If you feel like you’re just starting to catch onto the changing cyber risk landscape—and earnestly trying to catch up—you’re not alone. Nearly 90% of those who responded to EY’s 2017-2018 global information security survey said their company’s cyber security is insufficient to meet their needs.
But companies have legal and financial reasons to start paying attention to the changing cyber risk landscape. Cyber security needs to be integrated into business planning and digital strategy. All employees need to understand their role in making your company less vulnerable to cyber attack.
The cyber landscape is changing rapidly. Here are three things that will affect how you design or adjust your cyber risk management plan in 2018:
- Canada and the European Union are set to implement new laws around personal data protection
- Employees are both the first line of defence and a key point of vulnerability when it comes to cyber security
- Increased dependency on digital technology to run your business means your cyber risk assessments need to be part of every element of business planning.
You are legally responsible to keep people’s information safe. Failure to collect, protect, destroy and map data properly has the potential to cost you a lot of money.
Many organizations collect the personal data of Canadians and people from abroad as part of everyday business. If you hold personal information of individuals—credit card numbers, addresses, health information or anything confidential—you are responsible for keeping that data safe. It’s something that is becoming increasingly hard to guarantee.
Moreover, Canadian laws around personal data are set to change this year. Under the new laws, companies will be required to report data breaches to the Office of the Privacy Commissioner of Canada (OPC) and notify anyone whose data has been affected. There will be exemptions for certain business transactions. But if you are breached and fail to notify OPC, you could be fined up to $100,000 under the new legislation.
In the last 8 years more than 7.1 billion identities have been exposed in data breaches.
Provinces also have their own laws around personal data protection, health data in particular. Alberta’s is the most well-defined.
The new legal amendments on the horizon in Canada will also determine precisely how, when and to whom you report breaches. At the end of the day, the newly-defined Personal Information Protection and Electronic Documents Act (PIPEDA) is designed to protect consumers. Once the changes are made law, businesses will be responsible for doing everything in their power to ensure personal information is kept safe and not misused.
“Once the requirements are in force, we are expecting an increase in litigation, especially class action litigation,” says Molly Reynolds, Senior Associate at Torys LLP in Toronto.
Under the newly defined law, organizations will be legally required to indicate the steps they will follow when notifying individuals whose data has been breached. The notice to individuals, which can be oral or written, must include the following:
- The date of the breach
- Personal information affected
- Steps the organization has taken to reduce the risk of harm to individuals
- Steps the individual can take to further protect their information
- Contact information for the organization
- Information about how to file a complaint to the organization or the OPC
Reynolds notes that lawsuits are already a common reaction following a data breach, but with new laws in place, class action suits have a better chance of succeeding.
The Personal Information Protection and Electronic Documents Act [PIPEDA] applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity.
“Litigation claiming invasion of privacy or damages arising from a loss of data is extremely common following public disclosure of serious data breaches,” says Reynolds.
“These cases usually claim very high damages –in the tens of millions of dollars in many cases—but almost invariably settle out of court before trial. Despite the prospect of settling the claims, data breaches pose the risk of significant costs in legal fees to defend the claims at the early stages.”
The requirement to keep records of all breaches, even those that are not reported, will create additional risk for businesses under the proposed new law.
“The federal Privacy Commissioner can audit those records,” says Reynolds. “The regulatory and reputational consequences of not disclosing a data breach that is later found by the Privacy Commissioner to have been serious enough to warrant reporting could be more significant than the breach itself.”
“Companies may face fines and lost business if they are found to have violated their privacy law obligations.”
New laws will be implemented in the European Union (EU) in May, which will have a global impact.
The legislation, passed in 2016, will require companies—no matter where they are headquartered—to abide by EU laws if they use the personal information of an EU citizen in their business transactions. This legislation will override existing personal data protection laws in EU member countries.
The EU legislation, called the General Data Protection Regulation (GDPR), is expected to be the most stringent in the world and will have a significant impact on your business practices. The GDPR requires:
- 72-hour breach notification requirements
- Use of clear language when getting consent from people to use their personal data
- Making it easy and straightforward for people to withdraw their consent
- “The right-to-be-forgotten” clause, which will require companies to destroy data if asked by individuals
Companies that fail to comply could be fined 4% of their worldwide annual sales, up to 20 million euros.
“The traceability of data and to define where data is located can be challenging but you need to understand that in order to understand where a breach has occurred,” says Thomas Davies, Associate Partner for cyber security at EY Canada. “You also need to think about how you will resolve a customer complaint if they say, ‘we don’t want you to have our data anymore.’ How will you prove that all data in regard to that person has been removed?”
According to EY’s global survey, 77% of companies believe a careless employee is the most likely source of a cyber attack.
Cyber risk management can no longer be siloed or considered the concern of a handful of IT or security experts. Cyber security needs to come from the board level down then communicated and enforced broadly across the organization.
“You cannot leave cyber security to a select number of specialists within the organization,” says Davies. “You need to empower your employees so that every single one of them can be on your security team.”
One of the favoured tactics of hackers is phishing, or what’s called “social engineering” in risk management circles. This is when perpetrators create fraudulent emails that look like they are from a legitimate company, or even from someone within your own company. Done well, these emails incite employees to take some form of action that will reveal data—credit card information or passwords, for example—to gain access to a company’s system.
In other cases, such as the high-profile example at German firm ThyssenKrupp AG last year, competitors can gain access to proprietary information or technical trade secrets.
“Ultimately, the bad guys are always looking for data,” says Davies.
“Employees are the biggest targets. If you have 5,000 employees, that’s 5,000 people that are a target to have their corporate username and password credentials stolen. It only takes one individual to be fooled, and the odds are not in our favour.”
Davies notes that ransomware and malware have become extremely sophisticated.
“Whether you’re a seasoned veteran in IT security or you’ve never used technology, these attacks, these emails are getting more and more advanced,” says Davies.
The rise of ransomware
With ransomware, hackers often bar access or steal data to hold it for ransom, for extortion or money. Ransomware has become a lucrative business.
After a mysteriously quiet 2015, the last two years have seen a surge in ransomware activity. The number of incidents increased to 463,841 in 2016 from 340,665 in 2015, according to security analysts Cyence in Marsh and McLennan’s 2018 Cyber Security Handbook. Perhaps more alarming is the average ransom payout increased almost threefold between 2014 and 2016, from $373 to $1,077.
In recent cases, of course, that money has been in the form of digital currency, Bitcoin. Those who use Bitcoin are anonymous, which has made it easier for cyber criminals to steal money without getting caught. Bitcoin is based on blockchain technology, which allows for secure online transactions to take place.
On a brighter note, many analysts are now betting that improvements to how blockchain authenticates online transactions may be the next big thing in cyber security.
Managing employees should be part of your cyber risk plan
There is high potential for internal threats from past or disgruntled employees, notes Dr. Helen Ofosu, HR Consultant and Psychologist at I/O Advisory Services, who has been researching the convergence of cyber and human resources (HR). She argues that cyber risk management needs to meld with talent management and corporate culture in a big way.
“When people feel frustrated or angry or hard done by, it creates opportunities for people to do things that are counterproductive to the organization,” says Ofosu. “The cyber security aspect makes bad behavior like bullying and harassment quite timely and more consequential for organizations. There’s room for better use of employee surveys done without attribution to get a more realistic sense of what’s happening, to determine if people are unhappy, to take concrete actions to solve problems instead of letting them fester.”
“Generally speaking, when there are mergers and acquisitions or major restructuring, if these things are managed poorly, then three, six or 12 months later there can be hiccups or worse that involve these internal cyber threats,” she says.
The rapid adoption of new technology to make businesses more productive and efficient is a good thing. For small companies, in particular, automating processes can let computers or robots do routine work, allowing employees to spend more time engaging in complex and strategic tasks.
In many cases, however, whether in your own company, among your vendors or those in your supply chain, new technology is being adopted so rapidly that it’s hard for organizations to define “normal” levels of activity. In other words, the baseline, which provides the foundation for any risk management strategy, seems to be constantly shifting.
Here are a few things to consider when determining your cyber security baseline:
Are you considering how the technology you’re adopting fits with your overall business plan and how it will change your cyber risk environment?
“What is the criticality of this technology to your business?” asks Davies. “If someone is trying to do something malicious or nefarious, what happens if they get control of that device or that part of your network?”
Are you vetting your vendors? According to EY’s global survey, the majority of companies now use cloud platforms to store data. Last year’s attacks on Amazon Web Services (AWS) and the 2016 infiltration of Dyn’s servers demonstrate that all dependent businesses are vulnerable.
“You need to assess third-party risks the same way you assess your own organization,” says Davies. “Third-party services are a necessity whether you’re a small or a large business, but you need to take a more rigorous approach to understanding what you’re giving them access to.”
Third parties are an easy way for bad guys to get into your environment, says Davies, because they’re often connecting to your system through trusted networks.
Davies recommends first understanding how much access to critical and high value systems your third parties have. If they’re accessing part of your network, are they able to get into other parts of that network as well.
“You should be asking third parties for their minimum standards to make sure they meet your own,” says Davies.
Do you have redundancies built in to mitigate against business interruption?
Depending on how critical connected technology is to your operations, attacks can cause lengthy shutdowns. Business interruption can be costly. Are you using automated systems to pay employees, order supplies or for surveillance? Are you relying on external vendors to sell your goods and services, transact money, ship goods or conduct marketing campaigns? You need to have a back-up plan.
The good news is that getting on top of cyber security doesn’t have to be intimidating. “There are four things you can do right now to better position yourself from a cyber risk management perspective, if you make it a top priority,” says Davies.
1. Define your cyber risk policy as part of your business policy.
“You really need to understand how you’re going to move forward and if you don’t have a map, you’ll get lost,” says Thomas Davies, Associate Partner for cyber security at EY Canada. Is cyber risk management a corporate priority? It needs to be acknowledged at the highest level of the company.
2. Train your employees on cyber security.
“It’s important that you’ve actually ensured your team has the tools and understanding to carry out the plan you’ve put in place,” says Davies. “If you think about how data is collected, it’s often the front line staff. Do they know how to collect it, keep it confidential and destroy it after use, if that’s required?”
3. Align cyber security to the digital strategy of your operations.
As you’re acquiring new tools to improve efficiencies, identify how those tools affect your core operations from a cyber perspective. “Is the tool moving your overall policy and program forward, meeting a skill gap or a time gap? Ultimately, there has to be a compelling reason to buy this,” says Davies. “People often buy things but they haven’t necessarily identified the value that product brings and how it impacts their programs, including from a cyber risk perspective.”
4. Understand your data.
How important is the data you’re collecting and what does it mean to your customers? Who has access to that data? “Have you got it controlled? Can you understand who has access and why,” says Davies. “A lot of times people have access to data, but it’s not necessary to do their jobs.” Davies adds that this is where ensuring your vendors, or third parties, have minimum standards in place that align with your own cyber risk management policies.