Last episode we spoke about how startups can establish a solid legal foundation as they get things rolling; In this episode we talk with Nigel Russell from CyberSecure Canada about online security and the steps you can take right now to not only protect your business, but your entire supply chain, online.
CyberSecure Canada is the country's cybersecurity certification program for small and medium-sized organizations. Certification enhances your competitive advantage by letting your supply chain know you're a trusted business partner.
Shift by Alberta Innovates focuses on the people, businesses and organizations that are contributing to Alberta's strong tech ecosystem.
Last episode we spoke about how startups can establish a solid legal foundation as they get things rolling; In this episode we talk with Nigel Russell from CyberSecure Canada about online security and the steps you can take right now to not only protect your business, but your entire supply chain, online.
CyberSecure Canada is the country's cybersecurity certification program for small and medium-sized organizations. Certification enhances your competitive advantage by letting your supply chain know you're a trusted business partner.
Shift by Alberta Innovates focuses on the people, businesses and organizations that are contributing to Alberta's strong tech ecosystem.
Jon Hagan:
So today we've got Nigel Russell from CyberSecure Canada. Welcome, Nigel. Nice to see you.
Nigel Russell:
Hello, nice to see you too.
Jon Hagan:
So I just got an email recently that was talking about cybersecurity. And then in the email, they were talking about how it grew into a $1 trillion issue in the States. I'm not sure if it's in the States or if it's globally, but during the pandemic. So now typically, when people think about cybersecurity, they think about large firms, large organizations and institutions that are getting hit. But now, Nigel, from your perspective, that's not always the case.
Nigel Russell:
Yeah, no, thank you for that introduction, Jon. And that's a great question. I mean, the fact of the matter is, is that 98% of companies in Canada are either SMEs, small and medium enterprises, or startups, right. So the likelihood of a startup or a small business getting attacked, is actually much higher than a larger company only because there are higher in frequency, there are more startups and small businesses across the country, right. And hackers like to target small businesses. And there are three main reasons behind that that I can share with you, right.
Katie Dean:
That is amazing. Like, I didn't know that, that small and medium businesses are more likely to get attacked. That is a total surprise to me.
Nigel Russell:
I mean, it was a surprise to me too when I first found that out, right. And there's a very malicious reason as to why that's the case, right? So hackers in Russia, in China, internationally, domestically, they know that when they attack a small business in Calgary, Edmonton, they may not have a cyber specialist. So when a hacker attacks that business, they know that the odds that they're going to get a ransom or a payment from them, is much higher than if they were to target a firm with cybersecurity experts and specialists, right. So oftentimes, you see hackers, specifically targeting mom-and-pop-shops, startup tech companies, Fintech companies that are working with incubators, right? Because they know they don't have the capacity. They don't have the time. They don't know what to do, right? Where are they going to call if they've never even thought about cybersecurity, right.
Nigel Russell:
So oftentimes, we're seeing startups and SMEs being increasingly targeted, because the foreign hackers, they're getting a lot smarter. Like these guys aren't dumb. They're very sophisticated. So the attacks that they're going to launch, very strategic, systematic, they know what they're doing, right?
Jon Hagan:
I'm curious, Nigel, what do some of these attacks look like?
Nigel Russell:
So some of them may be as basic as a phishing expedition, right? So as a startup or SME, you may get an email from a very legitimate looking business that wants your contact information to share with another client, right? What they do with that information, depending on how much they acquire from you, could be used to access your company through a backdoor in your IT and IM systems. And then once they're in, they're in, right?
Jon Hagan:
Sorry, what's IM? I got the IT.
Nigel Russell:
Okay, yeah. We're in an acronym world right now. That's my bad. IT, Information Technology. And then IM, Information Management.
Jon Hagan:
Okay, thank you.
Nigel Russell:
So they'll phish for information from you, they'll become your friend, right? They'll build that relationship with you over email. And believe it or not, lots of people, unfortunately fall for these expeditions. Not to say that they're not extremely intelligent and expert folks, but the people launching these attacks are very sophisticated, right? And they'll manipulate, they'll use social engineering tactics to enter your business.
Jon Hagan:
You know what, social engineering tactics, that's very interesting, because I was on Facebook the other day, and someone had posted something saying, you get these posts that come up all the time saying, hey, what's your favorite band? Or what did you listen to in the 70s? And I've always thought those were fairly innocuous. But this post was somebody talking about how these can be social engineering posts specifically to get data from you. Have you heard anything about that? Does that sound familiar?
Nigel Russell:
That's a great question. And I can maybe speak to that from a cybersecurity risk management perspective. Whatever you do online that's affiliated with your business should be viewed with some level of risk assessment, right. So if you are a business owner or a founder or if you're using any accounts related to your business, you probably shouldn't be scrolling through Facebook or Instagram account where you're providing information online, right? Like, you can totally do that if your systems are secured and you know that they're secure. If you have an IT, or IM specialist on your team that those things have been vetted, right, but like you said, Jon, the internet has become arguably a scary place, right? So it's better to be safe than sorry, right?
Katie Dean:
So Nigel, you're stressing me out right now.
Nigel Russell:
That's what I'm here to do.
Katie Dean:
This is just making me be like itchy to go change all of my password. So for all the listeners listening, take this time to go change every single password you have. But, Nigel, I know that you were a part of CyberSecure Canada, and you have some options so that we know this scary cyber security issue might not be that [crosstalk 00:06:01]
Jon Hagan:
Mitigate that fear.
Katie Dean:
Mitigate it, yes. Jon, yes. So tell us about the program that you offer and what you can do for SMEs and startups.
Nigel Russell:
Absolutely. So the Government of Canada recognizes the importance of cybersecurity for small and medium businesses and startups, right. So the program that I'm helping to lead and develop is called CyberSecure Canada, the best way to look at this program is that it's an extremely light touch cyber audit, the best way to view our program is it's almost like a crash course, in cyber essentials, right? So as you walk through this, if you don't have any cybersecurity expertise, you're going to leave this program with foundational knowledge in cybersecurity that you can use at your business as a long term asset, right. So that's the best way to view this program. It's a light touch, cyber audit. And we've designed it specifically for small business in mind, right? Because we want to make sure that all businesses I mean, if we want to be utopian here, all businesses in Canada, are secured, right? Because we want to make our economy stronger. And we want to add confidence to our supply and value chains, right?
Nigel Russell:
We want Canada to be a global leader in cyber security. So when there are foreign investors and buyers, and they're looking at companies to invest in, they look at the Canadian market, right, in the future. And ideally, they see, wow, more companies in Alberta have gone through a government of Canada cybersecurity approval process, right, or more of them have gone through these robust cybersecurity posture assessments and frameworks, right? So from a competitive and global landscape perspective, getting cyber secure, makes a lot of sense. Right?
Katie Dean:
Right, because they're more likely to invest in a secured company. That makes sense to me. Yeah.
Nigel Russell:
Absolutely. Totally.
Jon Hagan:
Nigel, define for me a small to medium enterprise for this program?
Nigel Russell:
Absolutely. So I'd say our program is suited for any company, under 500 employees, of course, but I'm going to be honest with you guys, and everybody here, the sweet spot for this program is for any company with fewer than 50 or 100 employees, right? The rationale here is that if you have a cybersecurity expert, or an IT team with a cybersecurity specialist, you're probably meeting most of our programs areas of compliance, right? But if you're a startup, or if you have 40 employees, and you're growing rapidly, and you haven't thought about cyber security, and you're like, hey, this is probably a good idea I'm seeing in BNN, every morning, there's a cyber attack in the States, this and that, right? Like, yeah, have we invested in this, right? Why not?
Jon Hagan:
Right, do you recommend it for founders just getting off the ground?
Nigel Russell:
I'd say if they have the time, right? Because I understand as a founder, or as a startup, you're looking at how many hours you can spend a week, right? You may not have the extra 5, 10, 15, 20 hours a week to spend on cybersecurity, right. So I understand that there are concerns around timing, right? But as a founder or as a small, very small company. Absolutely. I'd say look into the program. Even just cruise through our website, see if it's a natural fit for you. You're probably going to pick up a few things as well, right. So you may see a stat or you may see some terminology around cybersecurity that you may have heard about or you've never heard about. You click on link and you're like, wow, this is really interesting. And it applies heavily to my business, right? So even at a fundamental level, I'd say look into it. It's worth the time.
Jon Hagan:
So what's the URL? Where do people go?
Nigel Russell:
So people can visit CyberSecure Canada by you can literally just google at cybersecurecanada.ca. And then I also strongly recommend that folks look at the Canadian center for cyber security. So we work very, very closely with them. And they house the federal government's cybersecurity talent, right? So if you're a startup or a small business in Edmonton, Calgary and you want to connect with some federal folks in cybersecurity, we can do that for you. We can connect you with the right people.
Katie Dean:
So getting started contacting CyberSecure, Canada, going through this process, you have 13 security controls, what is next, then? What is the next step on getting the certification?
Nigel Russell:
That's a great question. So I can give you kind of a practical example, if you want, how this like how does this actually work? Like something old programs, okay, what's going on, right? So I think I'll break it down for you. And if I use any acronyms, Jon, feel free to interrupt me. I know, some, even for me, it's like, oh, what are we talking about?
Nigel Russell:
But the best way that this program works is that I would connect with the business and see if it makes sense for them. Right? It makes a lot of sense, especially for companies that have thought about cyber security. And there are some internationally recognized standards in the fields. There are lots of certifications offered through ISO. So that's the International Standards Organization, and NIST, which is the National Institute of Standards Technology, right? So these are kind of our go to larger industry standards, right. So some companies that I've connected with in the prairies have already looked at them, which is fantastic, right. And if they have, our program fits very nicely.
Nigel Russell:
So back to the practical example, I'll connect with them, see if it's a natural fit. If it is, I will refer them to our online self assessment that is completely free. This is something I'd recommend to anybody, like anybody because it's a free tool. Once you go through it, you will be connected automatically to one of our programs, certification bodies. These guys are basically the auditors in the process, who will connect with you after you go through the survey and they'll give you a free posture assessment.
Jon Hagan:
Sorry, Nigel, one question, these auditors, are they Government of Canada as well?
Nigel Russell:
So that's a great question. So these are actually independent business. Right? So these guys are cybersecurity experts. They do this day in day out. So they're independent businesses, right? But they will connect with you after your online self assessment. And they'll be honest with you, they'll tell you, hey, Jon, you're meeting five of the 13 criteria, or hey, Katie, you're actually meeting 12 of the 13. Right?
Katie Dean:
Unlikely, but yeah.
Nigel Russell:
But that's the dynamic there, right? So they give you that free posture assessment. So even if you don't want to go ahead further in the process, you've just gotten a Government of Canada approved cybersecurity posture assessment, right, which you can use.
Jon Hagan:
Okay, just to be clear, again, Nigel, the posture assessment tells you how many of the 13 areas you've got covered?
Nigel Russell:
Absolutely, that's totally correct. And after that, if a business wants to go ahead and get certified, the certification body will of course, let them know what they need to work on. And then me, the CyberSecure Canada team, the Canadian center for cyber security, we're here to provide them with resources, right? So on our web pages, we've got content relating to all 13 areas of compliance in order to be certified, that folks can reference, right, but we can point them in the right direction, if you will.
Jon Hagan:
I see. Okay. So if they're working with the auditor, they get their posture assessment. They go, I want to go forward. I want to get all 13. So you guys are providing references for them. But what role does the auditor play going forward? And does this me, who's getting involved, are they paying any money for that service?
Nigel Russell:
I like these questions. So a beautiful thing about our program is that there are virtually no contractual obligations, which is awesome. I think. So for founders or a startup, you don't have to sign another document, right? So you're not signing a contract when you first connect with the auditor. They're basically providing you with that posture assessment, right. The only time that a contract and payment is involved is when they actually get certified, right. So in that final process, so hey, Jon, you're meeting all 13 criteria. I'm going to schedule a two hour call next Friday and let's go through the auditing experience. Once we go through that, there is a payment that's made to the certification body that hovers at about $2,000.
Jon Hagan:
I see.
Katie Dean:
Okay, that's the certification body, not the Government of Canada? I just want to make that clear.
Nigel Russell:
Yes, yeah. So that's another beautiful thing about the program, you're not paying the Government of Canada here, you're paying an independent business that's conducting the audit on behalf of the Government of Canada.
Jon Hagan:
So because we're talking about cyber security and data and information, once the Government of Canada has a company's information, what's done with that?
Nigel Russell:
Absolutely. So that question comes up all the time and rightfully so, when you're putting in lots of sensitive information online, and then relaying that to an independent business, you want to make sure that it's safely secured, right. So when businesses access our online self assessment, you actually have to sign in to your specific concierge CRA account, GC key, lots of acronyms there, my apologies. But basically, if you're a business owner, you have a CRA account that you sign into online, that's what you go through. So you're going through one of the safest online portals to provide your information to an independent business. The businesses that we're working with have been vetted by the Standards Council of Canada, they've gone through rigorous, rigorous assessments to ensure that any information sent to them is encrypted to the maximum.
Katie Dean:
I mean, I'd assume because I mean, they are cybersecurity experts. But I mean, I'm glad that they were evaluated too.
Nigel Russell:
Totally right. Yeah, they're cyber security experts, too. So they're keeping your data safe. Absolutely.
Jon Hagan:
So we'll take your word for it.
Nigel Russell:
Yeah.
Katie Dean:
So I want to switch gears a little bit here. So it's great that you guys have this program. And I do think that it is very valuable to all the startups and SMEs listening, and everybody could just go change your password, I'm going to really hammer that point home so many times. But the thing that is really interesting to me about your program is that, and especially in Alberta, we know that we have a really large tech sector in Alberta, and artificial intelligence is a big thing here. But what's really interesting to me is a lot of these companies, it's the cybersecurity threat, or the cyber threats isn't just affecting them. If they have data with any other businesses or any other people, it could actually like seep into their businesses it's going on. So does that make sense?
Jon Hagan:
Almost by association.
Katie Dean:
By association. So it's a bigger issue than just one company?
Nigel Russell:
Totally, so you kind of hit the nail on the head there. That's a great question. I love the way that you framed that. So another really good way to look at cyber security and getting cyber protected, is that you're not doing business alone, right? You're connected to a supply chain, to a value chain, and you've got your vendors, I can give you a pretty interesting stat. But it's also kind of scary. I'm not going to lie.
Katie Dean:
I mean, you've already terrified us enough, it's like add to it, it's fine. We're ready.
Nigel Russell:
I'll give you I'll give you an interesting stat. So internationally, the average number of vendor relationships per business is 5800. Right? So, okay, hold on.
Jon Hagan:
5800 different vendors associated with one business?
Nigel Russell:
Correct. And you may be asking yourself, how does this work? And like, that number seems too high, right? So I'll break it down for you. But yeah, it's interesting, but also a little bit scary, right? But I'll go back to your example, Kate. If you're a startup tech company in Edmonton, who have you worked with? So you can count out those number of businesses or those incubators and associations. You've probably also worked with them government entities, and perhaps in France, right? Who are they connected to? Who are their contacts connected to?
Katie Dean:
It's like not six degrees of separation from Kevin Bacon, it's six degrees of separation from the SME.
Nigel Russell:
I love it. That's actually a beautiful way to look at it.
Jon Hagan:
It's expediential.
Nigel Russell:
It's expediential, right? So literally this step really helps to show that, to visualize it, right. You can map it out, you can connect the dots. It's really not just you that's getting cyber protected when you go through an audit, it's your entire value chain, right? So you can really flex a cyber audit and tell your stakeholders, tell your membership, tell your people, hey, you can count on us, you know we're reliable.
Jon Hagan:
It's almost corporate responsibility to maintain that level of rigor, to get a certification, to have that audit done. So you're protecting your value chain with your customers.
Nigel Russell:
Totally. And you kind of hit on another theme there, Jon, with respect to corporate responsibility on cyber security. What we're seeing in the fields is an emergence of this idea of corporate accountability and responsibility to ensure everything is cyber protected. I think a good way to look at that, or to analogize that theme, is that it's very similar to ESG. Right? And for folks who don't know what that is, it's Environmental and Social Good Governance, right.
Nigel Russell:
So, as a company, let's take a hypothetical example here, right? You're an oil company in Alberta, or Saskatchewan, you're making investments, you want to make sure your investments impact the environment, and its surrounding communities in a positive way, right? We're seeing a similar trend in cybersecurity, when you're investing in a company, or when you're investing in something, your shareholders, or the companies you're working with, probably want to know that your systems are cyber protected. Right? So like you said, it's a matter of accountability and being protected.
Katie Dean:
Well, and I just think about it from a provincial standpoint, too, right. And the economic impacts that it has, on our province, one startup or one company gets attacked, and I'm thinking about the long term implications of just one business being attacked. And from an economic standpoint, what that looks like, that's terrifying.
Nigel Russell:
That's a scary thought, right?
Katie Dean:
This is a thing, it's terrifying. It's real.
Nigel Russell:
So that's exactly it, though, right? So I mean, we're going back to that value chain, that supply network, if you're the victim of a cyber attack in Calgary, it will affect dozens, if not hundreds, if not 1000s of other businesses. Let's say you're attacked. And for whatever reason, you don't know what to do. You haven't thought about cybersecurity, and you don't have cyber insurance, right? The attackers want you to pay a $500,000 ransomware payment. You pay that, right? Those hackers now know that folks in southern or northern Alberta are willing to pay ransomware, right. So you've just set a dangerous, arguably, precedent for your community, right? So this goes, again, value chain, supply chain, you really want to make sure you're protected. So you're not the one to set that precedent, right?
Jon Hagan:
Didn't we just see the meat industry get hit by some hacks recently?
Nigel Russell:
Absolutely.
Jon Hagan:
Last week or two?
Nigel Russell:
Yeah. I mean, arguably, scary stuff coming out of the States, too, right? Where one fifth of the American beef supply was compromised because of one malicious cyber attack. So one fifth, right.
Jon Hagan:
Unreal.
Nigel Russell:
That's a huge number.
Jon Hagan:
20%. So Nigel, what this really strikes me as the program that you're offering is that start doing these audits, but training founders, training entrepreneurs, early on the importance of cybersecurity, because I think especially in this day and age of last few years, we've got a boom in sole proprietorship's in small startups and stuff. Now, what are your thoughts about companies or these sole proprietorship's, again, who are people working on Etsy, people working on Facebook, people working on these social media platforms, do they have to be as concerned as well?
Nigel Russell:
At the end of the day, we're really trying to educate people on cyber security. So I'd say absolutely, if you're a sole proprietor, if you've got a very small shop or a small business, I'd strongly recommend learning more about cyber security, right? Because you're the type of person that hackers love. Because if you're not a cyber expert, you don't have a team. Do you have contacts in any government or business who have cyber expertise, right, so as a sole proprietor, you're very at risk, right? Should a hacker attack you because they love folks who don't know what to do, right?
Nigel Russell:
So I think at a fundamental level, you shouldn't be too concerned, right? I'm not trying to scare anybody too much. But it's a good idea to think about it. And to go online and see what you can do to just protect yourself at a basic level. Like Katie, you've been saying, change your passwords. That's huge. Change your passwords every now and again. You can look at our programs, 13 areas of compliance, and you can work towards them. Who says you have to go through the entire certification process? Maybe you want to go 50% on a few of them. Or like you said, Jon, maybe you're on Etsy and you work with some client data, you've got a few credit cards on file. That's all a hacker needs. If you've got $1 in your bank account, that's $1 they can have, right. So I'd say yes, don't be too concerned, right? We're not trying to scare anybody, but absolutely build some of that talent, that skill set because you can really use that in your network, right? People will look at you with much more confidence.
Katie Dean:
Right, something is better than nothing, essentially, right? Somethings are.
Nigel Russell:
Exactly. Yeah. Anything in this space is better than nothing. And having that foundational set of knowledge, like I know what cyber security is, and here's how I'm taking steps to be cyber secure this year, next year. Here's my roadmap, right? There's tons of value towards chipping away at it.
Jon Hagan:
It's almost something that should be taught in secondary school. When kids are in junior high in high school, I don't know what they're doing now, going into it in some depth, because kids are going to become adults who potentially become entrepreneurs and startups, but just also maintaining the sanctity of your personal information [inaudible 00:26:54]being smart online-
Katie Dean:
Well, and it's something because our world is so online, exactly. Yeah.
Jon Hagan:
Yeah.
Nigel Russell:
Actually a really interesting theme, Jon, and I'm not sure if you've been having conversations with some provincial folks here. But what I will say is that the government of Alberta is looking at some very interesting avenues to better educate students on cyber security. That's a longer term trend happening, if you will, and some other provinces are leading in this space. So in Manitoba, through the Manitoba Institute of trades and technology, they have actually launched a cybersecurity certificate for high school students who take it through grades 10 to 12. And when they leave high school, they've got a Polytechnic equivalent certificate in cybersecurity. Like, how cool is that?
Katie Dean:
That would be so helpful. Yeah.
Jon Hagan:
And how valuable.
Nigel Russell:
What they're finding is that students love it. The program is designed to be a two or three year process. They're finding some grade 10 and 11 students are finishing it in four months. So they're actually making the program harder. They're giving it more requirements. And they're finding that no, for older folks there who have designed a program like okay, maybe they don't know about this, or you know what I mean, but they're finding that the students are rushing through it. They're like, oh, this is easy, like, what are you talking about, I know how to be cyber secure. So it's also generational, right? But they're making the programs harder, they're making them more advanced. So as students leave high school, and in some Manitoba high schools, they're coming out with a Polytechnic certificate, and industry loves it.
Katie Dean:
This isn't surprising. A few episodes ago, we actually had a student, a high school student who was like a really cool entrepreneur and innovator. So to hear that the students are pushing the boundaries of innovation. I'm not surprised. I think that that is wonderful. And I mean, just the way that our trends are going, our children are online so much they learn online. So it makes sense that this is something that is going to be taught in schools, and I really hope that Alberta does take that into consideration for their next round of education revamps.
Nigel Russell:
Absolutely. I mean longer term yes. From what I can tell those conversations right there, there are discussions happening about like you said, Katie, kids are already using the internet every day, right? Like we want them to just have some baseline information on how to use it safely.
Katie Dean:
Yeah, it's like here's how to type on a keyboard. And here's how to prevent cyber attacks [crosstalk 00:29:43]
Nigel Russell:
Yeah, exactly.
Jon Hagan:
That's a good course, I should probably take too.
Katie Dean:
So Nigel, this podcast is really about engaging with entrepreneurs and talking about the innovation ecosystem in Alberta. So if you don't mind, I would like to talk about the future of cybersecurity and what that looks like. So I was doing some googling in prep for this interview. And one of the things that I'm learning is that there's all these different types of innovations coming out about different ways people can protect themselves. So there's a company who's looking at getting away from passwords altogether. There's two-factor authentication, which Google is a big fan of and they just implemented. So I know that you probably can't speak to the tech itself. But do you see any trends coming for cybersecurity, and things coming out of the government that you could tell our listeners about?
Nigel Russell:
Absolutely. Those are some great questions. One of the biggest trends that we're seeing in the entrepreneurial space in Canada, and Alberta is the use of artificial intelligence to block and prevent cyber attacks, right. So there are some very, very innovative companies. And I'll give you an example. There's a very innovative company out of Vancouver called Think Technologies. And they provide AI services to their clients, to protect them against cyber attacks, and cyber threats. The way that that works is way above my head. But I speak to it from an entrepreneurial point of view, they basically leverage AI to forecast where attacks may be coming from, and the frequency of those attacks, right. So they use their AI systems to basically deflect those attacks, right, in those internal systems and whatnot, right. But I'd absolutely say you're seeing the emergence of many more companies using AI, right?
Nigel Russell:
Because it's a whole lot faster than having a cybersecurity guy on his computer all day, no deflecting the one by one, right. So you're creating almost a shields against a handful of businesses. They're also some super innovative companies in the States, too, that are doing this where they provide cybersecurity protection for thousands of businesses, especially in the defense space, right? Where they're using AI to deflect any emails that may be suspicious, or any backdoor type of attacks, where a foreign attacker may be trying to access an IP address, right? Or they're trying to manipulate somebody's computer virtually which they can do, right. So that's a huge trend that we're seeing right now.
Nigel Russell:
From a government perspective, one theme that we're seeing, and this is a longer term kind of food for thought for everybody listening is how will cyber security fit in to procurement processes, right. So as an entrepreneur or as a small business, as you're growing, you're more than likely going to work with some government at some point, so maybe the city of Edmonton, maybe the province of Alberta and hey, maybe the Government of Canada. Longer term, and strategically, it may pay off to think about cyber security, and to say, hey, if I go through a government of Canada approved cybersecurity check, or if I go through an internationally recognized cyber security check through NIST or ISO or SOC 2, there are so many out there.
Nigel Russell:
What are my odds of working with them better? Will I get through those systems faster? Right, let's say hypothetically, right, longer term, the Canadian Revenue Agency sets up a new financial online portal or they're trying to digitize some of their processes, and they open up a pilot and to get through that pilot, if you're cybersecurity, you can get through it faster, right? So it just some food for thought for listeners, right, it will pay to think about cyber security in the long term from a government perspective, right, in the short term it makes sense for all of the reasons we've already talked about already, it pays to be protected, I'm sure.
Katie Dean:
Well, in the risk of not being protected is so much higher than just protecting yourself right at toss. What do you say around 2000 bucks just to you know, get the certification, but the risk of not doing that could be millions.
Nigel Russell:
Katie, I'm going to give you another stat.
Katie Dean:
Oh, God.
Nigel Russell:
I'm going to give you another stat.
Katie Dean:
Hold on, I need to prepare, okay, go.
Nigel Russell:
You ready for this one?
Katie Dean:
Yeah.
Nigel Russell:
So yeah, the cost of our program hovers at about $2,000. The average cost to a Canadian business is between 19 and $26,000 for an attack. A couple years ago, a report estimated that number is closer to $53,000.
Katie Dean:
Well, 2000 bucks feels like chump change compared to that that is[inaudible 00:35:08]
Nigel Russell:
I know, I'm giving you some scary stats. And you know what? I'm going to give you another scary stat here. I apologize.
Katie Dean:
I tod you now that we can handle it. Okay, go.
Nigel Russell:
Here you go. So I'm sure everybody is familiar with CFIB, the Canadian Federation of Independent Business, if you're a small business or an entrepreneur, I'd say look into them. They're a great resource. They estimate that 61,000 small businesses, since the pandemic hit, have been involved in some type of cyber attack.
Katie Dean:
That's insane. Why? Is it because people are working from home?
Nigel Russell:
Yes and no, there are a lot of factors coming in from the pandemic. So internationally, the number of cyber attacks and threats has increased by 300%. So a three fold increase in cyber attacks.
Katie Dean:
Just during the pandemic?
Nigel Russell:
Just during the pandemic. So from March 2020, to I believe, April 2021. That's when those numbers were released. So we're seeing huge increases in cyber attacks and threats. Katie, like you said, people are working at home, that helps to explain it, we're moving towards this virtual world where everybody is digitizing. But throughout the pandemic, you may get a suspicious email from Health Canada, you may get an email from somebody in your network or your neighborhood, right, or where they're providing you with, quote unquote, advice on public safety and health. Right? So lots of the attacks that have occurred over the pandemic have been affiliated, or are involved the pandemic, that language around public safety and health, right? But Katie, you really hit it, right? Digitization, we're in that virtual worlds, and hackers are really taking advantage of that.
Katie Dean:
That makes a lot of sense but it's terrifying.
Jon Hagan:
It is, those are unreal numbers. Now, I know this is what the audit, and when people do their work, they'd be learning about this stuff. But just real quickly, in terms and we kind of touched on this earlier but when hackers get in there, they're not just putting ransomware on saying pay us this much money, and will free up your computer. They're looking for all sorts of other things, aren't they?
Nigel Russell:
They're looking for whatever they can get their hands on.
Jon Hagan:
Okay, data. Could they steal email lists, just whatever is in there?
Nigel Russell:
Totally, totally. So literally, we can go back to that, I think I said this earlier, if you've got $1 to your name, they want it. Like what's yours is mine, right? So if you've got $1, in your bank account, any money that you may have that they can get access to, if you've got any emails or client information, they can sell that to other hacker groups or to the black market, right?
Nigel Russell:
Let's say you're a small business in Edmonton, and you keep all of your client credit card information in a MS Excel spreadsheet, right? You've got it encrypted via password, right. But that's not going to stop some people, right? Once they gain access to your systems, they'll get access to your administrator services or authentication, so they can access that document, they will then sell that data to folks on the black market for let's say, five, $7 per credit card, right? So any information you have will be sold on the black market and will be leveraged by a hacker, organization or entity, right?
Jon Hagan:
And they can attack from anywhere?
Nigel Russell:
Totally, even if you don't think the information is that sensitive. Let's say you're a Fintech company in Calgary, and you actually don't have any client information on hand because you're smart, right? You know, cyber security, you're thinking about this. But what you do have on your computer are unreleased requests for proposals or statements of works, emails, tons of information that's not publicly disclosed. The hackers may then acquire that and then reach out to your contacts assuming your identity, what do you do then? They now have information that nobody but you has. So how does your stakeholder differentiate them against you? If they've assumed all of your identities, your email and they have all that information?
Jon Hagan:
It would look pretty legit, wouldn't it?
Nigel Russell:
Totally.
Katie Dean:
All of this has me thinking about blockchain and I know next to nothing about blockchain and I don't expect you to either, but I'm wondering we have this in our conference in the fall called Inventures. I would really love to speak to somebody who's into the blockchain kind of industry and cybersecurity and to see how those two can help, because to me, there seems to be a linkage there. But again, I don't know anything about blockchain really.
Nigel Russell:
Absolutely. Totally. I'll be honest, I wouldn't want to do a disservice to blockchain technology right now. I won't speak too much. But I will say it's a trend that you could analogize with AI, right. Like they're emerging trends in the field that we're seeing blockchain, from what I understand. It's a whole lot safer to use than using conventional internet systems. So I mean, I'm looking forward to learning more about that and Inventures too, to get up to speed with blockchain, because it's fascinating stuff, honestly.
Katie Dean:
Totally. And on the Inventures note, I will make a plug here. So one of our keynote speakers is that Isaac Ben-Israel, and he is one of Israel's top experts on space, cyber and technology related security. He is the head of the security studies program at Tel Aviv University, and also has the annual International cybersecurity conference. So this has been a really great chat to tie into one of our keynote speakers at Inventures in the fall, September, what is it? 22nd to 24th?
Jon Hagan:
Yeah, this is fantastic. It's an information that you just take it for granted, that level of security, you think someone else is going to take care of it. My computer safe, my Gmail will take care of it. I'm on Facebook, it'll take care of my privacy. And that's just as an individual, right?
Katie Dean:
Or you think that nobody's going to affect you, because you have a small business and nobody cares about or whatever, you kind of hubris right there.
Jon Hagan:
Right, yeah. But to that value chain discussion earlier, it's not just you, it's you and everybody you connect with.
Nigel Russell:
Yeah, at the end of the day, it pays to have some cybersecurity skills, right? Because even if you have cyber insurance, or you think you're protected, right, it really pays to know these things at a fundamental level, right, so completely agree with all that.
Katie Dean:
So Nigel, this was great. And to sum up, I'm going to tell people to number one, go change your freaking passwords right now. Number two, contact Nigel at cybersecurecanada.ca. And number three, come to Inventures and meet Nigel because you're going to be there hopefully.
Nigel Russell:
Totally. I'm excited.
Katie Dean:
So thank you so much, Nigel. This was great. It was terrifying. But it was great. Thank you so much for being on our podcast today.
Nigel Russell:
Totally. Thanks for having me.
Jon Hagan:
Thanks, Nigel.
Nigel Russell:
Thank you.