
Category Archives: Cyber Risk Management

Employee Data Leaks a Major Cyber Risk


U.S. soldier Bradley Manning is escorted out of a courthouse during his court martial at Fort Meade in Maryland, August 20, 2013. (REUTERS/Jose Luis Magana)

The case of Bradley Manning, the U.S. soldier convicted of the biggest breach of classified data in U.S. history by providing files to WikiLeaks, highlights how employees can pose a major vulnerability to internet security.

In 2010, Manning turned over more than 700,000 classified files, battlefield videos and diplomatic cables to WikiLeaks, the pro-transparency website, in a case that has commanded international attention. Manning was sentenced to 35 years in prison on Wednesday, a sentence unprecedented in its magnitude for providing secret material to the media. Read more in the Toronto Sun article "Bradley Manning sentenced to 35 years in WikiLeaks case".

This case shows how some of the most damaging cyber-attacks involving deliberate policy violations come from within the business, in ways that many employers overlook when it comes to their cyber security. It’s an employer’s worst nightmare—an employee is dissatisfied with his or her job and decides to defraud or steal from the company. Employees can cause enormous damage by committing these crimes.

According to a 2012 occupational fraud report by the Association of Certified Fraud Examiners (ACFE), the typical organization loses 5 per cent of its annual revenue to fraud. It also reported that the median loss caused by fraud was $160,000. For a small company, this could mean the end of the business. Small businesses are more at risk because owners inherently treat their employees like family, leading to complacency and lax security measures. Small businesses also tend not to have anti-fraud measures in place, as many lack the know-how and enforcement capabilities of larger businesses. Nearly half of victim organizations do not recover any losses that they suffer due to fraud.*

ABEX has partnered with WatSec to provide employee security awareness training as part of our Cyber Risk Management Program.  The security awareness training prepares every staff member with the critical skills necessary to work productively while being vigilant for potential security threats. 

Please contact ABEX and WatSec for more information on how you can effectively manage your cyber risks.

 

*Source: ©2013 Zywave, Inc

Hackers Demand Ransom from Businesses after Stealing and Encrypting Their Information

Thank you to all who participated in the ABEX / WatSec Cyber Webinar yesterday. During the webinar, we touched on a few different examples of cyber attacks, including one of the newest threats: ransom attacks.

In ransom attacks, hackers steal information from businesses and encrypt it so that it can’t be read by anyone. Data from backups can get encrypted as well. The hackers then demand a ransom from the victims in exchange for the encryption key that would allow the victims to access their own information. However, the hackers won’t necessarily decrypt the files even after the ransom has been paid.

There are many examples of ransom attacks happening, not only around the globe, but also here in Canada and more specifically in Southwestern Ontario and GTA.  These cases do not always reach the media, and thus do not get the deserved attention.  

One example involves residents of Dryden, Ontario, who were struck by a combination of computer virus and Internet scam. The virus displays the logo of the RCMP and informs users that they have committed copyright infringement or downloaded illegal pornography. It lists the money-wiring businesses users should use to pay a fine of $100 within 72 hours or risk being imprisoned for one to nine years or facing a fine of up to $250,000.

Other examples include an Australian medical centre, Miami Family Medical Centre, and The Surgeons of Lake County, which all received a ransom demand after blackmailers broke into the organizations’ servers and encrypted their entire patient databases.

According to Norton’s Cybercrime 2012 report, 70% of online adults in Canada have been the victim of cybercrime at some point in their life. Cybercrime costs Canadians $1.4 billion per year. The average cost per crime victim is over $160, according to Norton’s report.

A security company, Trend Micro, has published an infographic: The Cybercriminal Underground: How Cybercriminals Are Getting Better At Stealing Your Money. The infographic explores what items are being traded in the cybercrime underground, how the underground is organized, and how users are affected.

Please feel free to contact ABEX and WatSec for more information on how you can effectively manage your cyber risks.


Cyber Security for Small Businesses

High-profile cyber attacks and data breaches at Sony, Honda Canada and HRSDC have raised awareness of the growing threat of cyber crime, but recent surveys conducted by Symantec suggest that many small business owners are still operating under a false sense of cyber security.

Don’t Equate Small with Safe

The statistics are grim: The majority of Canadian small businesses lack a formal Internet security policy for employees, and only about half have even rudimentary cyber security measures in place. Despite significant cyber security exposures, 50 per cent of small business owners believe their company is safe from hackers, viruses, malware or a data breach. This disconnect is largely due to the widespread, albeit mistaken, belief that small businesses are unlikely targets for cyber attacks. In reality, data thieves are simply looking for the path of least resistance. Symantec’s study found that 40 per cent of attacks are against organizations with fewer than 500 employees.

Hackers and data thieves aren’t the only threats. Smaller companies often boast of an almost family-like work environment and have a tendency to put a lot of trust in their employees. This can lead to complacency when it comes to data security, which is exactly what a disgruntled or recently fired employee needs to execute an attack on the business.


Consider Your Email Exposure


Before sending, your employees should stop and think, “Would I like this email to be seen on the front page of my morning newspaper?”

Email is a standard for business communications. According to a study by the Radicati Group, the average corporate email user sends and receives about 112 email messages each day. Because email as a business tool is here to stay, companies need to take the time to recognize and manage the risks that electronic communications present.

Today, emails are some of the most important records recovered in discovery requests during litigation. With the false sense of privacy that email messages provide, people send and receive lots of information that they wouldn’t want others to know about. They don’t realize that information in emails is easily recovered as evidence during litigation, even if the email message was deleted, and that it indicates who received what information and when.

To equip your organization with the right tools to prevent and protect against these risks, a group of employees should be assigned to develop guidelines and procedures regarding emails and other electronically stored information (ESI), such as instant message logs and electronic files. At least one member from the management, legal, information technology and human resources teams should be involved in this process to make sure that the best interests of the entire organization are met.

 


Considerations of Cloud Computing

The ongoing discussion surrounding Bill C-28 has caused Canadians to consider exactly what “privacy” entails. One issue that has come to the forefront is determining the safety of cloud computing.

Cloud computing offers companies the ability to outsource applications, platforms and infrastructure. This can include (but is not limited to) services like email, accounting software, account management systems and even servers. When a company decides to use cloud computing, it contracts with an IT firm. In turn, the IT firm may subcontract with other firms to store data. As a result, a company’s data may be housed in a variety of locations, not all of which are necessarily under Canadian jurisdiction.

Federal and provincial private sector privacy legislation allows personal information to be transferred to an organization in another jurisdiction for processing and storage, as long as the organization receiving the personal information does not use it for any purposes other than what was implied or previously consented to.

The organization that transferred the personal information is still responsible for protecting it, and the organization the personal information is transferred to must provide a level of security comparable to what would be required under Canadian law.

In addition, the transfer must be disclosed to individuals to whom the data pertains. Generally, this should include notifying them that:

  1. Their personal information will be processed and stored outside of Canada.
  2. Their personal information will be under foreign jurisdiction, which may be less protective than the laws that exist in Canada.

Concerns have recently been voiced about private sector firms that use cloud computing in the United States, because once their data crosses the border, it is subject to section 215 of the US Patriot Act. This means US officials can get a judicial order for the turnover of information that is suspected of being related to terrorism. This turnover can be “blind,” which means that for the security of the US investigation, no parties need to be informed about the seizure of the data.

Lawyers around the country argue that the level of data security that exists when using cloud computing across the border is no different than the current level of security. The Treaty on Mutual Legal Assistance in Criminal Matters has been in place since 1990 and allows the United States and Canada to assist each other in any criminal investigation by sharing records and pertinent data. The Canadian Security and Intelligence Service Act allows secret warrants to be issued to obtain electronic data. Lawyers argue that these two pieces of legislation create situations where data can be blindly obtained and shared across the border.

Since this is such a new issue, many companies are still concerned. Organizations can consider obtaining meaningful contractual commitments for administrative, technological and physical security protections from the organization to which the personal information is being transferred. The transferring organization can also consider audit or other rights that would permit ongoing check-ups of those security protections as well as the use of the personal information.

Organizations should obtain legal advice to better understand how cloud transfers of personal information will affect existing legal commitments. It may be necessary to give special notice to individuals and to provide them with opt-out or termination opportunities.

© 2013 Zywave, Inc.

