Making a point: Aon says airlines, retailers need to criminal proof loyalty points

By David Paddon


TORONTO – A new report on cybersecurity trends says several industries will be on the defensive as criminals increasingly target gift cards, loyalty points and other non-cash transactions.

The 2018 Aon cybersecurity report said that the airline, retail and hospitality sectors will be under pressure to adopt more innovative ways to protect themselves and their customers from points theft.

The theft of loyalty points creates a dilemma because it’s not yet clear how they’re covered by business insurance policies, Aon Canada’s Brian Rosenbaum said Tuesday.

“The question is: Who are they stealing from? And what are they stealing?” Rosenbaum said.

If the theft is considered a loss of something owned by the points provider, it might be covered by a fairly standard commercial crime policy.

However, if the theft is considered the loss of confidential information entrusted to the company by customers or business partners, it might be covered by a cybersecurity policy – a newer but increasingly common insurance.

“And maybe it’s neither, depending on how the policies are worded,” Rosenbaum said.

The multinational advisory firm said in its 2018 cybersecurity report that many industries – including those with points programs – will be expected to prove they’ve taken every reasonable precaution to address the risk of breaches.

In Canada, that’s a very elusive standard because it’s not yet clear what needs to be done.

“Do you have to have IT continually patching your system? Do you have to have monitoring and auditing in a very significant way? … Do we need to have a bug bounty program?”

So-called bug bounties – a way to reward ethical hackers who find bugs so they can be exterminated – have been used to good effect by tech companies.

Aon’s global report predicts that airlines, retailers and hospitality companies will also add bug bounties to their arsenal of cyber defences following the lead of tech companies and financial services providers.

Rosenbaum said Canadian companies have begun making inquiries, but he doesn’t think bug bounties will become common in this country yet, and for good reason: “I think there’s bugs in the bug bounty program.”

One impediment, Rosenbaum said, is that many companies don’t want to publicize their vulnerabilities, while one of the motivations for ethical hackers is getting recognition for their accomplishment.

“My sense of it is that there has to be a better understanding of what the individuals get and the companies have to be clear about what they’re prepared to give … in order for these to be viable working relationships.”

Here are some of the trends, challenges and threats that await us all in 2018

By Joey | Security Boulevard 

We had an interesting year in 2017. If any trend is obvious, it’s that 2018 will continue to be interesting for the cybersec industry. How interesting? Here are the 18 trends that we think will be making the headlines and should be on your radar for 2018.

The Return of the Spam

In 2004 Bill Gates said that spam would be dead in two years. Over a decade later, things are still pretty bad. While we can stop more than 99.95% of spam email, it’s the very few messages that do get through that are increasingly sophisticated and prey on user vulnerability. You used to get emails focused on Viagra and reclaiming lost fortunes. Now, the spammer is more interested in having you click a malicious link, giving up your password or triggering ransomware, and then doing the real damage from there.

Are we getting more spam today than ever before? Volumes are the highest they have been in a few years. However, the spam we are getting, and the tiny amount getting through, is much more dangerous.

Continued Growth of Socially Engineered Threats

We talk a lot about this one. Social engineering is the fastest growing area in cyber crime. From Q2 to Q3 2017, there was a 74% increase in phishing attacks.

Roger Grimes suggests that nearly 100% of attacks can be attributed to unpatched software and social engineering. “A single unpatched software program has at times accounted for over 90 percent of the web-based exploits,” and the rest, save perhaps a single percent, goes to social engineering. There are predictions that Business Email Compromise (BEC) will hit $9 billion in 2018. It’s hard to know how accurate a prediction that is, but BEC is a very serious and growing threat.

The Growth in Cloud and BYOD

An interesting trend in 2017 was a shift from urgency and fear in spam messaging to more social and rewards-focused scams. With the proliferation of BYOD, mobile and remote work, scammers realize that the value is in accessing the work network, rather than an immediate smaller payoff from an individual. And by enticing you with an e-card or mail order bride, they can arouse enough curiosity via your private email to get into your business network. Watch for email and cyber security measures that will protect devices and cloud networks, not only inboxes.

In a similar vein, as businesses continue the shift to the cloud and the traditional idea of a firewall falls, businesses will look for new ways to secure their IT networks, such as email archiving solutions, encryption, URL defense, mobile defense and… training! The growing diversity in how and where employees access networks demands strong awareness and training with a people-first approach.


The last year saw several big ransomware attacks make headlines. Most of their damage was in reputation, legal cost and confidence in the institutions (though the scammers made their own pay). Two interesting drivers of this growth are RaaS (ransomware as a service), through which unskilled cybercriminals can launch attacks, and a growing underground economy.

Ransomware is also growing in concert with phishing and social engineering, both big trends we are watching in 2018. It will also be interesting to see how cryptocurrency valuations impact ransomware growth.

Blockchain Security

Speaking of cryptocurrency, there has already been significant investment in blockchain as a security technology. Guardtime, out of Estonia, claims to be the largest blockchain company by revenues (perhaps before the most recent sharp surge in cryptocurrency valuations), and has secured all of Estonia’s medical records using blockchain tech. Blockchain has the potential to eliminate passwords, provide advanced encryption, and create tamper-proof infrastructure. This will be a fascinating area to watch in 2018.


Government should play a big role in the internet in 2018. Besides net neutrality and data privacy rights, in the EU the GDPR comes into effect in 2018. This will dramatically affect the data policies of multinationals operating in the EU.

After Uber’s second data breach and lengthy delay in disclosure, it is only fair to expect the US to follow suit at some point and create a national legal framework. Then again, they have a lot on their plate at the moment (and it looks only to be getting busier). National legislation will help companies react more sensibly after attacks.

AI in Response to Social Engineering Attacks

A lot of the hope in curbing some of the email and cyber risk is being placed on AI and Machine Learning. Ideally, we can reach a “singularity-like moment” where our algorithms get so advanced that any attempted scam or attack is known well in advance. It’s very challenging – because social engineering and targeted phishing are where the challenge lies. Human error is probably the biggest source of risk today. Can AI stop human error? Here’s hoping.

Domain Spoofing and Suspicious Domain Registrations

Proofpoint’s 2017 Q3 threat report noted an alarming 20-to-1 ratio of suspicious domain registrations to defensive registrations, as suspicious domain registrations grew by 20%. There are a lot of frightening numbers in there. They found malicious URLs up 2,200% in Q3, year over year.

There’s a lot in there to be frightened about; perhaps brands believe they have covered their defensive bases. Perhaps as detection of malicious and spoofed URLs becomes faster and they are taken offline earlier, scammers are being forced to do more work (or find more ways to effectively automate it). Either way, spoofing and malicious URLs will be a serious threat for those unprotected – and will certainly make headlines in 2018 for the wrong reasons.

Data borders: Kaspersky, China, GDPR

2017 was an interesting year in cross border cyber security. Kaspersky got banned from UK government systems where sensitive information is present. And then late in the year Trump approved a federal ban on Kaspersky.

There are questions as to whether they worked with or were compromised by the Russian government – at the bare minimum it appears that sensitive data, such as data from the NSA, was being stored in Russia.

Along with other legislation, we expect more governments to begin looking at companies that export your data out of its country of origin. “Data localism,” or keeping data in local data centers, is already in place in Russia, China and Brazil.

Breach disclosure and other local requirements are also going to be a big concern in 2018. While data protection is a fast growing concern for many enterprises, the way in which disclosure requirements, “rights to be forgotten” and other legal requirements around data evolve will most likely be determined in 2018.

Cyber Warfare

We probably haven’t seen anything yet. Between apparent Russian meddling overseas, an expanding Chinese sphere of influence, and constant media reporting that the United States is on the brink of war with North Korea, who knows what kind of Cyber Warfare may break out, or what role it will play in more “kinetic” conflicts featuring drones, advanced missile systems, naval warfare and more. Of course, we could already be in the midst of this, with WannaCry apparently being sourced to North Korea.

Industry Specific Attacks

Scammers are increasingly targeting their attacks based on where the largest payout lies. These payouts are two-fold. The first is the single payout: finding large and accessible financial transactions. The second is the value of data.

The financial industry and heavy industrials have the large payouts and transfers of funds. The health industry has very valuable data. These industries will continue to see increasing numbers of attacks.

We’ve written extensively on health and security in 2017. We expect this trend to continue through 2018. One group claimed that the majority of email purporting to come from a healthcare provider was fraudulent! All the while, among companies with over $1 billion in revenue, DMARC was properly used by 2% of companies!

Speaking of DMARC

While it might not be perfect, it is going to see mainstream adoption in 2018. It still has seen very low adoption rates in industries like banking, and when it is implemented, there are still often errors in implementation.

Quantum Computing

Long shot here, but could quantum computing be the savior of the industry? The simplest way I see this: if you could make many times the calculations, wouldn’t that mean more attacks would be caught sooner? This will dramatically impact the development of AI (machine learning) and also speed up blockchain capabilities, all linked closely to the future of cybersecurity.

Hacked Therapy

Being hacked is a form of abuse. The trauma can have serious negative impacts on its victims. Leaked private pictures. Destroyed credit ratings. All kinds of privacy invasion. 2017 saw what might have been the first conference “supporting victims of cyber crime”. The trauma is enduring. Expect this conversation around cyber crime and mental health to become more prominent.

IoT Botnet Strike Disaster Looming?

IoT has long been discussed as a risk. Now it seems that botnets could be hiding on your connected devices. Mirai was one such example – a big reason being the use of default settings. It doesn’t appear that botnets are going anywhere just yet.

Biometric Authentication Compromise

Could the trend to biometric authentication result in a major breach? With iPhone and Samsung both experimenting with and launching biometric authentication tools, there’s a lot of risk to be explored. Your partner or the person sitting next to you during a flight may not gain information relevant to your employer, but what are the limits? Could a major breach occur if a socially engineered attack was able to work beyond the constraints of biometric authentication? We might find out soon.

Simplifying Security

The complex technical environment that the security industry has known can make it seem pretty serious. While security skills are no longer limited to specialists, much of the available information about security is dense and technical, possibly putting off many of the users whom organizations need to “know their stuff”. The reality of training and awareness is that we have to find the weakest links in the security chain and upgrade (no pun intended) their stack (no pun intended). People need plain-English information on security. It’s imperative that, as an industry, we communicate in plain English and ensure awareness – to avoid human error as much as possible.

The Clearer Business Case

It’s not always clear how to calculate a cost benefit on email security. “while 85 percent of firms believe that the economic costs from cyber attacks will increase in the coming year, only 23 percent have adopted a strategic plan to address business risks”. In the near future, any BCDR or security contingency will be based on a risk assessment, much like an insurance policy.

That’s the gist of it.

We aren’t going to be bold in our predictions. Though perhaps one last bonus one is in order. We’ll go out on a limb and say that if you are reading this, your company is better off. You’ll probably take steps to invest in your cyber and email security – if you haven’t already. The fact that you’ve read to this point makes you aware. And for that, we believe that your 2018 will be a safe and happy year!


Read more great articles like this one at: Security Boulevard 

Co-operators: New business insurance coverage provides privacy breach protection

To help protect companies from the rapidly growing threat of privacy breach, Co-operators General Insurance Company introduced a new product today that provides insurance coverage and risk management solutions for Canadian businesses. The coverage complements commercial insurance policies and is designed not only to cover costs associated with a breach and the resulting liability, but also to provide expert loss prevention advice and support in effectively responding and recovering from such an incident.

The new Privacy Breach product provides two distinct coverage offerings to meet the changing needs of small and medium companies.

“Cyber criminals are continually devising new ways to access personal data online, and virtually every business in Canada is at risk. As large companies improve their data security, cyber criminals look for easier targets, putting small and medium businesses at greater risk,” said Rob Wesseling, president and CEO of The Co-operators. “Having good data security measures can reduce the risk of privacy breach, but no company can eliminate it altogether. We are committed to helping to protect Canadian businesses, and our privacy breach coverage provides the resources and coverage to help them before, during and after a breach.”

Privacy Breach Expense covers costs of responding to and mitigating the impact of a privacy breach. Privacy Breach Liability covers the amounts a company is deemed legally liable for, as a result of a breach. The product also provides clients with access to CyberScout, a leading provider of preventative education, proactive protection services and incident remediation support, to help reduce companies’ risk and effectively respond in the event of a privacy breach.

A privacy breach is an incident resulting in improper or unauthorized access, collection, use or disclosure of sensitive or protected personal information. Some of the most common privacy breaches occur when personal information is stolen, lost or mistakenly shared. Such incidents can do serious harm to a company, including reputational damage, lost revenue, significant legal expenses and fines. A recent study by Juniper Research predicted that criminal data breaches will cost businesses a total of $8 trillion globally over the next five years.

The new Privacy Breach coverage is available from Co-operators advisors across the country.

About The Co-operators:
The Co-operators Group Limited is a Canadian co-operative with more than $48 billion in assets under administration. Through its group of companies it offers home, auto, life, group, travel, commercial and farm insurance, as well as investment products.

The Co-operators is well known for its community involvement and its commitment to sustainability. The Co-operators is listed among the Best Employers in Canada by Aon Hewitt and Corporate Knights’ Best 50 Corporate Citizens in Canada. For more information, visit

SOURCE The Co-operators

How the cyberattack on Equifax unfolded and the fall out that followed

Months after hackers gained access to the personal data of millions of American, Canadian and U.K. consumers through Equifax’s website, the company disclosed the massive cyberattack to the public.

It now faces multiple investigations and lawsuits in Canada and south of the border, while its shares have fallen more than 30 per cent in less than two weeks.

Here is a look at how one of the largest cyber attacks in history unfolded and the fall out that followed:

_ _ _ _

Early March: The United States Computer Emergency Readiness Team detects and discloses a vulnerability in Apache Struts, a widely used web-application software product.

_ _ _ _

May 13 to July 30: Hackers have unauthorized access to Equifax Inc.’s files.

The company later says the hackers gained access through the vulnerability in Apache Struts, which supports Equifax’s online dispute portal web application.

_ _ _ _

July 29: Equifax’s security team observes suspicious network traffic on a U.S. online dispute portal web application. The company’s security team blocks the identified suspicious traffic.

The company says in later communication that it “acted immediately to stop the intrusion.”

_ _ _ _

July 30: The same team observes more suspicious activity and the company takes the affected web application offline.

_ _ _ _

Aug. 2: Equifax contacts cybersecurity firm Mandiant, which spends several weeks conducting a forensic review.

_ _ _ _

Sept. 7: Equifax publicly discloses the cyberattack for the first time, saying it may have compromised the personal data of up to 143 million Americans. The company adds that an unspecified number of U.K. and Canadian consumers also may have been impacted.

On a website for affected U.S. consumers, Equifax explains that the complex and time-consuming investigation is behind the delay between its discovery of the breach and disclosing it.

“As soon as we had enough information to begin notification, we took appropriate steps to do so,” the company says.

_ _ _ _

Sept. 12: An Ontario resident files a proposed class action in the province, seeking $550 million in damages from Equifax, according to Toronto-based law firm Sotos LLP. It is one of at least two proposed class action lawsuits filed in Canada against the credit monitoring company.

_ _ _ _

Sept. 14: The Federal Trade Commission says it is opening an investigation into the hack.

The chairmen of two congressional committees say in a letter to Equifax CEO Richard Smith that they are investigating the breach and ask for a slew of documents and a company briefing by Sept. 28.

_ _ _ _

Sept. 15: The Office of the Privacy Commissioner of Canada launches an investigation into the breach.

Equifax says fewer than 400,000 U.K. consumers had some of their personal information compromised, but the exposure was more limited in scope and unlikely to lead to identity theft.

The company says its chief information officer and chief security officer are retiring. Both are replaced with internal employees on an interim basis effective immediately.

_ _ _ _

Sept. 19: Equifax says about 100,000 Canadian consumers may have had their personal information and credit card details compromised in the cyber attack. The breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.

Later that day, Equifax revealed that it also had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.

The breach involved TALX, which is Equifax’s human resources and payroll service. The company said there’s no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.


Oct. 2: Equifax provides an update saying a completed review determined that personal information of approximately 8,000 Canadian consumers was impacted, down from its original estimate of 100,000.

However, it said the review added about 2.5 million Americans to the list of those affected by the massive cyberattack, bringing the total number of people in the U.S. potentially impacted to 145.5 million.

Know the Odds: The Cost of a Data Breach in 2017

Source: Security Intelligence: Larry Ponemon & Wendi Whitmore

We’ve all heard that when it comes to experiencing a data breach, the question is not if it will happen, but when. You may be wondering about the actual odds of it happening to your organization.

Think about it this way: The chances of being struck by lightning this year are 1 in 960,000. When it comes to experiencing a data breach, according to the Ponemon Institute’s “2017 Cost of Data Breach Study: Global Overview,” the odds are as high as 1 in 4. Therefore, organizations must understand the probability of being attacked, how it affects them and, even more importantly, which factors can reduce or increase the impact and cost of a data breach.

Rapid Response Drives Down the Cost of a Data Breach

Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 12th annual “Cost of Data Breach Study” is out. The findings revealed that the average total cost of a data breach is $3.62 million in 2017, a decrease of 10 percent over last year. Additionally, the global average cost per record for this year’s report is $141, which represents a decrease of 11.4 percent over last year.

Despite the reduction in cost, the average size of a data breach increased by 1.8 percent to 24,089 records. The factors that drive the cost of a data breach vary by country and by the IT initiatives underway.

The good news is that organizations can take measures to minimize cost and impact. The 2017 “Cost of Data Breach Study” found that having access to an internal or outsourced incident response team has been the top cost-reducing factor for three years running. An incident response team typically accelerates the time frame in which security events can be contained, which is a significant factor in reducing the overall cost of a breach.

The IBM X-Force Incident Response and Intelligence Services (IRIS) team specializes in providing incident response planning, program development, remediation and threat intelligence to clients in over 133 countries. The team has experience responding to and helping to contain many of the largest data breaches in the world.

Five Steps to Accelerate Your Incident Response

Listed below are five additional tips to help accelerate your organization’s response to a breach.

  1. Speed to respond is critical. The more quickly you can identify what’s happened, what the attacker has access to, and how to contain and remove that access, the more successful you will be.
  2. Set up retainers in advance. In the event of a breach, an experienced team of incident response experts can help you quickly identify and contain the attack, and minimize costly delays.
  3. Access the data needed to answer investigative questions. Be prepared to provide responders with logs and tools to help them understand what happened. For example, what did the attackers access and what did they copy or remove from your environment?
  4. Mitigate the attacker’s access quickly. Plan with the IT staff in advance to understand how to be effective and efficient in a crisis. Consider the following:
    1. How to execute an enterprise-wide password reset quickly;
    2. How to reset your service accounts; and
    3. How many of your service accounts have domain administrator credentials.
  5. Establish an internal communications plan. If you have to shut down parts of your environment or reset thousands of users’ passwords, your employees will have a lot of questions. This speculation can have critical ramifications, so it’s important to document a plan to ensure that your employees understand what they can and cannot share publicly.
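One way to answer the third planning question under step 4 before an incident, so the service-account reset list already exists when responders ask for it. This is an added example, not code from the article or from IBM's IRIS team; it assumes the RSAT ActiveDirectory module, a domain-joined session with ordinary read access, and a heuristic definition of "service account" (a registered SPN, a group managed service account object class, or an "svc" naming prefix).

```powershell
# Added example (not from the article): list Domain Admins members that look like
# service accounts, with the password facts a responder needs when resetting them.
# Assumptions: RSAT ActiveDirectory module installed; read access to the domain;
# the SPN / gMSA / "svc" prefix heuristic below matches your naming conventions.
Import-Module ActiveDirectory

function Get-ServiceAccountDomainAdmins {
    param(
        [string]$Group = 'Domain Admins',
        [string]$ServicePrefix = 'svc'
    )

    # -Recursive expands nested groups, which is where surprise members hide.
    $members = Get-ADGroupMember -Identity $Group -Recursive

    foreach ($m in $members) {
        # Get-ADObject works for both user objects and group managed service accounts.
        $o = Get-ADObject -Identity $m.distinguishedName -Properties `
                sAMAccountName, servicePrincipalName, pwdLastSet, userAccountControl, objectClass

        $hasSpn       = ($o.servicePrincipalName | Measure-Object).Count -gt 0
        $isGmsa       = $o.objectClass -eq 'msDS-GroupManagedServiceAccount'
        $byName       = $o.sAMAccountName -like "$ServicePrefix*"
        $disabled     = ($o.userAccountControl -band 0x2) -ne 0       # ACCOUNTDISABLE
        $neverExpires = ($o.userAccountControl -band 0x10000) -ne 0   # DONT_EXPIRE_PASSWORD

        [pscustomobject]@{
            SamAccountName       = $o.sAMAccountName
            ObjectClass          = $o.objectClass
            LooksLikeService     = ($hasSpn -or $isGmsa -or $byName)
            HasSPN               = $hasSpn
            Disabled             = $disabled
            PasswordNeverExpires = $neverExpires
            # pwdLastSet is a FILETIME; 0 means the password was never set.
            PasswordLastSet      = if ($o.pwdLastSet) { [DateTime]::FromFileTime($o.pwdLastSet) } else { $null }
        }
    }
}

$all     = @(Get-ServiceAccountDomainAdmins)
$service = @($all | Where-Object LooksLikeService)

"{0} of {1} 'Domain Admins' members look like service accounts" -f $service.Count, $all.Count
# Oldest passwords first: these are the ones most in need of a planned rotation.
$service | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Accounts that show PasswordNeverExpires with a stale PasswordLastSet are the ones whose reset procedure should be rehearsed with IT in advance, since they usually have dependent services that break on an unplanned change.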
Insurance a second line of defence against cyberattack losses

DAVID ISRAELSON | The Globe and Mail

Even if small or medium-sized businesses do everything to protect themselves against hackers, they may want to consider a second line of defence – cyberliability insurance.

It’s relatively new, but it’s a growing area for insurance companies. And with the advent of worldwide threats such as the recent WannaCry ransomware virus, it is suddenly a more urgent consideration than ever.

“We haven’t had a lot of requests so far, but it’s a huge field,” says Mark Lipman, president of Consolidated Insurance Brokers Ltd. in Toronto.

By the end of last year, the worldwide market for cyberinsurance was about $3-billion (U.S.), according to a report from Allied Market Research of Portland.

The market is expected to grow year over year by 28 per cent and reach $14-billion in gross premiums by 2022, Allied’s report says.

Mr. Lipman says that, to date, the SMBs his brokerage deals with tend to add on a small amount of cyber-related coverage to their standard commercial policies.

“It’s usually around $25,000 in coverage – which costs an extra $100 on a $1,000 commercial policy,” he says.

Mr. Lipman adds that his firm recommends that SMBs boost their coverage, because of the ever-growing risk of cyberattacks. “We put it [a recommendation] in all the letters we send, either to take coverage or to increase it.”

While this may sound like a self-serving sales pitch by insurers, trends and statistics suggest that the threat of attacks on SMBs is not only real, but also growing fast.

“Cybersecurity insurance is becoming a must-have for most businesses. There is simply no way for an organization to be completely protected from a breach,” says Rohit Sethi, chief security officer for Security Compass, a Toronto-headquartered firm that provides tech-based protection for corporate data.

“This is especially true for SMBs who rarely have security teams on staff and can scarcely afford many leading-edge security solutions. Insurance helps mitigate the financial impact to any company, but every business should treat it as an additional safeguard,” he says.

Small businesses appear to be growing targets for phishers, spear-phishers and cyber-ransomers. A report by security firm Symantec noted in 2014 that attackers targeted small businesses 34 per cent of the time – an increase from 11 per cent just three years before.

Lawyer Lisa Lifshitz, a partner at Toronto firm Torkin Manes LLP, says it has been estimated that criminals launch 3.5 new digital threats against SMBs every second.

Writing in Canadian Lawyer magazine, she said that, “29 per cent of all small businesses have experienced a computer-based attack that affected their reputations, involved the theft of business information, resulted in the loss of customers or experienced network and data centre downtime.”

While any SMB can be a cybercriminal’s target and suffer damage, the risk goes up if the business’s data is ultrasensitive. Since 2014, LawPro, the mandatory insurance program covering Ontario-based lawyers, has included coverage for up to $250,000 for cybercrime.

This coverage is “modest” for firms whose data can easily be compromised in, say, a $1-million residential real-estate deal. “We say modest because, like the fraud risks the profession has faced over the years, there is no way to predict the total possible exposure,” LawPro says.

Lawyers (and others) should always look to what’s covered and what’s not covered in their cyberpolicies, says Addison Cameron-Huff, a Toronto-based tech lawyer. “The interesting part of every policy is the exclusions,” he says.

Indeed, LawPro cautions its lawyer policy holders to “remember that any losses from cybercrime that are not connected with the provision of legal services will not be covered … [such as] damage to equipment or software, business interruption and reputational harm.”

Lawyers, and any other SMBs, can buy coverage that either pays out more or includes more possible types of losses. But it’s buyer beware, Ms. Lifshitz warns.

“Every insurance company deals with coverage differently. There are always going to be carve-outs” for situations that insurers won’t cover, she says.

Speaking in an interview, Ms. Lifshitz adds that insurance companies will do their own due diligence of SMBs before offering coverage. It’s the equivalent of having an inspector come to your house to see whether you have railings and fire alarms before you get home coverage.

If a smaller entity hasn’t taken the steps to become cyberinsurance ready, they’re not going to get coverage, she says.

The Insurance Bureau of Canada has published a checklist for businesses looking for cyberinsurance. These businesses should ask themselves:

– How many records with personal information does your company keep?

– How much sensitive commercial information do you keep?

– What security do you have in place that might reduce your insurance premium?

– Do you need to encrypt all your laptops, phones and tablets?

– Do any third parties you deal with have unencrypted media?

– Would you be able to make a claim on the policy you choose even if you haven’t discovered a breach for several months or years?
