Nikki Johnson No Comments

Cyber Risks & Liabilities

By: Dan Reith
Principal Broker
Reith & Associates Insurance and Financial Services Limited

COVID-19’s Impact on Cyber Threat Activity

A cybersecurity crisis emerged alongside the 2020 global health crisis, as cybercriminals posed an increased threat to the safety of individuals and organizations. Experts are seeing an uptick in cyber threat activity as workforces continue to move to the digital landscape.

Increased Individual Attacks

In 2020, cybercriminals capitalized on fear surrounding the pandemic by producing COVID-19-related scams that trick victims into opening malicious links and attachments. Cybercriminals create fake COVID-19-related content, such as local and regional health updates, or knowledge of cures and treatments. The pandemic has created an opportunity for cybercriminals to exploit human curiosity and concern, which has led to an increase in cyberattack victims.

There’s also been an increase in phishing scam campaigns where cyber threat actors craft convincing copies of government websites and official correspondence. These attacks prey upon populations who are anxious and less likely to be skeptical of emails and other links regarding COVID-19.

Increased Organizational Attacks

As cybercriminals continue to exploit human vulnerability and individual fears surrounding COVID-19, the sudden increase in organizations with employees working from home has allowed cybercriminals to capitalize on cloud-based technologies that those organizations were not using before. Research has found that companies became less secure in 2020 due to hastily deployed remote work solutions.

The Canadian Centre for Cyber Security predicts that ransomware will continue to target health care and medical research facilities as the global health sector continues to mitigate the COVID-19 pandemic. Cybercriminals taking advantage of the health crisis have the ability to jeopardize patient outcomes and public health efforts.

Another ransomware trend that emerged in 2020 is known as “double extortion,” where cybercriminals maximize their chance of a profit by threatening additional abuse of the compromised data, including auctioning or selling it.

It’s more important than ever that organizations take a proactive approach to their cybersecurity measures as well as educate employees on the risks of cyber threat activity.

Human Error as a Cybersecurity Threat

The IBM Cyber Security Intelligence Index Report found that human error is a major contributing cause in 95 per cent of cybersecurity breaches. Human errors are unintentional actions or a lack of actions by employees and users that cause or allow a security breach to happen.

Human error can typically be separated into two categories:

  1. Skill-based errors—These errors occur when a user makes a small mistake when performing familiar tasks and activities. While they know what the end result is supposed to be, they make an error due to memory lapse, mistake or negligence.
  2. Decision-based errors—This type of error occurs when a user makes a faulty decision as a result of not having the necessary level of knowledge, not having enough information about the specific circumstance or not realizing inaction is a type of decision.

These mistakes and lapses in judgment can lead to cybersecurity attacks that put organizations in jeopardy. Cybercriminals know that technical security measures are only effective when humans properly utilize them.

The following are examples of how human error can be exploited:

  • Misdelivery—Misdelivery is a common threat to corporate data security and happens when a user sends something to the wrong recipient. Employees should take care to double-check all fields of information before hitting send.
  • Password issues—According to the National Centre for Cyber Security, 123456 is the most popular password in the world, and 45 per cent of people have the same password for multiple online services. Strong, unique passwords should be encouraged among employees.
  • Patching—Software developers are constantly working to find vulnerabilities in their programs and release software updates when one is discovered. Users and employees should install the update immediately to remain protected against threats that exploit the flaw.
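The password bullet above says only that strong, unique passwords should be encouraged; the following shows what a service can actually enforce at password-change time. This is an added example, not code from the original article or from Reith & Associates: it checks minimum length, a common-password deny list, and reuse of the user's own previous passwords via salted hashes (so old passwords are never stored in the clear). The deny list, the 12-character minimum and the PBKDF2 iteration count are assumptions chosen for illustration; reuse of the same password across different services cannot be verified by any single service, which is why the article's advice to users still matters.

```python
"""Password policy check: length, common-password deny list, and no reuse.

Added example, not from the original article. The common-password set and the
stored history below are constructed; a real deployment would use a large
breach-derived list and the organisation's own credential store.
"""
import hashlib
import hmac
import os

# Constructed: a tiny stand-in for a breach-derived common-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "letmein"}
MIN_LENGTH = 12           # assumed policy value
PBKDF2_ITERATIONS = 100_000  # assumed; raise in production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) for the reuse history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(candidate, history):
    """Return the list of policy violations; an empty list means the password is acceptable.

    history: list of (salt, digest) pairs for the user's previous passwords. Each
    candidate is re-hashed with the stored salt and compared in constant time, so
    reuse is detected without keeping the old passwords themselves.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    for salt, digest in history:
        _, cand_digest = hash_password(candidate, salt)
        if hmac.compare_digest(cand_digest, digest):
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed demo: one previous password on file, then three change attempts.
    previous = [hash_password("correct horse battery staple")]
    for attempt in ("123456", "correct horse battery staple", "a fresh long passphrase 2021"):
        print(repr(attempt), "->", check_password(attempt, previous) or "accepted")
```

Length and deny-list checks run before the (deliberately slow) hash comparison, so an obviously weak candidate is rejected cheaply; the history check is the only part that costs a PBKDF2 computation per stored entry.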

Addressing human error is key to reducing an organization’s chance of being successfully targeted. Educating workforces on mitigating cybersecurity threats can empower them to actively look out for and report new threats they may encounter.

What Is a Deepfake and What Is at Risk?

A deepfake refers to a doctored video or audio recording that looks and sounds like the real thing. While manipulating video is nothing new, deepfake technology could give anyone the ability to distribute misleading and false information.

As technology advances, it’s becoming harder to discern what is real or fake on the internet, and machine learning models are beginning to have trouble detecting the forgery. While there are certain signs that make it easy for the naked eye to spot a deepfake, including a lack of eye blinking or shadows that look wrong, experts predict that deepfakes will continue to advance in sophistication. Soon, the utilization of digital forensics will be the only possibility for detection.

If deepfakes become unidentifiable, it could lead to inherent mistrust and jeopardize faith in a shared, objective reality. In addition, there is the threat of those who might seek to weaponize this technology for political or malicious purposes.


Cyber Risks & Liabilities in 2021

By: Dan Reith BA(Hons) CAIB
Principal Broker
Reith & Associates Insurance and Financial Services Limited

Technology was forced to rapidly advance in 2020 due to the global health crisis, which found organizations scrambling to adapt to remote working. HR technology was no exception. With the implementation of virtual onboarding processes, the creation of fully-automated payroll systems and more, HR technology adjusted to the needs of organizations in 2020.

HR technology will continue to be vital for the advancement of companies in 2021 in the four areas mentioned below.

Digital Solutions for Remote Work

As organizations continue to navigate the virtual landscape, digital solutions are essential. Keeping an eye on productivity while still fostering collaboration is possible by managing workflows and streamlining processes. Integrating platforms that offer niche solutions for digital collaboration is key moving forward. Document sharing, online chats and video conferencing can help with keeping projects on track.

Software-as-a-Service and Cloud-based HR

Organizations with cloud-based systems already in place were able to seamlessly transition from the office to working from home. For those relying on outdated technology, the shift was a bit harder. In 2021, HR should include cloud-based and software-as-a-service (SaaS) solutions to stay on top of the evolving digital landscape. These solutions allow for comprehensive employee management online, including talent acquisition, virtual onboarding, performance management and payroll.

AI-powered Talent Management

Sage People found that 56 percent of organizations plan to adopt artificial intelligence (AI) into their recruitment process in the next 12 months, compared to just 24 percent who utilized the capability in 2020. AI-powered talent management can include resume assessments and candidate ranking. AI can also schedule and conduct video-based interviews that can predict how well a candidate will fit the role.

Digital Learning

Job seekers are prioritizing educational opportunities as they search for their next career move. Employers should attract talent by implementing online education platforms as an indication of investment in their employees’ careers. Digital learning solutions are overtaking classroom-based learning, and this trend will only continue into 2021.

What Is Internet of Behaviours and How Will It Be Prevalent Going Forward?

Internet of Behaviours (IoB) is the leveraging of data to influence behaviour. Organizations utilize available data to predict and influence human behaviour. Gartner predicts that by 2023, 40 percent of the global population will be tracked digitally in order to influence behaviour.

However, IoB is already here and prevalent in many areas of daily life, including:

  • Facial recognition
  • Location tracking
  • Big data

And while IoB offers several benefits (e.g., convenience of having synced digital devices), the collection of this behaviour-focused data leaves sensitive data at risk for cyberattacks. Property access codes, delivery routes, bank access codes and more are susceptible to cybercriminals.

Businesses should be vigilant and proactive in their cybersecurity efforts to ensure that data is secure and protected. Consider introducing cybersecurity training and awareness programs in your organization in order to stay ahead of cybercriminals.

TOP CYBER THREATS FOR 2021

As the world continues to rely more and more on technology, the need to address threats to cybersecurity becomes increasingly important. With 64 percent of organizations already having experienced web-based attacks, here are seven cybersecurity threats to be aware of in 2021:

  1. Phishing — Phishing occurs when a hacker tricks someone into providing sensitive information or accessing malware by using a false identity. This can happen through email, social media accounts and more.
  2. SMS-based phishing — This form of phishing, sometimes referred to as “smishing,” occurs through SMS text messages. The attack only succeeds once the link within the text message is opened. While email filters can typically identify a phishing message and block it, text messages with bad links can still come through.
  3. PDF scams — These scams occur when a PDF attachment in an email or messaging platform contains a link to malware or ransomware. Scammers know people are more likely to open a PDF attachment than a website link, especially if it’s been labelled as a statement balance or press release.
  4. Malware and ransomware — Malware and ransomware can lead to hijacked software, frozen systems, and lost and stolen data. Businesses often keep data on servers that are connected to the internet, and all it takes is one crack in a company’s cybersecurity for hackers to attack and access that data.
  5. Database exposure — Customer contact information, financial records and identity records are all susceptible to hacking and theft when servers aren’t properly protected.
  6. Credential stuffing — Credential stuffing aims to gain private access through the utilization of stolen login credentials. The most common occurrence of credential stuffing happens when the same login information is used for multiple websites and accounts.
  7. Accidental sharing — Accidents happen. But when accidents contain confidential and sensitive information, company cybersecurity can be at risk. This type of threat is usually the result of human error rather than a hacker or malware issue.

Experts predict that, by 2023, cybercriminals will be stealing nearly 33 billion records per year. Learn more about protecting your organization against these cybersecurity threats by contacting Reith & Associates Insurance and Financial Services Limited today.


Social Media Security

By: Dan Reith BA(Hons) CAIB
Principal Broker
Reith & Associates Insurance and Financial Services Limited

While social media can help organizations engage with customers and expand their reach, using it comes with potential risks. These risks can range from minor damages to your brand image to major cyber attacks that target sensitive information, resulting in costly recovery and lawsuits. The following are some of the biggest risks associated with using social media as well as tips to avoid them.

EMPLOYEES

One of the biggest risks to any organization’s social media security is its employees themselves. User error, a lack of education and carelessness can all become incredibly costly when dealing with social media.

As such, it’s important to invest time in developing a social media policy that clearly outlines the purpose, procedures and expectations of appropriate social media use. Additionally, employees need to be educated on the importance of this policy, as well as the threats that social media poses and how to identify them. Regulate the number of people with access to official social media accounts to only those who are educated, trusted and absolutely necessary for daily operations.

SCAMS AND PHISHING ATTACKS

Like with any other form of internet use, scams and phishing attacks are a constant risk when dealing with social media. Malicious links disguised as news reports, videos or familiar social media accounts could be used to trick users into sharing secure information.

Be wary of any links that appear suspicious, and never disseminate secure information in a way other than it is intended to be shared by policy. Knowing how to identify suspicious links or web pages can be the difference between an incredibly costly mistake and a near miss. For example, shortened URLs found on Twitter may link to webpages built to look identical to familiar websites, and third-party applications may be designed to reveal the user’s private information to a third party.

UNSECURED MOBILE DEVICES

Most social network access is through mobile devices, and, while some organizations may issue company-owned devices for this purpose, the organization’s social media accounts are most often accessed from employees’ own devices. The fact that these devices travel everywhere with the employees makes them especially vulnerable to unwanted or inappropriate access.

All mobile devices with social media access should be locked with a password when not in use. Doing so can protect private information from falling into the wrong hands in the event that an employee with social media access loses their device.

INATTENTIVE USE

Not paying attention to an organization’s social media accounts may seem harmless at first, or even preferable compared to engaging in use that might seem risky. However, being inattentive to social media can bring its own risks. For example, a social media account that becomes hacked could start spreading harmful fraudulent messages or viruses, causing much more harm if it is not caught immediately.

Keep a close eye on all social media accounts—even if you only created them to reserve your brand’s handle and don’t intend to use them in the near future—and be ready to act if one of them becomes compromised.

MALWARE ATTACKS AND HACKING

Even when exercising proper social media security tactics, there is always the possibility that your accounts will become compromised through sophisticated malware attacks and hacking. After all, unlike your organization and employees, hackers are not limited to the five-day workweek to carry out their plans and could strike at any time.

Invest in security technology to watch your social media accounts 24 hours a day, and have a person in charge who will be able to receive alerts and respond to them as soon as a problem is detected.

Contact Reith & Associates Insurance and Financial Services Limited today at 519-631-3862 to learn more about social media security.


Cyber Risks & Liabilities

By: Dan Reith BA(Hons) CAIB
Principal Broker
Reith & Associates Insurance and Financial Services Limited

Do You Have Adequate Cyber Insurance?

Given the number of variables, picking a cyber insurance policy can be a difficult task. Furthermore, while an organization may think it is protected by its current policy, new developments in cyber security and new ventures by the organization itself may make those policies inadequate. Worse still, over 80% of Canadian small and medium-sized enterprises carry no cyber insurance at all. Consider the following when creating or reviewing your existing cyber insurance plan.

Assess Your Unique Cyber Risks

As with any other liability policy, it’s important to understand the specifics of your cyber risks before picking a cyber liability policy. There is no one-size-fits-all, so assess your business needs to understand the best cyber insurance for you.

The following factors are some examples of what defines your organization’s distinct cyber risks:

  • The type of data your organization stores
  • How and what type of data is shared with business partners
  • Types of communication systems used and their level of security

Know What Policies Are Available and What They Cover

Cyber insurance policies may vary significantly due to the absence of market standardization. While most policies provide first-party and third-party coverage, the details of what is covered can vary across policies. First-party coverage typically includes data breach response costs and business interruption costs that result from network failures, data breaches or ransomware attacks. Third-party coverage typically includes coverage for the costs associated with responding to regulatory investigations and indemnification for regulatory fines or penalties. Take a close look at the terms and coverage offered in each policy for what most closely aligns with your unique cyber risks.

Know Your Responsibilities

Closely examine your selected plan to know your responsibilities, such as who to notify if there has been a breach. For example, a breach that has only recently been discovered may, in fact, have begun years earlier, which means a retroactive cyber insurance plan is needed for it to be covered. Understanding these requirements and what needs to be reported can be the difference between being covered and not being covered at all. Work these requirements into your organization’s incident response plan to ensure they are followed.

The Atypical Devices That May Be Vulnerable to Cyber Attacks

Increasingly, non-computing devices, such as equipment sensors, industrial control systems and teleconferencing equipment, are being connected to global computer networks. Unfortunately, many of these devices are not held to the same cyber security standards, adding an additional vulnerability through which cyber criminals may be able to gain access to your organization’s valuable data or manipulate critical systems.

The Internet of Things

The internet of things (IoT) refers to the connection of web-enabled devices that are connected to each other in a network to exchange information. While this provides many benefits, such as reducing the need to input the same data into multiple systems and gathering data from different sources to be analyzed and used in a centralized location, there are risks associated with it.

For example, if a single device is compromised in a cyber attack, the data from all connected devices and even the devices themselves could be compromised. As such, all it takes for an outsider to gain access to sensitive information is to identify the device with the weakest cyber security that also has access to the network.

Securing IoT Devices

When looking to purchase and connect new devices to the IoT, ensure that there are plans and policies in place to minimize the chances of a cyber threat against those devices. Conduct a sweep of your organization to identify electronic devices and determine if each one is connected to a network that could be exposed to a cyber event, as well as what kind of data those devices are sending and receiving. Keep in mind that even seemingly mundane systems or devices such as heating, ventilation and air conditioning units could be running basic computer operating systems with the potential to connect to the internet. Track these devices by creating an asset map that lists the connected devices.

From here, you can start planning how to secure the devices that pose the largest threat of cyber exposure. Segment the network so that not every device provides access to the entire system, check for security updates or patches where possible and reach out to the device’s manufacturer for information if necessary. Restrict personal IoT devices to a separate network (like a guest Wi-Fi), update all default passwords on connected devices, use two-factor authentication and ensure that data generated by IoT devices is encrypted.

When looking for a provider of cyber insurance, don’t settle for just any provider. Interview them, and ensure their knowledge of the product and of your unique exposure is sufficient to give your business the protection it requires.


Cyber Risks & Liabilities

By:  Dan Reith  BA(Hons) CAIB
President/Principal

3 Ways to Protect Yourself From Credential Stuffing

Credential stuffing attacks occur when a malicious party takes a stolen username and password and tries them on a variety of different websites. For example, a hacker may have purchased a Google username and password from the dark web. Assuming that you use the same password for multiple accounts, the hacker would test these credentials on other platforms (e.g., banking or social media websites) using botnets (networks of compromised computers that carry out the attacker’s commands).

Essentially, by using information from one account, criminals can potentially access data from a variety of platforms, draining bank accounts or gathering information they can sell to other malicious parties.

Credential stuffing can affect anyone, from individual users to the biggest companies. Thankfully, because credential stuffing relies on victims having the same password for multiple accounts, there are some simple ways to protect yourself:

  1. Avoid using the same password for multiple accounts—Credential stuffing only works because many people use the same password for multiple accounts. Change your passwords often and use a unique password for each account.
  2. Use two-factor authentication—While complex passwords can deter cyber criminals, they can still be cracked or stolen. To prevent access to your accounts, two-factor authentication is key. Through this method, users must confirm their identity by providing extra information (e.g., a code sent to their phone or a unique security code) when attempting to access corporate or personal applications, networks and servers. This additional login hurdle means that would-be cyber criminals won’t easily unlock an account.
  3. Create strong password policies—For employers, ongoing password management can help prevent attackers from compromising your organization’s password-protected information. Create a password policy that requires employees to change their password on a regular basis, avoid using the same password for multiple accounts and use special characters. Long passphrases are becoming increasingly popular.
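The three tips above are what users and employers can do; an organisation that runs a login service can also detect a credential stuffing campaign in progress. The following is an added example, not code from the original article or from Reith & Associates, that scans authentication log lines for the tell-tale pattern: one source trying many different usernames in a short window with a low success rate (a legitimate user fumbles one account's password, a stuffing tool walks a list of leaked username/password pairs). The log format, the sample lines, the five-minute window and the thresholds are all constructed assumptions; adapt the regular expression to your own login logs.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example, not from the original article. The log format and the sample
lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, result.
# 198.51.100.7 sweeps eight accounts in four seconds and gets into one of them;
# the other two sources look like ordinary users.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z ip=198.51.100.7 user=alice result=FAIL
2021-03-01T09:00:02Z ip=198.51.100.7 user=bob result=FAIL
2021-03-01T09:00:02Z ip=198.51.100.7 user=carol result=FAIL
2021-03-01T09:00:03Z ip=198.51.100.7 user=dave result=SUCCESS
2021-03-01T09:00:03Z ip=198.51.100.7 user=erin result=FAIL
2021-03-01T09:00:04Z ip=198.51.100.7 user=frank result=FAIL
2021-03-01T09:00:05Z ip=198.51.100.7 user=grace result=FAIL
2021-03-01T09:00:05Z ip=198.51.100.7 user=heidi result=FAIL
2021-03-01T09:00:10Z ip=203.0.113.9 user=alice result=FAIL
2021-03-01T09:00:20Z ip=203.0.113.9 user=alice result=SUCCESS
2021-03-01T09:01:00Z ip=192.0.2.44 user=ivan result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "SUCCESS"


def detect_stuffing(text, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources whose attempts look like credential stuffing.

    A source is flagged when, inside any sliding window, it tries at least
    min_users distinct usernames and at most max_success_rate of those attempts
    succeed. The summary keeps the window with the most distinct usernames and
    lists the accounts that did succeed, which are the ones to reset or challenge.
    """
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(users) < min_users:
                continue
            successes = sum(1 for _, _, ok in in_window if ok)
            rate = successes / len(in_window)
            if rate > max_success_rate:
                continue
            if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                flagged[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "success_rate": rate,
                    "compromised_candidates": sorted(u for _, u, ok in in_window if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {info}")
```

The per-source view catches a single bot; a botnet spreading the same list across many addresses looks different (one username, many sources, low rate), so in practice this check is paired with a per-username view and with the two-factor authentication the article recommends, which turns a correct guessed password into a failed login.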

Even the most robust and expensive data protection solutions can be compromised should an employee click a malicious link or download fraudulent software. As such, it’s critical for organizations to thoroughly train personnel on common cyber threats and how to respond.

Mobile Device Security

Gone are the days when the most sensitive information on an employee’s phone was the names and phone numbers of their contacts. Now, a smartphone or tablet can be used to gain access to anything, including emails, stored passwords and even proprietary company data. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a traditional computer system.

In order to protect your organization, there are a number of mobile device security measures to consider:

  • Establish a mobile device policy—Before issuing mobile phones or tablets to your employees, establish a device usage policy. Provide clear rules about what constitutes acceptable use as well as what actions will be taken if employees violate the policy. It is important that employees understand the security risks inherent to mobile device use and how they can mitigate those risks. Well-informed, responsible users are your first line of defence against cyber attacks.
  • Establish a bring your own device (BYOD) policy—If you allow employees to use their personal devices for company business, make sure you have a formal BYOD policy in place. Your BYOD security plan should also include the following practices:
    • Installing remote wiping software on any personal device used to store or access company data.
    • Educating and training employees on how to safeguard company data when they access it from their own devices.
    • Informing employees about the exact protocol they must follow if their device is lost or stolen.
  • Keep the devices updated with the most current software and anti-virus program—Software updates to mobile devices often include patches for various security holes, so it’s best practice to install the updates as soon as they’re available. There are many options to choose from when it comes to anti-virus software for mobile devices, so it comes down to preference. Some are free to use, while others charge a monthly or annual fee and often come with better support.
  • Back up device content regularly—Just like your computer data should be backed up regularly, so should the data on your company’s mobile devices. If a device is lost or stolen, you’ll have peace of mind knowing your valuable data is safe.

Because of their convenience, smartphones and tablet devices have become a universal presence in the modern business world. As usage soars, it becomes increasingly important to take steps to protect your company from mobile threats, both new and old.

Cyber Incidents Cost More Than You Might Think

As technology advances, companies are collecting, storing and transferring more personal information about their customers and employees than ever before. This not only opens organizations up to a cyber attack, but it also means that just one breach can affect thousands or even millions of individuals. Unfortunately, for organizations, cyber incidents cost more than just data:

  • Data breaches are becoming increasingly expensive. While cyber liability insurance can help offset the costs of a data breach and subsequent litigation, just one breach can be financially devastating. According to a survey conducted by the Ponemon Institute, the average cost of a data breach was $5.78 million, or $255 per lost or stolen record.
  • Regulatory costs can be significant. With the advent of Canada’s Digital Privacy Act (DPA), which amends the Personal Information Protection and Electronic Documents Act (PIPEDA), failing to handle a data breach properly can result in major fines. As part of PIPEDA, companies must comply with mandatory data breach notification and reporting requirements. Failing to do so can result in fines of $100,000 per violation.
  • Cyber incidents can lead to serious reputational damage, significantly impacting directors and officers. Reputational damages can easily reach six figures. According to Kaspersky Lab, a global cyber security company, a single cyber incident recently caused brand damage of $8,000 for small and medium-sized businesses and $200,000 for larger organizations. When wide-scale breaches occur, a company’s reputation can be tarnished, sometimes permanently. In addition, the public holds organizations accountable for major losses of personal data, and directors and officers are often the ones who take the blame.

For assistance in reducing your exposure to cyber crime, contact our office; our development team is the only local insurance provider able to assist with strategies, workplace policies and training programs.

admin No Comments

Looking After Your Privacy | Cyber Risk & Liability – Privacy and Cyber Security

With the enormous amount of sensitive information stored digitally, companies need to take appropriate measures to ensure this data is not compromised. It is the responsibility of business owners to protect their clients’ data. This can be done by buying appropriate insurance cover, or by assuming the responsibility yourself: understanding the risks involved with data security and investing in the appropriate technology, staff training and operating policy enforcement to prevent a privacy breach.

Know the Risks

The first step in protecting your business is to recognize the types of risk:

  • Hackers, attackers and intruders. People who seek to exploit weaknesses in software and computer systems for their personal gain. Their intentions are usually malicious and their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to damaging activity (stealing or altering a client’s information).
  • Malicious code. This is the term used to describe code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
    • Viruses: This type of code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular Web page.
    • Worms: This type of code propagates between systems without user intervention. Worms typically start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers.
    • Trojan horses: Trojans hide in otherwise harmless programs on a computer, and much like the Greek story, release themselves to cause damage. A popular type of Trojan is a program that claims to speed up your computer system but actually sends confidential information to a remote intruder.

IT Risk Management Practices

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions use industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, their importance to the organization, and the data stored and processed.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems or the facilities where systems are stored, or other conditions occur that may affect the impact of risk to the organization.

Due Diligence When Selecting an ISP

Your organization should take precautionary measures when selecting an Internet service provider (ISP) to use for company business. An ISP provides its customers with Internet access and other Web services. In addition, the company usually maintains Web servers, and most ISPs offer Web hosting capabilities. Because of this, many companies rely on their ISP for backups of emails and files, and the ISP may implement firewalls to block some incoming traffic.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – Is the ISP concerned with security? Does it use encryption and SSL to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that its services will be unavailable, does it adequately communicate that information to its customers?
  • User support – Are there any published methods for contacting customer service? Do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Protection is our Business

Your clients expect you to take care of their sensitive information. We can help you plan for a potential issue. Contact Reith & Associates Insurance and Financial Services Limited today; we have the tools necessary to ensure you have the proper coverage to protect your company against a data breach.
