
Is Your Business Prepared for Cyber Threats? Iron Spear Can Help

Sponsored by:

Robust cybersecurity programs and resilience strategies are essential for today’s businesses, as cyber threats continue to evolve and to impact critical operations.

According to a 2022 survey by the Canadian Federation of Independent Business, nearly half of small businesses (45 percent) had experienced a random cyberattack in the past year, and 27 percent had experienced a targeted attack. Cybersecurity is a critical concern for Canadian organizations. Cyberattacks, data breaches, malware, supply chain attacks, IoT vulnerabilities, and other risks can be existential for many businesses, potentially putting them out of business entirely.


A robust, structured cybersecurity program is essential to mitigate these threats, safeguard data, maintain operational continuity, and protect a company’s reputation. But not all cybersecurity programs are created equal, and neither are all cybersecurity providers.

That’s where Iron Spear Information Security Ltd. comes in. As a specialized cybersecurity advisory firm, Iron Spear provides tailored solutions for businesses looking to enhance their security compliance, conduct control testing, or develop and operate cybersecurity programs.

Mediaplanet chatted with Jason Grimbeek, CEO at Iron Spear Information Security Ltd., and Drew Carmichael, Iron Spear’s Vice-President of Cybersecurity, to learn more about cybersecurity programs, assessing cyber risk in supply chains, cyber resilience, and more.

What initially inspired Iron Spear’s focus on cybersecurity programs and why are these programs critical for businesses today?

Jason Grimbeek: I started Iron Spear 12 years ago to transform businesses toward proactive cyber practices, rather than just reacting to audit reports. A structured cyber program eliminates disjointed, ad hoc approaches. Vendors often sell flashy tools that promise everything, but companies still get breached because they’re not taking a programmatic approach. A well-formed program aligned to industry standards must span the whole enterprise and be measurable. Companies are now realizing that this is what executives and boards need.

Drew Carmichael: This is the evolution of cyber from a side activity to a business enabler. An organization with a well-formed cyber program can be seen as a leader in their industry. It’s not just an overhead activity now — it’s a differentiator that makes them better than their competition.

How do you see the role of cybersecurity evolving in relation to supply chain cyber risks?

DC: COVID and other events have really shown us how dependent we are on global supply chains, and this extends to the digital world. Organizations are realizing they can outsource various IT functions but not the risks those functions introduce. It’s crucial to understand these risks, whether through monitoring service providers or creating legal frameworks to hold them accountable. Being more rigorous in managing third-party relationships is key.

JG: It’s not just about incoming supply chains. We also need to consider downstream impacts. We must ensure our cyber practices don’t negatively affect our partners and clients. A well-managed supply chain includes demonstrating good cybersecurity practices both upstream and downstream.

How do you approach understanding a company’s unique cyber risk profile?

DC: Risk management is about understanding the value of your assets, the potential threats, and how well you’re equipped to stop those threats. Iron Spear helps companies by performing maturity assessments, evaluating companies’ cybersecurity programs against common frameworks like ISO 27000 or NIST. This helps organizations understand their risk tolerance and take steps to mitigate risks where necessary.

Are most companies prepared for the cybersecurity risks associated with industrial automation and IoT?

JG: The biggest issue with industrial automation and operational technology (OT) is resistance to change. These systems are old, reliable, and typically isolated from the rest of IT, so the engineers running them don’t want to change. But as businesses evolve, they need real-time data, which requires interconnectivity between automation and IT — and that brings new cybersecurity risks. There’s people resistance, especially from those who’ve been doing the same job for decades. But the evolution is happening.

DC: The irony is that OT, which controls critical infrastructure like power and water, is more risky than conventional IT. Yet the rigor applied to securing OT is often outdated. While many people are working hard to secure it, the mindset remains, “If it’s not broke, don’t fix it.”

JG: In one test, we broke into a Samsung smart TV and used it to access the rest of the organization. No one expected the TV to be the weak link.

Can you talk about the concept of cyber resilience and why efficient recovery is the best defence?

JG: Cyber resilience is like having a pump on a boat — ready to handle water if it leaks. No company is 100 percent secure, and breaches are common. The more prepared you are, the faster you can recover and the less impact it’ll have on your organization. Companies need more than just an incident response plan — they need a full resilience plan, including a business impact assessment, cyber response plan, business continuity plan, and disaster recovery plan.

DC: And it’s not just about designing the plan, but also testing it. At Iron Spear, we run tabletop exercises to build muscle memory for responding to incidents. This helps our clients understand their roles and decision-making rights during a cyber event, ensuring a quick return to operations, which is the core of resilience.


Visit ironspear.ca to learn more and start securing your organization today.
