Aon announced the acquisition of Cytelligence Inc, a Canadian-based cyber security firm

The acquisition combines Aon’s industry-leading investment in cyber security with Cytelligence’s unique technical expertise in incident response and digital forensics services to strengthen Aon’s cyber security client value proposition 

CHICAGO, Feb. 4, 2020 /CNW/ — Aon plc (NYSE: AON), a leading global professional services firm providing a broad range of risk, retirement and health solutions, announced today the acquisition of Cytelligence Inc, a Canadian-based cyber security firm that provides incident response advisory, digital forensic expertise, security consulting services and cyber security training for employees to help organizations respond to cyber security threats and strengthen their security position.

The acquisition will help Aon expand its current coverages within the cyber market at a time when cyber claims are almost doubling year-over-year. The 2019 Cybersecurity Almanac published by Cisco and Cybersecurity Ventures predicts that cyber events will cost $6 trillion annually by 2021, as companies are digitizing most of their processes and are often operating remotely. Global cyber insurance premiums are expected to grow from $4 billion in 2018 to $20 billion by 2025. According to Aon’s 2019 Global Risk Management Survey, cyber-attacks were identified as a top ten risk facing organizations and are predicted to be one of the top three risks for organizations in 2022.

“As the number of network intrusions, data breaches, ransomware attacks, and similar threats continues to increase in both frequency and severity, expertise in cyber incident response becomes critical to organizations and insurance companies,” said J Hogg, CEO of Aon’s Cyber Solutions. “The Cytelligence team are deep experts in cyber incident response, ransomware mitigation, and cyber security training for employees, which will help cement our position in both North America and globally as an industry leader.”

Cytelligence will join the growing portfolio of Aon’s Cyber Solutions, which combines digital risk management services, security services, professional risk solutions, and a global risk consulting practice. This acquisition enhances Aon’s 2016 acquisition of Stroz Friedberg and now allows Aon’s Cyber Solutions to offer an even more holistic portfolio of services to clients from proactive security services, to incident response, to risk quantification and insurance broking.

“Together, we will deliver complete proactive solutions from risk assessment, cyber risk policy underwriting to secure insurance coverage to protect critical assets, to cyber breach response, effective and efficient cyber incident remediation, meticulous data collection and data preservation,” said Daniel Tobok, CEO of Cytelligence. “Put simply, everything that is connected to the internet can be compromised. Proactive companies and their Boards are preparing now with proactive actions with penetration testing, vulnerability assessments, security audits, and training of their employees.”

Cytelligence has offices in Toronto, Ottawa, New York, San Francisco and Miami. The firm employs professionals in cyber security and education, investigations, and forensic analytics. The firm was founded in June 2016.

Mr. Tobok will join Aon as the Canadian President, Aon’s Cyber Solutions.

About Aon
Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

About Cytelligence
Cytelligence is a leading international cyber security boutique with deep expertise in Cyber Breach Response, Cyber Breach Investigations, and Digital Forensics. We are known for our technique: well planned, well executed and detail-oriented engagements. Our Offensive Security Consulting includes: Penetration Testing, Vulnerability Assessments, Security Audits, and Secure Development Lifecycle Management, including code reviews.

SOURCE Aon plc

Cybersecurity in Canada 2019: It was an ‘awesome’ year for attackers

By IT World Canada

No country is immune from cyber attacks. But 2019 saw Canadian organizations victimized like never before.

Arguably the worst breach — not only in 2019 but one of the worst in Canadian history — was the theft of personal information on 15 million people in Ontario and B.C. held by medical test laboratory LifeLabs. This data included patient names, addresses, email addresses, login passwords, dates of birth, health card numbers and in some cases lab test results.

The second worst breach was the theft by a suspected employee of information on all 4.2 personal banking customers in Quebec and Ontario of the Desjardins credit union.

Copied were names, addresses, birthdates, social insurance numbers, email addresses and information about transaction habits. Not stolen were passwords, identification questions or secret codes.

While more people were victims of the 2015 hack of Toronto-based dating site Ashley Madison, it isn’t a financial or health institution and subscribers didn’t have to give real names.

Getting a handle on how many data breaches there are in this country is getting better now that most organizations have to report them to the Office of the Federal Privacy Commissioner (OPC).

In November the OPC estimated the personal information of 28 million Canadians had been exposed in the first 12 months of mandatory reporting — and that didn’t include the LifeLabs breach.

Small wonder Ed Dubrovsky, managing director for incident response at Toronto-based Cytelligence, said “unfortunately it’s been an amazing year” — for attackers.

Among the publicly-reported incidents

  • Attacks through suppliers were responsible for many incidents. Freedom Mobile blamed a third party for hosting an unprotected database with personal and credit card information on thousands of the wireless carrier’s subscribers on the Internet. TransUnion Canada said attackers compromised a Winnipeg leasing company to get access to personal information on some 37,000 Canadians held by the credit reporting agency; Verizon’s annual Data Breach Investigations Report on thousands of incidents around the world, noted that 21 per cent of data breaches are caused by errors, either by employees or third parties;
  • Questions were raised about the dealings of some organizations with suppliers. In December the city of Hamilton, Ont., notified residents of a potential disclosure of their personal information through Alectra Utilities, which provides water billing service for the municipality. According to a news report an India-based subcontractor to Alectra had access to customer data it held, and there may have been other subcontractors whose staff could also see personal data. The incident raised questions of consent;
  • Nova Scotia’s privacy commissioner blamed the government for not doing enough security testing before making a new provincial Freedom of Information website live, allowing two people to hack the site in 2018 and make off with 7,000 documents including personal information of 740 people;
  • Think small businesses won’t be attacked? Consider our report on a Halifax vegan restaurant whose Facebook page was defaced.

Among other newsworthy events in 2019

  • The U.S. increased pressure on Canada not to allow Canadian wireless carriers to buy wireless network equipment from Chinese manufacturer Huawei for security reasons. A decision will likely be tied to the outcome of a Vancouver extradition hearing for Huawei’s CFO and the detention by China of two Canadians;
  • A Bank of Canada executive was among many experts urging organizations to collaborate more on cyber best practices and threat information. In a related move the Canadian Cyber Threat Exchange (CCTX) lowered fees for public sector agencies;
  • To help improve the security maturity of small and medium-sized businesses the federal government launched a cyber certification program. The hope is it will also increase public confidence in Canadian firms selling products online.

Dubrovsky sees some complacency in the attitude of Canadians and organizations. “We’re just accepting this is a risk,” as a result of the almost daily stories of breaches. “Unfortunately I don’t think there’s enough being done, still” by IT departments. “We don’t understand the threat actors are also ramping up both the damage they’re causing and the monetary demands.”

Source: IT World Canada

New Geneva Association & IFTRIP task force to address emerging cyber terror risks

The Geneva Association is launching a joint task force on cyber terrorism and cyber warfare with the International Forum of Terrorism Risk Reinsurance and Insurance Pools (IFTRIP). The special-purpose task force aims to conduct research on cyber terrorism risks across the re/insurance industry. Its initial findings will be published in mid-2020.

The launch of this new task force was announced at the IFTRIP 2019 International Conference in Brussels, Belgium. It will be led by Rachel Anne Carter, the Geneva Association’s Director of Cyber, supported by Julian Enoizi, CEO of Pool Re and Christopher Wallace, CEO of Australian Reinsurance Pool Corporation and president of IFTRIP.

TransUnion says data on 37,000 Canadians may have been compromised

TransUnion says someone fraudulently accessed data using a customer’s login credentials

The personal information of about 37,000 Canadians held by TransUnion may have been compromised this past summer, leaving both of Canada’s credit monitoring agencies with data blemishes on their record.

The TransUnion incident is much more limited than the high-profile data hack at credit monitoring agency Equifax Inc. in 2017, which exposed the information of 147 million people, including about 19,000 Canadians.

TransUnion said in a statement Wednesday that someone fraudulently accessed its data through the use of one of its business customer’s login credentials between June and July.

Company spokesperson David Blumberg said that while the investigation is ongoing, the company maintains that the fraudulent login was not a failure of its systems.

“The unauthorized access was not the result of a breach or failure of TransUnion’s systems or our customer’s system,” he said.

Canadian Western Bank (CWB) confirmed that the credit report data was accessed through an account at its leasing division.

“In August, we learned that CWB National Leasing’s account was illegally used by an unauthorized third party to perform unauthorized credit checks,” said company spokesperson Maya Filipovic.

She said no personal information held by CWB National Leasing was taken, disclosed or misused in any way.

Type of personal information accessed

TransUnion did not disclose what kind of personal information was compromised by the fraudulent login.

A credit check by a bank or lender could give access to an individual’s name, date of birth, current and former addresses, information on existing credit and loan obligations, credit repayment history and potentially their social insurance number.

TransUnion said it learned of the breach in August and has notified those whose information may have been accessed as well as the privacy commissioners.

The incident is the latest of numerous data breaches in recent years, including the Equifax breach. More recently, Capital One said in July that data of six million Canadians was hacked, including about a million social insurance numbers. Desjardins said in June that the data of about 2.7 million accounts was hit with a breach.

The problem is that no system is foolproof, said Hasan Cavusoglu, an associate professor of management information systems at the UBC Sauder School of Business.

“The reality is this is a moving target. Organizations are every day exposed to new type of attack vectors, new kinds of threat actors.”

He said customers have little choice but to have their data held with TransUnion and Equifax.

“As long as you do some kind of transaction, your data will inevitably fall into these companies.”

The two credit monitoring agencies collect a variety of financial data to help banks and other lenders figure out how reliably a customer might pay them back. The model means the agencies want to collect as much information as possible to clearly represent someone’s credit worthiness, said Cavusoglu.

While breaches are impossible to rule out entirely, major financial institutions like credit agencies have significant incentives to keep the data safe, he said.

“Reputational damage as a result of these kinds of attacks is tremendous, let alone other kind of maybe regulatory sort of penalties as well as some legal costs associated with it. So they don’t want that reputational damage.”

Chicago-based TransUnion continues to look for ways to strengthen its defences against unauthorized access of any kind, and supports customers in efforts to protect their data, Blumberg said.

Dispelling 5 Common Cybersecurity Myths

There’s a lot of existing advice and information on cybersecurity out there, but don’t fall victim to any of these common misconceptions that give you a false sense of security.

Myth #1 – All your vendors maintain appropriate security controls

The reality is, your organization’s security is only as strong as your weakest vendor. Vendors can create unforeseen vulnerabilities by not adhering to their own policies. When you first contracted with a vendor, their cybersecurity controls may have been sufficient, but are they continuing to comply with and update them in response to the changing cybersecurity landscape? In the past, each cyberattack would be looked at individually, but now they’re being linked together, creating a domino effect. Many of the large breaches we’ve all heard about can be attributed to a hacker compromising a vendor and leveraging that access to pivot and attack the vendor’s customers. Make sure you’re checking in quarterly or annually to ensure that your partner’s policies and procedures are up to date, reflect current practices and are being followed. Additionally, request that they provide a copy of their cyber insurance policy.

Myth #2 – Cloud services have built-in cyber protections

Almost every company utilizes cloud services in one form or another. The security team for a cloud service company is on the front lines of the internet’s most critical information security issues and their domain continues to expand. Cloud services have responded by operating within a shared security model. The cloud service company controls the physical servers through to the configuration level that is accessible to users. The user retains responsibility for the actual data and services that are being run on the virtual server, unless otherwise stated in your contract. It’s essential that organizations thoroughly understand their responsibilities and how to best leverage the provided security features to ensure they’re taking necessary precautions to avoid an incident. A hybrid security plan that takes into account both on premise and cloud systems is critical.

Myth #3 – It’s possible to predict the next big cyber attack

Today’s headlines are full of cyber breaches that impact not only the companies that experienced the breach, but their customers and beyond. Though there’s a lot of dialogue around the devices, companies and systems that could potentially be attacked, there is no way to predict exactly when or where the next large-scale attack will occur. This is very similar to thinking we can predict earthquakes; despite monitoring seismic activity for patterns, there is no way to predict exactly when and where the next “big one” will occur. So how should businesses and consumers prepare for a cyberattack? If you lived in an earthquake-prone area you would purchase a house that is built to code, have emergency supplies and have earthquake insurance. Prepping for a cyber event is no different; you take precautions and put controls in place to mitigate your risk and reduce impact. Precautions include purchasing cyber insurance, implementing an effective cybersecurity program and developing incident response, business continuity, and disaster recovery plans. Insurance provides the peace of mind needed in the event of an attack and the support to help you get back up and running while reducing financial impact.

Myth #4 – What worked in the past is good enough

In this ever-changing cybersecurity landscape, traditional methods of securing your perimeter, protecting data and addressing privacy concerns are not enough. The main shift we’ve seen is more visibility into what actions a company is taking to reduce their risks. Cybersecurity cannot effectively operate in a silo; it’s the responsibility of every employee and department to incorporate security controls into their daily business operations. To do so, create a layered approach to securing both internal and external resources to properly address risk. Make sure you are increasing your security budget every year to continue to add to your infrastructure tools and ongoing training and education. Providing your team with continued education and new technology is critical in minimizing the risk and impact of a breach.

Myth #5 – My business is not a target

With the sheer amount of news coverage on large-scale cyber attacks, it can lead businesses to become numb to them and contribute to the notion that they’re not important enough to be the next target. In truth, smaller organizations are often a target because of the access they provide to a larger target. Acceptance of the fact that it’s generally a matter of when, not if, a cyber incident will occur is difficult for many companies to adjust to. In the past, breach prevention was the only goal, but today, having a security team that is realistic and accepts that a breach is likely will make them stronger and faster to respond. Companies will ultimately be judged on both the controls they had in place to prevent a breach and their response during and after an incident. Incorporating cyber insurance into your overall cybersecurity plan will not only provide peace of mind to your customers, but also help minimize the impact and downtime after an attack.

Managing Cyber Risk

Remain vigilant and protect your company with the most up to date cybersecurity and insurance options. Don’t fall for the myths or become numb to the countless news stories of breaches. As it’s commonly said, it’s not if your company will face a breach, it’s when.

Source: Slice

Canadian banks look to in-house hackers to improve and test cybersecurity

Hackers are targeting Toronto-Dominion Bank’s internal systems at all hours using cutting-edge techniques, but the bank’s head of cybersecurity isn’t losing sleep over them — they work for him, after all.

The bank established late last year an in-house “red team” of ethical hackers — cybersecurity professionals who attempt to hack a computer network to test or evaluate its security on the owners’ behalf — who conduct live attacks against its own networks continuously, said Alex Lovinger, TD Bank’s vice-president of cyber threat management.

“We’re doing it exactly how our adversaries would do it… So if we find a weakness or something like that, we can close it or address it before a real attacker,” he said.

Canada’s biggest banks are fortifying their defences by hiring their own ethical hackers to test their systems as the frequency and sophistication of cyberthreats increases.

A Senate report last month entitled “cyber.assault: It should keep you up at night” sounded the alarm about the potential consequences of major cyberattacks in Canada.

“While some progress has been made federally in the past year, there is much more that the federal government and Canadians must do to protect ourselves,” said the report of the Standing Senate Committee on Banking, Trade and Commerce. “We must take the appropriate steps now, or soon we will all be victims.”

Bank of Canada governor Stephen Poloz has also raised concerns about a cyberattack.

In 2017, 21 per cent of Canadian businesses reported that they were impacted by a cyber security incident which affected their operations, according to Statistics Canada. Banking institutions, not including investment banks, reported the highest level of incidents at 47 per cent, followed by universities and the pipeline transportation subsector, according to the agency.

New regulations that require Canadian businesses to alert their customers about privacy breaches or face hefty fines took effect at the beginning of this month.

In May, the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial digital banking brand said thousands of their customers may have had their personal and financial data compromised.

BMO said hackers contacted the bank claiming to be in possession of the personal data of fewer than 50,000 customers, and that the attack originated outside of Canada. At the same time, Simplii also warned that “fraudsters” may have accessed certain personal and account information for about 40,000 clients.

BMO’s chief executive Darryl White said he could not comment on the details of the privacy breach, as an ongoing investigation is underway, but noted there was a “very immaterial impact from a fraud perspective” and no material financial fallout.

“We are a lot smarter as every event goes on. And there are events every day, there are events every hour of every day… It’s a continual improvement exercise,” White told reporters after the bank’s recent investor day.

Meanwhile, BMO is also turning to in-house ethical hackers to test their systems. According to a recent job posting, BMO is seeking a senior manager with a certification in ethical hacking and whose responsibilities include managing a team of “network penetration testing” specialists.

CIBC did not respond to questions about whether it utilizes ethical hackers.

“We leverage internal and external expertise, and work closely with industry and government to enhance cyber security resilience, threat intelligence and best practices,” a spokeswoman said in a statement.

Alberta-based bank ATB Financial in a recent job post said it was recruiting a “Senior Penetration Tester” with ethical hacking experience. An ATB spokeswoman said the posting is to fill a recently vacated role.

The Bank of Nova Scotia also established its own in-house “red team” of hackers to test its defences, said its chief information security officer Steve Hawkins.

“Scotiabank has used and continues to use third-parties to handle this penetration testing. However, because the volume of global cyber threats has significantly risen, the Bank wanted to have its own capabilities in-house and created its own red team this year,” he said.

With the string of data breaches in recent years, what does worry TD’s Lovinger is the cumulative amount of data that has been exposed.

“Hackers now sit on a wealth of information… That they can now leverage to do more targeted attacks,” he said.

Royal Bank of Canada has had in-house ethical hacking capabilities for a few years now, as part of its cybersecurity program, said Adam Evans, the bank’s vice-president of cyber operations and chief information officer.

“We want to make sure that we are testing our defences to make sure they stay relevant,” he said.

RBC has been upping its cybersecurity budget and adding to its team annually. It now has roughly 400 cybersecurity professionals, up 50 per cent from three years ago, but a talent gap looms, Evans said.

Demand for talent in Canada is climbing by seven per cent annually and there will be more than 5,000 roles to fill between 2018 and 2021, according to Deloitte. By 2022, the cybersecurity workforce gap is expected to reach 1.8 million, it said.

As of October, there were 1,024 cybersecurity vacancies for every million Canadian job postings, up five per cent over the past year, according to Indeed Canada. That’s up 73 per cent since the beginning of 2015, said Brendon Bernard, an economist for the job search platform.

Meanwhile, several Canadian banks have made recent investments in research or capabilities abroad or in universities at home to tap cybersecurity talent. For example, TD opened a cybersecurity-focused office in Tel Aviv, Scotiabank announced a partnership with an Israeli cybersecurity company and RBC made an investment in research at Ben-Gurion University.

“With the talent gap in cyber, it’s something that organizations are going to have to address,” said Evans. “Because there is just not enough qualified people out there.”
