Melissa Carvalho Headshot
Melissa Carvalho
VP Global Cyber Security Planning Office & Customer Enterprise Identity and Access Management - Royal Bank of Canada (RBC)

The Future of Canada’s Cybersecurity Landscape

Published on

Takeaways

  1. The increasing connectedness of our world means that Canada has seen a drastic increase in cyber events, and this must be addressed by effective policy.
  2. Throughout COVID-19, Canadians rushed to implement digital solutions without strategizing for cybersecurity, making many vulnerable to bad actors.
  3. Diverse cybersecurity solutions that include all corners of Canadian society are needed to lessen the gaps that can create vulnerabilities.

Action

Education is the key to helping everyday Canadians and small businesses rise to the cybersecurity challenges posed by an increasingly digital world. Once people are aware of the threats, they can work together to create a truly diverse solution that reaches the widest range of consumers.


It is hard to narrow the trends down to just a few. Our world has just become increasingly more connected through mass digitization, and that is underpinned by the Internet of Things (IoT), 5G, the cloud. All this creates more opportunities for cybercriminals to attack individuals and organizations. The threat landscape has become a moving target and organizations need to adapt quickly.

Boiling it down to just five trends affecting Canadians, the first trend is that there is an increase in cyber events. There has been a 30% increase in cyber events every year over the last three years. When you look at these attacks or events that occur, they range from basic to highly sophisticated, from things like viruses to ransomware, malware, social engineering, phishing and smishing.

“Remote work and all kinds of emerging technologies have increased our threat landscape.”

The second trend is an increase in cyber risks. Remote work and all kinds of emerging technologies have increased our threat landscape. A recent Cisco report showed that in 2021, there was an estimated 27.1 billion network devices, which was up from 17.1 billion in 2016. You can imagine all the opportunities for bad actors to attack.

The third trend is that a single cyber event can be a game-changer, especially when we look at small and medium-sized organizations. Because of the pandemic, many small and medium-sized businesses were forced to focus on their digital transformation, but they never had a cybersecurity strategy. This means a single cyber event can cripple a small and medium-sized organization and put them out of business. 

“Because of the cloud, third-party solutions and remote work, organizations are no longer confined to a single network and must now guard against cyber events in third parties.“

A fourth trend that we are seeing in the marketplace is that your cybersecurity is only as strong as your weakest link. Because of the cloud, third-party solutions and remote work, organizations are no longer confined to a single network and must now guard against cyber events in third parties. People now have to be aware of the security of the third-party organizations that their organization might be connected to. They now have more cyber events to worry about. 

The fifth trend is consumers are more cyber aware. Cyber-savvy Canadian consumers are starting to ask questions about a company’s privacy policy or how many breaches they have had. Something near and dear to my heart is whether a company is just using a simple user ID and password system because more and more Canadians want multifactor authentication.


What are the main concerns surrounding cybersecurity risks in Canada?

Cybersecurity is a vast area. My main concern is in my specialization, which is a specific preventative domain of cybersecurity called identity and access management. It is focused on identity and what access users have. 

When I think about that and the trends I just mentioned, I am most concerned about the consumers and citizens of Canada. As we pushed solutions along with lockdowns and restrictions, we did not really think about cybersecurity. We raced to market. I am concerned about small and medium-sized businesses as they are struggling to stay afloat and fortify their ability to defend against bad actors targeting their weak defences. One of my major concerns is for Canadians who are not cyber-savvy or who have limited access to technology.

Let me expand on this a little bit. When talking about Canadians who are not cyber-savvy, we do not need to look too far. I just think about my own father who is a senior. During the lockdowns, he tried to transact digitally online, but he struggled to figure out who to trust and not trust from a content perspective. While my family worked hard to educate him on things like phishing and when to open an email and not open an email, he was still rather confused. Recently, he had a fraudulent transaction occur and now, he is too scared to do anything digitally and his anxiety level goes up when he has to transact online.

I also think about those who have limited access to technology. When we offer things like vaccine bookings or vaccine passports, we had no other choice but to do so with the only digital identification that was readily available: the health card. Those who did not have access to their health cards relied on things like pop-up clinics and services that might have been offered to the homeless population. Diversity and inclusion are really important in cybersecurity not only because we need to reach customers, but because gaps can cause vulnerabilities that can be exploited by bad actors.


How are Canadian SMEs doing in terms of cybersecurity?

That is a lot to answer. One of the things that RBC did in 2021 was we conducted a survey specifically for small and medium-sized businesses in Canada, and we noticed that SMEs are becoming increasingly more cognizant and concerned about cyber security.

One of the findings from the survey was that nearly half of those surveyed anticipated becoming a victim of cybercrime in the next 12 months. More importantly, 40% of those surveyed identified that they had already been infected by a virus and malware. This means that for the first time in a long time, many businesses are ranking things such as online fraud and property damage higher in their list of priorities, showing that SMEs are highly concerned about cybersecurity. Cybersecurity threats to businesses were compounded by the fact that we raced to put digital solutions in place and adopt technology fast during the pandemic.

“86% of SMEs reported being more knowledgeable about cyber threats. 68% said they are prepared for a potential cyber threat.”

However, one of the positive trends that we have seen is that Canadians are on the right track. SMEs are changing according to the environment and paying attention to new challenges as they emerge. They are also responding to these risks with the resilience and determination that we have come to expect of Canadian organizations. 86% of SMEs reported being more knowledgeable about cyber threats. 68% said they are prepared for a potential cyber threat.

The only question is should we really expect small businesses to be cybersecurity experts on top of everything they have to manage on a daily basis? The constraints faced by businesses point to a concerning trend: 57% of business owners are handling cybersecurity themselves, 23% of them rely on in-house information technology (IT) teams and only 20% of them are outsourcing this service. It has become really important to educate small and medium-sized businesses and make them aware of the services they can leverage.

Content continues below ↓

How educated are individual Canadians on cybersecurity and what can institutions do to raise awareness on this issue?

I do not have a recent study that illustrates how educated and protected Canadians are. There are global data points that we can look at. In 2020, real or suspected threat activity increased 45% from 2019. More importantly, there were more than 37 billion data records breached across all industries globally in 2020. There was a 600% increase in phishing attacks and a 4,000% increase in ransomware attacks. From these statistics, we can extrapolate that it is vital to protect and educate Canadians.

“There needs to be an organization to help craft cybersecurity and digital privacy policies in Canada.”

In terms of institutions and academia, RBC has done a lot to bring them together. There needs to be an organization to help craft cybersecurity and digital privacy policies in Canada. RBC struck a partnership with Ryerson Leadership Lab and Rogers Cybersecure Catalyst and now we are onto the next phase of that partnership.

Together, we created the Cybersecure Policy Exchange (CPX). In the next 12 months, CPX will host a number of public engagement initiatives, convene roundtables with industry policy experts and ultimately make recommendations. It has three areas of focus: social media in Canada, the Internet of Things and devices and biometric and facial recognition technologies. Maintaining trust with our clients is critical and we need to continue to work together to keep organizations and clients safe and secure.

Governments can also start collaborating and offering decentralized identity solutions. We have seen this across provinces, specifically in Ontario, which announced in 2022 they will also be launching a digital identity service. We have to look at identity as more than just a human being – it is AI solutions and other increased automations. Identity just is not simply a person.

“We need to ensure that our cybersecurity solutions are as diverse as those we are offering them to.“

We need to ensure that our cybersecurity solutions are as diverse as those we are offering them to. Small businesses need to look at working with consumers and taking their feedback. Most importantly, we need to think about the ethical manner in which we deploy and maintain cybersecurity solutions for the future.


What needs to be done – and by who – to best protect Canadian individuals, institutions and businesses? 

Education and awareness are key. We need to grow our next generation of individuals, not only cyber individuals but business individuals who come to market, focusing on academia and institutions as we do so. Education should be the primary focus for strengthening cybersecurity. Educating people and helping them collaborate should be our priority.

One thing everybody should remember is solutions that are built for everyone should be built by everyone. If we work together across geographic and organizational boundaries to build our solutions, we will be able to learn from each other and accelerate our ability to offer rigorous and secure solutions that can help boost the Canadian economy.

Melissa Carvalho Headshot
Melissa Carvalho
VP Global Cyber Security Planning Office & Customer Enterprise Identity and Access Management - Royal Bank of Canada (RBC)

Bio: Melissa Carvalho is the Vice President of the Global Cyber Security Planning Office and Customer Enterprise Identity and Access Management at the Royal Bank of Canada (RBC). She is also an Advisory Board Member at the IT Media Group. She has worked extensively on Identity and Access Management for a variety of different corporations, including Scotiabank, TD Bank, Deloitte and more.

Organization Profile: The Royal Bank of Canada (RBC) is a Canadian multinational financial services company and the largest bank in Canada by market capitalization. The bank serves over 16 million clients and has more than 86,000 employees worldwide. Its Cyber Security Centre is dedicated to helping Canadians stay informed on the latest in cyber security insights and best practices.