Ahead of the threat curve: Cybersecurity governance

Attendees of Capacity Canada’s Board Governance BootCamp 2023 had a unique opportunity to hear from Eldon Sprickerhoff, a founder & strategic advisor for eSentire, a global leader in Managed Detection and Response (MDR).

Eldon’s comprehensive talk began with an update on the current landscape of common cyber threats.

A surprising perspective was how easy it is for cyber criminals to scale attacks by using readily available tools on the dark web, to which he connected the dramatic rise in successful cyber-attacks and front-page stories. Eldon explained the consequences of successful attacks, including the impact on operations and financial implications, but also the larger risks to organizational reputation, donor trust, and, ultimately, its mission.

Eldon laid out the 13 most frequent forms of cyber-attack in plain and understandable language. He also outlined how malicious actors use simple techniques such as phishing and ransomware, weak passwords, and social engineering as the main entry points for those attacks. Beyond explaining these approaches, Eldon helped attendees understand why the risks are present and sometimes hard to defend against. Attendees also benefited from practical advice, including implementing more effective employee training and monitoring of phishing attempts, and enhancing password security and management with techniques like second-factor authentication, or even moving away from passwords to more secure passphrases, which are gaining adoption. Social engineering, or exploiting human vulnerabilities, was acknowledged as the most difficult challenge.

Organizations that thought cyber insurance was a catch-all protection soon learned how important and challenging it can be to prove that prudent and reasonable mitigation efforts were taken to satisfy insurance conditions. Many attendees noted terms such as “contributory negligence” as essential to understanding the limitations of their coverage.

Framing the more extensive discussion of board governance, Eldon had a strong perspective that cybersecurity is a topic that will challenge the accepted best practice of “noses-in, fingers-out.” He cited the limited understanding and availability of cyber expertise, “it won’t happen to us” complacency, and the slow rate of cybersecurity adoption and regulation against the explosive pace of technology available to malicious actors.

Against this challenge, Eldon encouraged leaders and board members to adopt an approach of Cyber Resilience with a philosophy that a cyber incident is “no longer a matter of IF, but a matter of WHEN.” The keywords of a recommended framework for Cyber Resilience were: anticipate (prioritize cyber preparation and protection), withstand (detect, investigate, disrupt, and contain the attack), and recover (return to standard operations and perform an investigation that can bear legal scrutiny). Above all else, it was a reminder that this is an ongoing arms race, and organizations must continuously adapt and evolve to stay ahead of the threat curve.

Many attendees left BootCamp 2023 with cybersecurity as a top priority for more attention on executive and board agendas.