The latest cybersecurity survey by the Canadian Internet Registration Authority (CIRA) sheds light on the ongoing challenges that organizations of all sizes across industries face in protecting their data and networks from hackers.

According to the report, 71 per cent of Canadian organizations surveyed were the victim of some form of cyberattack in 2018. Nearly all respondents said cybersecurity awareness training was at least somewhat effective in reducing incidents, yet only 22 per cent conducted that training monthly or more often, and fewer than half (41 per cent) had actually mandated it across their organizations.

Direct costs incurred in addressing these cyberattacks, as well as a negative impact on the victim’s brand, were the most damaging aspects of the incidents for affected organizations. Importantly, an earlier CIRA survey found that only 19 per cent of Canadians “… would continue to do business with an organization if their personal data were exposed in a cyberattack.” Only 48 per cent of organizations that had their data breached even reported the incident to their clients. A meagre 21 per cent made their board of directors aware that such a breach had occurred.

Meagre investments in cybersecurity

Perhaps most worrisome, a lack of resources was one of the main reasons why 43 per cent of respondents didn’t have specific systems, processes and talent dedicated to addressing cybersecurity vulnerabilities across their organization.

As the report notes:

“Canadian banks, schools, governments and businesses are still being taken down by cyberattacks, exposing customer data, paying ransoms to hackers, and losing valuable time recovering from breaches.

According to the annual Accenture Cost of Cybercrime survey, the average cost of investigating and remediating an attack among Canadian organizations last year was $9.25 million.”

A series of costly ransomware attacks targeting Ontario municipalities over the past year—not to mention companies ranging from SMEs to enterprise—underscore cybercriminals’ growing sophistication. But not in ways you may expect. The reality is the nefarious software used to extort unwitting communities and businesses is becoming more commoditized by the day. Even a novice hacker with access to the dark web can get their hands on ransomware relatively cheaply and quickly.

Hackers are becoming more sophisticated

What’s changing is how hackers are targeting organizations. Increasingly that means tricking everyone from managers to employees into opening suspect attachments or visiting dubious websites. From there cybercriminals can plant malware on a single computer, use it as a foothold into the network and wait. That quiet period can last several months, during which the intruder harvests credentials, maps systems and backups, observes how the organization works, and then settles on an attack that will likely involve some form of data theft or financial extortion.

As the CIRA survey notes, more organizations than ever are taking cybersecurity training seriously. Many are mandating courses for employees and introducing new data-protection protocols. Is it helping? Definitely. But massive vulnerabilities still exist across organizations. The reason is that many leadership teams—and the security consultants they employ—are using a one-size-fits-all approach to training and compliance.

One of the greatest complaints that people have with cybersecurity is that defensive protocols tend to be so stringent they impair employees’ ability to do their jobs effectively. In some cases, they could compromise new business opportunities and in extreme scenarios, even revenue growth. When cybersecurity tools and training become too onerous to use, they’ll soon fall by the wayside. That’s why customizing that training and tailoring it to the needs of departments (or even individual employees, whenever possible) is a far more effective risk-mitigation approach.

In short, cybersecurity systems need to be designed to align with the operational requirements and work habits of real people.

Customization is key

That’s why it’s incumbent on cybersecurity service providers to ask a comprehensive list of questions before delivering training. What are your organization’s business objectives? How do your people work? Why are your workplace policies—in particular those that address the management of sensitive data and information—drafted as they are? Can they be updated or improved to address rapidly-increasing cybersecurity risk? How can we design and implement policies that keep your business secure, while ensuring that key processes in areas such as sales or operations aren’t unduly disrupted?

Of course, these are only a tiny handful of the queries your service provider should pose. In most cases, they’ll need to dig much deeper and work with individual managers or employees to design a pragmatic strategy that makes practical sense for your organization.

We should all glean lessons from the cyber malfeasants who are making the time to take a personalized approach to digital crime. Because if they can customize their approach to data theft, network vandalism or ransomware-driven extortion, we should be doing the same when it comes to developing and implementing plans to stop them in their tracks.

Winston Stewart, President and CEO

When news broke recently that the Swedish Data Protection Authority fined a local municipality more than USD $20,000 for privacy violations, it marked the emergence of a potential new front in the struggle to balance privacy rights and security requirements.

Under the European Union’s General Data Protection Regulation (GDPR)—sweeping legislation that governs everything from website tracking to data collection practices across the 28-member European Union and the wider European Economic Area—biometric data used to uniquely identify a person is a special category of personal data, and processing it is prohibited except on narrow grounds such as explicit consent. Apparently a school board in Sweden didn’t get the memo and used facial recognition software to track high school student attendance over a three-week trial period intended to test out new technology.

The school board saw the tracking software as a more efficient use of teachers’ classroom time. According to media reports, attendance-conscious educators had apparently been devoting about 17,000 hours a year to keeping tabs on their pupils. The SDPA saw the matter differently, found that consent obtained from students in a position of dependence was not freely given, and issued the significant fine, a first for Sweden under the GDPR.

Tech as a security tool, but to what end? 

The European Union has taken the lead in legislating to secure privacy rights and protect citizens, just as authorities in other regions have turned to cutting-edge new technology designed to enhance protection measures for the general public. In the wake of recent shootings in Toronto, for example, the city’s community housing agency has announced plans to increase video surveillance in at-risk neighbourhoods, all to help deter crime and aid police enforcement efforts. In the United Kingdom, cities such as London have long relied on street-level surveillance to maintain safety. The U.S. government has been using biometric technology, including the fingerprinting of foreign visitors, at border crossings for years.

The challenge that arises, of course, is when governments abuse these tools. China has faced widespread criticism for its use of facial recognition and data collection programs in its western provinces to track the local Uyghur community. In other parts of the country, Beijing actively uses technology to help silence or monitor anti-government voices. Many liken the tactics to an Orwellian invasion of privacy, an effort to enforce government-sanctioned values on an unassuming populace.

If a school board in Sweden uses facial recognition technology to track students, some argue, it’s not far-fetched to expect a more widespread application of that software across society. In the hands of a trusted few there isn’t much concern. But what happens if those individuals can no longer be trusted?

Legal systems adapting to new technology 

The reality is the use of technology as a protective tool is hardly novel and, in most cases, isn’t nearly as sinister as some may contend. The big question, as with the example from Sweden, is to what degree governments will tolerate its use. Authorities in Canada are beginning to weigh in on the safety and security vs. privacy debate.

In Ontario, for example, a labour arbitrator recently ruled in Teamsters Local Union No. 230 v Innocon Inc., that a concrete delivery company (Innocon) had the right to install cameras in its trucks to help improve driver safety and highlight potential driver misconduct by recording a driver’s actions, but only in the event that the vehicle swerved unexpectedly or took some form of evasive action that could indicate erroneous or erratic driving. In the arbitrator’s view, some level of in-cab monitoring was justified because an employer’s business interests can supersede an employee’s right to privacy under specific circumstances.

Security strategies for business

Business owners should be aware that at any point, our legal landscape could shift and new laws could limit the use of biometric or facial technology when used in public spaces or workplaces. But I predict that governments will take a measured approach to balancing privacy and security concerns. It’s likely that we will see a tightening of privacy restrictions in Ontario and across Canada at some point. In the meantime, however, your focus should be on assessing your organization’s security vulnerabilities and taking an integrated approach to protecting your people and assets.

That means reviewing the plethora of tech tools available on the market and deciding which ones make sense for your organization based on its operational needs. Facial recognition technology may make sense for a retailer with several busy locations, for example, but could provide little benefit to a software development firm with much simpler security needs. Be prepared to customize your strategy and invest in security components that will make a decided impact in helping mitigate risk and advancing your organization’s strategic goals (e.g., not being robbed, having your data held hostage or seeing your commercial property or workplace invaded).

But first, take the time to understand your jurisdiction’s privacy laws. Make sure your security strategy doesn’t violate any rules when the time comes to implement cutting-edge—yet potentially controversial—security technology.

Winston Stewart, President and CEO

Wincon Security

You know a situation is bad when even local governments are calling in the IT cavalry for help. But that’s the reality for municipalities struggling to combat increasingly frequent ransomware attacks that are targeting towns and cities across North America.

The problem is so severe that the Association of Municipalities of Ontario—a body that represents 444 of the province’s towns and cities—is encouraging greater information collecting and sharing between members, and calling on senior levels of government to provide funding to help protect their data and fend off this growing threat.

“AMO has also been urging the provincial and federal governments to work closely with municipal governments to help protect governments from cyberattacks, and to help public services weather attacks with less disruption,” AMO president Jamie McGarvey, the mayor of Parry Sound, Ont., told the Toronto Star, as published in a recent article.

Ransomware—a type of cybercrime where a hacker seizes or encrypts data and demands payment for its release, usually in a cryptocurrency such as Bitcoin, which is harder to trace than a bank transfer even though every transaction is recorded on a public ledger—isn’t just plaguing big cities such as Toronto. Smaller communities with less robust digital infrastructure are also prime targets. So far the victims include Wasaga Beach, Stratford and Midland, to name only a few. More are sure to follow.

A North America-wide problem 

If it offers any comfort to municipalities and business owners in Ontario, a recent New York Times piece reminds us that hackers using ransomware to hijack public or private data do not discriminate when it comes to nationality. This is far from a Canadian phenomenon:

“More than 40 municipalities have been the victims of cyberattacks this year, from major cities such as Baltimore, Albany and Laredo, Tex., to smaller towns including Lake City, Fla. Lake City is one of the few cities to have paid a ransom demand — about $460,000 in Bitcoin, a cryptocurrency — because it thought reconstructing its systems would be even more costly

In most ransomware cases, the identities and whereabouts of culprits are cloaked by clever digital diversions. Intelligence officials, using data collected by the National Security Agency and others in an effort to identify the sources of the hacking, say many have come from Eastern Europe, Iran and, in some cases, the United States. The majority have targeted small-town America, figuring that sleepy, cash-strapped local governments are the least likely to have updated their cyberdefenses or backed up their data.”

And therein lies the challenge. Many municipal governments have cut their IT budgets to such a degree (or never funded them properly in the first place) that their systems are virtually open to cyber criminals. In some cases, data is being held hostage for millions of dollars. While many of these crimes are orchestrated by sophisticated organized crime syndicates, ransomware kits are now sold as a service on the dark web, so a far less skilled attacker with a laptop and a rented toolkit can manage the same feat with minimal effort.

It’s one thing to lock up the data of an SME, but what happens when entire hospitals or health care systems are shut down by a clever hacker with a grudge, or a desire to cash in? These attacks are becoming so sophisticated that civic agencies and businesses of all sizes and across industries are at risk.

A very human problem 

As I’ve noted in previous blogs, most cybersecurity vulnerabilities stem from human error or negligence. Case in point: the town of Allentown, Pa., was targeted in a malware attack last year that shut down some municipal computers for weeks. The hacker exploited a vulnerability in a single employee’s laptop while that worker was on the road. Not surprisingly, the laptop hadn’t been updated to the latest software and was an easy target for the malware-toting hacker. That attack cost about $1 million to fix.

Now imagine that same unexpected cost taking a nasty bite out of your balance sheet and annual financial projections. When figures such as those are bandied about, it brings home the scope and seriousness of the problem—and underscores the need to take action.

That requires policies that ensure regular software updates of all machines, especially if your employees work off-site. It requires sufficient spending on IT, security and employee training. If we all agree that this is a ‘people’ challenge, we can start taking steps to fix the problem.

Employees should be trained to recognize phishing emails. They need to be equipped with VPNs for off-site work, and an understanding that websites that look fake often are—and are potentially run by a hacker residing in the cyber netherworld, waiting to pounce on an unsuspecting victim. They must also never share passwords. Note that current guidance (NIST SP 800-63B) no longer recommends forcing routine password changes, which tend to produce weaker, predictable passwords; the stronger practice is a unique, long password for every account, a password manager to keep track of them, multi-factor authentication wherever it is offered, and an immediate change whenever a compromise is suspected.
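Training teaches people to spot a display name that doesn’t match the real sender, a Reply-To that quietly points elsewhere, and a domain that imitates the company’s own. The same checks can be automated at the mail gateway so they don’t depend on every employee being alert. The script below is an added illustration, not code from this post or from Wincon Security: it parses raw message headers with Python’s standard library and applies those three heuristics. The trusted domain `example.com` and the four sample messages are constructed for the demonstration.

```python
"""Heuristic phishing checks over raw e-mail headers (illustrative, not vendor code)."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the organization's own mail domain.
TRUSTED_DOMAINS = {"example.com"}


def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def fold_ascii(text):
    """Map accented or decorated characters to plain ASCII (e.g. 'é' -> 'e')."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()


def is_trusted(domain):
    """A trusted domain or any subdomain of one (mail.example.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 between domains is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when the domain imitates a trusted domain without being one."""
    if is_trusted(domain):
        return False
    folded = fold_ascii(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(folded, trusted) <= 2:          # exarnple.com, examplé.com
            return True
        if trusted.split(".")[0] in folded.split("."):    # example.com.login-secure.net
            return True
    return False


def assess(raw_message):
    """Return a list of findings for one raw message; an empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name claims a trusted domain while the real sender is elsewhere.
    if any(t in fold_ascii(from_name).lower() for t in TRUSTED_DOMAINS) and not is_trusted(from_domain):
        findings.append(f"display name '{from_name}' claims a trusted domain but sender is {from_addr}")

    # 2. Replies are routed to a different domain than the one the mail came from.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    # 3. The sender's domain imitates one of ours.
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like a trusted domain")
    return findings


# Constructed sample messages for the demonstration.
SAMPLES = {
    "legit": "From: IT Helpdesk <helpdesk@example.com>\nSubject: Maintenance window tonight\n\nPlanned outage 22:00-23:00.\n",
    "spoofed_name": 'From: "helpdesk@example.com" <alerts@mail-secure-login.net>\nReply-To: recover@mail-secure-login.net\nSubject: URGENT: password expires today\n\nClick here to keep your access.\n',
    "lookalike": "From: Payroll <payroll@exarnple.com>\nReply-To: accounts@gmail.com\nSubject: Updated direct deposit form\n\nPlease confirm your banking details.\n",
    "homoglyph": "From: Finance <finance@examplé.com>\nSubject: Invoice attached\n\nSee attachment.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, assess(raw) or "ok")
```

These checks are deliberately simple and will not catch a compromised legitimate mailbox, which is why they complement training rather than replace it; in practice they would sit alongside SPF, DKIM and DMARC enforcement at the gateway.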

These are all seemingly rudimentary best practices—and this is by no means an exhaustive list of essential cybersecurity tactics—but when combined, they form the foundation of an effective cybersecurity net that can protect an organization from digital worst-case scenarios.

Because once you get a $1 million ransom note from a hacker to release your data, the costs of being proactive seem quite reasonable by comparison.

Winston Stewart, President and CEO

Wincon Security

With only specific industry exceptions, the days of your entire staff sitting in the same office—or in boardrooms taking meetings—at once, are largely gone. Nowadays, knowledge-economy workforces are becoming increasingly mobile, as employees continue to seek greater flexibility to work from home (or wherever they choose). The tacit agreement is that even though their hours may fluctuate, employees’ work will be done and delivered according to specifications. In many cases organizations are beginning to do away with formal hourly work expectations altogether.

Indeed, remote working—also known as telecommuting—has become commonplace across industries, save those where employees must be physically present in a work environment to do their jobs, such as manufacturing or retail. Many leading employers, in particular technology firms, have leveraged flex-time and remote work to attract, retain and engage top talent. They really had no choice. As the likes of Facebook, Google, Apple, WeWork and other Millennial-friendly employers changed the labour landscape over the past two decades, even small and medium-sized organizations found themselves needing to match benefits and perks to compete.

Then they began to understand the security issues that emerge when employees are essentially given the reins to manage their own IT risk, but in most cases without the training and expertise needed to do it properly.

Security data tells a tale

An Ipsos poll for data security firm Shred-It released last year underscores the challenges facing organizations that seek to provide worker flexibility while also trying to mitigate escalating security risk. Fully 82 per cent of the C-suite executives at enterprise-sized organizations and 63 per cent of small and medium-sized enterprise (SME) owners polled felt greater exposure to a data breach when employees work off-site. The majority of large organizations (89 per cent) and half of SMEs (50 per cent) report offering workplace mobility, and most executives and business owners feel that offering the option to work remotely is becoming increasingly important.

Still, slightly more than half of SMEs say they have formalized data-management policies for off-site employees, while only 27 per cent train their employees on key data protection concerns such as public Wi-Fi usage. Just 38 per cent say they have protocols to govern the handling of confidential information. That compares to large organizations, 93 per cent of which report having formal security policies for off-site employees, while just fewer than half say they train employees on the use of public Wi-Fi—a major data-management vulnerability. Fifty-three per cent of off-site employees working for large companies say they allow friends and family to use company-issued electronic devices, and the same number say their devices could face interference at home or in public spaces. That’s shocking when you consider that some of these employees could be handling everything from sensitive industrial information to customer financial data. Regardless, it means many are exposed to hackers or other cyber malfeasants looking to cause trouble.

One of the greatest challenges that organizations face in allowing members of their team to work remotely is a lack of control. As the Shred-It survey underscores, when anyone in a household has wide open access to sensitive information when a laptop is simply left unattended, that’s a major problem. And that’s just one of many potentially troublesome scenarios.

Wi-Fi a major risk exposure

Far more likely are Wi-Fi-related security incidents stemming from the use of unsecured networks at coffee shops or in other public places. While many of us assume that no one would bother to peer into our devices while we sip a latte and surf the Net, the reality is that on an open (unencrypted) Wi-Fi network anyone within radio range can read whatever traffic isn’t itself encrypted, and anyone can stand up a hotspot with the same name to sit between the user and the Internet. HTTPS protects the content of most web sessions, but not every application uses it, and a laptop that exposes file shares or stale services to the local network is reachable by every other patron in the café.

Let’s not forget that phishing scams or outright hacking are also major sources of risk that are too often ignored. In many cases, we find that some employees will be less vigilant while working off-site, often letting down their guard and engaging in risky online behaviour. Why? Because we’re all human, and when we don’t think we’re being watched by the boss, we’ll sometimes cut corners and ignore protocols.

That underscores the argument for providing employees with VPN (virtual private network) access when working off-site, and requiring them to use it whenever they connect. The problem, of course, is that enforcement becomes a challenge when employees are out of sight. Many use their personal electronic devices to conduct work business, and don’t protect them adequately with a passcode or full-disk encryption. That leaves both personal and business data at risk of exposure which, again, is amplified when using free Wi-Fi networks.

Why employee training and policies matter

Ultimately, the onus is on organizations to have policies in their workplace manuals that address data security and management, while providing (and enforcing) protocols that must be followed at all times. Rules should state clearly that any breach of these policies could be cause for discipline or termination. Employees also need to be properly trained to understand and identify potential security risks, and in using the security tools they’ve been provided. I’m not only referring to safeguarding phones and laptops. Many employees also use USBs or portable hard drives, or even travel with hard copies of sensitive data, that can just as easily be stolen.

Every employer wants to provide greater flexibility and work-life balance to their staff. But it has to be clear that remote working arrangements are a privilege, while company-wide security is a shared responsibility—not to mention an essential element of its long-term survival and success. It’s only when security becomes part of an organization’s culture that it can be consistently and effectively enforced.

Winston Stewart, President and CEO

Wincon Security

We not only live in a world addicted to data, but one that often ignores cyber wellness.

From our smartphones to the digital personal assistants (Siri, Alexa) that have been marketed as tools to free our time for leisurely pursuits—the jury’s still very much out on whether they’re helping most of us achieve that goal—an increasing number of interactions in our daily lives involve internet-connected digital devices that track human behaviour. Most of this data is benign and has little application outside of the marketing world. When I mention visiting a destination on a social media account, for example, I suddenly find ads for that destination in my news feed. It’s annoying, maybe, but not necessarily a major breach of privacy.

Now, what happens when smart devices start tracking and collecting information across a commercial property?

Connected commercial properties

No need to wonder because that’s likely already happening in a building you occupy, and perhaps the one you’re sitting in right now. Everything from your building’s door card readers and fire alarm panels to its HVAC system, surveillance cameras and thermostats could well be connected to the Internet. The potential for efficiencies, cost savings and property performance improvements are almost too numerous to summarize in a single article. But so, too, are the cybersecurity risks.

While security firms such as ours still guard against so-called traditional thieves—thieves who break into a facility intent on stealing merchandise or equipment, or engaging in vandalism, for example—Wincon Security has evolved into an integrated solutions provider in recent years precisely because an equal and fast-growing risk exists in the online realm. Sophisticated malfeasants, many of whom are connected to overseas organized crime rings, are looking for easy targets. That means organizations or commercial property owners reluctant or unwilling to invest in a holistic, digitally-focused security strategy to protect their assets are gravely exposed.

Why wait-and-see never works

Unfortunately, many organizations take a cross-your-fingers approach to security, betting that they’re too small or their data too unimportant to draw the attention of cyber thieves. That is until they’re hit. Then most are left scrambling to restore systems, or pay ransoms to recover data, and rebuild their businesses after an online attack.

So great is the threat that BOMA Canada recently published a Cyber Wellness Guide for commercial property owners. In it, the organization notes:

The IIoT (Industrial Internet of Things) currently in the market are geared towards user value, and haven’t necessarily been looked at from a thorough cyber security perspective. That increases the onus on building managers to have a robust plan to prevent and deal with cyber issues.

In addition to the expanding network of smart devices, attackers are also becoming more persistent and patient, whether it is to gain ransom from you or to cause other damage. In addition to local hackers who may use phishing attacks or ransomware to cause potential damage, there are international threats too as proximity does not matter when dealing with cyber risks, and no sector is immune.

Indeed, it’s not alarmist to assume that a hacker could breach your building’s cyber defenses (assuming they’re in place, which isn’t always a given), steal data and even coordinate with thieves to break into your facility. If your organization happens to deal in high-value or sensitive materials, this is of particular concern. So, what’s a property owner or manager to do?

Be proactive to bolster cyber wellness

As the BOMA report notes, it all starts with preparation. Having tools such as firewalls, anti-virus software or endpoint security on laptops and other vulnerable devices in place is crucial, as is keeping building systems on their own network segment rather than reachable from the office network or the open Internet. Detection tooling, including machine-learning-based anomaly detection, is also improving at flagging intrusions before they become obvious or cause damage. Of course, staff training is another important consideration—and that includes making sure that security personnel are as well trained in recognizing cyber threats as they are in monitoring traditional causes of building vulnerability or standing on guard to prevent incidents such as physical break-ins.

Having a significant security budget in place is another important consideration that many property owners overlook—particularly if they’re prone to looking for ways to maximize profitability at the expense of all other considerations. That budget should include line items for both physical and cyber security measures. From there your team will need an incident response plan that can be put into action at a moment’s notice if a data breach occurs. The plan should be customized to your specific needs and be comprehensive enough to address a range of possible scenarios.

Most importantly, be sure to work with a security provider who understands the risks involved as the IIoT becomes ubiquitous, cyber threats increase and the need for solutions integration becomes more important than ever. Because the last thing any busy commercial property owner should waste time fretting over is whether a hacker in some far-flung locale is preparing to compromise the security of their data or their facility.

Winston Stewart, President and CEO

Wincon Security

Ontario business owners who spent the last week celebrating the tabling of Bill 47, legislation that promises to repeal most of the controversial Bill 148 (with the implementation of the equally unpopular Pay Transparency Act also due to be delayed and revised, as well), could be forgiven for missing the enactment of another important new law. Only this one comes with significant cyber and physical security implications for organizations across industries.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation, on the books since 2000, that “applies to the collection, use or disclosure of personal information in the course of a commercial activity.” What is new is a set of mandatory breach-reporting provisions that came into force on November 1, 2018. Put simply, if yours is an organization that has clients to whom it sells products or services, it falls under the Act’s jurisdiction. Exemptions exist in provinces (currently Alberta, British Columbia and Quebec) whose private-sector privacy laws have been declared substantially similar to PIPEDA; otherwise the federal law applies. What does this all mean? According to the Office of the Privacy Commissioner of Canada:

“Organizations covered by PIPEDA must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Individuals should also be assured that their information will be protected by appropriate safeguards.”

New disclosure requirements

Perhaps most importantly, the new provisions require organizations to report a breach of security safeguards to the Office of the Privacy Commissioner of Canada, and to notify the affected individuals, whenever it is reasonable to believe the breach creates “a real risk of significant harm to an individual.” They must also keep a record of every breach, whether or not it met that threshold, for 24 months. The language of the law is notably general: organizations are required to have “appropriate” safeguards in place, including when personal information is handled by third-party vendors on their behalf.

Penalties for non-compliance can top $100,000 per violation, so organizations are wise to be proactive and fall in line with the new rules.

PIPEDA a challenge for SMEs

Smaller businesses will likely have more difficulty complying with the law, particularly because they lack full-time IT teams or personnel to help track and protect data. Only now the financial stakes of ensuring adequate cybersecurity are significantly higher. As if the potential brand and bottom-line hit from an incident of data theft wasn’t bad enough, to add insult to injury cash-strapped companies also have to worry about Ottawa levying a steep fine when they’re at their most vulnerable.

While the new PIPEDA rules are obviously focused on the protection of data while promoting cybersecurity vigilance and protection for consumers, this is also about physical security. Why? It’s not uncommon for thieves to steal laptops or servers from an office or retail outlet, for example, then search those devices for everything from sellable business data to credit card information. Whether they actually find anything to peddle is beside the point. Because so many organizations still lack cloud- or hardware-based backup systems to protect data in case of a physical theft, losing that information to a burglary can be just as bad as being hacked by an online malfeasant. Backups protect you from losing the data; full-disk encryption on every laptop and server protects you from the thief reading it, and a stolen device whose contents are properly encrypted is far less likely to meet the “real risk of significant harm” threshold than one that isn’t.

An opportunity to think holistically about security

Here’s the good news: PIPEDA represents an important opportunity for organizations of all sizes and across industries to improve their security infrastructure. Without this legislative impetus, many companies would be happy to keep on carrying on, ignoring potential threats and crossing their fingers that a hacker or burglar won’t one day target their precious customer data.

It’s best to look at PIPEDA as a chance to develop a comprehensive security strategy that looks at both physical and digital security in a holistic way, analyzing potential vulnerabilities and outlining effective tools to help mitigate risk. This would also be the ideal time to consider upgrading security hardware such as monitoring and alarm systems, not to mention the crucial software that protects everything from your property’s entry points to devices such as laptops. These security components should all work in harmony and when one is insufficient, crafty criminals will be sure to take advantage to exploit weaknesses.

Is PIPEDA compliance potentially costly? Yes, but taking a proactive approach is always less expensive than trying to recover from a massive data breach. For that reason, the legislation could be just the nudge that your organization needed to stay safe and secure.

Winston Stewart, President and CEO

Wincon Security