Cyber Security Awareness for Boards

There's always been a market for personal information for those in the nefarious business of trying to obtain it. In the days long before people had even heard of the ominous Dark Web (a small part of the Internet that’s “only accessible with special tools, software or authorization that search engines don’t index”), gaining access to the basics, like names, addresses, and Social Insurance Numbers, was enough for someone to begin the process of systematically stealing an individual’s identity.[1] They'd start small, obtaining progressively more valuable pieces of identification that gave the false identity more credibility, scaffolding on things like transit passes, library cards, or mail-order music – remember the 12 CDs for a penny offer that was fraught with fraud. Once a crook had amassed enough types of ID, they would move on to applying for credit, a cellphone, or even bank accounts. Their meticulousness and patience in building a false version of you would allow them to divert mail and gain access to even more personal information over time. Upon making the horrifying discovery, the poor victim often had to jump through hoops to undo the mess and prove that someone had faked their identity, something that could genuinely take years and a massive effort to fix.

The digital data marketplace

When data shifted to become predominantly digital, determined data criminals upped the ante and haven’t stopped. You might be wondering how lucrative the personal information market is. Let’s put it this way: it’s come a long way from the days of someone selling you a fake ID that looks somewhat like you so you can get into bars while you’re underage.

Today, credit card information, Health Card information, Social Insurance Numbers and login passwords are hot commodities. Unfortunately, with every hack or data breach, the pot of stolen information is refreshed.

Experian published the approximate value of these items on the Dark Web, and it’s disturbing.[2] Data such as a Social Insurance/Social Security number or a non-financial login password is at the bottom of the scale for the bargain-bin price of $1. The next tier – financial service login information for banking, secure payment services or credit cards – ranges anywhere from $5 to $200. Driver’s licenses and consumer loyalty cards go for $20. Diplomas, for between $100 and $400. And the most prestigious data? It's akin to the most valuable jewelry kept behind the counter: passports and health records, valued at between $1000 and $2000. Prices tend to vary over time and are influenced by the completeness of the data as a package. For example, in most cases, an entire database is more valuable than a single record. Higher prices also apply to high-balance accounts or situations where the ability to reuse the access is likely and where there’s more damage to be done.

Who’s buying and who’s selling

Just who are the people doing this? Of course, the usual criminal suspects and hackers are driving this veritable cyber-crime industry. Still, some nation-states and hacktivists create targeted cyber attacks that support their distinct political views or social causes. While these situations can feel abstract and at arm's length to us, they’re not necessarily. The ripple effect of this kind of activity is significant.

Organizations should be aware that there's evidence that increasing numbers of disgruntled employees are walking out of their workplaces with classified data and creating havoc for their current or former employers.

In addition, social engineering, where attacks look innocent and appear as legitimate requests for information, is on the rise. Companies' awareness and vigilance have done a lot to educate employees about cyber security within their organizations. Some even have annual training and certifications that all staff must participate in to reduce vulnerability to being compromised.

Tools of the trade

Computer viruses, spam and other suspicious files all have a common objective: to infiltrate systems maliciously and cause damage, hence the name, malware. Malware comes in many different forms and is often embedded in executable files, websites, macros, flash drives, and email. Hackers embed instructions within the invasive file to mutate and avoid being detected by antivirus software. Once a system is infected, the malware may alter the operating system and steal data, or the machine may even unknowingly become a slave, commandeered to contribute to a hacker's cryptocurrency mining activities.

Hackers are also becoming experts at employing social engineering techniques to manipulate someone into feeling obligated to share confidential information.

  • Ransomware is malware that steals data and can block the rightful owner's access to those files. As the name suggests, a ransom is demanded to release the files back to the owner. Sometimes, there are threats to publish the stolen data broadly in an attempt to extort payments.
  • Phishing is most often observed in the large volumes of emails or phone calls that masquerade as coming from reputable companies but are sent to get recipients to act and reveal personal information. They often use elaborate and exaggerated stories that are intended to incite a call to action. For instance, they often tell you that your account has been compromised or there has been an arrest warrant issued in your name: they're hoping you take the bait and panic, handing over data in the process. Spear phishing is an attempt to target a specific individual or a specific type of information in the attack.

These actors are also beginning to leverage the diversification of connections within the Internet of Things (IoT) by harnessing the computing power of devices that connect to the web as part of their regular operation: think modems, routers, smart speakers, appliances and more. A hacker may attack vulnerable connected devices that aren’t secured and take them hostage. Next, they infect these devices with code that turns their processing power into a bot. When given the order, the massive network of bots bands together, allowing the hacker to create a Distributed Denial of Service (DDoS) attack on a specific target to interrupt normal operation within a network and get whatever they are trying to compromise.

Cyber attacks are targeting specific industries to get personal information, financial data, health data, educational credentials, and intellectual property:

  • Power & Utilities
  • Financial Services
  • Healthcare
  • Education
  • Retail
  • Manufacturing

What comes after a cyber attack?

Organizations of all sizes reel from the repercussions of cyber attacks. The response time, costs, vastness of focus area, and communications required to address them are often staggering. We often hear about how even the biggest players are vulnerable, which can be surprising because we expect they should be protected against attacks because of their scale. For example, Yahoo discovered breaches between 2013 and 2016 that involved 3 billion compromised accounts.[3] This still holds the record as the biggest cyber attack of all time. In Canada, Desjardins reported that hackers attacked 9.7 million personal data records between 2017 and 2019. Private sector organizations aren't the only ones targeted. There have been incidents at Canada Post, Revenue Canada, and other public, government-affiliated institutions at federal and provincial levels.

For private companies, nonchalant attitudes cost market share and value against the bottom line.

Investigations need to happen to understand what’s transpired, and orchestrating them is expensive. There are also internal and external disclosure obligations, including legislated actions to follow through with provincial and federal privacy offices. Remediation costs also extend to developing full public relations strategies, education, monitoring for affected parties, and legal settlements. One of the biggest challenges can be how rapidly misinformation can spread through social media, stirring up more problems. All of this creates a big quagmire within ongoing efforts to regain consumer trust.

Unfortunately, a common denominator for most companies, regardless of their size, is being ill-prepared with respect to investments in cyber security within their businesses. While small and medium-sized enterprises are particularly vulnerable, large corporations are not unscathed.

With reputation risk and valuation on the line, urgency needs to be placed on creating better levels of preparedness and a maturing of data handling practices.

Cloud storage was once thought to be a risky exposure. It may be time to reconsider that view and have organizations become more open to taking advantage of the fortified levels of protection that cloud providers can offer. However, you still need to be as cautious and vigilant as ever, because simply moving the application and sensitive data into the Cloud does not let you off the hook: you must still conduct your own detailed diligence on these companies and how they are looking after your data and your customers’ data.

Has COVID-19 helped bring this issue to the forefront?

It seems that it’s only complicated things. Remote work during the pandemic has made it more challenging to trace data breaches.

The importance of educating employees on proper data handling practices and how to secure company data will continue to be a priority as organizations start to carve out their return to the office/work from home/work from anywhere strategies.

Health care information has also taken a hit in the race to solve the proof-of-vaccination problem. Vaccination receipts issued by provincial health ministries include varying degrees of personally identifiable information: full names, dates of birth, partial health card numbers, and geographic locations where doses were administered. In the wrong hands, these details could be deadly.

Only recently, the NHL's Calgary Flames organization had to back away from an app they had initially endorsed. They thought it would be a way for fans to register their immunization status and streamline the eventual return to having live spectators cheer the team on at the Saddledome. Unfortunately, as first reported by CBC, the PORTpass app exposed some early registrants’ data. Journalists were able to view images of driver's licences and even Nexus cards.[4] The immediate response of the PORTpass organization illustrated that they were taken by surprise, and they started down the path of investigating the problem with security audits. While the Flames have discontinued use of the app, the episode also reflects a lack of due diligence on their part and calls into question what their liability could be if any victims claim damages.

What do organizations need to do?

Cyber security is a vast topic for an organization to deal with, and most need help either to re-evaluate their current state or to start somewhere. Giving attention to the immediate tasks below should help reprioritize and develop better awareness, governance, and incident management responses.

1. Audit

Identify the data and systems within your network, plus the people who have access to them. Ensure there are credentialed and limited access controls in place so that only those who need to use the data to perform their job duties can get to it. Companies doing a significant amount of Merger and Acquisition work should definitely update their checklists to reflect the importance of this topic.

2. Education and Expectations

You need to keep the entire organization vigilant and ensure they are prepared to respond swiftly and in a coordinated fashion to mitigate the damage caused by cyber attacks. Frequent and regular training with certifications is one way to ensure employees understand how seriously you take data management. Set expectations clearly and be transparent about the costs to the organization of mismanaged data breaches to provide appropriate context. It’s not dissimilar to having a strong Safety ethic. You should strive to have Cyber baked into your organization’s DNA. It affects the company’s success, and employees are critical contributors to it.

3. Know the laws and legislation for private-sector companies

When there is greater awareness of the obligation to protect private information and the requirements for managing breaches, companies can feel more confident in their governance and their issue responses. Canada's privacy law for data handling, the Personal Information Protection and Electronic Documents Act (PIPEDA), came into effect in the spring of 2000. The legislation is reviewed every five years by parliament to ensure that it stays relevant. It details what companies need to do to collect and protect data, and it also covers mandatory disclosure of data handling practices to customers and obtaining their consent. For businesses operating outside of Canada, the laws are changing rapidly, so there is a lot to learn about the EU’s General Data Protection Regulation (GDPR), for example, and other privacy regulations. Having expertise in this area means that a company understands its liability for exposures and knows about the obligations it must uphold should a breach occur. Having a robust plan in place is essential. If you don't have someone assigned to keep up to date with expertise in this area, you are immediately vulnerable.

Where does the Board fit into preparedness?

Good governance comes from the top.

Boards need to set the tone and ensure that it cascades through the organization so that priority is given to data management, handling, security awareness and vigilance. They need to ensure that well-developed processes exist for regular security reviews, periodic certifications, and tabletop exercises. Boards must also ensure that all roles in handling a data breach crisis are well defined and that specific people hold this accountability as part of their duties. They also have a definitive role in validating the due diligence of any third-party vendors entrusted with data by examining these prospective partners’ data security protocols, integrity, and handling practices.


It’s time to increase everyone’s personal awareness. I am not saying lock the doors and huddle inside, as we have recently gone through a bout of this! What I am encouraging is that it is well worth it to satisfy your curiosity and become better informed. For both company and personal protection of private information, you need to be aware of what you are clicking on and the kind of information that you are sharing, to be sure it’s legitimate. In my next post, I’ll share some best practices to consider when developing a response to data breaches.


[1] DeNicola, Louis. (2021 May 12). What is the Dark Web? https://www.experian.com/blogs/ask-experian/what-is-the-dark-web/

[2] Stack, Brian. (2017 December 6). Here’s How Much Your Personal Information Is Selling for on the Dark Web. https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/

[3] Sobers, Rob. (2021 April 16). 98 Must-Know Data Breach Statistics for 2021. https://www.varonis.com/blog/data-breach-statistics/

[4] Rieger, Sarah. (2021 September 28). Portpass app may have exposed hundreds of thousands of users’ personal data. https://www.cbc.ca/news/canada/calgary/portpass-privacy-breach-1.6191749



David Craig

Cybersecurity and Privacy Advisor

3 years

Well done Dave! You can highlight that the Board should insist that the entity maintain good cyber hygiene. Just doing the basics can really help reduce the risk!

SHERYL WATSON

Lawyer, Business Leader, Board Director

3 years

Interesting article David. Thank you!

Dr. Chris Bart, FCPA, F.CIoD, C.Dir

Executive Chairman & Founder, at The Caribbean Institute of Directors Top 50 Governance Professional (NACD 2024 Director 100 Awards)

3 years

Thoughtful, insightful and brilliant!
