
Category Archives: Cyber Risk Management

Cyber Extortion Hits Close to Home

“It took me 26 hours of work… without sleep… to get the network back online. Not fun…” says Richard Mash of Network Partners. In his most recent encounter with hackers Mr. Mash was helping his client, a local small business, after the hackers stole and encrypted the client’s information, demanding a ransom.

Mr. Mash continues “The client’s network became infected with a really nasty virus called CryptoLocker. The virus was sent to them in an email with an attachment that was supposedly a resume from a job applicant. Not surprisingly, someone in the HR department opened the attachment and within minutes the network was infected with a virus and all their critical data files were encrypted… The authors of the virus demanded a significant amount of money in return for decrypting the files, effectively holding the company to ransom. Luckily, we had good backups of all their data and we were able to recover everything without paying the ransom request. The important thing to note is this company had 3 different levels of anti-virus protection, all of which allowed the virus to penetrate the network.

I’m sure all of you are aware that computer viruses can be spread by email. Even though many of us maintain excellent anti-virus products on our networks to help protect our data from viruses, these programs are not 100% foolproof. We also need help from our employees to keep important data safe.”

Mr. Mash shared some very helpful tips with ABEX to help us protect our network so we don’t encounter a similar problem. We thought these tips would be worth sharing with you so that you can protect your network from viruses. The most important thing is to be vigilant about emails that you receive:

  • NEVER open an attachment in an email that comes from someone you do not know or do not trust.
  • A simple rule of thumb: NEVER click on a link in an e-mail and avoid opening attachments if at all possible (especially ZIP archives). If a link in an e-mail must be clicked, hover the mouse cursor over the link first to see where it actually leads. If it looks suspicious, please ask!
  • These emails may seem to come from companies that you trust, like Canada Post or UPS. If you are not expecting a “delivery notification” from a courier, then don’t open it.
  • Banks or Credit Unions will not send you unsolicited emails with attachments… ever. Just delete them.

How can businesses protect themselves?

To manage and minimize the potential damage from a cyber attack, companies should employ a comprehensive cyber risk management strategy that, along with cyber insurance, also includes appropriate loss control techniques, an assessment of the company’s network vulnerabilities, and employee security awareness training.

Businesses should make sure that their cyber insurance policy covers costs in case the company is unable to access its computer system, the system is infected by a virus, confidential information is compromised, or its brand and reputation is tarnished by posts on social media. In addition, the policy should cover the cost of an independent computer security consultant to assess any threats, prevent immediate threats and offer a reward to prevent the perpetrators of the threat from carrying it out, as well as reimbursement of any ransom the company is required to pay in the event that the above measures fail to mitigate the threat against it.

Please contact ABEX today for more information on our cyber risk management process.


Protecting Canadians From Online Crime Act Becomes Law, Impacts Employers

Quick facts:

  • On March 9, 2015, the Protecting Canadians from Online Crime Act (Act) comes into force.
  • The Act updates Canada’s Criminal Code to make the distribution of intimate images on the Internet without consent a crime.
  • The Act expands the powers of law enforcement agencies investigating online activities and creates new compliance obligations for certain employers.

On Dec. 9, 2014, Bill C-13, the Protecting Canadians from Online Crime Act (Act) received royal assent. The Act, which has been labelled Canada’s cyber bullying law, will come into force on March 9, 2015.

True to its name, the Act introduces new provisions to Canada’s Criminal Code concerning cyber bullying, but it also increases the power of law enforcement agencies to obtain electronic information related to the investigations of crimes.

Going forward, employers that maintain electronic information on behalf of others must be aware of new compliance obligations created by the Act.

Cyber Bullying Provisions

Under the Act, it will now be an offence to knowingly publish, distribute, transmit, sell, make available or advertise intimate images of an individual without his or her consent in electronic media, where there is a reasonable expectation of privacy.

To help prevent cyber bullying, the Act empowers courts to:

  • Order the removal of intimate images from the Internet;
  • Order the forfeiture of the computer, cell phone or other device used to commit cyber bullying;
  • Provide for reimbursement to victims for the costs incurred from removing the intimate image from the Internet; and
  • Issue orders to prevent an individual from distributing intimate images.

Amendment to Lawful Access Standard

Of greater concern to most employers are the changes to lawful access the Act introduces. “Lawful access” generally refers to an investigative technique used by law enforcement agencies and national security agencies that involves the interception of private communications and the seizing of information where authorized by law.

The Act changes the threshold necessary for obtaining lawful access related to the search and seizure of computer, transmission and tracking data. Prior to the passage of the Act, orders for the search and seizure of computer data were granted only if a judge determined that law enforcement officers had “reasonable grounds to believe” that an offence had been committed.

The Act lowers the legal threshold for lawful access by now requiring that only a “reasonable ground for suspicion” be demonstrated prior to a judge issuing an order. Under this new lower threshold, some legal experts predict that law enforcement agencies will have an easier time gaining access to employers’ electronic data.

Preservation of Computer Data

The Act provides law enforcement agencies with two new tools that they may utilize in investigating crimes, preservation demands and preservation orders.

Preservation demands and orders require employers to preserve computer data in their control or possession to ensure that it is not deleted before a production order or search warrant is obtained.

Preservation demands can be made by law enforcement officers directly to the person or employer without the authority of a judge. Preservation demands expire after 21 or 90 days, depending on whether the offence is committed under Canadian or foreign laws.

A preservation order is an order issued by a judge requiring a person or employer to preserve the computer data sought by a law enforcement officer or public officer. Preservation orders expire 90 days after they are granted.

It should be noted that preservation demands and orders differ from general data retention requirements. General data retention requirements dictate that employers collect and store data for a particular period of time for all subscribers, regardless of whether they are subject to an investigation. In contrast, a preservation demand or order relates only to a particular telecommunication or person, in the context of an investigation.

New Types of Production Orders

The Act also creates new production orders related to transmission data and tracking data that employers must contend with.

For the purposes of the Act and production orders, “transmission data” is a specific set of metadata that indicates the origin, destination, date, time, duration, type and volume of a telecommunication, but does not include the actual content of the telecommunication. Examples of transmission data include IP addresses of websites visited or search terms used.

“Tracking data” is information that relates to the location of a thing or individual.

The new production orders created by the Act allow law enforcement agencies to obtain transmission or tracking data that is already in an employer’s possession at the time of the order. Employers that are issued a production order must produce the transmission or tracking data requested or face penalties.

Production of Financial Data

The Act also imposes additional obligations on financial institutions. Judges may now order financial institutions to prepare and produce documents with the following information in their possession or control:

  • The account number of the person or the name of the person attached to an account specified in an order;
  • Information related to the type of account the person named in the order holds;
  • The status of the individual’s account; and
  • The date on which the account was opened or closed.

Additionally, judges may order that financial institutions disclose the date of birth, current address and previous addresses of the person identified in order to confirm his or her identity.

Voluntary Disclosure

Employers should note that the Act provides immunity from criminal and civil liability to employers that voluntarily preserve or produce data to law enforcement officers, even if the officer does not have a preservation or production order.

Penalties

Penalties for failing to comply with the Act’s requirements are stiff. Individuals or employers that violate a preservation demand may be fined up to $5,000. Penalties for violating the terms of a preservation or production order are harsher. An individual, employer or financial institution that violates the terms of a preservation or production order may face fines up to $250,000 or six months of imprisonment.

Impact on Employers

In light of the new obligations created by the Act, employers should review and, if necessary, amend their privacy, information management and data retention policies to ensure compliance with potential preservation or production orders. Employers’ policies should outline the procedure for responding to preservation demands, preservation orders and production orders, and make clear which staff members are responsible for responding to demands and orders.

© 2015 Zywave, Inc. All rights reserved.


Are Media Reports of Small Business Cyber Attacks Just the Tip of the Iceberg?

Source: www.watsec.com

Business Problem

According to PwC’s annual report The Global State of Information Security Survey 2015, there was an increase in security incidents of 48% over 2013 [1]. The report concludes:

“…many organizations are unaware of attacks, while others do not report detected incidents for strategic reasons or because the attack is being investigated as a matter of national security. It seems certain, given the technical sophistication of today’s well-funded threat actors, that a substantial number of incidents are successful but not discovered.”

So if incidents are rising, and yet many attacks are not being reported, what does this mean to small business? Are they being overlooked by the hackers? Are small businesses in general not really at risk?

The PwC report goes on to say:

“Small firms often consider themselves too insignificant to attract threat actors – a dangerous misconception. It’s also important to note that sophisticated adversaries often target small and medium-size companies as a means to gain a foothold on the interconnected business ecosystems of larger organizations with which they partner. This dangerous reality is compounded by the fact that big companies often make little effort to monitor the security of their partners, suppliers, and supply chains.”

PwC defines a small business as one with less than $100M annual revenue.

Lesson Learned

Small business executives and owners must understand that they are at greater risk of cyber attack than they realize. There are more than 3 billion users on the global Internet and a large number of them want what every small business has. By getting large quantities of personal and business information, they can sell it to the highest bidder on hacker e-commerce sites. The Internet underground is well organized and well funded and can easily monetize stolen small business information.

Key Message

Invest the time to better understand how cyber risk could be affecting your organization and how it should be managed. Even small businesses with a few employees are a target and need to take steps to protect the organization. Remember, cyber risk management involves examining not just technology but people and the entire business ecosystem (partners, suppliers, clients) they interact with. IT Security alone will never be able to adequately address the problem.

Source for more information

[1] PwC, The Global State of Information Security Survey 2015.


Four Components of Cyber Risk Management

If your company stores data and information digitally, you should have a cyber risk management program that addresses prevention, disclosure, crisis management and insurance coverage in the event of a data breach. Good cyber risk management requires the planning and execution of all four of these components.

Develop Strategies to Prevent a Data Breach

Your data breach prevention strategies may include encrypting all devices used by your employees, such as laptops, tablets and smartphones. Encrypting these devices will prevent unauthorized access if a device is lost or stolen. Unencrypted devices are often not covered by a cyber liability policy, so make sure you know whether you need to encrypt the devices or not.

Your strategies may also include educating employees about phishing and pharming scams. Remind them not to click on anything that looks suspicious or seems too good to be true.

Analyze your cyber risks from three different perspectives: technology, people and processes. This risk assessment will give you a clear picture of potential holes in your security. Revisit and revise your plan regularly, because new risks arise often.

Know Your Disclosure Responsibilities

If you experience a data breach, you may be legally required to notify certain people. If your company is publicly traded, guidelines issued by the Canadian Securities Administrators (CSA) make it clear that you must report cyber security incidents to stockholders—even when your company is only at risk of an incident.

The CSA advises timely, comprehensive and accurate disclosure about risks and events that would be important for an investor or client to know. It’s important to evaluate what information and how much detail should be released.

Notifying a broad base when it is not required could cause unnecessary concern for those who have not been affected by the breach.

Some extreme cases of a data breach may require you to go further than just assessing and disclosing the information. You may have to destroy or alter data, depending on its sensitivity.

Your Crisis Management and Response Plan

Preparedness is key when developing your cyber risk management program. When you experience a data breach, you need to be prepared to respond quickly and appropriately. This is where your crisis management and response plan come into play.

Determine when and how the breach occurred, what information was obtained and how many individuals were affected. Then assess the risks you face because of the data breach and how you will mitigate those risks.

While managing a crisis, let your clients know what actions you are taking, but also be sure you’re not disclosing too much information. It’s a delicate balance. Focus on improving future actions—this will restore trust in your stakeholders and clients.

Your in-house lawyers, risk managers and IT department should work together to create and refine your plan. Everyone should be on board and know their responsibilities when a breach happens.

Protect Your Data—and Your Business

Your cyber risk management program should include cyber liability insurance coverage that fits the needs of your business.

Cyber liability insurance is specifically designed to address the risks that come with using modern technology—risks that other types of business liability coverage simply won’t cover. The level of coverage your business needs is based on your individual operations and can vary depending on your range of exposure.

Your cyber liability insurance policy can be tailored to fit your unique situation and can be written to include the costs of disclosure after a data breach. Contact Precept Insurance & Risk Management to learn more about cyber liability insurance and how you can protect your business from a data breach.

© 2014 Zywave, Inc. All rights reserved.


5 Tips for Using Cloud Services to Keep Your Private Information Safe

Storing documents, photos and data in cloud storage can be very convenient. Some people feel it’s much easier to have everything in one place instead of carrying around flash drives or discs that contain your data. But recent events in the media may have you doubting whether the private information you keep in cloud storage is safe from hackers.

Here are five tips to help keep your cloud data safe from hackers:

  1. Use strong passwords and do not use the same password for multiple accounts.
  2. Don’t answer security questions honestly. Security questions can be hacked right along with passwords. Make up your own security question, if possible. The answer doesn’t have to be true, just something you can remember.
  3. Turn on two-step verification to require more than a password, such as a security question and a password, to successfully sign in to your account.
  4. Find out what you are automatically backing up in the cloud. If you don’t want your info to back up automatically, turn that setting off.
  5. Understand that you have limited control over the security of what you store on the Internet. To put it into perspective, think of it as storing data on someone else’s computer. You cannot control what he or she does with it or how it is secured.

© 2014 Zywave, Inc. All rights reserved.
