Episode 14: Intangible assets at risk: How to get cyber smart

Lisa Desjardins, LD: You're listening to Canadian IP Voices, a podcast where we talk intellectual property with a range of professionals and stakeholders across Canada and abroad. Whether you are an entrepreneur, artist, inventor or just curious, you will learn about some of the real problems and get real solutions for how trademarks, patents, copyrights, industrial designs and trade secrets work in real life. I'm Lisa Desjardins and I'm your host.

The views and opinions expressed in this podcast are those of the individual podcasters and do not necessarily reflect the official policy or position of the Canadian Intellectual Property Office.

With the event of the pandemic, most of us are now expecting to find and even shop our products and services from our local businesses online. Entrepreneurs have been quick to respond to this and put photos, trademarks, product descriptions and so on online, so that we could keep shopping. It kept them alive. They also had to migrate their internal information like drawings, emails, ideas and other secret data online where they can be shared with their remote employees, investors, accountants and so on. It’s a pretty spectacular achievement especially considering that over half of small businesses employ less than 4 people and probably don’t have a big budget for computers and programs.

But while moving valuable information online is a solution, it often also means that the data is at risk of online thieves and cyberattacks.

So what is the government doing to help these small businesses better understand and avoid cyberthreats? To help us understand this, I'm thrilled to welcome Nigel Russell who works for CyberSecure Canada, Canada's national response to help small and medium-sized organizations protect themselves against cyber attacks. Nigel, welcome to this podcast.

Nigel Russell, NG: Thank you for having me.

LD: I'm really thrilled to have this conversation. I know it's an important one, not just for you, but for many other small businesses across the country. But before we start, can you explain what is cyber security?

NR: So that's an excellent question. So cyber security is extremely broad and very vast, so I'm going to do my best to truncate it down to its basic elements. So cyber security in a nutshell refers to all of the systems, the software, the digital tools and everything else relating to the computers, the tablets, the phones, everything we use on a daily basis with respect to its security.

So again, this is a very broad and it can be a nebulous topic to talk about. But cyber security is really about securitizing the devices that we use every day. So for small businesses we're talking about tablets, laptops, desktop computers and enterprise phones that most companies use to connect themselves to their employees. So I apologize to your audience again, if that was quite broad, but in a nutshell, that's what cyber security is.

LD: Hmm, but it's… it can also be a broad problem so, could you tell me a little bit about yourself and the kind of work that you do with CyberSecure Canada?

NR: Absolutely! So I'm headquartered in Calgary, Alberta and I work to develop and promote CyberSecure Canada, but more importantly my role in Western Canada is to educate small companies and start-ups on the importance of cyber security. So I'll just walk you through what I do on a daily basis or weekly basis to give you and your audience a better perspective. So I'll connect with companies to tell them why cyber security is so important, how we can save that money. I'll host workshops and webinars on cyber security with business incubators and chambers of commerce to let their membership know what the Government of Canada is doing to help them in this field. And at the end of the day that's why CyberSecure Canada is here. We're really here to promote the importance of cyber security to start-ups and small businesses.

Because as we all know, there are only so many hours in the day. There are only so many hours in the week and month that start-ups and small businesses have access to and for very valid reasons cyber security may not be on the top of the list. So, that's why we're here to kindly remind them or to let them know why it may be very strategic to think about cyber security in the short run so that they can position themselves for long term success, right? Because our mission is to really prevent as many companies as possible from going through an unfortunate cyber attack.

LD: Thank you. So I guess one thing that could be perhaps helping to prioritize cyber security for small companies is to understand it a little bit more in say of an applied setting. So, can you give some examples of say how intellectual property assets like brands and trademarks and so on, how can they be lost in a cyber attack? Like if I was a researcher or if I had my own company.

NR: So that's an excellent question, and it's one that I've received and that our team has received with the Government of Canada time and time again over the last 2 years, and especially since the pandemic hit in March 2020. But some of the assets and some of the digital properties that we're speaking to are confidential trademark information, confidential trade secrets, your client relationship information and data that you may have saved in a Word document or an unprotected Excel sheet that God forbid somebody gain access to, and then they were able to leverage that information in malicious and nefarious ways.

But it's really a lot of those digital assets and properties that we may take for granted that they're secured, right? But in the event that a cybercriminal or malicious actor would gain access to one of your devices or one of your enterprise computers where you have your trade secrets or designs or intellectual property strategies and your planning in that field.

In the event that they gain access to that, they can leverage that to sell it on the dark web, to reach out to your competitors and sell it to them, or to simply broadcast it via their Internet channels.

Right, so these are the things that we may not think about, but given that most intellectual property assets are either digitized, or you know intangible, it's really important that we also think about their digital safety.

How are we keeping these items safe from actors who may want to maliciously use them?

LD: Very, very important. What does your organization and I guess, other government organizations do then to help companies who are vulnerable to cyber attacks?

NR: So that's a great question as well. So the Government of Canada launched CyberSecure Canada to help small companies and companies who don't have 30, 40, $50,000 annually to invest into cyber security. So CyberSecure Canada is just one tool at their disposal to help prevent them from going through a cyber attack. And the way that CyberSecure candidate does that is through, it's through a few different mediums actually.

So our team launched e-learning modules online. We have 13 extremely comprehensive online e-learning modules that will walk you through what you need to know about cyber security. The key benefit in leveraging these documents is that they've been designed, approved and vetted by the Government of Canada. Because there are tons of alternatives in the ecosystem and as a small business or a start-up you may have already been solicited by a cyber security consultant or shop and they may even have a series of online e-learning content.

The key advantage of ours is that you know they're extremely objective. They've been developed by public servants, and they've been developed for the public good. So I highly recommend folks leveraging those just to get a better sense of what cyber security is and what you would need to do to achieve the CyberSecure Canada certification. So for companies who want to take it to the next level and they really want to take cyber security more seriously, they can work towards obtaining these CyberSecure Canada certification. And I'll truncate this process down to its most basic elements again, but CyberSecure Canada looks at 13 core areas of cyber security. That we feel all businesses should meet. If you meet all 13 you then get certified.

And really quickly on the certification and to give some folks some perspective: most of the firms that have gone through this program, they've gotten certified because they want to show their investors, their angel investor network, their overseas partners, that they really take IP, data and information privacy very seriously, right? And it's one thing to tell your partners, and when you're creating your relationships it's one thing to say that you take it very seriously. But when you can actually leverage a tangible Government of Canada certification on cyber security that can pay off in spades and in dividends over time.

So most of the companies that I've worked with, they've gone through the program to show their partners in Texas, California, New York, the UK, elsewhere in Europe that they really take information and data privacy seriously, and they've invested some resources into it. And in addition to that, there are more resources available by the Government of Canada through the Canadian Centre for Cyber Security, through the RCMP Anti-Fraud Centre, through Public Safety, and even through the Canadian Intellectual Property Office. So there are various channels, there are multiple channels on offer that small businesses can tap into.

LD: There are some companies that offer insurance. A cyber security insurance. But this is only part of the solution, why?

NR: So you're asking the perfect questions here, because this one does come up quite frequently as well. So many start-ups and small businesses will invest into cyber security insurance on the assumption or with objective that they will never go through a cyber attack. So unfortunately cyber security insurance does not guarantee that you will not go through a cyber attack, but that your insurance provider and under writers will provide you with some level of compensation should you go through a cyber attack.

The key point to understand in this area and it is a very grey zone in Canada at the moment is that most often your insurance company will specifically require that you invest X number of dollars or a percentage of some business revenues towards cyber security. But some companies who sign up for cyber security insurance may not for very valid reasons again, they may not have invested into cyber security over the past calendar year or fiscal year, and if they go through a cyber attack, their insurance provider may not provide them with coverage.

So the key thing here is that start-ups and small businesses read very closely what they are signing up for. Because we certainly want to avoid situations where smaller companies sign up to cyber security insurance for let's say 2 to $4000 a year and they unfortunately, neglect their internal cyber security controls and protocols. So huge thing here, and this goes without saying, but it pays to pay attention and to read very closely in the contracts that you sign with your insurance providers on cyber security.

LD: It's hard. It's hard to ask people to be proactive when they can't see the benefit. I think our office certainly has the same kind of challenge to talk, you know, to small, to medium enterprises… until it's too late. But you're meeting with companies on a daily basis, trying to explain to them why they need to act. What are some of the things that you found really makes it click or how to get them engaged?

NR: Right, so that's another really, really good question. So I think the one thing about cyber security is if we're if we're to be honest, cyber security is another form of assurance. We're not providing insurance, it's a form of assurance where we're trying to prevent the likelihood of a company going through a cyber attack, or being the victims of cyber criminals.

But from the main draw to investing into cyber security and what's worked best from a CyberSecure Canada perspective is just educating people on cyber security and getting to know why they have or why they have not invested into cyber security. So if you were listening to this podcast, I'd asked you as a thought experiment or experiment in in working with in this field: ask yourself why have you not invested into cyber security and whether you should? But again there may be very valid reasons we're still, we're at the tail end of a pandemic. There are dozens of other business priorities that may take precedence over cyber security.

But, it's important to think about these things, to think why or why we have not invested into cyber security. But the really key thing here is that cyber security… we're going to get down to basics on this one to… cyber security can save your company money. The average cyber attack cost in Canada is about $50,000. Most companies who go through a cyber attack foreclose. Because they do not have $50,000 in working capital that they can pay via Bitcoin payment through a ransomware attack, right? So thinking about cyber security proactively can save you money in the short and long run, and it'll increase your company's odds of success in the next 10 to 20 years. To ensure that you're still here and you're not going to be unfortunate small businesses or smaller organizations that goes through a cyberattack who thought it couldn't happen to them but then it did.

LD: How common are these cyber attacks?

NR: That's, so that's an excellent question, and Lisa, I apologize to you and your audience, I'm going to throw out some statistics here that may come across as a little threatening, but I just want to provide everybody with perspective on how frequent these attacks really are.

So since the beginning of the pandemic in March 2020, cyber attacks have increased by 300% globally.

If you are in the supply chain, dominant sector or industry, they have increased by 430%.

The main reason behind this is that most companies have digitized or they've moved some of their critically important business online. Which naturally, as you can imagine, has opened the floodgates for cybercriminals and malicious hacking organisations because they now have more potential victims to go after.

In Canada, last year and in 2020, the latest available data that we're working with shows that about 1 in 4 small businesses have had some relationship to a cyber crime. So they've either received an email that's trying to gain access to one of their systems, or they've had a ransomware attack trying to penetrate their business. Unfortunately, in 2020 alone, 61,000 companies, so 61,000 small businesses in Canada went through a cyber attack, right?

So there are over a million small businesses in the country and a good chunk of them, 61,000 went through a cyber attack and the most common attack that occurred in 2020 were ransomware payments. So lots of these companies received emails that looked highly authentic, highly genuine and they clicked on a link that they shouldn't have and they unfortunately downloaded a ransomware software onto their computer that led them to a Bitcoin or ransomware payment.

So that's what we're looking at, and it happens. So again 61,000 companies about annually, go through a cyber attack so it happens a lot more frequently than we think. And another really important thing to recognize here is that much larger and more sophisticated companies with robust IT and cyber security protections also go through cyber attacks.

So here the logic is that if it can happen to some big names in industry, it may be able to happen to you. And hackers know that if they target a small business in Winnipeg, in Ottawa, in Calgary, wherever, you probably lack the resources to even respond to this cyber attack. So why would they go after a larger company where their odds of success are much lower, when they could instead, target a smaller company without the resources needed to even take action.

So hopefully that answers your question. And again, not trying to present a threatening scenario or outlook, but this just proves that now is the time to start thinking a little bit about cyber security.

LD: That's an excellent answer, and I think my body temperature just went down by 2 or 3 degrees. That's really scary. You've mentioned a lot of different programs and ways to get more cyber smart. I think if I were a company I'd probably be running around in circles trying to find out “OK, where do I start, where do I start?” I have a little time, just a little time, and I'm on a shoestring budget, where do I start to get cyber smart?

NR: Perfect, perfect question and I would be in the same boat if I were a start-up or a small business listening to this. So first top recommendation. I would highly recommend leveraging CyberSecure Canada's online e-learning content. So again, we have 13 online e-learning modules, we've got an additional module that summarizes everything, what you're getting yourself into from a learning perspective. But I would highly recommend just having a look at them or assigning one of your junior staff, or you have an intern, or your IT personnel may have extra capacity. Highly recommend that they leverage these e-learning modules because it's not only an opportunity for them to learn more about cyber security for your businesses needs, but it's an opportunity for them or yourself to upskill.

Through these learning modules you will gain some skill sets and a basic fundamental knowledge about cyber security, so I would highly recommend those. In addition to that, there are some excellent tools procured by the Canadian Centre for Cyber Security that you can access freely and readily online. I would highly recommend those tools. They have guides on what you can easily do this afternoon or tomorrow to protect your business against cyber criminals.

And then, for those of you who want to take it to the next level, you can get in touch with CyberSecure Canada or the Canadian Centre for Cyber Security to initiate the CyberSecure Canada certification process. As part of that, there are no contractual obligations. There are no time limits. There are no parameters set to that relationship. So you can come and go as you please, you can have a conversation with us. Again, we meet with tons of companies every day to learn more about your cyber security needs and to assist you as best we can.

And lastly, the last, the last tool I would, I would provide here and again so in the event that you go through a cyber attack or know of a company that goes through a cyber attack, please reach out to the RCMP Anti-Fraud Centre and they will assist you immediately. They have excellent staff that are available 24 hours a day and they are there to assist you with all of your cyber security needs. In the event that you go through a cyber attack.

So maybe I'll leave it at that, but rest assured, hopefully I've provided confidence following some of those statistics. But there are tons of folks here to support you with your cyber security and tons of resources that are here to help you.

LD: Thank you, Nigel. Incredibly appreciated that you help us help inventors, creators and businesses who have already realized their dream to commercialize their ideas. Thank you for helping them and us protect their intangible assets. It's been a real pleasure. Thank you, Nigel.

NR: Absolutely, thank you.

LD: You've listened to Canadian IP Voices where we talk intellectual property. In this episode, Nigel Russell, who is a policy analyst and CyberSecure Canada advisor at CyberSecure Canada, explained how important it is for Canadian firms to learn about ways to remain cyber smart and limit the risk of becoming a victim of a cyber attack. Take the first step and learn about ways to protect your online intellectual property assets by visiting Canada.ca/cybersecure, where you will find access to free e-learning modules, online self-assessment and access to auditors, experts and so on, on cyber security.