs and is alleged to have been a direct recipient of, and participant in, intellectual property theft against Canada's information and communication technology industry using cyber exploitation.
The Director of CSIS (Vigneault) said China represents “the most significant and clear” challenge when it comes to espionage targeting Canadian campuses, and that China and Russia were engaged in the “monitoring and/or coercion” of students, faculty and university officials in an effort to further their influence.
Canadian academics have collaborated on dozens of projects with Chinese military researchers – many of whom have deliberately obscured their defence ties – raising concerns that Canada is inadvertently helping China modernize its armed forces. It has been reported that academic exchanges, jointly advancing technologies such as secure communications, satellite-image processing and drones, include the enrollment of Chinese defence scientists as graduate students and visiting scholars at Canadian universities. The PLA refers to a strategy of “picking flowers in foreign lands to make honey in China.”
Richard Fisher, a senior fellow on Asian military affairs at the International Assessment and Strategy Center think tank, refers to the strategy as “the global Chinese intelligence vacuum cleaner” – an effort to scour the world for dual-use technology, which has both civilian and military value. The aims have been broad, from seeking materials for space weapons to technology for next-generation hypersonic missiles, and such work “has been immensely profitable for China’s military modernization.”
Chinese President Xi Jinping has called for “rejuvenating the military with science and technology,” and China’s military budget is now the second-largest on Earth.
The next natural disaster or pandemic will trigger violent digital transformation, the result of which is that everything will be mediated by cyber technology. Meanwhile, our adversaries will choose this time to strike western democracies with cyber exploitation and misinformation campaigns of chaos, while criminally capitalizing on the events and purposefully interfering within critical infrastructure sectors including healthcare, emergency services, industry and defence. The capability of organizations to operate outside of the conventional office, adapt business processes, adopt next-generation secure cyber technology and recalibrate to the new reality will be put to the test.
COVID-19 has triggered dramatic digital transformation, the result of which is that everything is now curated by cyber technology. Overnight, the network has been pushed out of central control to the edge (onto personal mobile phones) and up into the cloud (collaborative tools), off corporate infrastructure.
There is no going back from the digital transformation precipitated by COVID-19. Our adversaries have invested heavily in dominating this technology. Industry may need to quickly re-calibrate for an Everything-on-5G world, in which China is the most dominant global super-power.
Disruptive technologies, including fifth-generation mobile computing, artificial intelligence, big data, mobile communications, nanotechnology, quantum computing, cloud, social networking and the Internet-of-Things, are on a converging trend line, the emergent effect of which will be far greater than the sum of their parts. Artificial intelligence (AI), 5th generation networks, Massive Internet-of-Things (mIoT) and quantum computing promise a sea change in scientific advancement. The emergent effects from the entanglement of these technologies will create the perfect storm.
THREAT RISK FINDINGS
There is a clear and present foreign threat operating against Canadian high tech industries. Similar to other sectors, high tech does not fully appreciate the sophistication of the threat or degree of compromise. Most organizations are ill-equipped to detect, deter or disrupt advanced broad spectrum threats.
The common cyber attack vector is phishing supported by social media pretexting. Risks are migrating to mobile communications, remote collaboration and social media.
If one is not yet convinced of the advantages of cyber security for the business or of the threats to it, then one must still consider regulatory, legal and fiduciary obligations or brand risks. If a cyber incident does not take the business down, fines and lawsuits just may.
COMPLIANCE, LAW, REGULATION, POLICY AND STANDARDS
Deep tech companies are rightly focused on rapidly developing intellectual property and bringing it to market. Many are not aware of their privacy and security obligations. A business will likely be found non-compliant with most contracts and supply arrangements should it fail to comply with best cyber security practices, standards or certifications. A security breach, owing to negligence or misfortune, may also result in punitive damages. The following are highly relevant examples:
Mandatory Breach Notification
On June 14, 2022, the House of Commons of Canada introduced Bill C-26, a new cyber security bill that will require mandatory reporting of cyber attacks against systems of critical importance to Canadian interests.
Privacy Legislation - Mandatory Breach Notification
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), all businesses are required to have necessary security and privacy safeguards in place and must report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals.
General Data Protection Regulation
The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union. Take notice of the biggest GDPR fines:
Credit Card Payment Standards
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards.
Industry Sector Standards
To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks.
ISO 27001 is the international standard offering guidance on cybersecurity management. It provides guidance on addressing a wide range of cybersecurity risks, including user endpoint security, network security, and critical infrastructure protection. ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
The Canadian Centre for Cyber Security has provided supply chain security guidelines and contracting clauses for telecommunications equipment and services.
Criminal and civil suits, fines, penalties and settlements
It is not uncommon for cyber security breaches involving private or personal information, or causing collateral damage, to result in civil or criminal legal action. It is important to appreciate that liability extends beyond the corporation to individual company officers.
As a poignant example, the following reference highlights some of the biggest data breach fines, penalties and settlements:
Deep technology firms are often in the process of building the company while laser focused on disruptive innovation. Many may not have a cogent business strategy, action plan or security policy. At the very least, company leadership ought to address core security components within a basic business plan. This can take the form of a slide deck or short document.
There are quick checks that a corporation can undertake to gauge the security maturity of the enterprise:
Identify one’s Intellectual Property (IP), Trade Secrets and perform an Asset Inventory;
Determine the Value of Information Systems and Assets (confidentiality, integrity, availability);
Complete a simple Threat Risk Assessment (TRA) and Privacy Impact Assessment (PIA); and
Review Policy, plans, procedures, guidelines and governance for their existence, completeness, then check awareness and compliance within the company by employees/partners.
Deep technology firms can benefit from explicitly addressing operational security controls directly in their business plan. This will help to establish best-practices and instill a security culture in the company. This, in turn, will improve overall maturity of business processes.
The next level of due-diligence considers a list of organizational controls for security:
Business plan and Strengths Weaknesses Opportunities Threats (SWOT) – a SWOT analysis is central to any business plan. If you don't do anything else, complete a one-page SWOT. Then articulate how you might apply strengths to identified opportunities, mitigate weaknesses, improve resiliency and reduce exposure to threats.
Competitive business plan – identify your competitors and challenges in the marketplace.
Foreign Ownership, Control and Influence (FOCI) – Similar to supply chain security, it is important to assess who may be investing in your business. Complete a background check and investigate their operating practices and intentions.
Inventory assets, resources and information – determine and explicitly list what is most valuable to the business. Include capital, human resources and data.
Threat risk assessment – pinpoint the most likely deliberate, natural and accidental threats to your organization. Ask yourself who the actors are, what their motivations are, and what they stand to gain and you stand to lose. Recognize any vulnerabilities that can affect the confidentiality, integrity or availability of resources or data. Roughly calculate the probability [likelihood] of key scenarios and the subsequent impact in terms of financial or reputational losses. Often risk is quantified in a simple chart that multiplies the impact and likelihood of a threat scenario occurring. Next, one needs to determine how to mitigate or transfer the risks, or accept and manage residual risks to the business.
Supply chain security – Threats and risks are quite often contracted through the critical interdependencies we have with suppliers, partners and clients as the business exchanges goods and services, funds, communications, data or knowledge. How resilient is your supply chain? The first step is to identify on whom your company depends and then gain some visibility of their security posture. Do they pose a risk? Do they, in turn, have suppliers who have lax security or who are perhaps competitors or threats? It is advisable to ascertain the provenance, ownership and track record of those you do business with, beyond one level of separation.
Confirm the Cyber Security Threat Level and Risk Tolerance – make a measured and considered decision as to what is your acceptable level of risk.
Authority, Responsibility, Accountability frameworks for security – Place someone in charge of cyber security and then empower them to make the right decisions. Too often companies separate those responsible for security from the authority to mitigate or accept risks. Ultimately, the company officers are personally responsible and liable for breaches.
Converged Security Practice – One person ought to be responsible for personnel, physical and cyber security in the company, because threats and risks frequently cross these domains. This will also facilitate a coherent, integrated security plan.
Brand Monitoring - look outside of your environment and continually assess where and how your organization appears online and in the media. Are there indications of breaches or mal/misinformation?
Confirm Cyber Security Investment Levels – The average company spends 10% of its IT budget on cyber security. Deep technology companies may wish to consider allocating more budget than average given the sensitivity of their intellectual property.
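The threat risk assessment and risk tolerance items above describe a simple likelihood-times-impact chart with a mitigate/transfer/accept decision. The following is an added worked example (not from the original paper) that applies that model to a small register of constructed scenarios for a hypothetical deep tech start-up; the scales, tolerance value and scenario scores are assumptions for illustration.

```python
"""Lightweight threat risk assessment (TRA) register.

Added example, not part of the original paper. Risk is scored as the
product of likelihood and impact on 1..5 scales, compared against a
declared risk tolerance, and given a treatment: accept (residual risk),
transfer (e.g. insurance or contract) or mitigate (add controls).
"""
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5          # qualitative 1..5 scales (assumed)
THREAT_TYPES = ("deliberate", "accidental", "natural")
CIA = ("C", "I", "A")                # confidentiality, integrity, availability


@dataclass(frozen=True)
class Scenario:
    name: str
    actor: str          # who or what: intelligence service, criminal, insider, storm
    threat_type: str    # one of THREAT_TYPES
    cia: str            # property most affected: "C", "I" or "A"
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (catastrophic) financial/reputational loss

    def __post_init__(self):
        if self.threat_type not in THREAT_TYPES:
            raise ValueError(f"unknown threat type: {self.threat_type}")
        if self.cia not in CIA:
            raise ValueError(f"unknown property: {self.cia}")
        for v in (self.likelihood, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"score {v} outside {SCALE_MIN}..{SCALE_MAX}")


def risk_score(s: Scenario) -> int:
    """Risk = likelihood x impact, as in a simple risk chart (max 25)."""
    return s.likelihood * s.impact


def treatment(s: Scenario, tolerance: int, transferable: bool = False) -> str:
    """Accept at or below tolerance; otherwise transfer if possible, else mitigate."""
    if risk_score(s) <= tolerance:
        return "accept"
    return "transfer" if transferable else "mitigate"


def apply_control(s: Scenario, likelihood=None, impact=None) -> Scenario:
    """Model a control (e.g. awareness training, MFA, backups) by re-scoring
    likelihood and/or impact; the returned scenario carries the residual risk."""
    return replace(s, likelihood=likelihood if likelihood is not None else s.likelihood,
                   impact=impact if impact is not None else s.impact)


def build_register(scenarios, tolerance, transferable=()):
    """Return (score, name, treatment) rows ranked highest risk first."""
    rows = [(risk_score(s), s.name, treatment(s, tolerance, s.name in transferable))
            for s in scenarios]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


# Constructed sample scenarios for a hypothetical deep tech start-up.
SCENARIOS = [
    Scenario("Phishing leads to IP exfiltration", "hostile intelligence service",
             "deliberate", "C", likelihood=5, impact=5),
    Scenario("Ransomware on file server", "cybercriminal group",
             "deliberate", "A", likelihood=4, impact=4),
    Scenario("Laptop with design files stolen at trade show", "criminal proxy",
             "deliberate", "C", likelihood=3, impact=4),
    Scenario("Engineer accidentally deletes lab data", "insider",
             "accidental", "A", likelihood=3, impact=2),
    Scenario("Flood disables office", "weather",
             "natural", "A", likelihood=1, impact=4),
]
RISK_TOLERANCE = 8                                  # assumed board decision
TRANSFERABLE = {"Ransomware on file server"}        # assumed to be insurable

if __name__ == "__main__":
    for score, name, action in build_register(SCENARIOS, RISK_TOLERANCE, TRANSFERABLE):
        print(f"{score:>2}  {action:<9} {name}")
    # Residual risk of the top scenario after awareness training plus MFA
    # (assumed to cut likelihood from 5 to 2): still above tolerance.
    residual = apply_control(SCENARIOS[0], likelihood=2)
    print("residual phishing risk:", risk_score(residual),
          treatment(residual, RISK_TOLERANCE))
```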
BASIC SECURITY CONTROLS
A more detailed view of the cyber security maturity and business assurance of an organization often requires a review of basic security controls by category:
Risk Management (RM) - Risk is defined as the product of the damage and the likelihood of a particular adverse event occurring. A threat acts against a vulnerability, in what we describe as an exposure. Threats can be accidental, natural or deliberate. Damage or impact is associated with the value of the business assets. Managers need a situational understanding of the nature of internal or external threats in the context of the vulnerabilities and of what is at stake with a loss of availability, confidentiality or integrity.
Asset Management (AM) – keep an up-to-date inventory of hardware, software applications (versions) and data.
Security Assessment (CA) – ensures that security safeguards match exposures identified by the threat risk assessment.
Audit and Accountability (AU) - determine who is ultimately responsible for security in the firm and ensure that they have evidence to make informed decisions.
Physical Protection (PE) – Confirm that there is adequate physical access control and surveillance of facilities and systems: locks and keys, electronic passes, alarms, CCTV.
Personnel Security (PS) – Conduct security vetting of all employees, contractors, partners and clients.
Awareness and Training (AT) – Perform security education across the firm. Reinforce it with messaging and security compliance testing.
Situational Awareness (SA) – Present an integrated security picture to leaders in the business with an executive dashboard.
TOP TECHNICAL CYBER SECURITY CONTROLS
The critical intellectual property [data] of deep technology firms is subject to persistent, deliberate threats by malevolent cyber actors and is highly exposed because it is in electronic form. The most common attack vector is phishing, which uses social engineering and deceptive links (clickbait) to load malicious code onto the device or system. This tactic takes advantage of naive users, open systems and software vulnerabilities. These risks can be mitigated with security awareness and basic controls.
Cyber Secure Practices – Caution employees against clicking on attachments in messages before validating the sender. Establish a security culture and awareness.
Identification and Authentication (IA) + Access Control (AC) + Strong Multi-factor Authentication – Everyone should be signing into devices, computers, accounts and systems with unique, strong passwords and multi-factor authentication that uses another means of communication for confirmation, such as a passcode sent to their mobile phone.
Domain Ownership and DNS Protection – The Domain Name System (DNS) is the address book of the Internet and represents a key security control point. It is important that your business use a trusted DNS registrar such as the Canadian Internet Registration Authority (CIRA) and take full advantage of its Canadian Shield initiative. Protect your business and personal devices from malware and phishing with a trusted DNS made exclusively for users in Canada. The CIRA Canadian Shield is a public DNS resolver that connects users to the websites they are trying to visit and blocks connection attempts to and from malicious sites. CIRA integrates dozens of threat feeds, including from the Canadian Centre for Cyber Security (CCCS), and applies powerful AI to analyze billions of DNS queries globally every single day. This detects over 100,000 new threats daily to help keep your business safe. In addition to malware and phishing, CIRA also blocks sites with a high likelihood of being fraudulent or online scams. Over 3 million users already use this service. The service is free, offers exceptional protective value, and the registration process takes 2 minutes. [https://www.cira.ca/cybersecurity-services/canadian-shield]
Upstream Security Services – The Canadian Shield is an example of the security services available from Internet and telecommunication service providers (ISPs/TSPs). Products and services include spam filtering, denial-of-service protection, parental controls, anti-malware/antivirus and firewalls. They are often included with your basic service. The advantage is that they stop malicious activity and toxic content upstream, before it ever reaches your business.
Establish Basic Perimeter Defences – Enable security software, such as firewalls and antivirus, on your network perimeter and devices.
Application, Account and Platform Security Controls – Lock down privacy and security controls on your devices and applications, like browsers and social media platforms, and restrict applications' access to what is strictly necessary.
Whitelists and Blacklists – Maintain whitelists of the businesses and people you regularly communicate with, and scrutinize all other communication attempts. Conversely, block known malicious sites, e-mail addresses and phone numbers.
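The protective DNS resolver described under DNS Protection and the whitelist/blacklist practice above rest on the same mechanism: a name is checked against a list, and its parent domains are checked too, so that a listed domain also covers every host beneath it. The block below is an added example (not CIRA's code or any part of the Canadian Shield service) showing that decision logic in Python. The block list and allow list are constructed samples, not real threat data; the hosts-file style line is included because several public feeds are published in that shape.

```python
"""Allow/deny decisions for domain names as a filtering DNS resolver or mail
gateway makes them. Added example with constructed lists; not a real feed."""
from typing import Iterable, Optional, Set

# Constructed sample block list: plain names, comments, and one hosts-file style line.
SAMPLE_BLOCKLIST = """
# constructed sample, not a real feed
phish-login-example.test
malware-cdn.example
0.0.0.0 tracker.badsite.test
"""

# Constructed sample allow list of business partners (the "whitelist").
SAMPLE_ALLOWLIST = ["partner.example", "supplier.example"]


def normalise(domain: str) -> str:
    """Lower-case, trim, and drop the trailing dot: 'Evil.TEST.' == 'evil.test'."""
    return domain.strip().lower().rstrip(".")


def parse_blocklist(text: str) -> Set[str]:
    """Read one name per line; '#' starts a comment; a hosts-style line
    ('0.0.0.0 name') keeps only the name, which is the last token."""
    names: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        names.add(normalise(line.split()[-1]))
    return names


def matches(domain: str, names: Iterable[str]) -> Optional[str]:
    """Return the listed name covering `domain`, checking the name itself and
    each parent. 'a.b.phish-login-example.test' is covered by
    'phish-login-example.test'; 'notphish-login-example.test' is not."""
    listed = set(names)
    labels = normalise(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None


def resolve_policy(domain: str, blocklist: Set[str], allowlist: Iterable[str]) -> str:
    """Resolver decision: 'allow' for explicitly trusted names (overrides a
    false-positive listing), 'block' for listed names (answered with a
    sinkhole address or NXDOMAIN), 'forward' for everything else."""
    if matches(domain, allowlist):
        return "allow"
    if matches(domain, blocklist):
        return "block"
    return "forward"


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    for q in ("mail.partner.example", "login.PHISH-login-example.test.", "example.org"):
        print(q, "->", resolve_policy(q, blocked, SAMPLE_ALLOWLIST))
```

Because the allow list takes precedence, an allow-listed partner domain also exempts every subdomain beneath it; keep that list short and review it, since a compromised partner host would pass unfiltered.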
Automatically Patch Operating Systems and Applications – on all systems and devices. A more formal, deliberate patch management and update process will be required as the business's information and communication technology (ICT) becomes more complex, to avoid unpredictable or unstable outcomes.
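The Asset Management control (an up-to-date inventory of hardware, software and versions) and the patching control above meet in one routine question: which installed versions lag behind what the vendor currently ships? The block below is an added example, not tooling from this paper or any vendor, that answers it over a constructed inventory. The package names and version strings are invented; the part worth noting is the version comparison, which compares numeric segments as numbers so that "1.2.10" correctly ranks above "1.2.9".

```python
"""Patch-lag report from a software inventory. Added example with constructed
data; not the paper's or any product's code."""
import re
from typing import Dict, List, Tuple

# Constructed inventory rows: (host, package, installed version)
SAMPLE_INVENTORY = [
    ("lab-ws01", "browser", "118.0.2"),
    ("lab-ws01", "pdf-reader", "22.3.1"),
    ("build-srv", "ssh-server", "9.4p1"),
    ("build-srv", "browser", "119.0.1"),
    ("cad-ws02", "pdf-reader", "23.1.0"),
]
# Constructed "latest available" table, as a vendor or patch feed would supply.
SAMPLE_LATEST = {"browser": "119.0.1", "pdf-reader": "23.1.0", "ssh-server": "9.5p1"}


def version_key(v: str) -> Tuple:
    """Split '9.4p1' into ((0,9),(0,4),(1,'p'),(0,1)). Numeric segments compare
    as integers, alphabetic ones as text; the leading tag keeps mixed
    comparisons from raising. A plain string compare would put '1.2.10' < '1.2.9'."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def outdated(inventory: List[Tuple[str, str, str]], latest: Dict[str, str]) -> List[Dict]:
    """Flag rows older than the vendor-current version. A package absent from
    the feed is reported too: it is an inventory gap, not a clean result."""
    findings = []
    for host, package, installed in inventory:
        current = latest.get(package)
        if current is None:
            findings.append({"host": host, "package": package, "installed": installed,
                             "status": "unknown-package"})
        elif version_key(installed) < version_key(current):
            findings.append({"host": host, "package": package, "installed": installed,
                             "latest": current, "status": "outdated"})
    return findings


def hosts_needing_patch(inventory: List[Tuple[str, str, str]], latest: Dict[str, str]) -> List[str]:
    """Distinct hosts with at least one outdated package, sorted for a ticket or report."""
    return sorted({f["host"] for f in outdated(inventory, latest) if f["status"] == "outdated"})


if __name__ == "__main__":
    for f in outdated(SAMPLE_INVENTORY, SAMPLE_LATEST):
        print(f)
    print("hosts needing patch:", hosts_needing_patch(SAMPLE_INVENTORY, SAMPLE_LATEST))
```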
Back Up and Encrypt Data – Back up regularly and store a copy in a secure off-site location. These days it is possible to securely back up all data and applications for systems and devices in the cloud. Sensitive files should be encrypted.
System and Communications Protection (SC) + remote + mobile – There are plenty of secure communications applications for e-mail, text messages and video conferencing. Check the provenance of the application to ensure it comes from a trusted provider. Compatibility with clients and partners is also a factor.
FURTHER TECHNICAL CYBER SECURITY CONTROLS
Companies working on technologies actively targeted by deliberate threats may assess that additional security controls are necessary. More complex businesses will also benefit from deeper security controls because they also improve the general resiliency and performance of the business.
Establish Advanced Perimeter Defences – with Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), advanced malware protection and Unified Threat Management (UTM) systems. An IDS/IPS is a device, software application or cloud service that monitors a network or systems for malicious activity or policy violations; an IPS additionally takes action automatically.
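The following is an added example, not code from this paper or from any IDS product, of the kind of behavioural rule an IDS evaluates over connection logs: a port sweep (one source touching many distinct destination ports within a short window) and an authentication brute force (repeated failures from one source). The log format and every address in it are constructed (documentation ranges), and the thresholds are illustrative; the point is the sliding-window logic, which an IPS would couple to an automatic block.

```python
"""Two behavioural IDS rules over constructed connection-log lines.
Added example; not the paper's or any product's code."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed log lines: "<ISO time> <action> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2024-03-01T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=80
2024-03-01T10:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=443
2024-03-01T10:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-03-01T10:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=8080
2024-03-01T10:00:10 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-03-01T10:00:11 AUTHFAIL src=198.51.100.9 dst=192.0.2.10 dport=22
2024-03-01T10:00:12 AUTHFAIL src=198.51.100.9 dst=192.0.2.10 dport=22
2024-03-01T10:00:14 AUTHFAIL src=198.51.100.9 dst=192.0.2.10 dport=22
2024-03-01T10:00:15 AUTHFAIL src=198.51.100.9 dst=192.0.2.10 dport=22
2024-03-01T10:00:16 AUTHFAIL src=198.51.100.9 dst=192.0.2.10 dport=22
2024-03-01T10:05:00 AUTHFAIL src=198.51.100.7 dst=192.0.2.10 dport=22
"""

LINE_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(lines: str) -> List[Dict]:
    """Parse the constructed format; malformed lines are skipped so that a bad
    record cannot crash the sensor."""
    events = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, action, src, dst, dport = m.groups()
        events.append({"t": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def detect(events: List[Dict], window_s: int = 60, scan_ports: int = 5,
           fail_count: int = 5) -> List[Dict]:
    """Evaluate both rules per source. Emits one alert per (rule, source) the
    first time the measure crosses its threshold inside a sliding window of
    `window_s` seconds ending at the current event."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_src[e["src"]].append(e)

    rules = (
        # rule name, which events count, what to measure over the window, threshold
        ("port_sweep", lambda e: e["action"] == "DENY",
         lambda win: len({e["dport"] for e in win}), scan_ports),
        ("auth_brute_force", lambda e: e["action"] == "AUTHFAIL",
         lambda win: len(win), fail_count),
    )
    alerts = []
    for src, evs in by_src.items():
        for rule, pick, measure, threshold in rules:
            relevant = [e for e in evs if pick(e)]
            for i, e in enumerate(relevant):
                win = [x for x in relevant[: i + 1]
                       if (e["t"] - x["t"]).total_seconds() <= window_s]
                if measure(win) >= threshold:
                    alerts.append({"rule": rule, "src": src,
                                   "at": e["t"].isoformat(), "count": measure(win)})
                    break
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

Tuning matters: a window that is too short or a threshold that is too low floods the analyst with alerts (the "alert fatigue" mentioned under MDR below), while values that are too loose miss slow, patient activity.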
System and Information Integrity (SI) – Identifies, reports and remediates system flaws while providing protection from malicious activity. System integrity controls monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks, and push system security alerts and advisories to facilitate action. Ensuring data integrity is central to this security control, particularly for mission-critical applications. The system also updates security mechanisms with critical signatures and threat intelligence as new releases become available.
Configuration Management (CM) – is a systematic process that establishes and maintains the consistency of the IT infrastructure and network performance. In a security context, establishing the safe steady-state operation is key to quickly detecting anomalies.
Secure Cloud and Outsourced IT Services – have become the gold standard for deep technology firms. Cloud represents virtually unlimited power and storage and the ability to scale infrastructure and processing to meet demand, and collaborate remotely. A business can purchase Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), secure cloud instances and security from the cloud. The three pressing considerations are: choose a trustworthy cloud provider, store/process data in a safe jurisdiction and consult a cloud security professional when setting up the service.
Secure Websites, Domains and Mail Servers – A website is the face of the company and has to be securely managed. Outsourcing web hosting to a trusted provider is a preferable option. However, your company should maintain strict control of the content, account credentials, [passwords] and administrative authorities including DNS registration and e-mail configuration. Take advantage of security services offered by the provider.
Media Protection (MP) – Portable media in particular must be handled securely. The uncontrolled sharing of USB keys can bypass network perimeter safeguards and introduce malware onto vulnerable systems. It is preferable that data be transferred electronically through a data diode, or that media be scanned for malware before use.
System Maintenance (MA) – is an ongoing activity, but one which needs special attention so as not to impact the integrity or availability of the systems or interrupt the business. It is closely linked to patch management and security updates.
Incident Management and Response (IcM/IR) – are formal, pre-planned activities that a business has established to detect, identify, analyze and mitigate threats and hazards after the fact. It is by definition reactive in nature, but necessary should protective measures fail. Your organization should name an incident response team (IRT), an incident management team (IMT) or an Incident Command System (ICS) in the company security policy. The plan should be exercised periodically.
Recovery (RE) – Disaster recovery and business resumption solutions start with a plan and technical solutions such as a high-assurance infrastructure, which uses multiple processors, hot backup (continuous secure backup), multiple (distinct) telecoms and Internet service providers in case one of them goes down, or a content delivery network if you are more serious.
ADVANCED CYBER SECURITY CONTROLS
Security Information and Event Management (SIEM) – is a supervisory system that integrates the output from a large number of security sensors and logs to provide real-time visualization and analysis of security alerts generated by applications and network hardware.
Managed Detection and Response (MDR) and Managed Security Services (MSS) – are outsourced cyber security services that combine the technology of a Security Information and Event Management system with human expertise to rapidly detect, identify and respond to threat activity or incidents. The chief benefit of contracting out security management is to relieve staffing and resourcing challenges. MDR/MSS are likely to be more cost effective, relieve alert fatigue, and provide advanced analytical insight, investigative support, guided response and remediation.
Endpoint Detection and Response (EDR) – records behaviours and events from endpoints (smartphones, laptops, etc.) and feeds them into a rules-based automated detection and analysis system. Anomalies are sent to the security team for technology-assisted human investigation.
Security Orchestration, Automation, and Response (SOAR) – links together the stack of security software applications in such a way that the entire security process for an organization is automated with minimal human assistance.
Internal security audit and vulnerability testing – is the activity of reviewing policy, procedures, and physical, personnel and cyber systems for exploitable security vulnerabilities or weaknesses.
Attack surface analysis – is a complete external view of the organization from the perspective of an attacker.
Penetration testing – is an in-depth active attempt by security professionals to penetrate a facility or systems and socially engineer access to sensitive information.
Continuous monitoring and surveillance vigilance – The best plans and defences require continuous (real-time) monitoring to ensure that they remain effective.
Advanced Persistent Threat (APT) Detection and Countermeasures – Sixth-generation malware and zero-day exploits will often evade conventional security systems. APT detection generally requires far more sophisticated methods and current intelligence.
Threat Hunting – is the process of covertly looking for evidence of the presence of a threat actor on your network or within global cyberspace. It requires a deep understanding of adversary tactics, techniques and procedures (TTPs) and of offensive cyber operations.
Cyber Threat Intelligence (CTI) – Security appliances, sensors and systems require accurate, timely and relevant threat intelligence. Commercial products use intelligence as part of background processes and contribute to the cyber security intelligence ecosystem. It is also possible to subscribe to specialized CTI feeds directly.
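What "consuming a CTI feed" looks like in practice, as an added example that is not code from this paper or from any CTI vendor: indicators arrive in a feed (here a constructed CSV), are commonly published "defanged" (`hxxp://`, `[.]`) so that they cannot be clicked by accident, and must be normalised before they can be matched against DNS, proxy and connection logs. Every indicator, address and log line below is constructed for illustration and is not a real threat datum; the log format is likewise an assumption.

```python
"""Normalise a constructed threat-intelligence feed and match it against
constructed log lines. Added example; not the paper's or any vendor's code."""
import csv
import io
import ipaddress
import re
from typing import Dict, List

# Constructed indicator feed; values are defanged as many public feeds publish them.
SAMPLE_FEED_CSV = """\
type,value,confidence,note
domain,evil-update[.]example,90,constructed phishing domain
ipv4,203.0.113.66,80,constructed command-and-control address
url,hxxp://evil-update[.]example/login.php,85,constructed credential-harvest page
"""

# Constructed log lines: "<ISO time> <source> client=<ip> <field>=<value>"
SAMPLE_LOG = """\
2024-03-01T09:12:03 dns client=10.0.0.14 qname=EVIL-UPDATE.example.
2024-03-01T09:12:04 proxy client=10.0.0.14 url=http://evil-update.example/login.php
2024-03-01T09:13:10 conn client=10.0.0.22 dst=203.0.113.66:443
2024-03-01T09:14:00 dns client=10.0.0.31 qname=www.partner.example.
"""

LOG_RE = re.compile(r"^(\S+) (\w+) client=(\S+) (\w+)=(\S+)$")


def refang(value: str) -> str:
    """Undo common defanging so an indicator compares equal to real log data:
    '[.]' -> '.', 'hxxp' -> 'http', case folded, trailing dot dropped."""
    v = value.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        v = v.replace(bracketed, ".")
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v.rstrip(".")


def load_feed(text: str) -> Dict[str, Dict[str, dict]]:
    """Index indicators as type -> normalised value -> feed record.
    Malformed IPv4 entries are rejected at load time rather than silently never matching."""
    index: Dict[str, Dict[str, dict]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        value = refang(row["value"])
        if row["type"] == "ipv4":
            ipaddress.ip_address(value)
        index.setdefault(row["type"], {})[value] = row
    return index


def match_logs(log_text: str, index: Dict[str, Dict[str, dict]]) -> List[dict]:
    """Compare each log line's field against the matching indicator type."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, _source, client, field, value = m.groups()
        value = value.lower().rstrip(".")
        if field == "qname" and value in index.get("domain", {}):
            kind = "domain"
        elif field == "url" and value in index.get("url", {}):
            kind = "url"
        elif field == "dst" and value.rsplit(":", 1)[0] in index.get("ipv4", {}):
            kind, value = "ipv4", value.rsplit(":", 1)[0]
        else:
            continue
        rec = index[kind][value]
        hits.append({"time": ts, "client": client, "type": kind, "indicator": value,
                     "confidence": int(rec["confidence"]), "note": rec["note"]})
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOG, load_feed(SAMPLE_FEED_CSV)):
        print(hit)
```

The confidence column is carried through deliberately: a feed is only as good as its curation, and low-confidence indicators are better routed to a watch list than to an automatic block.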
HOW TO PROCEED
All of this can seem a bit daunting for deep technology start-ups, perhaps with no security staff or expertise. Fortunately, there is a robust cyber security industry in Canada that can quickly help improve your security posture and protect your investment.
Common cyber security services:
Professional Consulting – provides typical services such as audit, threat risk assessments, policy writing, security testing (vulnerability assessment (VA) and penetration testing), engineering, architecture and design. Consultants can help your business quickly get on its feet.
Security Integration – of all the necessary systems and components.
Managed Security Services – help your company off-load daily security duties and take advantages of economies of scale and expertise.
WHO CAN HELP
The cyber security ecosystem in Canada can be roughly sub-divided further, although much of this industry is converging. Deep technology firms can choose a provider that aligns with their vertical:
Cyber Security Boutiques – are specialists in the field and often combine professional consulting, integration and managed services for SMBs.
Audit Firms – can help discover and mitigate issues across the business as part of an integrated risk management framework.
Defence Industry – have a unique view to esoteric security requirements of the military and bespoke systems.
Staff Augmentation – offer a quick and simple way to get temporary help in any security field.
Integrators – tackle large or complex systems engineering and architecture.
Security Vendors – can provide a range of support for their specific product.
Platform Providers, Cloud and TSPs/ISPs – have cyber security services packaged with their offerings that your firm can use at no additional cost, along with a 24/7 help desk. They also offer additional enterprise-level security solutions.
Government – can provide general cyber security guidance and awareness to businesses. There is also a portal to report incidents.
Reporting an incident to Canadian Government Authorities is pretty simple. Visit the Canadian Centre for Cyber Security [link below] and follow the on-line instructions.
The new Canadian Program for Cyber Security Certification will help to maintain Canadian companies’ access to international procurement opportunities with Canada’s close allies and partners, including the U.S. DoD, where cyber security certification is required.
The Canadian Cyber Security Standard will be modelled after well-established standards developed by the National Institute of Standards and Technology (NIST), to ensure it is closely aligned with the standards incorporated in the anticipated future U.S. cyber security certification program.
The Canadian Program for Cyber Security Certification will be part of a continuum of Government of Canada cybersecurity certification offerings available to Canadian businesses. In addition to the new Program, the Standards Council of Canada will continue to accredit certification bodies who offer cyber security certifications for small and medium-sized suppliers (SMEs) that can be assessed and certified under the existing CyberSecure Canada standard.
Cyber security is a key business enabler and forms the basis for sound strategic planning and operations. Hence, companies with better cyber security maturity tend also to have more robust and efficient overall business processes and are often more successful.
Deep technology firms can be found on the front lines of innovation, where most of their intellectual property is potentially exposed to, and exploitable by, competitors over cyberspace. Moreover, non-compliance with standards, regulations and law carries personal liability as well as brand and business risk.
Fortunately, there exist well-established organizational, procedural and technical controls to serve as a roadmap, and a Canadian industry willing to guide you on the right path.
Discussion of Canadian cyber security ecosystem and recommendations:
Statistical Overview of Canada's Cybersecurity Industry in 2018
From Bullets to Bytes: Industry’s Role in Preparing Canada for the Future of Cyber Defence
ISO/IEC. Information technology – Security techniques – Information security management systems – Requirements, ISO/IEC 27001:2013
NIST. Cyber Security Framework, available from
Payment Card Industry. Payment Card Industry Data Security Standard (PCI DSS)
Global Cyber Alliance. Toolkit
Center for Internet Security. Center for Internet Security Controls, available from https://www.cisecurity.org/controls
Canadian Centre for Cyber Security. ITSG-33 IT Security Risk Management: A Lifecycle Approach, December 2014
Cybersecurity Maturity Model Certification (CMMC)
NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Non-federal Systems and Organizations
NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information