Established in 2003, CDW Canada is a leading provider of technology solutions for business, government, education, and healthcare, combining local knowledge with true expertise in international logistics to deliver consistent, service-driven solutions.
Head of Cybersecurity and Solutions Development, Theo van Wyk is an expert in Canadian security practices, with over 20 years of experience in the cybersecurity sector. Mr. van Wyk strategically guides customers to develop a balanced security approach, ensuring the recommended security solutions enable their governance, risk and compliance program while supporting the needs of IT operations. He is also responsible for leading the team that oversees the technical go-to-market strategy and solution alignment between various expertise domains. Mr. van Wyk spokes with us recently about changes in cyber threats over the last few years, the assessments that can be done with the help of professionals to identify weaknesses, and how the company’s prepare, defend and respond framework helps organizations navigate the cybersecurity risk landscape.
Services and solutions
“CDW Canada is a national organization,” Mr. van Wyk explains. “We’re a solutions provider, and we’ve come a long way from being solely a product resale organization.”
Since evolving into a services and solutions provider, CDW Canada has taken home a number of industry awards, such as Canada’s Top Solutions Provider and others, which is a testament to how well the company has navigated the shift.
The need for this shift has come about because of the changing state of cyber threats, exacerbated by some of the unique changes in business the world has been forced to content with over the last few years.
“When it comes to cyber threats, while a lot has changed, a lot has also stayed the same. One of the top threats continues to be against our people. When we look at attackers today, they think of their work as being part of a business. Bad actors are looking to make money, so they’re also looking for efficiency on their side.”
With the pandemic creating a move towards a hybrid workforce, teams are now far more widely distributed, making a targeted attack on people more commonplace and often more successful.
“Trends we’ve seen accelerate include things such as ransomware and financial fraud-ware, where attackers will trick users into transferring money, or whaling, which is another term for where corporate executives specifically are targeted for attacks. We’ve really seen that increase.”
Interestingly, as the workforce becomes more hybrid and distributed, workplaces have begun to adapt their services accordingly, such as making more available online or moving things into the cloud.
“It’s fantastic for users. We’re evolving how our businesses are operating and how we bring our services to market, but the challenge in return is that our attack surface is changing. Data is more accessible from anywhere in the world, and unfortunately, so are bad actors, who we’ve seen go after people’s credentials.”
Mr. van Wyk explains how another cybersecurity firm told him recently that 90% of attacks they are seeing are simply login attacks, where people have found a way to get login credentials and used them to enter a site.
“It’s not the traditional old way that Hollywood likes to romanticize about fancy attacking techniques – it really is the human element that attackers are looking at. I would say that is one of the top threats but also one of the top opportunities for Canadian organizations.”
It is common to see an opposing difference in sophistication and frequency, with attacks increasing in sophistication usually forcing the attack vector to slow down. However the current risk landscape appears to be bucking that trend.
“As processes are becoming more automated and open in availability, the sophistication piece is becoming key to how social engineering is designed and executed. What we’ve noticed, for instance, is the ability for attackers to compromise a trusted vendors’ email accounts. They will use it to send emails and actually monitor its activity for a while to find out relevant information. Then they’ll craft their attack in a manner that when the email is sent, it looks like it’s coming from the person you trust, but it’s not authentic.”
The most concerning finding, however, is that in addition to the sophistication and frequency of these attacks rising in recent months, there has also been a significant rise in the success of the attacks – more of them now lead to breaches in security defenses.
“Attackers are really taking their time, they’re carefully crafting their attacks and this is where severity comes in. Because we’re building teams to move faster, be distributed and have more access than ever, when something like ransomware penetrates a network, it can be devastating because it can spread very effectively.”
Another factor is third party landscapes, where third parties or supplies are compromised for the express reason of getting inside a larger, more secure organization. This has resulted in a lot more diligence being needed when dealing with third parties.
“This is why the conversation among organization is shifting to consider – what should I be asking of my third party providers? What should I be asking from people that I’m doing business with to make sure that their security is not putting me at risk?”
Cybersecurity risk landscape
Looking at the current risk landscape alone can make things seem very bleak for organizations out there looking to protect themselves from these kinds of attacks, but they should be by no means at a loss for ways to counter.
“There are a number of security frameworks in the industry that organizations can adopt and apply,” Mr. van Wyk explains. “At CDW, we understand that security starts with employees; it starts with us as humans. That’s an organization’s first and last line of defense.”
Not only are people often the weak spot that attackers target, but the outcomes can be different depending on how quickly employees respond to and report an attack, which can help shrink the time that attackers have to do something malicious.
“We need to simplify the process. One of the top things you can do for defense against any attacker is to build a digital citizen. Traditional security training used to focus on why security is important for the organization, but our lives are become more integrated with tech every day. Today, it’s important to build security-aware users that can practice this at home as well.”
For CDW, this has been distilled into a three-step process known as prepare, defend, respond, which can be developed into complex processes for large organizations, such as those the company works with, or just as easily used at home.
“In the prepare phase, think about how you’re using your data and your services. What are you actually doing on this device? As a user example – am I doing banking on this device? If the answer is yes, you probably want to then take steps to protect it. For a large organization, this can include something like a threat risk assessment. Once we have that in place, the defend piece comes naturally, and that’s how I protect myself.”
This involves making changes to your device to counter any risks you have identified from your device usage. For a user doing online banking, this could be as easy as turning on passcode or face recognition so that others cannot access your phone, or even adding multi-factor identification in case this fails.
“Perhaps the most important part is respond. If things go wrong, what do I do? If I suddenly see a suspicious transaction, or if I accidentally click on a link from a corporate perspective, do I know who to call and advise? In a larger organization, do I have an incident response plan, something that I can accurately execute on that can tell my teams how to contain the attack and come back to a trusted state?”
In order for organizations to build this kind of security best practice into their culture, in addition to creating digital citizens of its employees, it must get the message of prepare, defend, respond trickling down throughout the organization.
“One of the findings revealed in our latest Security Study is the significant difference in security posture among organizations where security is prioritized by all levels of decision-makers and is also being talked about at every level. It’s important for an organization’s leaders in to speak security, show the importance, and show that they’re practicing it, as well.”
Another important method is what Mr. van Wyk calls “making security right-sized”, in the sense of designing security plans that are relevant to the size of the organization that will be utilizing it.
“What we’ve found is that users, and humans in general, tend to buy into something when not just told what to do, but when we can grasp the reason and see how our absence contributed to it. When leaders are leading by example so that users and employees are seeing best practices, training and internal buy-in is made easier because employees already feel comfortable following the same path.”
Even though there are a number of frameworks available online to help organizations implement a response and recovery plan, there really is no substitute for employing cybersecurity specialists such as CDW to get the best possible results, especially when it comes to making your security ‘right-sized’.
“This is where bringing in an expert who has done this before can really help you ask smarter questions. The biggest concern we see is if an organization goes out and implements a standard framework or response plan. These can be very complex and can become overwhelming very quickly. In many cases, it is more complex than what the organization needs.”
This is where CDW’s prepare, defend, respond framework really comes into its own, allowing organizations to understand exactly where their data is, how it is being accessed by users, how services are being used, and where the vulnerabilities in their network exist.
Once all this has been established then a response plan can be created and customized to be applicable. The truth is that if it’s overly complex it will be put away and never used again, making it redundant.
“It has to be actionable, that’s why it has to be right-sized and relevant. It also needs to be continuously updated, because organizations change as they go and so does technology.”
CDW’s research has shown that organizations which regularly test response and recovery plans have been identified as having mature security landscapes, highlighting how security awareness has been embedded into the organization’s culture.
“One of the biggest mistakes I see organizations make is what we call the blame and shame game,” Mr. van Wyks says. “Building a healthy, safe space for security awareness training free of blame and shame is critical.”
CDW works a lot around gamification, where organizations can make friendly competition out of security training, taking any shame out of making mistakes and driving a desire to report issues for the good of the organization.
“It has to be ingrained to be the point where it is natural for the employee or the user to know automatically what they should be doing and feel it’s a safe space. They need to know which number to call and which email or contact is the person to reach out to.”
As with all things, organizations can over train, so it’s important to manage the frequency carefully. In its investigations, CDW has determined that delivering quarterly training sessions tends to be the sweet spot, where organizations get the best results.
“We spoke to some organizations that said they were training monthly, and interestingly, the return on delivery was minimal for monthly training versus quarterly. There is definitely a saturation level where you can over train your user community.”
In terms of technology, the dominant method is for organizations to take care of security in the cloud, which has become a place where security operations and processes can be leveraged, allowing organizations to scale and move with their environment.
“It’s very difficult to secure your dynamic cloud environment with a traditional security network tool. At the end of the day, we really emphasize the identity piece. Use technologies that match how your business operates, but definitely focus on your user authentication. Protect your user, protect the device they’re moving around with, and then think about that attack and how to protect those services.”
One of the tools CDW will soon be launching is a short, anonymous questionnaire for organizations to take and receive a score for key cybersecurity metrics, giving all organizations an idea of where their security level is.
“We want to show Canadian organizations that we’re all facing the same attacks and threats; we’re battling the same battles. It’s important to see how your counterparts are doing and maintain an open dialogue and ongoing discussion. We all have to work together to secure these services, and if you need help, that is where an organization like CDW with our security professionals will be more than happy to engage. We’re very passionate and are experts at what we do – let’s make our organizations secure so that we can keep operating and serve our customers.”
CDW is helping a variety of Canadian organizations navigate a complex and ever-changing IT market, where threats are coming thick and fast. To learn more about today’s top security challenges and how CDW can help, visit: www.cdw.ca/securitystudy.