Cybersecurity: How Safe Is Your Workforce?

Article by Davids Blackmore

In mid-May 2017 the unprecedented global WannaCry ransomware outbreak brought organisations including the NHS, Telefónica and FedEx to a standstill.  Incidents such as this ensure that the public focus is firmly fixed on attacks by faceless criminal third parties.  However, when it comes to the protection of vital corporate and client data, organisations must also recognise the risks much closer to home, posed by their own personnel.  IBM’s “2016 Cyber Security Intelligence Index” found that 60% of all attacks were carried out by insiders.  Three quarters of these attacks were malicious, with the remainder involving reckless or inadvertent breaches by employees.  Given the potential business ramifications, financial, reputational and operational, it may be necessary to think again about how we tackle cybercrime.

Employee risk

Cyber risk isn’t just a matter for an organisation’s IT department or about having the most-up-to-date software.  Employees need to be trained to understand cyber risk and given the tools to identify and deal with such risk appropriately.  This can only be done effectively if the whole organisation buys into the process.  This is fundamentally a governance issue: as with any other area of risk, it must be managed coherently with arrangements covering all of those who can access organisational information, including directors, employees and contractors.

Human error and malicious intent

Not all data breaches are deliberate or malicious: many are down to simple human error.  It may involve a lost memory stick, an email inadvertently sent to the wrong address or papers left in a public place.  For example, a mis-sent email from a London NHS sexual health clinic attracted a £180,000 fine from the UK Information Commissioner in May 2016 after it revealed the email addresses of nearly 800 users of its HIV service: the sender had typed the addresses into the “To” field rather than using the “Bcc” (blind copy) option, so every recipient could see every other.  Similarly, dating website Guardian Soulmates saw the email addresses of its subscribers exposed as a result of human error on the part of a third party contractor.
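As an added illustration (not code from the article), here is how a bulk mailing of the kind that went wrong at the clinic should be assembled and checked before it leaves: recipients go in Bcc, and a pre-send guard refuses any message whose To/Cc list looks like a distribution list. The addresses, the domain and the visible-recipient threshold are assumptions.

```python
"""Bulk-mail guard for the mistake behind the clinic fine: recipient
addresses belong in Bcc, never in To/Cc. This is an added illustration,
not code from the article; the addresses and the visible-recipient
threshold are assumptions."""
import copy
from email.message import EmailMessage

MAX_VISIBLE_RECIPIENTS = 5   # assumed policy: more than this in To/Cc is a bulk list


def build_bulk_message(sender, recipients, subject, body):
    """Build a mailing in which no recipient can see any other recipient."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                  # the only visible recipient is the sender itself
    msg["Bcc"] = ", ".join(recipients)  # everyone else is hidden
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_leaky_message(sender, recipients, subject, body):
    """The mistake described above: the whole list typed into the To field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will see: To and Cc, but not Bcc."""
    addrs = []
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        addrs.extend(a.addr_spec for a in header.addresses)
    return addrs


def check_before_send(msg):
    """Return (ok, reason); refuse a message that exposes a bulk recipient list."""
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return False, f"{len(visible)} addresses visible in To/Cc; put them in Bcc"
    return True, "ok"


def headers_on_the_wire(msg):
    """Serialise the message as it should leave the server, with Bcc removed.
    smtplib.send_message() does this stripping itself; doing it here makes
    the leak check explicit and testable."""
    outgoing = copy.deepcopy(msg)
    del outgoing["Bcc"]
    return outgoing.as_string()


if __name__ == "__main__":
    patients = [f"patient{i}@example.invalid" for i in range(20)]  # constructed addresses
    safe = build_bulk_message("clinic@example.invalid", patients, "Newsletter", "Hello")
    leaky = build_leaky_message("clinic@example.invalid", patients, "Newsletter", "Hello")
    print(check_before_send(safe))   # (True, 'ok')
    print(check_before_send(leaky))  # (False, '20 addresses visible in To/Cc; put them in Bcc')
```

The guard is deliberately crude: it counts visible addresses rather than inspecting content, because the failure mode in the article was not a content decision but a field chosen in haste. A mail gateway rule that applies the same count to outbound messages catches the error even when the sending client offers no such check.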

Breaches frequently involve individuals sending confidential data out of secure work systems to personal email addresses, including to “bank” information in the event of a future dispute or for the purposes of new employment.  For their “End-User Security Survey 2017” Dell commissioned a global survey of 2,608 professionals who handled confidential data at companies with 250+ employees in order “to find out how widespread the unsafe sharing of confidential data has become”.  Dell’s results showed that “72% of employees are willing to share sensitive, confidential or regulated company information”.

Data breaches can have a catastrophic impact.  A good example is the Panama Papers case, which broke in 2016 and involved the offshore law firm Mossack Fonseca.  An anonymous source leaked more than 11.5 million client files, going back four decades, to the German newspaper Süddeutsche Zeitung.  When news of the leak broke, the firm vehemently denied that there was anything wrong with the integrity of its IT systems, stating that it had been the victim of a hack by an outside third party.  It was later reported, however, that the data had been disclosed by an insider, a disgruntled IT worker at the firm who systematically uploaded large amounts of client data over a prolonged period, purportedly because of moral concerns around worldwide income inequality.

According to the International Consortium of Investigative Journalists, an estimated $135 billion was wiped off the value of nearly 400 companies after the Panama Papers.  Like the hacks affecting the NHS and others, the case demonstrates the extraordinary power of modern technology to stop business dead in its tracks.

What can you do to minimise the risk to your organisation?

The Cyberedge Group’s “2017 Cyberthreat Defence Report” says that “once again, respondents cited users as the greatest obstacle to their organization’s establishing effective defences, as “low security awareness among employees” topped the chart for a remarkable fourth consecutive year…”

So what can be done to address this problem?

There is no absolutely failsafe method of protecting your company data: an organisation is only as strong as its weakest link.  However businesses can be alert to the risks, put in place appropriate plans to minimise the likelihood of a breach and have a breach response plan in place.  This will ensure that if there is a breach the situation can be managed and damage minimised.  Insurance policies should be reviewed, as the right policy may provide specialist external support in the event of cybersecurity incidents.

Education, education, education.

Equipping employees with the skills to recognise and manage cyber and information security risks, raising awareness of cybersecurity issues and instilling a culture of good data management will help build an organisation that appreciates the importance and value of the data that it holds.  In particular a business should:

  1. Identify and understand the information held by the organisation, who it belongs to and why it is important.
  2. Identify the cyber risks that exist and the assets you are trying to protect.
  3. Put in place a robust (but workable and easy to understand) cybersecurity policy so your staff understand the risks faced by the organisation, how they must deal with information and what they must do if the integrity of the organisation’s systems is breached.
  4. Educate your workforce to recognise and respond to security issues which arise.

So are employees a risk to the integrity of your business?  Yes.  But they can also be your first line of defence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

Ed Dubrovsky appointed Managing Director of Cyber Breach Response by Cytelligence Inc.

Ed Dubrovsky, a 24-year veteran of information security, has been appointed Managing Director, Cyber Breach Response, by Cytelligence CEO Daniel Tobok.

Mr. Dubrovsky will manage Cytelligence’s cyber security teams assigned to respond to client emergencies, to deal with the range of cyber threat actors from independent hackers, to industrial spies, to organized crime rings, and state-sponsored threat actors.

“Cyber security is now one of the top risks for all organizations. I believe that cyber security must be strategic, resilient, scalable, and cost-effective for organizations to achieve their business goals,” said Mr. Dubrovsky.

His areas of expertise include: incident response; strategic information security planning; securing enterprise infrastructure; application security; penetration and vulnerability testing; and research and education.

Cytelligence, the elite force of global cyber security, now employs over 60 cyber security experts including investigators, security specialists, forensic specialists, and ransomware specialists. Cytelligence also has a number of “white hat” hackers with very advanced cyber skills that help companies to proactively test their security using so-called “penetration testing.”

“Cyber security has exploded as a critical service, both as an emergency service and a proactive service for companies to secure their information and web infrastructure, for one very simple reason: the number of cyber criminals has exploded, too,” said Mr. Tobok.

“Ransomware and phishing are the attack vector of choice for cyber criminals. Ransomware is the perfect crime. It is anonymous, decentralized, digital, scalable, and uses cryptocurrency which is heavily encrypted,” said Mr. Tobok.

The range of Cytelligence clients in critical industries includes:  financial institutions, including banks, brokerage, and insurance firms; law firms; oil & gas facilities; refineries & petrochemical industry; power generation and transmission; research and development; software and technology companies; telecommunications; airports, seaports, trucking and transportation hubs; defense & homeland security; and water utilities.

Cytelligence is headquartered in Toronto and serves clients in Canada, the U.S., and Europe.

SOURCE Cytelligence Inc.

Saskatchewan to allow victims to sue if intimate images shared without consent

By Jennifer Graham

THE CANADIAN PRESS

REGINA _ People who have had intimate images shared without their permission will be able to sue for compensation in Saskatchewan.

The provincial government said Wednesday that it plans to change its Privacy Act so that those victims can seek redress through small claims court.

“We want to have some protection for people whose intimate images have been used for revenge porn or sexting without the consent of the person who was in those images,” said Justice Minister Don Morgan.

The government said it has proven difficult to rely on the Criminal Code to deter cyberbullying through unauthorized sharing of intimate images because the burden of proof is so high.

Morgan said the legislative changes will define what an intimate image is and include a prohibition on circulating the image without consent. The amendments will also put a reverse onus on the defendant to prove that they had consent from the person in the picture to release the images, he said.

Victims would not have to wait for charges to be laid, he said.

“It’s not a criminal proceeding, it’s a civil proceeding, so they do not have to wait for a criminal conviction,” Morgan explained.

“This is a remedy that’s made available to the victim. The Crown may well pursue a criminal charge, so you could have one, the other or both.”

The measure was in the throne speech delivered Wednesday which details the government’s plan for the new session of the legislature.

The outline includes new organ donation measures whereby all deaths or imminent deaths in hospital critical-care units are referred to an organ donation group.

The government also plans to introduce legislation so that Saskatchewan Government Insurance can offer coverage to ride-hailing companies such as Uber. Premier Brad Wall said he wants to encourage municipalities to allow ride-booking services to reduce impaired driving.

“I do think we just need more options for Saskatchewan people. Obviously almost every major North America city is comfortable with respect to the safety that’s provided by the various ride-sharing platforms,” Wall said.

Saskatchewan has one of the highest rates of impaired driving in Canada. Statistics Canada says there were 683 police-reported impaired driving cases per 100,000 population in Saskatchewan in 2011. The Canadian average was 262.

Ray Orb, president of the Saskatchewan Association of Rural Municipalities, said he thinks ride hailing services might help lower drunk driving rates, especially in rural communities where there may not be taxi service for people to use after going to the local bar.

“I think actually it would. I think it’s an interesting concept. We’d sure like to look at it,” said Orb.

The government also plans to introduce legislation so that non-Catholic parents can continue to send their children to separate schools by invoking the notwithstanding clause of the Canadian charter.

A court ruling in April found that public funding of non-Catholic students in the Catholic school system is unconstitutional.

It prompted concern from parents that their children might have to switch schools and be educated in different communities in rural Saskatchewan. Wall said at the time that there could be greatly overpopulated public schools and empty or near-empty separate schools.

The province is appealing the decision, but Wall said the government will move sooner.

“We are indicating pretty clearly that in a proactive way we’re going to protect school choice in the province notwithstanding what happens through the court process,” he said.

Interim NDP Leader Nicole Sarauer said it could take years for the appeal to be heard and, potentially, a Supreme Court challenge.

Sarauer questioned why the government was rushing the legislation.

“We need to let that process first work its way through first, before we consider using the notwithstanding clause,” she said.

The government is also backtracking on a tax cut that was made in July. It says it will raise the corporate tax rate back to 12 per cent from 11.5 per cent.

The tax was lowered so that Saskatchewan’s rate matched other western provinces, but Wall has said that’s no longer necessary because British Columbia has increased its corporate rate.

Legislation that allows up to 49 per cent of a Crown corporation to be sold without it being considered privatization will also be repealed.

The throne speech was the last for Wall, who is retiring when his successor is chosen in January.

Sarauer suggested that’s why the government is making some of the changes outlined in the speech.

“This is clearly a throne speech that’s more about serving the premier’s legacy and protecting the premier’s legacy than it is about serving Saskatchewan people,” she said.

October is Cyber Security Awareness month

Aviva Canada

Did you know?

In 2016, Canadians lost $40 million to online scams. With identity theft and other online security breaches on the rise, consumers need to be aware of how to protect themselves.

What is identity theft?

Identity theft is when someone uses your personal information – like your credit card, Social Insurance Number or name – without your knowledge or consent, to commit fraud. Some common ID theft scams include creating false lines of credit and making purchases using a stolen bank account or credit card.

According to the Ontario Securities Commission, your identity is at risk when:

  • you enter your credit card information online on a non-secure website
  • you click on an email link from what looks like a legitimate bank or online shopping service (e.g. PayPal) and enter your account information
  • your personal information (Social Insurance card, credit card or bank card) is stolen
  • you give out your credit card’s three-digit security code over the phone to a scammer who claims to be from your financial institution
  • any time your personal information is available to others

Aviva’s Identity Theft coverage is now even better

Aviva has introduced an enhanced ID Theft coverage – offering customers even more peace of mind as they tap, swipe and click their way through life. As one of the most comprehensive on the market, it features widespread financial protection if your identity is compromised, including:

  • an increased limit of $40,000 per policy term for all ID theft expense claims
  • a $5,000 limit per policy term to cover any financial loss due to ID theft
  • 24/7 credit bureau monitoring and two credit bureau reports for six months after an ID theft claim
  • access to your own ID theft case worker to help you identify and restore your finances and personal information after an ID theft claim

Don’t let thieves get the upper hand – learn more here or contact an insurance broker to add Identity Theft coverage to your home insurance policy.

Equifax takes down customer service web page after reports of new hack

By David Hodges

THE CANADIAN PRESS

TORONTO _ Equifax Canada says its U.S. parent company has temporarily taken down one of the customer service pages on its website amid reports that another part of the site had been hacked.

Company spokesman Tom Carroll did not respond to direct questions about any potential breach to Equifax Canada’s website or the number of Canadian or American Equifax customers that may have been affected.

Carroll said in an emailed statement that, “We are aware of the situation identified on the equifax.com website in the credit report assistance link.”

“Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline,” his statement added.

“When it becomes available or we have more information to share, we will.”

The news comes as Equifax Inc. continues to deal with the aftermath of a cyber breach earlier this year which allowed the personal information of 145.5 million Americans, and 8,000 Canadians, to be accessed or stolen.

In the latest cybersecurity incident, hackers reportedly altered Equifax’s credit report assistance page so that it would send users malicious software disguised as Adobe Flash.

Since news of Equifax’s massive data breach broke last month, the company is facing investigations in Canada and the U.S., as well as at least two proposed class actions filed in Canada.

The massive data breach has also led to a number of high-profile departures at the Atlanta-based consumer credit reporting agency, including its chief executive, chief information officer and chief security officer.

In early October, Equifax revised the number of consumers potentially impacted in the breach bumping up the total in the U.S. to 145.5 million and reducing the number in Canada from an estimated 100,000 to 8,000.

For these Canadian consumers, Equifax says the information that may have been accessed includes name, address, social insurance number and, in “limited cases” credit card numbers.

On its website, Equifax’s Canadian division says it has not yet mailed out any notices and made clear it would not be making any unsolicited calls or emails about the issue.

In September, Equifax reported that its investigation had shown that hackers had unauthorized access to its files from May 13 to July 30. Equifax Canada said at the time it was working closely with its parent company Equifax Inc. and an unnamed, independent cybersecurity firm conducting the ongoing investigation.

The cyberattack occurred through a vulnerability in an open-source web application framework the company uses called Apache Struts (CVE-2017-5638). The United States Computer Emergency Readiness Team (US-CERT) disclosed the vulnerability in March, and Equifax says it “took efforts to identify and to patch any vulnerable systems in the company’s IT infrastructure.”

How the cyberattack on Equifax unfolded and the fall out that followed

Months after hackers gained access to the personal data of millions of American, Canadian and U.K. consumers through Equifax’s website, the company disclosed the massive cyberattack to the public.

It now faces multiple investigations and lawsuits in Canada and south of the border, while its shares have fallen more than 30 per cent in less than two weeks.

Here is a look at how one of the largest cyber attacks in history unfolded and the fall out that followed:

_ _ _ _

Early March: The United States Computer Emergency Readiness Team (US-CERT) discloses a vulnerability in Apache Struts (CVE-2017-5638), a widely used open-source web application framework.

_ _ _ _

May 13 to July 30: Hackers have unauthorized access to Equifax Inc.’s files.

The company later says the hackers gained access through the vulnerability in Apache Struts, which supports Equifax’s online dispute portal web application.
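Two checks a practitioner would want at this point in the timeline, added here as an example and not taken from the article or from Equifax: whether a Struts 2 version falls in the range affected by CVE-2017-5638 (the Struts flaw behind this breach, fixed in 2.3.32 and 2.5.10.1 according to the Apache advisory S2-045), and whether a request’s Content-Type header carries an OGNL expression, the publicly documented indicator of exploitation attempts against it. The Content-Type mechanism is not described in the article; the request records below are constructed, in the shape of a WAF or proxy export.

```python
"""Two checks for the Apache Struts flaw named in the Equifax timeline
(CVE-2017-5638, Apache advisory S2-045). Added example, not from the
article or from Equifax: (1) is a given Struts 2 version inside the
affected range, and (2) does a request's Content-Type header carry an
OGNL expression, the public indicator of exploitation attempts. The
request records below are constructed, as from a WAF or proxy export."""
import re

# Affected ranges per the Apache advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
AFFECTED = {
    (2, 3): ((2, 3, 5), (2, 3, 32)),     # [lowest affected, first fixed)
    (2, 5): ((2, 5), (2, 5, 10, 1)),
}

# A legitimate Content-Type never contains an expression opener such as %{ or ${.
OGNL_OPENER = re.compile(r"[%$]\{")


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1)"""
    return tuple(int(part) for part in version.split("."))


def struts_vulnerable(version):
    """True if this Struts 2 release falls in the CVE-2017-5638 affected range."""
    v = parse_version(version)
    bounds = AFFECTED.get(v[:2])
    if bounds is None:
        return False   # branches outside 2.3.x / 2.5.x are not in the advisory's range
    low, fixed = bounds
    return low <= v < fixed


def flag_requests(records):
    """Return (id, reason) for each request whose Content-Type looks like OGNL."""
    hits = []
    for rec in records:
        ctype = rec.get("content_type", "")
        if OGNL_OPENER.search(ctype):
            hits.append((rec["id"], "expression opener in Content-Type"))
        elif "java.lang." in ctype or "ognl" in ctype.lower():
            hits.append((rec["id"], "Java/OGNL class reference in Content-Type"))
    return hits


# Constructed records, not Equifax traffic; the second carries a truncated
# OGNL opener of the kind seen in public exploitation attempts.
SAMPLE_REQUESTS = [
    {"id": 1, "path": "/dispute/upload.action",
     "content_type": "multipart/form-data; boundary=----constructed"},
    {"id": 2, "path": "/dispute/upload.action",
     "content_type": "%{(#_='multipart/form-data').(#cmd='id')}"},
    {"id": 3, "path": "/dispute/status.action",
     "content_type": "application/x-www-form-urlencoded"},
]

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if struts_vulnerable(ver) else "fixed")
    print(flag_requests(SAMPLE_REQUESTS))  # [(2, 'expression opener in Content-Type')]
```

The version check is the one that matters for the “took efforts to identify and to patch” claim: an inventory of deployed Struts versions run against it in March would have listed every dispute portal instance still in the affected range. The header check is what the security team’s “suspicious network traffic” observation of July 29 looks like when written down as a rule; it is cheap enough to run on every request because no legitimate client sends an expression opener in Content-Type.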

_ _ _ _

July 29: Equifax’s security team observes suspicious network traffic on a U.S. online dispute portal web application. The company’s security team blocks the identified suspicious traffic.

The company says in later communication that it “acted immediately to stop the intrusion.”

_ _ _ _

July 30: The same team observes more suspicious activity and the company takes the affected web application offline.

_ _ _ _

Aug. 2: Equifax contacts cybersecurity firm Mandiant, which spends several weeks conducting a forensic review.

_ _ _ _

Sept. 7: Equifax publicly discloses the cyberattack for the first time, saying it may have compromised the personal data of up to 143 million Americans. The company adds that an unspecified number of U.K. and Canadian consumers also may have been impacted.

On a website for affected U.S. consumers, Equifax explains that the complex and time-consuming investigation is behind the delay between its discovery of the breach and disclosing it.

“As soon as we had enough information to begin notification, we took appropriate steps to do so,” the company says.

_ _ _ _

Sept. 12: An Ontario resident files a proposed class action in the province, seeking $550 million in damages from Equifax, according to Toronto-based law firm Sotos LLP. It is one of at least two proposed class action lawsuits filed in Canada against the credit monitoring company.

_ _ _ _

Sept. 14: The Federal Trade Commission says it is opening an investigation into the hack.

The chairmen of two congressional committees say in a letter to Equifax CEO Richard Smith that they are investigating the breach and ask for a slew of documents and a company briefing by Sept. 28.

_ _ _ _

Sept. 15: The Office of the Privacy Commissioner of Canada launches investigation into the breach.

Equifax says fewer than 400,000 U.K. consumers had some of their personal information compromised, but it was more limited in scope and unlikely to lead to identity theft.

The company says its chief information officer and chief security officer are retiring. Both are replaced with internal employees on an interim basis effective immediately.

_ _ _ _

Sept. 19: Equifax says about 100,000 Canadian consumers may have had their personal information and credit card details compromised in the cyber attack. The breached data may have included names, addresses, social insurance numbers and, in limited cases, credit card numbers.

Later that day, Equifax revealed that it also had a security breach earlier this year that involved a different part of the company than the one accessed in the larger hack.

The breach involved TALX, which is Equifax’s human resources and payroll service. The company said there’s no evidence that the TALX breach, which happened between March and April this year, and the wider breach are related.

_ _ _ _

Oct. 2: Equifax provides an update saying a completed review determined that personal information of approximately 8,000 Canadian consumers was impacted, down from its original estimate of 100,000.

However, it said the review added about 2.5 million Americans to the list of those affected by the massive cyberattack, bringing the total number of people in the U.S. potentially impacted to 145.5 million.

