Cybersecurity: How Safe Is Your Workforce?

Article by Davids Blackmore

In mid-May 2017 the WannaCry ransomware outbreak brought organisations including the NHS, Telefónica and FedEx to a standstill.  Incidents such as this keep the public focus firmly fixed on attacks by faceless criminal third parties.  However, when it comes to protecting vital corporate and client data, organisations must also recognise the risks much closer to home, posed by their own personnel.  IBM’s “2016 Cyber Security Intelligence Index” found that 60% of all attacks were carried out by insiders.  Three quarters of these attacks were malicious, with the remainder involving reckless or inadvertent breaches by employees.  Given the potential financial, reputational and operational ramifications, it may be necessary to think again about how we tackle cybercrime.

Employee risk

Cyber risk isn’t just a matter for an organisation’s IT department or about having the most-up-to-date software.  Employees need to be trained to understand cyber risk and given the tools to identify and deal with such risk appropriately.  This can only be done effectively if the whole organisation buys into the process.  This is fundamentally a governance issue: as with any other area of risk, it must be managed coherently with arrangements covering all of those who can access organisational information, including directors, employees and contractors.

Human error and malicious intent

Not all data breaches are deliberate or malicious: many are down to simple human error, such as a lost memory stick, an email inadvertently sent to the wrong address or papers left in a public place.  For example, an email mis-sent from a London NHS clinic in September 2015 attracted a £180,000 fine from the UK Information Commissioner in May 2016 after it revealed the email addresses of 781 users of the clinic’s HIV service, the sender having typed the addresses into the “To” field rather than the “Bcc” (blind copy) field, so that every recipient could see every other recipient.  Similarly, dating website Guardian Soulmates saw the email addresses of its subscribers made publicly available as a result of human error on the part of a third-party contractor.
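The To-versus-Bcc mistake above is one of the few human errors that an outbound mail gateway can catch mechanically. The following is an added example, not code from the article or from any NHS system: before a bulk message leaves, it counts the external addresses that every recipient would be able to see (To and Cc) and, if there are too many, moves them to Bcc. The internal domain clinic.example, the limit of one visible external recipient and the sample message are illustrative assumptions.

```python
"""Outbound-mail recipient guard for the To-versus-Bcc failure mode.

Added example, not taken from the article or from any real system. Before a
bulk message is sent, it checks whether more external addresses than allowed
are visible to every other recipient (To/Cc) and, if so, rewrites the headers
so that external recipients appear only in Bcc. The internal domain and the
visible-recipient limit are illustrative assumptions.
"""
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "clinic.example"  # assumption: the sending organisation's own domain
MAX_VISIBLE_EXTERNAL = 1            # assumption: at most one external recipient may be visible


def _addresses(msg, header):
    """Lower-cased bare addresses from every instance of a header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def visible_recipients(msg):
    """Addresses in To and Cc: every recipient of the message can read these."""
    return _addresses(msg, "To") + _addresses(msg, "Cc")


def is_external(addr):
    return not addr.endswith("@" + INTERNAL_DOMAIN)


def check_visible_recipients(msg):
    """Return a list of problems; an empty list means the message may be sent as-is."""
    external = [a for a in visible_recipients(msg) if is_external(a)]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        return [f"{len(external)} external addresses visible in To/Cc; move them to Bcc"]
    return []


def move_externals_to_bcc(msg):
    """Rewrite headers so that external recipients are only in Bcc.

    Internal addresses stay in To. If none remain, To is set to the sender so
    the header is not empty. Existing Bcc entries are preserved.
    """
    visible = visible_recipients(msg)
    internal = [a for a in visible if not is_external(a)]
    external = [a for a in visible if is_external(a)]
    bcc = sorted(set(_addresses(msg, "Bcc") + external))
    sender = _addresses(msg, "From")
    for header in ("To", "Cc", "Bcc"):
        del msg[header]
    msg["To"] = ", ".join(internal) if internal else sender[0]
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    return msg


def demo():
    """Constructed sample: a clinic newsletter with three patients typed into To."""
    msg = EmailMessage()
    msg["From"] = "newsletter@clinic.example"
    msg["To"] = "p1@mail.example, p2@other.example, p3@third.example"
    msg["Subject"] = "Service update"
    msg.set_content("Dear patient, ...")
    before = check_visible_recipients(msg)
    move_externals_to_bcc(msg)
    after = check_visible_recipients(msg)
    return before, after, _addresses(msg, "To"), _addresses(msg, "Bcc")


if __name__ == "__main__":
    print(demo())
```

In a real deployment the check would sit in the mail submission path (a milter or a send hook in the mail client) and refuse to send rather than silently rewriting, so that the sender learns the rule; the rewrite is shown here to make the corrected header layout explicit.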

Breaches frequently involve individuals sending confidential data out of secure work systems to personal email addresses, including to “bank” information in the event of a future dispute or for the purposes of new employment.  For their “End-User Security Survey 2017” Dell commissioned a global survey of 2,608 professionals who handled confidential data at companies with 250+ employees in order “to find out how widespread the unsafe sharing of confidential data has become”.  Dell’s results showed that “72% of employees are willing to share sensitive, confidential or regulated company information”.

Data breaches can have a catastrophic impact.  A good example is the Panama Papers case involving the offshore law firm Mossack Fonseca.  An anonymous source leaked more than 11.5 million client files, going back four decades, to the German newspaper Süddeutsche Zeitung in 2015; the resulting stories were published in April 2016.  When news of the leak broke, the firm vehemently denied that there was anything wrong with the integrity of its IT systems, stating that it had been the victim of a hack by an outside third party.  It was later reported, however, that the data had been disclosed by an employee of the firm, a disgruntled IT worker who systematically uploaded large amounts of client data over a prolonged period – purportedly because of moral concerns around worldwide income inequality.

According to the International Consortium of Investigative Journalists, an estimated $135 billion was wiped off the value of nearly 400 companies after the Panama Papers.  Like the hacks affecting the NHS and others, the case demonstrates the extraordinary power of modern technology to stop business dead in its tracks.

What can you do to minimise the risk to your organisation?

The CyberEdge Group’s “2017 Cyberthreat Defense Report” says that “once again, respondents cited users as the greatest obstacle to their organization’s establishing effective defences, as “low security awareness among employees” topped the chart for a remarkable fourth consecutive year…”

So what can be done to address this problem?

There is no absolutely failsafe method of protecting your company data: an organisation is only as strong as its weakest link.  However businesses can be alert to the risks, put in place appropriate plans to minimise the likelihood of a breach and have a breach response plan in place.  This will ensure that if there is a breach the situation can be managed and damage minimised.  Insurance policies should be reviewed, as the right policy may provide specialist external support in the event of cybersecurity incidents.

Education, education, education.

Equipping employees with the skills to recognise and manage cyber and information security risks, raising awareness of cybersecurity issues and instilling a culture of good data management will help build an organisation that appreciates the importance and value of the data that it holds.  In particular a business should:

  1. Identify and understand the information held by the organisation, who it belongs to and why it is important.
  2. Identify the cyber risks that exist and the assets you are trying to protect.
  3. Put in place a robust (but workable and easy to understand) cybersecurity policy so your staff understand the risks faced by the organisation, how they must deal with information and what they must do if the integrity of the organisation’s systems is breached.
  4. Educate your workforce to recognise and respond to security issues which arise.

So are employees a risk to the integrity of your business?  Yes.  But they can also be your first line of defence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

October is Cyber Security Awareness month

Aviva Canada

Did you know?

In 2016, Canadians lost $40 million to online scams. With identity theft and other online security breaches on the rise, consumers need to be aware of how to protect themselves.

What is identity theft?

Identity theft is when someone uses your personal information – like your credit card, Social Insurance Number or name – without your knowledge or consent, to commit fraud. Some common ID theft scams include creating false lines of credit and making purchases using a stolen bank account or credit card.

According to the Ontario Securities Commission, your identity is at risk when:

  • you enter your credit card information on a website that does not use HTTPS (no padlock in the address bar)
  • you click on an email link from what looks like a legitimate bank or online shopping service (e.g. PayPal) and enter your account information
  • your personal information (Social Insurance card, credit card or bank card) is stolen
  • you give out your credit card’s three-digit security code over the phone to a scammer who claims to be from your financial institution
  • any time your personal information is available to others

Aviva’s Identity Theft coverage is now even better

Aviva has introduced an enhanced ID Theft coverage – offering customers even more peace of mind as they tap, swipe and click their way through life. As one of the most comprehensive on the market, it features widespread financial protection if your identity is compromised, including:

  • an increased limit of $40,000 per policy term for all ID theft expense claims
  • a $5,000 limit per policy term to cover any financial loss due to ID theft
  • 24/7 credit bureau monitoring and two credit bureau reports for six months after an ID theft claim
  • access to your own ID theft case worker to help you identify and restore your finances and personal information after an ID theft claim

Don’t let thieves get the upper hand – learn more here or contact an insurance broker to add Identity Theft coverage to your home insurance policy.

How the cyberattack on Equifax unfolded and the fall out that followed

Months after hackers gained access to the personal data of millions of American, Canadian and U.K. consumers through Equifax’s website, the company disclosed the massive cyberattack to the public.

It now faces multiple investigations and lawsuits in Canada and south of the border, while its shares have fallen more than 30 per cent in less than two weeks.

Here is a look at how one of the largest cyber attacks in history unfolded and the fall out that followed:

_ _ _ _

Early March: The United States Computer Emergency Readiness Team publishes an alert about a vulnerability in Apache Struts, a widely used open-source framework for building Java web applications.

_ _ _ _

May 13 to July 30: Hackers have unauthorized access to Equifax Inc.’s files.

The company later says the hackers gained access through the vulnerability in Apache Struts, which supports Equifax’s online dispute portal web application.

_ _ _ _

July 29: Equifax’s security team observes suspicious network traffic on a U.S. online dispute portal web application. The company’s security team blocks the identified suspicious traffic.

The company says in later communication that it “acted immediately to stop the intrusion.”

_ _ _ _

July 30: The same team observes more suspicious activity and the company takes the affected web application offline.

_ _ _ _

Aug. 2: Equifax contacts cybersecurity firm Mandiant, which spends several weeks conducting a forensic review.

_ _ _ _

Sept. 7: Equifax publicly discloses the cyberattack for the first time, saying it may have compromised the personal data of up to 143 million Americans. The company adds that an unspecified number of U.K. and Canadian consumers also may have been affected.

On a website for affected U.S. consumers, Equifax explains that the complex and time-consuming investigation is behind the delay between its discovery of the breach and disclosing it.

“As soon as we had enough information to begin notification, we took appropriate steps to do so,” the company says.

_ _ _ _

Sept. 12: An Ontario resident files a proposed class action in the province, seeking $550 million in damages from Equifax, according to Toronto-based law firm Sotos LLP. It is one of at least two proposed class action lawsuits filed in Canada against the credit monitoring company.

_ _ _ _

Sept. 14: The Federal Trade Commission says it is opening an investigation into the hack.

The chairmen of two congressional committees say in a letter to Equifax CEO Richard Smith that they are investigating the breach and ask for a slew of documents and a company briefing by Sept. 28.

_ _ _ _

Sept. 15: The Office of the Privacy Commissioner of Canada launches investigation into the breach.

Equifax says fewer than 400,000 U.K. consumers had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.

The company says its chief information officer and chief security officer are retiring. Both are replaced with internal employees on an interim basis effective immediately.

_ _ _ _

Sept. 19: Equifax says about 100,000 Canadian consumers may have had their personal information and credit card details compromised in the cyber attack. The breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.

Later that day, Equifax revealed that it also had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.

The breach involved TALX, which is Equifax’s human resources and payroll service. The company said there’s no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.

_ _ _ _

Oct. 2: Equifax provides an update saying a completed review determined that personal information of approximately 8,000 Canadian consumers was impacted, down from its original estimate of 100,000.

However, it said the review added about 2.5 million Americans to the list of those affected by the massive cyberattack, bringing the total number of people in the U.S. potentially impacted to 145.5 million.

Beazley Canada strengthens its cyber risk team

Specialist insurer Beazley has appointed Miki Ho as cyber risk underwriter. Based in the company’s Toronto office, Mr Ho’s focus will be on developing Beazley’s portfolio of cyber liability and technology risks for large enterprises in Canada.

Mr Ho joins Beazley from Allianz where he was a senior underwriter for cyber and professional liability risks, following previous underwriting and broking roles with a portfolio of clients in the financial institutions sector.

Paul Bantick, Beazley’s Technology, Media & Business focus group leader says: “We are excited by the opportunities we see to support Canadian businesses against the risks of cyber liability and data breach. With the cyber and technology risk landscapes changing rapidly and the number of data breaches unabated, the demand for cyber insurance products is growing strongly. With Miki having joined our team, we are well placed to take advantage of this growing demand and the opportunities that exist in the Canadian market.”

Phil Baker, head of Beazley Canada, adds: “Beazley is a market-leading provider of cyber liability, technology errors & omissions, and miscellaneous professional liability coverage, with a global team structured to deliver local solutions. Miki will play a pivotal role in delivering those local solutions to brokers and clients in Canada.”

Note to editors:

Beazley plc is the parent company of specialist insurance businesses with operations in Europe, the US, Canada, Latin America, Asia and Australia. Beazley manages six Lloyd’s syndicates and, in 2016, underwrote gross premiums worldwide of $2,195.6 million. All Lloyd’s syndicates are rated A by A.M. Best.

Beazley’s underwriters in the United States focus on writing a range of specialist insurance products. In the admitted market, coverage is provided by Beazley Insurance Company, Inc., an A.M. Best A rated carrier licensed in all 50 states. In the surplus lines market, coverage is provided by the Beazley syndicates at Lloyd’s.

Beazley is a market leader in many of its chosen lines, which include professional indemnity, property, marine, reinsurance, accident and life, and political risks and contingency business.

For more information please go to: www.beazley.com

SOURCE Beazley

N.S. sends teen suicide expert to Cape Breton, promises new cyberbullying law

By Brett Bundale

THE CANADIAN PRESS

HALIFAX - As a Cape Breton school board grapples with multiple teen suicides, the Nova Scotia government is sending a youth mental health expert to the grief-stricken community and promising new anti-cyberbullying legislation this fall.

Dr. Stan Kutcher, a Dalhousie University psychiatry professor, will travel to Cape Breton Monday to talk to families, schools, and the community about mental health concerns and what supports they need.

He is expected to report back to the province in the coming weeks.

The parents of a 13-year-old girl who took her own life on Father’s Day said bullying led to her death, and more needs to be done to protect other young people. They said their daughter, Madison Wilson, was subject to verbal abuse at school and through social media.

Premier Stephen McNeil said the province needs to have a broader conversation about bullying, especially online attacks.

“I can’t imagine how some of these young kids who are exposed to that are feeling,” he said Thursday. “We need to have a public conversation about what’s happening online. Our children can’t get away from it.”

McNeil said he hopes the province will engage the public in a broader conversation when it rolls out its updated anti-cyberbullying legislation.

Nova Scotia’s Cyber-Safety Act, the first law of its kind in Canada designed to protect victims of online harassment, was struck down in late 2015 after the province’s top court ruled that it infringed on Charter rights.

The law was passed in response to the death of Rehtaeh Parsons, a 17-year-old girl who was bullied and died after a suicide attempt.

Justice Minister Mark Furey said Thursday the recent suicides in Cape Breton, with at least one tied to cyberbullying, underscore the importance of the new legislation.

“We’re positioned now to introduce legislation this fall,” he said.

Furey said he hopes Kutcher, an expert on adolescent mental health, will be able to inform the province on what steps can be taken to support the community.

“Dr. Kutcher is a recognized mental health expert so his presence and participation in the discussion in Cape Breton will help the families, the school and the community deal with these tragic circumstances,” he said.

Darren Googoo, chairman of the Cape Breton Victoria Regional School Board, said this week the board is drafting a letter to the provincial Education Department with the idea of starting a dialogue on the issue.

“Our students are dealing with the trauma associated with the loss of a schoolmate and, going into the summer months, we want to make sure that we have a more co-ordinated approach with our provincial partners in health, in terms of providing services,” Googoo said.

Education Minister Zach Churchill said the province needs to “work together” to better understand the factors that contribute to teen suicides.

“We do have a collective responsibility to better understand these things, to learn from them and do our very best to improve the supports available,” he said. “We need to have an honest, open and frank conversation.”

However, it’s unclear whether additional resources, such as guidance counsellors or psychologists, will be made available.

In fact, Health Minister Randy Delorey said the province put additional resources in place for schools but it’s up to the board to decide “where exactly the resources are being allocated.”

He said questions about “how they’re choosing to spend their resources” are better directed to the school board.

However, he did admit that mental health is an area of priority for the province that requires more attention.

Understanding Cyber Threats, Monitoring Data Leakage & Monitoring Reputational Damage

Article by Aaron Baer

Organizations around the world were recently (and rather rudely) reminded of their data vulnerability when WannaCry unleashed its international ransomware attack, encrypting data on infected machines and demanding a ransom for its release. This attack provided an important reminder of the risks associated with data breaches and it forced many organizations to take a cold, hard look at their data protection strategies.

In light of this incident, there has arguably never been a better time for organizations to prioritize monitoring and managing digital risk. A recent report published by Digital Shadows (the “Report”) highlights the need for more sophisticated strategies as organizations’ digital footprints continue to expand at an overwhelming rate. As their digital footprints expand, organizations are exposed to new levels of external risk that are not adequately protected by traditional tactics.

A digital footprint is comprised of information left behind as a result of an organization’s or individual’s online activity – it exists outside the boundaries of internal protection. Employees, suppliers and many others with access to corporate data contribute to an organization’s digital footprint on a daily basis, and they (often unknowingly) expose sensitive information in the process.

While most information in the digital footprint is benign, there is a significant portion that is not. Threat actors focus on a subset called the ‘digital shadow,’ which includes exposed personal, corporate or technical information. Usually this information is highly confidential, sensitive or proprietary. Information left exposed in the digital shadow can be embarrassing for a company and can be leveraged by attackers looking to exploit, launch ransomware or other cyberattacks.

At the same time, organizations should be mindful that cyber-attackers are leaving their own digital footprints and digital shadows behind. The Report suggests that the most effective external digital risk management strategies involve monitoring this activity in order to gain insight and plan defensive strategies.

At a basic level, the Report suggests that external digital risk management requires identifying, assessing and taking steps to mitigate risk exposed by the digital footprint. More importantly, however, external digital risk management should involve: 1) understanding cyber threats, 2) monitoring data leakage, and 3) monitoring reputational risks.

Understanding Cyber Threats

According to the Report, tailored threat intelligence capability is the key to understanding cyber threats. Such intelligence should be premised on four main areas:

  1. Indications and warnings;
  2. Actor profiles;
  3. Campaign profiles; and
  4. Emerging tools.

In order to leverage threat intelligence, organizations should adapt their approach to their particular business. Further, they should focus on who the threat actors are, what they are planning, what tools they are using, and what tools may be developed in the future. Simply receiving generic information is not enough. Involving human analysts in the process, it is suggested, will help weed out irrelevant information and ultimately deliver capable and tailored intelligence.

Monitor Data Leakage

Organizations should be vigilant about monitoring data leakage, since attackers can use leaked data to their advantage. The Report suggests focusing on sensitive code, private encryption keys, employee credentials, confidential documents, intellectual property, and social media over-sharing. These areas of data leakage leave organizations particularly vulnerable, not only to attackers who seek to leverage this information in targeted cyber-attacks, but also to competitors and corporate espionage. Knowing the type of information leaked can provide insight into how the information might be used against you in the future.

Knowing when, where and how this information has been leaked is critical to implementing effective mitigation tactics. For example, if employees are leaking sensitive confidential information through the use of personal email or social media, organizations should be aware of this so that they can implement training and disciplinary procedures to counteract the behaviour.
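Knowing what has leaked starts with being able to recognise it in the places it turns up (public code repositories, paste sites, misconfigured file shares). The following is an added example, not code from the Report or from Digital Shadows: a small scanner for three of the leakage categories named above (private keys, cloud credentials and hard-coded passwords or API keys). The sample "leaked configuration file" is constructed for the example, the AWS access key ID in it is the non-functional example value published in AWS documentation, and the entropy threshold is an illustrative assumption that suppresses placeholder values such as `changeme`.

```python
"""Scan text for the leaked-secret categories named in the Report.

Added example, not from Digital Shadows. It looks for PEM private key
headers, AWS-style access key IDs and hard-coded credential assignments,
and uses Shannon entropy to skip obvious placeholders. Findings carry a
redacted snippet so the scanner's own output does not re-leak the secret.
The sample input below is constructed; the key ID is AWS's documented
non-functional example value.
"""
import math
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    snippet: str  # redacted; never the full secret


PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # key = value / key: value, with an optional quote; value must be at least 8 non-space chars.
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above dictionary placeholders."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Return one Finding per line that matches a leakage pattern (first match wins)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if PATTERNS["pem_private_key"].search(line):
            findings.append(Finding(line_no, "pem_private_key", line.strip()))
            continue
        m = PATTERNS["aws_access_key_id"].search(line)
        if m:
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(0))))
            continue
        m = PATTERNS["credential_assignment"].search(line)
        if m:
            value = m.group(2)
            # Templated values (${VAR}) and low-entropy placeholders are not leaks.
            if value.startswith("${") or shannon_entropy(value) < min_entropy:
                continue
            findings.append(Finding(line_no, "credential_assignment",
                                    f"{m.group(1)}={redact(value)}"))
    return findings


SAMPLE = """\
# constructed sample of a configuration file found in a public repository
db_host = db.internal.example
db_password = "Tr0ub4dor&3xYz!"
api_key = ${API_KEY}
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
password = changeme
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

Pattern matching of this kind is the first pass only; a real programme feeds the findings into a triage step (is the key still valid, which system does it belong to, who committed it) and into rotation, which is the mitigation the paragraph above is pointing at.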

Monitor Reputational Damage

Finally, the Report suggests that monitoring for reputational damage is a key component of effective external digital risk management. Organizations should be aware of ways by which their goodwill and branding are being leveraged online. According to the Report, the top five risk areas include:

  1. Phishing;
  2. Domain infringement;
  3. Spoofed profiles;
  4. Brand defamation; and
  5. Mobile application issues.

Being able to monitor and detect these activities can not only mitigate reputational damage, but also the negative impact on employees and customers.
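Domain infringement and phishing both start with a domain that resembles the brand's. The following is an added example, not code from the Report: it enumerates the typosquat variants an attacker would register for a brand domain (character omission, repetition, transposition, hyphenation, ASCII homoglyphs, TLD swap) and sorts a list of observed domains into buckets a monitoring team can act on. The brand domain examplebank.com and the observed list are constructed; in practice the list would come from a newly-registered-domain feed or certificate transparency logs.

```python
"""Lookalike-domain triage for the domain-infringement and phishing risks.

Added example, not from Digital Shadows. typosquat_candidates() generates the
variants an attacker would register for a brand domain; classify() sorts an
observed domain list into legitimate / typosquat / lookalike / brand_embedded
/ unrelated. The brand domain and the observed feed are constructed.
"""

# Common ASCII look-alike substitutions seen in phishing domains.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}


def typosquat_candidates(domain, extra_tlds=("net", "org", "co", "info")):
    """Return the set of domains reachable from `domain` by one common squatting trick."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                      # omission
        variants.add(name[:i] + name[i] + name[i:])                # repetition
        if name[i] in HOMOGLYPHS:                                  # homoglyph
            variants.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
        if i < len(name) - 1:                                      # adjacent transposition
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        if i > 0:                                                  # hyphenation
            variants.add(name[:i] + "-" + name[i:])
    variants.discard(name)
    candidates = {f"{v}.{tld}" for v in variants}
    candidates |= {f"{name}.{t}" for t in extra_tlds if t != tld}  # TLD swap
    return candidates


def edit_distance(a, b):
    """Levenshtein distance; catches single insertions the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, observed):
    """Map each observed domain to a triage bucket."""
    domain = domain.lower()
    name = domain.rpartition(".")[0]
    candidates = typosquat_candidates(domain)
    result = {}
    for d in observed:
        d = d.lower().rstrip(".")
        d_name = d.rpartition(".")[0]
        if d == domain or d.endswith("." + domain):
            result[d] = "legitimate"          # the brand domain or a real subdomain of it
        elif d in candidates:
            result[d] = "typosquat"           # an enumerated squatting variant
        elif edit_distance(d_name, name) <= 1:
            result[d] = "lookalike"           # one edit away but not enumerated (e.g. insertion)
        elif name in d:
            result[d] = "brand_embedded"      # brand name used inside another domain
        else:
            result[d] = "unrelated"
    return result


OBSERVED = [  # constructed feed of newly seen domains
    "examplebank.com", "login.examplebank.com", "examp1ebank.com", "exmaplebank.com",
    "exarnplebank.com", "examplebank.co", "examplebanks.com", "examplebank-secure.com",
    "examplebank.com.evil.example", "othersite.example",
]

if __name__ == "__main__":
    for d, bucket in sorted(classify("examplebank.com", OBSERVED).items()):
        print(f"{bucket:15} {d}")
```

The "brand_embedded" bucket is deliberately separate from "typosquat": a hostname such as examplebank.com.evil.example is the form most phishing kits use, and it will never appear in an edit-distance list, so a monitoring programme that only checks for typos misses it.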

In the context of cybersecurity, risk is a well-developed concept. The Report suggests that all risk management strategies should take into account external digital risks. As organizations continue to expand their global online presence and digital footprint, risk mitigation strategies must continue to evolve at the same pace.

As set out in another article recently published on The Spotlight, there are many ways to ensure your organization’s data is adequately protected in order to prevent costly data breaches. Organizations need to recognize the true scale of the cyberattacks they face, adapt to the changing landscape, and incorporate these best practices to protect their bottom line from the costs of data breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq
