Advisor Sumit Bhatia on how to deal with cyberattacks

How retailers can cope with the growing threat of cyberattacks
Kristin Laird
Sumit Bhatia

Headlines of high-profile cyberattacks have become common in recent years. Like a domino effect, these incidents can lead to reputational damage, intellectual property theft, operational disruptions and recovery expenses. Keeping information safe is a growing concern. Canadian Grocer recently spoke to Sumit Bhatia, an executive in residence and advisor with Rogers Cybersecure Catalyst at Toronto Metropolitan University and chief business officer at BHive—a not-for-profit startup incubator founded in collaboration with the City of Brampton to attract international startups—about the biggest threats companies face today and the role generative AI plays for both attackers and defenders. This interview has been edited for clarity and length.

What is the greatest threat to a company’s data security?

In the cybersecurity world, we often say the biggest threat is people. We still have a long way to go to build capacity within the organization to realize this is not just a technology issue. This issue lies with how an organization operates. So, often when we hear about things like a DDoS [Distributed Denial-of-Service] attack or a malware attack or a social engineering attack, at the heart of that is usually an error made by some human who might not have secure passwords or could be clicking on the wrong link, or it could be an insider threat from somebody who’s not happy with the organization. So, there’s lots of different facets to it. 

How can companies be proactive rather than reactive? 

It starts with building a cybersecurity plan within the organization that is the responsibility of all people and will include training. How do you communicate basic principles to all members of the team so they realize this is something they have to do? I suggest doing it during orientation of new employees with regular training drills like sample phishing attacks so folks are more familiar with how to deal with them. The Canadian Centre for Cyber Security has published the Baseline Cyber Security Controls for Small and Medium Organizations and it’s a great place for businesses to get familiar with things they can do. The good part about the baseline controls is, I would say, about 70% of them are things that can be managed within the organization. They don’t need specialized experts, but it does require building a culture and a practice where they’re constantly doing things like multi-factor authentication, configuring an employee’s personal device that is used to access work, offering VPN connections and antivirus tools. And, of course, that they’re managing access control more effectively so they know who in the organization has access to different parts of the systems.

Do Canadian companies have the staffing expertise they need to work against cyber threats?

We’re seeing a real shortage of cyber talent. And because cyber talent is so highly specialized, it’s very hard for small and medium companies to retain or hire that talent. But, one way that challenge is being addressed is through the re-skilling and upskilling of their labour forces. We’re also starting to see cybersecurity education not just from the lens of a degree program or a graduate program or a specialized certification … certain core capabilities can be performed by students who come out of a bootcamp program—there’s six-month, three-month and online programs. And depending on the size of the organization, it’s a good opportunity to lean on those programs for recruiting talent at the baseline level.

Is generative AI likely to increase the frequency and severity of cyberattacks? 

GenAI’s effect on cybersecurity is quite significant. It has the ability to replicate social engineering at a high level ... So, when you receive an email that’s being generated by a GenAI tool, it can be so close to a human writing it that it’s hard to review. Also, the frequency and volume of the attacks it can generate is quite high. The way it collates data is quite significant. But, I’m cautious of talking about GenAI as just a threat because these tools are also able to combat some of these issues. So, generative AI is also being used in cybersecurity tools to provide security analysts with some incredible strategies and tactics.

How can a grocery company manage third-party cybersecurity risks? 

Ask questions when you're engaging with those third parties. What kind of cloud environment are they going to store your data on? What kind of monitoring technologies do they have? All of that is extremely important to know. From there, figure out where their responsibility ends and a retailer’s responsibility starts. You have to constantly interact with your third-party [vendors] and your procurement bodies to know what changes are being implemented in their systems, because they're also continuously engaging new technologies and it’s hard sometimes to keep an eye on them. So, building a service-level agreement with them where it becomes their responsibility to update their clients and their customers on these things is quite critical. And then, of course, having clarity on their processes when they engage with new technologies and understanding how they manage operational risk.  

Should grocery companies customize cybersecurity training for different staff levels?

Absolutely. Cybersecurity is something that must be incorporated in all parts of the system. So, for instance, in a grocery store, you've got systems for things like inventory control, employee databases and time sheets, check in and check out [and] point-of-sale systems. One of the biggest, I think, errors a lot of retail ecosystems make is they grant blanket access to all systems when employees don't necessarily require that. 

The other part I'd say is [retailers are] using multiple SaaS applications. They should have a better idea of who's responsible for configuring those applications and for the security of those applications [and] because a lot of that data sits in a cloud environment, retailers have to know whether they're responsible for it or the cloud provider is responsible for it. And then I'd say configuring and managing control on the point-of-sale systems because that is where the transaction is taking place. So, they should think about how to implement the right controls.

How can organizations engage employees around cybersecurity in a way that isn’t intimidating?

Don’t start from a place of fear, but build a culture of support. I think when employees are scared about their actions, they tend to make more mistakes. The first thing is starting with basics like multi-factor authentication or, if you're bringing your phone to work, having policies around how you manage your devices at work. The other piece is tailoring training to certain roles. So, somebody in finance can understand how cybersecurity affects them differently than somebody who is, let's say, standing and operating a point-of-sale machine. The other thing we're seeing is gamified learning experiences. So, running security awareness training in a fun and engaging way versus feeling like [employees are] going back to school. The other piece we find a lot of success with is building a culture where they feel confident reporting something even when they're not sure. So, it doesn't have to be an attack or it doesn't have to be something that's gone wrong, but feeling confident to say, “I suspect something or I'm not sure of something” and building a path around that so they're rewarded for flagging an issue.

When it comes to cybersecurity, what should be top of mind for grocers and CPGs?

I always come back to education as the dominant thing. In the retail sector, folks still think of cybersecurity as a winter tire. They think, "Hey, I can put it on when I think it's important." I think about cybersecurity as the wheel itself and just making that shift to say this is the foundational component of our technology ecosystem. This is not an add-on. This is not a Band-Aid. This is not a secondary set of tools. This is built into how we structure our systems and the operational framework. That's incredibly important. And from an education perspective, recognizing the impact of cybersecurity is not just a breach on the system; it holds a financial risk, a reputational risk. When you see the risk is across the organization's operations, you start thinking about cybersecurity differently. That would be my biggest takeaway: reframe the conversation around security as a big part of your strategic operating framework and not technology.

This article first appeared in Canadian Grocer’s June/July 2024 issue.