CRSP Part 5: The Canadian Centre for Cyber Risk Management’s (C3RM) Growing Presence within Canada’s Cybersecurity Ecosystem

This is one in a series of related short essays for 2015 about the unrelenting cyber stresses every person and every organization now faces. The first essay, Cyber Risk, Security & Privacy (CRSP)  – Waterloo Region’s Vibrant New Business Cluster, appeared in the December, 2014 issue of The Triangle.

“We all have a role to play when it comes to cyber security.”
Steven Blaney, Minister of Public Safety and Emergency Preparedness[I]

The true extent of the cyber-privacy and cyber-security problems in Canada is not yet fully appreciated by the vast majority of Canadians and Canadian organizations. Take for example cyber ransom. Many have heard of it, but few think it will happen to them. The CBC’s David Common recently wrote: Ransomware victims pay cybercriminals to save family photos[ii]. He said:

“Theresa and Billy Niedermayer paid an $800 ransom to get precious family photos of their three young boys back from cybercriminals. Their home computer had been seized by one of the more malicious malware programs spreading fast around the world.” 

What is reported in the media is just the tip of the iceberg. The vast majority of breaches are not reported. This is especially true of small businesses with fewer than 100 employees. People and companies generally do not want to publicize the fact that they were victimized by cybercrime. This is why C3RM was established in the Fall of 2013.

C3RM Founding Members and Mission

The original ten C3RM founding members include: ABEX Affiliated Brokers Exchange Inc., ATS Automation Tooling Systems, Crawford & Company (Canada) Inc., CDMN Canadian Digital Media Network, Ernst & Young, eSentire, Miller Thomson, Root Cellar Technologies, University of Waterloo, and Watsec Cyber Risk Management. Two recent additions are TrustPoint Innovation Technologies Ltd. and Galt Resources.[iii]

Looking deeper, C3RM’s web site says it is:

“… an association comprised of businesses, educational institutions, industry associations, and other stakeholders dedicated to improving cyber risk awareness, developing and strengthening cyber risk management technologies, programs and practices. C3RM is more than an IT Security organization; rather, it is a Cyber Risk Management organization which includes both IT Security and Risk Management practices, including addressing the human factors in managing risk. This includes all things related to managing the inherent risk of using electronic data storage, communication systems, the Internet, and interconnected infrastructure and computerized control systems.”.[iv]

The CRSP cluster in Waterloo Region includes many organizations which focus, at least in part, on building and delivering outstanding cyber-privacy and cyber-security products and services for local, national, and international consumption. C3RM is an important part of that cluster, with a mission to increase awareness of the problems all organizations in the CRSP cluster are tackling.

Next time we’ll look deeper into how C3RM and its member organizations are helping address cyber-privacy and cyber-security both locally and abroad.

[i] Steven Blaney, “Minister Blaney launches Cyber Security Awareness Month at cyber conference”, October 3, 2014, Minister Blaney launches Cyber Security Awareness Month at cyber conference.
[ii] David Common, “Ransomware victims pay cybercriminals to save family photos”, The CBC, March 11, 2015, Ransomware victims pay cybercriminals to save family photos.
[iii] Canadian Centre for Cyber Risk Management.
[iv] About C3RM.

Protect Your Business from Spear Phishing

“Phishing,” a type of cyber attack in which a hacker disguises him or herself as a trusted source online in order to acquire sensitive information, is a common and technologically simple scam that can put your employees and business at risk. However, more resourceful criminals are resorting to a modified and more sophisticated technique called “spear phishing,” in which they use personal information to pose as colleagues or other sources specific to individuals or businesses.

A spear phishing attack is often disguised as a message from a close friend or business partner and is more convincing than a normal phishing attempt; when messages contain personal information, they are much more difficult to identify as malicious.

For businesses, the potential risk of spear phishing is monumental. The 2015 Internet Security Threat Report released by Symantec Corporation, a United States-based company that specializes in security software, states that, globally, 5 out of every 6 large companies (with 2,500 or more employees) were targeted in spear phishing attacks in 2014 and that there was an average of 73 spear phishing email attacks per day.

The Basics of Spear Phishing

Any personal information that is posted online can potentially be used as bait in a spear phishing attack. The more a criminal learns about a potential victim, the more trustworthy he or she will seem during an attack. Once the apparent source gains the victim’s trust, and there is information within the message that supports the message’s validity, the hacker will usually make a reasonable request, such as following a URL link, supplying usernames and/or passwords, or opening an attachment.

Even if spear phishing perpetrators target just one of your employees, it can put your entire business at risk.

Falling for a spear phishing attack can give a hacker access to personal and financial information across an entire network. And, successful spear phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses.

How to Protect Your Business

Though it is difficult to completely avoid the risk that spear phishing attacks pose, there are ways to prevent further damage to your business. Make sure that your employees are aware of these simple techniques:

  • Never send financial or personal information electronically, even if you know the recipient well. It may be possible for a third party to intercept this information, especially if the recipient is later subject to a spear phishing attack.
  • Be cautious when you are asked to divulge personal information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone. When in a Web browser, you can ensure a website is secure when you see a lock icon in the URL bar, or when an “s” is present in the “https” of a URL. The “s” stands for “secure” at the end of the normal “http”.
  • Some spear-phishing schemes use telephone numbers, so be sure to never share information over the phone unless you initiate the call to a trusted number.
  • Never click on links or open attachments from unknown sources. Even opening a file that seems familiar can give a spear phishing attacker access to personal information stored on your device.
  • Ensure that your company’s security software is up to date. Firewalls and anti-virus software can help protect against spear phishing attacks.
  • Encourage employees to think twice about what they post online. Spear phishing hackers often attain personal information through social media sites. Make sure that employees know how to keep this information private to protect their own security as well as that of your business.
  • Regularly check all online accounts and bank statements to ensure that no one has accessed them without authorization.

What to Do If You Suspect a Spear Phishing Attack

If you believe that your business has been the target of a spear phishing attack, it is important to act quickly to limit your potential losses. The first step should be to immediately change the passwords of any accounts connected to the personal or financial information of your business or clients, and to obtain a list of recent and pending transactions. It may also be necessary to contact law enforcement.

Next, an internal or third-party IT expert should be consulted to pinpoint any vulnerabilities that remain in your business’s network, and he or she can advise you on how to avoid future attacks.


. © 2015 Zywave, Inc. All rights reserved.