Canada outlines cybersecurity guidelines for critical infrastructure providers

As part of the federal government’s efforts to improve Canada’s cyber security resilience, the Canadian Centre for Cyber Security just published a suite of voluntary guidelines for critical infrastructure providers, which could also provide inspiration for security strategy in other sectors and for small- and medium-sized businesses (SMBs).

Aimed at banks, utilities, municipalities, and hospitals, among others, the centre’s Cyber Security Readiness Goals (CRGs) toolkit outlines 36 cross-sector cyber security practices that are in line with other jurisdictions, including the U.S. Cross-Sector Cybersecurity Performance Goals and the U.K.’s Cyber Assessment Framework. The toolkit includes goals related to cloud computing and artificial intelligence (AI).

The CRGs are voluntary, according to the Cyber Centre, and their intent is to establish a foundational standard for cybersecurity practices, a baseline that connects with other existing frameworks and guidance, both in Canada and from the country’s international partners. The centre emphasizes that the CRGs are not to be viewed as a comprehensive cybersecurity framework or a one-size-fits-all approach to cyber security.

For the most part, the CRGs align with existing frameworks already employed by CIOs and IT leaders, including the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, through a “govern” pillar, which includes a cyber-related privacy goal, while providing Canadian context for existing centre cybersecurity guidelines. Notably absent from this version of the CRGs is “vulnerability disclosure,” which the centre says is a valuable practice that will be considered for future updates.

The release of the CRGs toolkit comes in advance of Bill C-26, pending legislation that would alter Canada’s Telecommunications Act for telcos and implement the Critical Cyber Systems Protection Act (CCSPA), which would require federally regulated telecommunications, transportation, energy pipeline, and financial services companies to establish and implement cyber security programs, report cyber security incidents, comply with cyber security directions from the government, and mitigate supply-chain and third-party risks.

Bill C-26 has already been passed by the House of Commons and is before the Senate. If it becomes law, it likely won’t come into effect for another year, as regulations and reporting deadlines have yet to be determined.

While the CRGs are aimed at critical infrastructure providers, the centre said they can be adopted by any public or private organization, and if you’re an organization that’s looking to bolster your cybersecurity practices, a managed services provider can help.

There are many ways artificial intelligence (AI) and machine learning already impact cybersecurity. You can expect that trend to continue in 2024, both as tools for data protection and as a threat.

Balancing Cybersecurity Innovation Amid Evolving Threat Landscapes

Even as you implement AI and machine learning into your cybersecurity strategy through the adoption of tools like Security Orchestration, Automation, and Response (SOAR), Security Information and Event Management (SIEM) and Managed Detection and Response (MDR), threat actors are putting the same technologies to work. They will continue to update and evolve their own methodologies and tools to compromise their targets by applying AI and machine learning to how they use ransomware, malware and deepfakes.

With small and medium-sized businesses just as much at risk as their large enterprise counterparts, SMBs must take advantage of AI and machine learning as much as possible. AI-directed attacks are expected to rise in 2024 in the form of deepfake technologies that make phishing and impersonation more effective, as well as evolving ransomware and malware.

Deepfake social engineering techniques

Deepfake technologies that leverage AI are especially worrisome, as they can create fake content that spurs employees and organizations to work against their best interests. Hackers can use deepfakes to create massive changes with serious financial consequences, including altering stock prices.

Deepfake social engineering techniques will only improve with the use of AI, increasing the likelihood of data breaches through unauthorized access to systems and through more authentic-looking phishing messages that are more personalized and, hence, more effective.

Countering Cyber Threats and Harnessing Innovation in 2024

If hackers are keen on leveraging AI and machine learning to defeat your cybersecurity, you must be ready to combat them in equal measure – just as AI and machine learning will create new challenges in 2024, they can also help you bolster your cybersecurity. While regulations are being developed to foster ethical use of AI, threat actors are not likely to follow them.

AI will also affect your cyber insurance as your providers will use it to assess your resilience against cyberattacks and adjust your premium payments accordingly. AI presents an opportunity for you to improve your cybersecurity to keep those insurance costs under control.

Conclusion

There’s a lot of doom being predicted around the growing use of AI and machine learning. And while it does pose a risk to your organization and its sensitive data, you can use it to bolster your cybersecurity even as threat actors leverage AI to up the ante. A managed service provider with a focus on security can help you use AI and machine learning to protect your organization as we head into 2024.
