Stay a step ahead: RBC gives tips to be cyber smart

Technology has made lives easier, connecting people and businesses in unprecedented ways. But with the steady pace of advancement and change comes the heightened risk of fraud, particularly digital and online fraud. Words like “phishing” and “smishing” that did not exist a decade ago have entered our everyday lexicon.

“The reality is that cyber-crime has become an increasingly problematic issue, not only for the financial services sector, but for other industries in Canada and around the globe,” said Adam Evans, vice-president risk management at RBC. “It takes a combined effort between organizations and consumers to prevent fraudsters and cyber scammers from getting their hands on your private information.”

According to the Canadian Banking Association, 72 per cent of Canadians use online and mobile banking as their primary means of banking, up from 52 per cent in 2012. It’s clear that Canadians are accepting of new and convenient banking and payment technologies but it’s important they know how to stay safe when using these tools.

“Empowering our clients and the public to protect themselves is one of the best lines of defense,” added Evans. “As Canada’s largest bank we believe we have a responsibility to help educate the public on common cyber, fraud and privacy scams.”

Canadians can do their part to stay safe
Watch the RBC Be Cyber Smart video series, a collection of cyber awareness tips for individuals, families, youth and RBC clients:

  1. Choose powerful passwords. Use multiple passwords, change them frequently and use ones that include a mix of letters and numbers: all essential components of online safety.
  2. Don’t respond to unsolicited requests for confidential information. Be aware of schemes that ask for personal or financial information – they could be pretexting.
  3. Beware of the phish. Do not click on a link in an email, call a phone number, wire money or take any requested action, unless you first verify that a request is legitimate.
  4. Be cautious when sharing on social media. Be careful about including personal information online, on social networking sites and in email.
  5. Be wary of public Wi-Fi. Avoid using public Wi-Fi to online bank, online shop or access any confidential information.
  6. Keep your personal information private. Laptop and phone screens can easily be seen and your side of a phone conversation can be heard by everyone around you.

RBC is a proud participant in Fraud Prevention and Cyber Awareness months and aims to build awareness among clients and employees year-round. Read more tips and watch the Be Cyber Smart video series anytime on RBC’s Privacy & Security website.

About RBC
Royal Bank of Canada is Canada’s largest bank, and one of the largest banks in the world, based on market capitalization. We are one of North America’s leading diversified financial services companies, and provide personal and commercial banking, wealth management, insurance, investor services and capital markets products and services on a global basis. We have over 80,000 full- and part-time employees who serve more than 16 million personal, business, public sector and institutional clients through offices in Canada, the U.S. and 35 other countries. For more information, please visit‎

RBC helps communities prosper, supporting a broad range of community initiatives through donations, community investments and employee volunteer activities. For more information please see:


Cybersecurity Trends to Watch in 2017

Eric Basu | Business to Community

Today, North American households play host to an average of 13 internet connected devices. It’s at times like these when parties of all sizes should be relying on the expertise of IT professionals — however, a recent report showed that more than 80% of cybersecurity experts say there’s a deficit of skilled workers in the sector, and nearly as many said this has a serious impact on the compromising of devices and applications by cyberattacks. That’s the theme of the new year we’re in: no device nor individual is safe from the wrath of cyberattacks.

Take a look at the cybersecurity trends that started in 2016 and are expected to continue to make news throughout the new year.

Malicious Botnet Attacks

Cybersecurity issues have been, and will continue to be, dominated by the rise in botnets targeting Internet of Things (IoT) devices with Distributed Denial-of-Service (DDoS) attacks. In 2016, we saw hackers harnessing the power of smart devices to take down large domains and internet providers, affecting thousands of websites, including Twitter and Spotify. The most notable were two pieces of malware called Mirai and Bashlight which together have enslaved more than a million IoT devices.

There will be an estimated 28.4 billion internet-connected devices this year, up nearly 5.5 billion devices since the previous year. With the number of IoT devices expected to reach 50 billion by 2020, we’ll see a lot more government intervention this year in regards to regulating the security of these connected devices.

That could involve taking the steps proposed by the European Union and the Obama administration: creating independent bodies that will oversee the production and regulation of labels for smart devices. This proposal would give consumers the tools to make more educated cybersecurity choices and force manufacturers to include more stringent security measures.

Overall, Gartner projects that worldwide spending on IoT security will rise to $434 million this coming year.

Need for Proactive Approaches

Another trend we’ll see this year is companies taking a proactive approach to cybersecurity, rather than forming policies strictly as a reaction to a hack.

Proactively addressing cybersecurity involves taking into consideration the weaknesses that come with both IT and human staff. A large part of that involves limiting the number of devices employees use for professional purposes. These devices can create an issue since they bypass the security perimeters meant to protect workplace computers. It’s predicted that by 2018, a quarter of all corporate information will not pass through this security perimeter and will instead travel directly from mobile devices to the cloud.

Workplace security won’t be as straightforward as fitting an account with an employee username and password. Three Mobile, one of the largest mobile companies in the United Kingdom, put six million customers’ personal data at risk this past November when an employee login was used to hack into the system. A similar hack occurred at Talk Talk, another British mobile company, earlier in the year.

With devices becoming increasingly portable and less secure, we will see companies take more precautions with their employees and create defensive cybersecurity systems that address the agility of new devices and dangerous malware.

Vulnerability assessments should be done at all levels to determine the likelihood of an attack, and how to prevent it.

Application Security On the Rise

Organizations will continue to place more of an emphasis on application security throughout this year. That’s according to a recent report that surveyed 475 businesses and organizations in the U.S. More than one-fifth of those involved in the survey said applications were the source of breaches of secure information and cyberattacks.

Organizations are getting better at coordinating their security efforts, though. Forty percent of businesses have some sort of policy that third-party application providers must follow when providing a program or service. The responsibility of application security is being taken more seriously, too. More than one-third of organizations claimed that their application security programs are maturing.

Fake News & Social Media

Social media and fake news monitoring will become a part of companies’ cybersecurity strategies.

As the dust settled on the 2016 American election, people wanted to know if fake news articles played a role in the outcome. The Pew Research Center found that 62% of all Americans rely on social media for their news, with 44% of them using Facebook as their number one source.

Fake news sites came in a number of forms, from aggregators that rewrote stories with inflammatory headlines to articles with fake statistics and false reports about the candidates.

While not a hack in the traditional sense, fake news sites and hyper-partisan social media accounts play a role in corroding trust and blurring the line between fact and fiction. In 2017, we will see companies start to protect themselves from this kind of attack by incorporating social security measures into their cybersecurity best practices and processes.

It will be up to programmers and engineers to rewrite algorithms and develop monitoring tools to detect spam-ridden content and false information. But until this picks up, users will have to navigate their social streams more critically than ever before to distinguish genuine engagement from false persuasion.

Increased Security Is the Big-Picture Trend

From hijacked IoT devices to published propaganda, both companies and individuals are on high alert in terms of cybersecurity this year. We can expect to see businesses adopt security measures that address some of these rising concerns which will mean greater security for consumers, too.

Is your company doing something different in the way of cybersecurity in 2017?

Author: Eric Basu



Off-Duty Conduct: What Can Happen When Employees Go Viral

By Michael Horvat | Mondaq

It seems that a week cannot go by without the news reporting on a seemingly private or embarrassing event that has gone public. With the abundance of cameras in our daily public lives and the instantaneous sharing of information, our actions and statements can be easily broadcast as they happen. Our new “public” life is ever more on display. Some recent examples include being caught on video engaging in public mischief (such as throwing a beer can onto a sports field on national television) or engaging in a post on Twitter or other social media sites with “friends” that is resent or retweeted for everyone to see. How employers and their employees cope and navigate the greying line between an individual’s private life and their connection to the workplace is likely to become a greater issue, especially among a new generation of employees who have grown up in a world of social media and use it as their primary vehicle of communication.

As employees become more aware that their employers are noticing what happens away from the office or shop floor, employers must equally understand that there are still limits as to what behaviour they can regulate when the work day has ended.

In the past, there used to be a clearer time and distance aspect with respect to off-duty conduct. If it happened away from the workplace and outside of work hours, it was presumed to be the employee’s own business and, strictly speaking, of no concern to the boss, unless it tied the company brand and employee together in a bad light.

The law regarding an employer’s response to off-duty employment conduct has evolved as the web of social connections between employer and employee ties them together outside of regular business hours. Bullying behaviour in the office has to be addressed, so why not address bullying that occurs on Facebook or Twitter? Human Resources departments now have no choice but to take notice and act, whether it is to address potential harm that may arise from bad publicity or to address concerns by co-workers due to comments or actions made by colleagues in “private” internet communications that have become public. (Anecdotal evidence counters the notion that anything on the internet or that is electronically distributed is or can remain private.)

Employees must understand that companies will act to address off-duty conduct when that conduct could detrimentally affect their image, brand or business, or otherwise impact the well-being of coworkers. In some cases, employers will have no choice but to engage in an investigation into such behaviour and discipline or terminate the employee if misconduct is found to have occurred. For example, under recent changes to the Occupational Health and Safety Act, Ontario companies are now mandated to have policies in place regarding the reporting and investigation of harassment and sexual harassment complaints. The application of such policies extends beyond the workplace. Off-duty comments made on Facebook towards a co-worker can create a hostile work environment as easily as comments made in the lunchroom.

Consequently, it is recommended that all employers have policies which provide direction to their employees about their use of social media (such as Facebook, Twitter, Instagram). These policies should caution their employees about the use of technology both at the workplace (when using company email and computers) and away from the workplace. The policies should also refer to the company’s harassment policies and code of conduct rules and advise employees that off-duty conduct can also be subject to investigation and discipline (including discharge). Finally, employees must be trained in the application of these policies and the company must consistently review and enforce their application.

However, employers must be prepared to distinguish between actions which create a public relations issue (our employee has embarrassed the company) that require only a public relations response, and a human resources issue (our employee has breached policy and caused damage to the company’s goodwill or to another employee) which could require investigation and discipline.

Not every case where harm is caused to the company’s brand or reputation will require a human resources response and the harm or potential harm caused will only be one factor among many when determining if investigation and discipline will be appropriate in the circumstances. Other factors will include the degree of responsibility exercised or public position held by the employee, and whether the misconduct will hinder that employee’s ability to perform his/her job and/or their ability to work with co-workers and their co-workers’ corresponding willingness to continue to work with them.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Thinking of your target’s acquisition: is your cybersecurity risk assessment sufficient?

In 2015, we saw several important cybersecurity breaches in the industry. Some of them were extensively covered by the media while others remained less known to the general public. Recently, the online dating website Ashley Madison was hacked and the identity of millions of users revealed all around the world. Even more recently, we learned that over 500 million users’ Yahoo accounts had been hacked in 2014 and this news came out shortly after the acquisition of Yahoo by telecom giant Verizon. Can these attacks jeopardize your upcoming transaction? They absolutely can. As a matter of fact, Verizon asked for a $1 billion discount off its initial offer of $4.8 billion to acquire Yahoo and just recently said that it has a reasonable basis to believe that the massive data breach of email accounts represents a material impact that could allow Verizon to withdraw from the deal. The burden seems to now be on Yahoo to demonstrate the full impact of the breach.

These attacks raise an important question: are companies aware of the importance of conducting thorough cybersecurity due diligence in their M&A transactions? Here are a few tips that could be helpful when it comes to assessing the cybersecurity risk of a targeted company:

  1. Do not wait until the end of your due diligence. Start assessing the risk at the earliest stage of the due diligence process. It is important to ask the target what its most important and useful IT systems are and the most common risk associated with them. Are they covered by complete and extensive IT policies? Are they regularly updated and evaluated by IT experts? Those are examples of questions that need to be asked while conducting your IT due diligence.
  2. Know exactly the most important systems that need to be considered. Since due diligence in cybersecurity can be very expensive for the buyer, it is important to identify what systems or technologies are most at risk of being subject to a cyber-attack. By tailoring your risk assessment, you are controlling the cost while making sure to investigate the proper systems with a higher risk of being hacked that will endanger the success of your transaction.
  3. Do not engage in any cybersecurity risk assessment if your company does not have internal IT experts or extensive knowledge in this area. It is no easy task to estimate the cost of a potential cybersecurity problem within the target’s systems. Not only is it important to discover such problems but it is also very important to be able to evaluate how such a problem could negatively impact the transaction and what the best way to fix those problems is, before engaging in further discussions or negotiations. If your company does not have the internal team to proceed with the cybersecurity due diligence, you should consider retaining the services of external IT specialists.
  4. Consider the importance of obtaining cyber insurance. Since cyber-attacks can be highly expensive for a company, the importance of cyber insurance (not only in the specific context of an M&A transaction) is rising for many companies throughout the market. According to an IBM survey conducted in 2016, the average cost of a data breach reached $6.03 million this year, which represents a 12.5% increase compared to 2015. The software-maker McAfee estimated that the total cost of cybercrime in the global economy can reach up to US$575 billion per year. The costs are high and most of the time very difficult to estimate so that is why companies should consider having cyber insurance in order to protect themselves from such costs and uncertainty. Cyber insurance policies can cover a wide range of risks from network security liability to regulatory defense and penalties and network extortion.

For more, please see our previous posts on how to manage cyber security risks during the negotiation and due diligence stages of an M&A transaction and the ways regulatory bodies have begun managing these risks.


Norton Rose Fulbright’s lawyers in Canada cover the full range of areas involved in deal-making. Our Deal Law Wire blog is about sharing our insights with you. From corporate law to cross-border, antitrust/competition, intellectual property, employment and labour and pension matters and more, our lawyers offer a Canadian and truly global perspective that few practices in the world can rival.

10 Tips For Businesses: National Cyber Security Awareness Month

Now is a good time for businesses to review their cybersecurity practices. It is tempting to think that “it can’t happen to me”, but in the wake of Yahoo’s recent admission that personal data was hacked, it is clear that this can happen to anyone.

Of course, technological safeguards are critical to security; however, operations and policy play a crucial role as well. The steps outlined below focus on measures that go beyond technology.

  1. Plan on a Prudent Response. In a 2015 study commissioned by the Office of the Privacy Commissioner of Canada, only 41% of surveyed companies stated that they had policies or procedures in place that dealt with data breaches where there was a compromise of customer personal information. If an Incident Response Plan is made ahead of time in order to deal with a cybersecurity breach, a company will be in a position to respond quickly in a manner that mitigates harm to the business and to third parties (such as customers). Companies who do not make such a Plan are often caught flat-footed and fumble through an incident, and increase the risk of complaints to regulators and class action or other lawsuits.
  2. Build an Effective and Safe Cybersecurity Workforce. Robust recruitment processes that properly vet candidates will help ensure that the hiring of problematic employees is avoided. Unfortunately, many attacks come from inside an organization. Background checks are an important tool in the screening process. Employees play a key role in helping to prevent cybersecurity incidents. Proper training is key, and will enable employees to spot suspicious activities and events, and report them to the appropriate personnel. Employees are the single most important group of people who can help to reduce unintentional errors and technological  vulnerabilities.
  3. Make Continuing Education a Practice. It was recently reported in the news that the World Anti-Doping Agency was hacked by a Russian cyber group known as “Fancy Bear”. The group accessed confidential medical data of athletes because a password was obtained through spear phishing (generally an e-mail that appears to be from someone the recipient knows and trusts – such as someone in a position of authority in the recipient’s company). News reports about incidents like this should be shared and discussed with employees as they provide an opportunity for companies to educate and share information with personnel about cyber risks.
  4. Create an Incident Response Team. If a cybersecurity breach occurs, a business must act quickly. The establishment of an Incident Response Team will make the business nimble and mitigate harm. Key stakeholders to be included on the Team may include executive leaders/decision makers, IT and security, marketing and business development  (media and other third-party notifications), legal (breach and notification obligations and protection from potential litigation), privacy and human resources.
  5. Have a Lead Person. The Incident Response Team needs a lead who is primarily responsible for dealing with an incident and whose duties include (i) conducting an initial immediate assessment of an incident, (ii) determining the extent to which the information, system or network is impaired, (iii) reaching out to the Incident Response Team (and other appropriate personnel) depending upon the initial assessment, and (iv) being the main point of contact.
  6. Create Relationships with Third Party Service Providers. It is best to retain third-party contacts for the purpose of a cyberbreach response before the incident occurs. Common sense dictates that it will be less expensive and more efficient if third-party engagements are considered by a company and finalized before (as opposed to after) a cyberbreach. Potential service providers include legal (assess and deal with breach notification obligations to third parties), public relations firms (deal with reputation management) and forensics.  In-house IT resources are useful to take the machines/system offline and preserve evidence – but third-party forensics may be required to investigate and remediate the incident to get the organization back in business.
  7. Consider Cyber Insurance. Traditional insurance coverage may help deal with risks and potential losses posed by cyber risks to a certain extent, but cyber insurance policies extend coverage. Cyber insurance may be purchased separately or may run parallel with existing insurance at an increased premium. Both first-party coverage and third-party coverage are available. First-party coverage insures the policyholder from a loss resulting from a cybersecurity incident and third-party coverage covers the policyholder regarding liabilities to outside entities as a result of an incident. Third-party coverage may help with crisis management including public relations expenses related to dealing with a response to the incident. First-party coverage may also extend to payments to cyber extortionists who threaten to disclose sensitive confidential information unless their demands are met.
  8. Be Careful About What You Say Today. Sometimes online privacy policies and other publications of a company make statements about security such as the company has “implemented reasonable and appropriate means to protect personal information against unauthorized access.” In a US case, a court held that the foregoing statement was deceptive in light of the company’s actual cybersecurity practices. A company risks liability if it makes statements to the public about cybersecurity that are not readily justified by the facts. Be wary about merely copying and pasting text into privacy policies and other publications.
  9. Be Prepared – Identify Disclosure Obligations. It is best to keep abreast of privacy breach notifications and obligations imposed by legislation in each jurisdiction where a company does business.  The rules are not uniform, and some preparation will help a company to respond to an incident efficiently. The legal landscape is changing. Canada’s Digital Privacy Act passed in June, 2015 will require an organization to notify the Privacy Commissioner and affected individuals of any “breach of security safeguards involving personal information under the organization’s control, if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual”. It is anticipated that these data breach disclosure obligations will come into force when final regulations are passed.
  10. Work on “Operational Security” (OPSEC). OPSEC is a term originating in the military. In the context of cybersecurity, it involves (i) identifying the information that is most critical to successful business operations (such as customer lists and other contact information), (ii) analysis of the likely cyber criminals who may attempt to obtain critical information, (iii) identification of the potential vulnerabilities regarding the protection of critical information (such as poorly secured mobile devices that have access to the critical information), (iv) investigation of measures to mitigate each vulnerability, and (v) implementation of measures based upon the cost of implementing each measure against the harmful effects of a cybersecurity breach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

The Time to End Bullying is Now

Source: Huffington Post 


We’re not naïve; we realize that kids will be kids, and playground politics are a part of childhood. But bullying today goes far beyond what we may have experienced in our school days — our kids continue to be bullied even after they’ve left the playground, even when they are far from the bully’s physical reach.

Between texting, Facebook, chat rooms and social media apps, children today are constantly connecting with their peers. This gives bullies the opportunity to harass their targets in a myriad of new, creative ways. Complicating things further, the anonymous nature of many social media platforms renders it impossible to know who your tormenter even is.

“There are four different types of bullying,” says Joel Haber, PhD, a psychologist and bullying expert.

1) The most common type that we all know about is physical bullying. It’s the kind we all grew up with where kids push each other or kick or hurt each other…

2) But the new kinds of bullying are verbal bullying, which is using words to make someone feel bad — and it is actually more painful than physical bullying because it’s psychological.

3) And then there is a third kind of bullying which we call relational bullying, when we hurt each other’s relationships, with gossiping and exclusion. And there’s actually new data now to say that exclusion hurts kids as much as the lack of food or water would if you put them in a desert without anything… Exclusion hurts the worst.

4) But there is a fourth kind, which is cyber-bullying which is now on the rise. And that’s when kids bully each other through technology and that’s even more difficult to figure out because kids’ technology is changing all the time and the ways they bully can happen in ways that kids can’t even anticipate. And it’s hard to know how to stop it.

Adults have a rough time with online behavior, too. Facebook pages erupt in political arguments or battles over parenting styles, and cruel comments are left on personal blogs and articles. “How do you explain to your child the importance of being kind online when it’s hard to find even one YouTube video without a negative comment?” asks Leana Greene, founder and CEO of Kids in the House. “We have to teach our children that words can kill, both in person and online.”

We interviewed 16 children from the Los Angeles area that have experienced bullying in school and online. Their stories are heartbreaking, and there’s one common thread through all of them: the adults in their lives didn’t know listen. The more we know about bullying, the more we can help our kids when it happens.

There is no simple fix to end bullying, but we hope to play a role in keeping the conversation going, so that no child feels like Pamela, and thinks that no one cares or notices what is happening. Greene hopes we can start with our own behavior online and in our daily interactions. “We think everyone should take a close look at their words and actions. We hope that you will help us share the message… Empower to #endbullying.”

Visit our #EndBullying section on Kids in the House, and help us make things better for the kids in our own houses.


Canada – Work Place Bullying Course with ILScorp – Ontario, Manitoba, Québec and Saskatchewan have already introduced legislation against #bullying and B.C. recently enacted Bill 14 [Workers Compensation Amendment Act] to address the effects of bullying at work. 
