Nikki Johnson No Comments

Cyber Crime: SMISHING Explained

Most businesses and individuals are familiar with phishing, a cyberattack technique in which cybercriminals use fraudulent emails to manipulate recipients into sharing sensitive information, clicking malicious links or opening harmful attachments. While these email-based scams remain a pressing concern, a related form of phishing known as smishing (SMS phishing) has emerged over the years, creating additional cyber exposures for organizations and individuals alike.

Smishing relies on the same tactics as phishing. The main difference between the two techniques is the channel: smishing reaches victims through text messages rather than email. As a growing number of individuals use their smartphones for both personal and work-related purposes (e.g., interacting with colleagues and clients on mobile applications), smishing has become a rising threat. In fact, in 2021, the Canadian Anti-Fraud Centre totaled 4,451 reports of phishing and 1,323 reports of spear phishing, both of which can involve texting platforms.

With these numbers in mind, it’s evident that organizations need to address smishing exposures within their operations. The following article provides an overview of smishing and offers best practices for organizations to protect against this emerging cyberattack technique.

What Is Smishing?

Smishing follows the same format as phishing, using deceptive messages to manipulate recipients. These messages are generally sent via text but can also be delivered through mobile instant messaging applications (e.g., WhatsApp). In these messages, cybercriminals may use a wide range of strategies to get their targets to share information or infect their devices with malware. Typically, they impersonate a trusted or reputable source and urge the recipient to respond with confidential details, download a harmful application or click a malicious link. Here are some examples of common smishing messages:

  • A message claiming to be from a financial institution, saying the recipient’s bank account is locked or experiencing suspicious activity and asking them to click a harmful link to remedy the issue
  • A message impersonating a well-known retailer (e.g., Amazon, Costco or Walmart), encouraging the recipient to download a malware-ridden application to receive a gift card or similar prize
  • A message claiming to be from an attorney or law enforcement, saying the recipient is facing legal trouble or criminal charges and urging them to call an unknown number for more information
  • A message impersonating the government, asking the recipient to click a suspicious link for details on their taxes or participation in a federal loan program
  • A message claiming to be a research organization, requesting the recipient download a malicious application to complete an informational survey
  • A message impersonating a delivery service, informing the recipient that they are receiving a package and providing them with a fraudulent link for tracking the item

If a recipient is tricked into doing what a smishing message asks, they could end up unknowingly downloading malware or exposing sensitive information, such as login credentials, debit and credit card numbers or Social Insurance Numbers. From there, cybercriminals may use the information they obtained for several purposes, such as hijacking accounts, opening new accounts, stealing money or retrieving additional data. Since individuals may use their smartphones for work-related tasks, smishing has the potential to impact businesses as well. For example, an individual who falls for a smishing scam could inadvertently give a cybercriminal access to their workplace credentials, allowing the criminal to collect confidential data from the victim’s employer and even steal business funds.

The nature of smishing has made this cyberattack technique a significant threat. This is because individuals are typically not as careful when communicating on their smartphones compared to their computers, often engaging in multiple text conversations at a time (sometimes while distracted or in a rush). Due to the large number of texts sent and received daily, individuals may be less wary or observant of a message from an unknown number than an email, making them more likely to interact with a malicious text message.

Furthermore, many individuals falsely assume that their smartphones possess more advanced security features than computers and are therefore protected from harmful messages. However, smartphone security has its limits. Built-in message filtering and carrier-level blocking catch some bulk spam, but they cannot reliably tell a well-crafted message that impersonates a known sender from a legitimate one, and a malicious link opened in the phone’s browser is just as dangerous as one opened on a computer. Every smartphone user therefore remains exposed, which is why it’s important for businesses to take steps to protect against smishing.

How to Protect Against Smishing

To effectively minimize smishing exposures and prevent related cyberattacks, businesses should:

  • Conduct employee training. First, businesses should educate employees on what smishing is and how it could affect them. Additionally, employees should be required to participate in routine training regarding smishing detection and prevention. This training should instruct employees to:
      ◦ Watch for signs of smishing within their text messages (e.g., lack of personalization, generic phrasing, urgent requests and links whose domain does not match the organization the sender claims to be)
      ◦ Refrain from interacting with or responding to messages from unknown numbers or suspicious senders
      ◦ Avoid clicking links or downloading applications provided within messages
      ◦ Never share sensitive information via text
      ◦ Use trusted contact methods (e.g., calling a company’s official phone number, not a number supplied in the message) to verify the validity of any request sent over text
      ◦ Report any suspicious messages to the appropriate parties, such as a supervisor or the IT department
  • Ensure adequate bring-your-own-device (BYOD) procedures. Apart from providing smishing training, businesses should establish solid BYOD procedures to ensure employees act accordingly when using their personal smartphones for work-related purposes. Such procedures may include using a trusted Wi-Fi network rather than open public hotspots, enabling multifactor authentication on work accounts, installing device and application updates promptly and logging out of work accounts after each use. Multifactor authentication in particular limits what an attacker can do with a password harvested through a smishing link, although one-time codes delivered by text can themselves be phished, so app-based or hardware authenticators are preferable. These procedures can help deter smishing attempts and decrease the damages that may ensue from smishing incidents.
  • Implement access controls. Another method for limiting smishing exposures is the use of access controls. By only allowing employees access to the information they need to complete their job duties, businesses can reduce the risk of cybercriminals compromising excess data or diverting funds during a smishing incident. To further protect their information, businesses should consider encrypting sensitive data and establishing secure, tested locations for backing up critical data.
  • Utilize proper security software. Businesses should also make sure company-owned smartphones are equipped with adequate security software. In some cases, this software can halt cybercriminals in their tracks, stopping smishing messages from reaching recipients’ devices and rendering harmful links or malicious applications ineffective. In particular, smartphones should possess antivirus programs, spam-detection systems and message-blocking tools. Security software should be updated as needed to ensure effectiveness.
  • Purchase sufficient coverage. Finally, it’s vital for businesses to secure proper cyber insurance to protect against potential losses stemming from smishing incidents. Businesses should reach out to their trusted insurance professionals to discuss specific coverage needs.
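
The warning signs listed under employee training above (urgency, requests for credentials, and links that do not belong to the organization being impersonated) can be turned into a simple triage rule that an IT team could run over reported messages. The following is an added example written for this article, not code from the original page; the brand-to-domain map, the `.example` domains and the sample messages are all constructed for illustration, and the registrable-domain logic is deliberately naive (it takes the last two labels and does not handle multi-part suffixes such as `.co.uk`).

```python
"""Heuristic smishing triage for reported text messages (added example)."""
import re
from urllib.parse import urlparse

# Matches http(s) URLs first, then bare domains such as examplebank.example/verify
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URGENCY = ("immediately", "within 24 hours", "suspended", "locked", "verify now",
           "act now", "final notice", "urgent")
SENSITIVE = ("password", "pin", "card number", "social insurance", "sin number", "one-time code")
# Constructed allowlist: brand name as it appears in messages -> domains it really uses.
OFFICIAL_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "exampleship": {"exampleship.example"},
}


def registrable_domain(host):
    """Last two labels of a host name (naive; fine for .com/.ca-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def extract_hosts(text):
    """Pull every host name referenced in the message, with or without a scheme."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0).rstrip(".,;:)")
        if "://" not in raw:
            raw = "http://" + raw
        host = urlparse(raw).hostname
        if host:
            hosts.append(host)
    return hosts


def score_message(text):
    """Return (score, reasons). Higher score = more smishing indicators present."""
    lowered = text.lower()
    score, reasons = 0, []
    brands = [b for b in OFFICIAL_DOMAINS if b in lowered]
    for host in extract_hosts(text):
        reg = registrable_domain(host)
        if is_ip_literal(host):
            score += 3
            reasons.append(f"link points at a raw IP address {host}")
            continue
        if reg in SHORTENERS:
            score += 2
            reasons.append(f"shortened link via {reg} hides the real destination")
        for brand in brands:
            if reg not in OFFICIAL_DOMAINS[brand]:
                score += 3
                reasons.append(f"mentions {brand} but links to {reg}")
                # Lookalike hosts such as examplebank.secure-login.example
                if brand in host.lower().replace("-", ""):
                    score += 2
                    reasons.append(f"brand name embedded in non-official host {host}")
    urgent = [p for p in URGENCY if p in lowered]
    if urgent:
        score += min(len(urgent), 2)
        reasons.append("urgency language: " + ", ".join(urgent[:2]))
    if any(re.search(r"\b" + re.escape(p) + r"\b", lowered) for p in SENSITIVE):
        score += 3
        reasons.append("asks for credentials, card or identity data")
    return score, reasons


def triage(text):
    score, _ = score_message(text)
    if score >= 4:
        return "likely smishing"
    if score >= 2:
        return "suspicious"
    return "low risk"


# Constructed sample messages for illustration.
SAMPLES = [
    "ExampleBank: your account is locked. Verify now at "
    "http://examplebank.secure-login.example/verify or it will be suspended within 24 hours.",
    "Your ExampleShip parcel is waiting. Track it: https://bit.ly/3abc",
    "ExampleBank: your monthly statement is ready at https://online.examplebank.example/statements",
    "URGENT: reply with your PIN and card number to unlock your card",
    "Hey, running late, see you at 7",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, reasons = score_message(msg)
        print(f"[{triage(msg):16}] score={score} {msg[:60]}... {reasons}")
```

A rule like this is a triage aid for the IT department, not a filter to rely on: a legitimate bank message can trip the urgency check, and an attacker who registers a convincing domain and avoids the obvious phrases will score low. The point of the exercise is that the most reliable indicator is a link whose registrable domain does not belong to the organization named in the message, which is exactly what employees should be trained to check.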

Conclusion

In summary, smishing is a serious cyber threat that both individuals and businesses can’t afford to ignore. By staying aware of smishing tactics and implementing solid mitigation measures, businesses can successfully protect against this rising cyberattack technique, deterring cybercriminals and minimizing associated losses.

For more risk management guidance, contact us today.

Dan Reith BA(Hons) CAIB, Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com


Penetration Testing & Minimizing Cyber Attacks


Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder and harder each year as cybercriminals expand their reach. It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?

Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others.

Penetration testing is usually performed by a professional from a contracted IT firm who has no other association with the organization being assessed. This helps the simulation stay as close as possible to a real attack, since the tester starts with no insider knowledge or access beyond what the engagement grants. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. In most cases, the IT professional won’t even be permitted to enter the organization’s physical premises during external penetration testing. Rather, they must execute the attack remotely, over the internet or, when wireless networks are in scope, from a nearby location within radio range, to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective. This form of testing can help the organization understand the amount of damage that a disgruntled employee, or an outside attacker who has already gained a foothold on the internal network (for example through a phishing or smishing victim’s device), could potentially inflict.

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation will determine the penetration test type. Specifically:

  • An open-box test (also called a white-box test) occurs when the IT expert is given details regarding the organization’s workplace technology or cybersecurity protocols, such as network diagrams, credentials or source code, before launching the attack. This spends the tester’s time on depth rather than discovery.
  • A closed-box test (also called a black-box test) occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack. This most closely resembles an outside attacker’s starting position, but some of the engagement time goes to reconnaissance rather than testing.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.

Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its security strengths and weaknesses, as well as reveal the true cost of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are legally or contractually required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations that store, process or transmit payment card data to perform penetration tests at least annually and after significant changes to their environment. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
      ◦ What is my organization looking to gain or better understand from penetration testing?
      ◦ Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
      ◦ What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
      ◦ The general testing timeframe
      ◦ Who will be made aware of the test
      ◦ The test type and format
      ◦ Which regulatory requirements (if any) must be satisfied through the test
      ◦ The boundaries of the test (e.g., which cyberattack simulations can be utilized, what workplace technology can be targeted and which systems must not be touched)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.
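
The plan items above (timeframe, boundaries, permitted techniques) are usually written down in a rules-of-engagement document, and a careful tester encodes the same boundaries into their tooling so that a scan cannot accidentally reach a system the client excluded. The following is an added example written for this article, not code from the page or from any testing firm; the networks, the excluded host, the time window and the technique names are constructed placeholders (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are reserved documentation ranges), and a real engagement would load them from the signed scope agreement.

```python
"""Rules-of-engagement gate for penetration-test tooling (added example)."""
import ipaddress
from datetime import datetime, timezone


class EngagementScope:
    """Encodes what the test plan agreed: targets, exclusions, window, techniques."""

    def __init__(self, in_scope, excluded, window_start, window_end, allowed_techniques):
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]
        self.window_start, self.window_end = window_start, window_end
        self.allowed = frozenset(allowed_techniques)

    def host_in_scope(self, host):
        # Exclusions win over inclusions: a fragile production box inside an
        # in-scope subnet stays off-limits even though its /24 is listed.
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in self.excluded):
            return False
        return any(addr in net for net in self.in_scope)

    def evaluate(self, host, technique, when):
        """Return the list of scope problems; an empty list means authorized."""
        problems = []
        if not self.host_in_scope(host):
            problems.append(f"{host} is not an agreed target")
        if technique not in self.allowed:
            problems.append(f"technique '{technique}' was not agreed in the test plan")
        if not (self.window_start <= when <= self.window_end):
            problems.append(f"{when.isoformat()} is outside the agreed testing window")
        return problems

    def authorize(self, host, technique, when):
        """Raise rather than return False so a tool cannot silently ignore the result."""
        problems = self.evaluate(host, technique, when)
        if problems:
            raise PermissionError("; ".join(problems))
        return True


# Constructed scope for illustration only.
SCOPE = EngagementScope(
    in_scope=["203.0.113.0/24", "198.51.100.0/24"],
    excluded=["203.0.113.10/32"],  # e.g. the client's production database host
    window_start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 6, 0, tzinfo=timezone.utc),
    allowed_techniques=["port-scan", "web-app", "password-spray"],
)
IN_WINDOW = datetime(2024, 3, 5, 1, 30, tzinfo=timezone.utc)     # during the window
AFTER_WINDOW = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)   # after it closed

if __name__ == "__main__":
    attempts = [("203.0.113.25", "port-scan", IN_WINDOW),
                ("203.0.113.10", "port-scan", IN_WINDOW),          # excluded host
                ("192.0.2.5", "web-app", IN_WINDOW),               # never in scope
                ("198.51.100.7", "denial-of-service", AFTER_WINDOW)]
    for host, technique, when in attempts:
        problems = SCOPE.evaluate(host, technique, when)
        print(f"{host:14} {technique:18} {'OK' if not problems else '; '.join(problems)}")
```

Calling `SCOPE.authorize(...)` at the top of every scanning or exploitation routine turns the written boundaries into something the tooling enforces, and the list returned by `evaluate` doubles as an audit record of what was refused and why.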

For more risk management guidance and insurance solutions, contact us today.

Dan Reith BA(Hons) CAIB, Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com


DATA BREACH: A Concern for Directors & Officers of ANY Entity


A data breach can be a devastating event, affecting a company or not-for-profit financially and damaging its reputation. As a director or officer, you face litigation risks based on the decisions made following a breach and on how you influenced cyber security policies, as these are often considered board-level issues. This is as true for directors and officers of small and medium incorporated enterprises (where the directors, officers and owners/shareholders are typically the same people) as it is for volunteer directors and officers of not-for-profit groups.

If a suit is filed against you after a data breach occurs, based on your position as a board member, you will not be protected by your commercial general liability policy or your cyber liability policy. Your best source of protection is your directors and officers (D&O) policy, as long as that policy is tailored to include protection after a data breach. Sadly, the majority of privately owned small and medium businesses in Canada do NOT make D&O cover part of their insurance program, either out of naïve skepticism or out of concern over the additional cost.

DATA BREACH THREATS

The biggest threat from a data breach is loss of information, whether it is information regarding your company’s finances or the personal information of your employees and customers, such as Social Insurance Numbers, banking details or credit card information.

Losing sensitive information belonging to your employees/customers or company can have a devastating effect on your reputation. If the credit card information of your customers is stolen, your customers would need to cancel their cards and get new ones—an inconvenient process and one that can damage your company’s image in the eyes of customers.

DATA BREACH RESPONSE

Following a data breach, you may be legally required to notify certain people about it. In Canada, for example, PIPEDA requires organizations to report a breach of security safeguards that poses a real risk of significant harm to the Privacy Commissioner and to notify the affected individuals, and publicly traded companies have securities disclosure obligations for material cyber security incidents. The cost of notification after a breach is generally covered by a cyber liability policy, and depending on the number of people you need to notify, that cost can be quite high.

Notification should be taken very seriously, as the way a company responds to a data breach can lead to exposure and legal action beyond lawsuits from customers—the company could be subject to regulatory action.

DATA BREACHES AND D&O COVERAGE

Insufficient cyber security that leaves your company vulnerable to a data breach can be seen by your customers or shareholders as negligence or a breach of duty. Your customers and shareholders may seek to hold you responsible for the damage, as the board is responsible for making decisions on behalf of the company. Because of this, you need protection in the form of a D&O policy.

In past legal cases following a data breach, directors and officers have been accused of:

  • Failing to take reasonable steps to protect customers’ personal and financial information
  • Failing to implement controls to detect and prevent a data breach
  • Failing to report a breach in a timely manner

A cyber liability policy would not offer the legal protection needed by directors and officers after a data breach, whereas a D&O policy can.

A D&O policy provides coverage for a “wrongful act,” such as an actual or alleged error, omission, misleading statement, act of neglect or breach of duty.

CYBER SECURITY IS VITAL

A company’s directors and officers are expected to be involved in and knowledgeable about the company’s cyber security. It’s rapidly becoming a vital aspect of responsible business management and customer service.

The following are some techniques to improve the cyber security of your company:

  • Install a firewall—Any company network connected to the internet should sit behind a properly configured firewall that blocks inbound connections by default and exposes only the services the business actually needs.
  • Install security software—Anti-virus, anti-malware and anti-spyware should be installed on every computer in the network. All software should be up-to-date.
  • Encrypt data—All data, whether stored on a tablet, flash drive or laptop, should be encrypted.
  • Use a virtual private network (VPN)—A VPN gives remote employees an encrypted, authenticated tunnel into the company’s network, so internal services do not have to be exposed directly to the internet. Note that a VPN protects traffic in transit only; a compromised laptop connected over the VPN is still inside your network, so pair it with multifactor authentication and up-to-date endpoint security.
  • Develop a data breach plan—Have a plan in place so when, not if, you experience a data breach, you can act quickly and minimize your loss.

DATA BREACH RISKS WITHOUT D&O INSURANCE

After a data breach, claims from shareholders and customers will most likely be made. Since you can be held personally responsible for the acts of the company as a board member, your plans and decisions need to be protected.

Without D&O coverage, your personal assets are at stake and could be forfeited to cover legal costs. You can protect yourself with a D&O insurance policy. Talk to your insurer about this type of coverage and be sure your policy is tailored to cover any gaps. Note that not all D&O policies are the same. It is important to look at the policy coverage and not the price when making a choice. D&O is also a specialized form of insurance, and not all insurance providers are well versed in the coverage or the nuances of policy wordings. It is important that you select an insurance provider that is educated and knowledgeable about D&O and is able to provide choice rather than a one-size-fits-all policy. Selecting the wrong provider and the wrong policy, one that fails to respond to the breach, is also something regulators, shareholders, customers and employees could sue you for.

Dan Reith, Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com/
https://www.linkedin.com/in/dan-reith-ba-hons-caib-b7a11b20/


Social Engineering & Fraud Insurance Coverage


Social engineering fraud (SEF) is a type of fraud that’s become increasingly common over the last several years. However, even though many instances of this fraud transpire over email communications, it’s a company’s crime policy—not a cyber policy—that would often provide coverage in the event of an SEF loss.

That’s why it’s especially important to understand your crime policy, how it might cover SEF, why it might not, and what endorsements you might want to obtain to make sure SEF doesn’t leave your company exposed.

How Social Engineering Fraud Works

There are a number of variations on the theme, but most instances of SEF involve the following elements:

  • A targeted approach. Criminals will research their targets, purchase authentic-looking domains, manufacture email chains and even resort to making phone calls, all in an effort to make their requests seem authentic.
  • A request. The preparation is in service of obtaining something from the target, either money (usually in the form of a wire transfer) or information (such as a list of vendors, routing numbers, etc.).
  • The application of social pressure. In order to bypass in-house safeguards and redundancies, the criminals apply pressure by imposing a time constraint, demanding secrecy or simply flattering the ego of the target by including him or her “in” on an important business transaction.
  • The disappearance of the criminals. Once the criminals obtain what they want, they disappear with the information or money, often before the company notices anything is missing, by which time a wire transfer is very hard to recall.
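
The first element above, the authentic-looking domain, is the one an accounts-payable team can check mechanically: a sender domain that is a homoglyph, hyphenated variant or near-misspelling of a known vendor’s (or your own company’s) domain should stop a payment-change request cold. The following is an added example written for this article, not code from the page or from any carrier; the known domains, the confusable-character table and the sample emails are constructed for illustration, and the registrable-domain logic is deliberately naive (last two labels only).

```python
"""Flag lookalike sender domains and payment-change pressure in invoice emails (added example)."""
import unicodedata

# Characters attackers substitute for Latin letters: digits, and Cyrillic a/e/o/p/c
# that render identically to their Latin counterparts. Constructed, not exhaustive.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
PAYMENT_CHANGE = ("new bank", "updated banking", "new account number", "remittance",
                  "wire", "routing number")
PRESSURE = ("urgent", "today", "end of day", "confidential", "do not discuss",
            "keep this between us")
# Constructed list of domains the business trusts: its own plus its vendors'.
KNOWN_DOMAINS = {"exampleco.example", "examplevendor.example"}


def normalize(label):
    """Fold a domain label to the Latin letters a reader would perceive."""
    folded = unicodedata.normalize("NFKD", label.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for pair, repl in (("rn", "m"), ("vv", "w")):   # two-letter lookalikes
        folded = folded.replace(pair, repl)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return folded.replace("-", "").replace("_", "")


def registrable(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def levenshtein(a, b):
    """Classic edit distance; small values between distinct domains mean typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(sender_domain, known=KNOWN_DOMAINS):
    """Explain why a sender domain resembles a trusted one; empty if trusted or unrelated."""
    reg = registrable(sender_domain)
    if reg in known:
        return []
    sld = reg.split(".")[0]
    norm = normalize(sld)
    findings = []
    for trusted in known:
        tsld = trusted.split(".")[0]
        if norm == normalize(tsld):
            findings.append(f"{reg} is a lookalike of {trusted}")
        elif levenshtein(norm, normalize(tsld)) <= 2:
            findings.append(f"{reg} is within edit distance 2 of {trusted}")
        elif tsld in sld:
            findings.append(f"{reg} embeds the trusted name {tsld}")
    return findings


def assess_email(sender, subject, body, known=KNOWN_DOMAINS):
    """Return (risk, reasons). 'high' = lookalike domain plus a payment-change request."""
    domain = sender.rsplit("@", 1)[-1]
    text = (subject + " " + body).lower()
    reasons = domain_findings(domain, known)
    payment = [p for p in PAYMENT_CHANGE if p in text]
    pressure = [p for p in PRESSURE if p in text]
    if payment:
        reasons.append("payment-change language: " + ", ".join(payment))
    if pressure:
        reasons.append("pressure language: " + ", ".join(pressure))
    if domain_findings(domain, known) and payment:
        risk = "high"
    elif domain_findings(domain, known) or (payment and pressure):
        risk = "medium"   # a legitimate domain can still be a compromised mailbox
    else:
        risk = "low"
    return risk, reasons


# Constructed sample emails for illustration.
SAMPLES = [
    ("ap@examp1evendor.example", "Updated banking details",
     "Please send today's wire to our new bank account. Urgent."),
    ("ap@examplevendor.example", "Invoice 1042", "Attached is our invoice for March."),
    ("ceo@exampleco-mail.example", "Quick favour", "Are you at your desk?"),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLES:
        risk, reasons = assess_email(sender, subject, body)
        print(f"[{risk:6}] {sender}: {reasons}")
```

Whatever the tool reports, the control that actually defeats SEF is procedural: any change to a vendor’s banking details is confirmed by phone, using a number already on file rather than one in the email, before funds move. The check above only makes sure that step is triggered when it should be.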

Cyber Policy vs. Crime Policy

It may seem counterintuitive, but SEF is usually not covered by a cyber policy. Even though this fraud often involves emails and wire transfers, cyber policies are not designed to cover it:

  • Cyber policies cover losses that result from unauthorized data breaches or system failures. SEF actually depends on these systems working correctly in order to communicate with an organization’s employees and transfer information or funds.
  • Crime policies cover losses that result from theft, fraud or deception. Because the underlying cause of a loss in SEF is fraud, a company would claim a loss under its crime policy rather than its cyber policy.

Areas of Cover

A standard crime or fidelity policy contains a few provisions under which an SEF claim might be filed:

  • Computer fraud. This refers to losses stemming from the unlawful theft of money due to a “computer violation”—that is, the unauthorized entry into or deletion of data from a computer system by a third party.
  • Funds transfer fraud. This refers to losses stemming from fraudulent instructions to transfer funds made without the insured’s knowledge or consent.

Potential Vulnerabilities

Depending upon the specific language and definitions laid out in the crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons:

  • There was no “computer violation.” Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, an insurer might try to deny the claim.
  • The insured knew about and consented to the transfer. Again, it depends on the specific language of the policy, but an insurer might argue that SEF isn’t covered under “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the intended account. Again, in SEF, the systems in place to transfer funds worked as intended; it was human failure that resulted in the loss.
  • The voluntary parting exclusion. Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.

Social Engineering Fraud Endorsements

Because of this potential gap in coverage, some carriers have started offering SEF endorsements to their crime and fidelity policies. The insuring agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer.

These endorsements are only offered by a handful of carriers, but with the increasing prevalence of SEF, more are likely to follow. To learn more about SEF, we have resources available for you. Ask about our “Risk Insights: The Fake President Fraud.”

To discuss your coverage options and learn what options are available to you, contact your insurance provider today!

Dan Reith, Principal Broker
Reith & Associates Insurance and Financial Services Limited
https://reithandassociates.com/


Cyber Risks & Liabilities

By: Dan Reith
Principal Broker
Reith & Associates Insurance and Financial Services Limited

COVID-19’s Impact on Cyber Threat Activity

A cybersecurity crisis emerged alongside the 2020 global health crisis, as cybercriminals posed an increased threat to the safety of individuals and organizations. Experts are seeing an uptick in cyber threat activity as workforces continue to move to the digital landscape.

Increased Individual Attacks

In 2020, cybercriminals capitalized on fear surrounding the pandemic by producing COVID-19-related scams that trick victims into opening malicious links and attachments. Cybercriminals create fake COVID-19-related content, such as local and regional health updates, or knowledge of cures and treatments. The pandemic has created an opportunity for cybercriminals to exploit human curiosity and concern, which has led to an increase in cyberattack victims.

There’s also been an increase in phishing scam campaigns where cyber threat actors craft convincing copies of government websites and official correspondence. These attacks prey upon populations who are anxious and less likely to be skeptical of emails and other links regarding COVID-19.

Increased Organizational Attacks

As cybercriminals continue to exploit human vulnerability and individual fears surrounding COVID-19, the sudden increase in employees working from home has allowed them to capitalize on hastily adopted cloud-based and remote-access technologies. Research has found that companies became less secure in 2020 due to hastily deployed remote work solutions.

The Canadian Centre for Cyber Security predicts that ransomware will continue to target health care and medical research facilities as the global health sector continues to mitigate the COVID-19 pandemic. Cybercriminals taking advantage of the health crisis have the ability to jeopardize patient outcomes and public health efforts.

Another ransomware trend that emerged in 2020 is known as “double extortion,” where cybercriminals maximize their chance of a profit by threatening additional abuse of the compromised data, including auctioning or selling it.

It’s more important than ever that organizations take a proactive approach to their cybersecurity measures as well as educate employees on the risks of cyber threat activity.

Human Error as a Cybersecurity Threat

The IBM Cyber Security Intelligence Index Report found that human error is a major contributing cause in 95 per cent of cybersecurity breaches. Human errors are unintentional actions or a lack of actions by employees and users that cause or allow a security breach to happen.

Human error can typically be separated into two categories:

  1. Skill-based errors—These errors occur when a user makes a small mistake when performing familiar tasks and activities. While they know what the end result is supposed to be, they make an error due to memory lapse, mistake or negligence.
  2. Decision-based errors—This type of error occurs when a user makes a faulty decision as a result of not having the necessary level of knowledge, not having enough information about the specific circumstance or not realizing inaction is a type of decision.

These mistakes and lapses in judgment can lead to cybersecurity attacks that put organizations in jeopardy. Cybercriminals know that technical security measures are only effective when humans properly utilize them.

The following are examples of how human error can be exploited:

  • Misdelivery—Misdelivery is a common threat to corporate data security and happens when a user sends something to the wrong recipient. Employees should take care to double-check all fields of information before hitting send.
  • Password issues—According to the UK National Cyber Security Centre, 123456 is the most commonly used password in the world, and 45 per cent of people reuse the same password across multiple online services. Strong, unique passwords should be required, ideally generated and stored by a password manager, and multifactor authentication enabled wherever it is available so that a single leaked password is not enough.
  • Patching—Software developers continually find and fix vulnerabilities in their programs and release updates when one is discovered. Users and employees should install updates promptly, since attackers routinely target known, already-patched flaws on systems that have not yet applied the fix.

Addressing human error is key to reducing an organization’s chance of being successfully targeted. Educating workforces on mitigating cybersecurity threats can empower them to actively look out for and report new threats they may encounter.

What Is a Deepfake and What Is at Risk?

A deepfake refers to a doctored video or audio recording that looks and sounds like the real thing. While manipulating video is nothing new, deepfake technology could give anyone the ability to distribute misleading and false information.

As technology advances, it’s becoming harder to discern what is real or fake on the internet, and machine learning models are beginning to have trouble detecting the forgery. While there are certain signs that make it easy for the naked eye to spot a deepfake, including a lack of eye blinking or shadows that look wrong, experts predict that deepfakes will continue to advance in sophistication. Soon, the utilization of digital forensics will be the only possibility for detection.

If deepfakes become unidentifiable, it could lead to inherent mistrust and jeopardize faith in a shared, objective reality. In addition, there is the threat of those who might seek to weaponize this technology for political or malicious purposes.


Cyber Risks & Liabilities in 2021

By: Dan Reith BA(Hons) CAIB
Principal Broker
Reith & Associates Insurance and Financial Services Limited

Technology was forced to rapidly advance in 2020 due to the global health crisis, which found organizations scrambling to adapt to remote working. HR technology was no exception. With the implementation of virtual onboarding processes, the creation of fully automated payroll systems and more, HR technology adjusted to the needs of organizations in 2020.

HR technology will continue to be vital for the advancement of companies in 2021 in the four areas mentioned below.

Digital Solutions for Remote Work

As organizations continue to navigate the virtual landscape, digital solutions are essential. Keeping an eye on productivity while still fostering collaboration is possible by managing workflows and streamlining processes. Integrating platforms that offer niche solutions for digital collaboration is key moving forward. Document sharing, online chats and video conferencing can help with keeping projects on track.

Software-as-a-Service and Cloud-based HR

Organizations with cloud-based systems already in place were able to seamlessly transition from the office to working from home. For those relying on outdated technology, the shift was a bit harder. In 2021, HR should include cloud-based and software-as-a-service (SaaS) solutions to stay on top of the evolving digital landscape. These solutions allow for comprehensive employee management online, including talent acquisition, virtual onboarding, performance management and payroll.

AI-powered Talent Management

Sage People found that 56 percent of organizations plan to adopt artificial intelligence (AI) into their recruitment process in the next 12 months, compared to just 24 percent who utilized the capability in 2020. AI-powered talent management can include resume assessments and candidate ranking. AI can also schedule and conduct video-based interviews that can predict how well a candidate will fit the role.

Digital Learning

Job seekers are prioritizing educational opportunities as they search for their next career move. Employers should attract talent by implementing online education platforms as an indication of investment in their employees’ careers. Digital learning solutions are overtaking classroom-based learning, and this trend will only continue into 2021.

What Is Internet of Behaviours and How Will It Be Prevalent Going Forward?

Internet of Behaviours (IoB) is the use of available data to predict and influence human behaviour. Gartner predicts that by 2023, 40 percent of the global population will be tracked digitally in order to influence behaviour.

However, IoB is already here and prevalent in many areas of daily life, including:

  • Facial recognition
  • Location tracking
  • Big data

And while IoB offers several benefits (e.g., the convenience of having synced digital devices), the collection of this behaviour-focused data leaves sensitive information at risk of cyberattacks. Property access codes, delivery routes, bank access codes and more are susceptible to cybercriminals.

Businesses should be vigilant and proactive in their cybersecurity efforts to ensure that data is secure and protected. Consider introducing cybersecurity training and awareness programs in your organization in order to stay ahead of cybercriminals.

TOP CYBER THREATS FOR 2021

As the world continues to rely more and more on technology, the need to address threats to cybersecurity becomes increasingly important. With 64 percent of organizations already having experienced web-based attacks, here are seven cybersecurity threats to be aware of in 2021:

  1. Phishing — Phishing occurs when a hacker uses a false identity to trick someone into providing sensitive information or opening malware. This can happen through email, social media accounts and more.
  2. SMS-based phishing — This form of phishing, sometimes referred to as “smishing,” occurs through SMS text messages. The attack only happens after the link within the text message is opened. While email systems can typically identify and filter out phishing scams, text messages with bad links can still come through.
  3. PDF scams — These scams occur when a PDF attachment in an email or messaging platform contains a link to malware or ransomware. Scammers know people are more likely to open a PDF attachment than a website link, especially if it’s been labelled as a statement balance or press release.
  4. Malware and ransomware — Malware and ransomware can lead to hijacked software, frozen systems, and lost and stolen data. Businesses often keep data on servers that are connected to the internet, and all it takes is one crack in a company’s cybersecurity for hackers to attack and access that data.
  5. Database exposure — Customer contact information, financial records and identity records are all susceptible to hacking and theft when servers aren’t properly protected.
  6. Credential stuffing — Credential stuffing uses stolen login credentials to gain unauthorized access to accounts. It most commonly succeeds when the same login information is reused across multiple websites and accounts.
  7. Accidental sharing — Accidents happen. But when accidents contain confidential and sensitive information, company cybersecurity can be at risk. This type of threat is usually the result of human error rather than a hacker or malware issue.

Experts predict that, by 2023, cybercriminals will be stealing nearly 33 billion records per year. Learn more about protecting your organization against these cybersecurity threats by contacting Reith & Associates Insurance and Financial Services Limited today.