Key CASL Provisions Come Into Force July 1, 2017

Canada’s Anti-spam Legislation (CASL), which regulates the sending of commercial electronic messages (CEMs) and requires entities that distribute them to obtain prior consent, came into force on July 1, 2014. While many aspects of CASL have been in effect for years, key provisions—including the private right of action (PRA)—will be imposed beginning July 1, 2017.

Essentially, PRA allows individuals and enterprises to file a lawsuit in court if they feel they have been affected by a violation of CASL. PRA also opens the door for anti-spam class action lawsuits, with maximum damages capped at $1 million per day. PRA violations can be costly for organizations, and monetary penalties can occur if a business does any of the following:

  1. Sends CEMs that violate CASL ($200 per breach and up to a maximum of $1 million for each day noncompliant conduct occurred)
  2. Alters the transmission data of a CEM (a maximum of $1 million for each day noncompliant conduct occurred)
  3. Installs apps or other computer programs that violate CASL (a maximum of $1 million for each day noncompliant conduct occurred)
  4. Scrapes, generates or accesses electronic addresses in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA) (a maximum of $1 million for each day noncompliant conduct occurred)
  5. Sends CEMs with false or misleading information ($200 per breach and up to a maximum of $1 million for each day noncompliant conduct occurred)

Moreover, beginning July 1, 2017, transitional implied consent expires, and organizations will need to obtain express or implied consent prior to sending CEMs. Failing to do so could leave businesses exposed to significant monetary penalties under PRA. In order to prepare for PRA and the end of transitional provisions, organizations are encouraged to review their compliance programs.

© Zywave, Inc. All rights reserved

IT Security Is a Top Challenge for Firms around the World

A recent survey conducted by Protiviti and the Information Systems Audit and Control Association (ISACA) found that cyber security, privacy issues, infrastructure management and emerging technologies rank as the top IT challenges facing organizations today.

The annual survey—A Global Look at IT Audit Best Practices—gathered responses from over 1,000 IT audit professionals and focused on emerging technology, IT implementation, audits, risk assessments and hiring practices. Respondents were asked to name their greatest technology or business challenges.

The following were the top 10 responses:

  1. IT security, privacy and cyber security
  2. Infrastructure management
  3. Emerging technology and infrastructure changes
  4. Resource, staffing and skills challenges
  5. Regulatory compliance
  6. Budgets and controlling costs
  7. Cloud computing and virtualization
  8. Bridging IT and the business
  9. Project management and change management
  10. Third-party and vendor management

In order to protect themselves and stay current on emerging risks, experts recommend that organizations continually review the IT risk landscape and adjust IT audit plans accordingly.

The survey also found that, while 90 per cent of large organizations conducted an IT audit risk assessment, only a little more than half of them did so on an annual basis.


88 Per cent of Employees Lack Knowledge to Prevent Cyber Incidents

According to a report, 88 per cent of employees lack the understanding necessary to prevent common cyber incidents.

That report was designed to test the level of knowledge and awareness of cyber security among employees by asking them to name proper behaviours in given circumstances. The survey covered eight risk domains and assigned three risk profiles—Risk, Novice and Hero—to indicate an employee’s privacy and security awareness IQ.

Key findings from the report include the following:

  • Only 12 per cent of respondents earned a “Hero” profile, while 72 per cent were given a “Novice” profile and 16 per cent were given a “Risk” profile.
  • Almost 40 per cent of respondents disposed of a password hint using insecure means.
  • About 25 per cent of respondents failed to recognize a sample phishing email, even though it came from a questionable sender and included an attachment.

Educating Employees

This report highlights one of the key vulnerabilities of any organization—employees’ lack of basic cyber security knowledge. Regardless of other hardware or network protections, employees can and will allow cyber criminals into an organization, often without even realizing it.

Fortunately, employee cyber training can help reduce this risk to your organization.


Social Engineering Fraud Coverage


Social engineering fraud (SEF) is a type of fraud that’s become increasingly common over the last several years. However, even though many instances of this fraud transpire over email communications, it’s a company’s crime policy—not a cyber policy—that would often provide coverage in the event of an SEF loss.

That’s why it’s especially important to understand your crime policy, how it might cover SEF, why it might not, and what endorsements you might want to obtain to make sure SEF doesn’t leave your company exposed.

How Social Engineering Fraud Works

There are a number of variations on the theme, but most instances of SEF involve the following elements:

  • A targeted approach. Criminals will research their targets, purchase authentic-looking domains, manufacture email chains and even resort to making phone calls, all in an effort to make their requests seem authentic.
  • A request. The preparation is in service of obtaining something from the target, either money (usually in the form of a wire transfer) or information (such as a list of vendors, routing numbers, etc.).
  • The application of social pressure. In order to bypass in-house safeguards and redundancies, the criminals apply pressure by imposing a time constraint, demanding secrecy or simply flattering the ego of the target by including him or her “in” on an important business transaction.
  • The disappearance of the hacker. Once the criminals obtain what they want, they disappear with the information or money—things that the company won’t miss until it’s too late.

Cyber Policy vs. Crime Policy

It may seem counterintuitive, but SEF is usually not covered by a cyber policy. Even though this fraud often involves emails and wire transfers, cyber policies are not designed to cover them:

  • Cyber policies cover losses that result from unauthorized data breaches or system failures. SEF actually depends on these systems working correctly in order to communicate with an organization’s employees and transfer information or funds.
  • Crime policies cover losses that result from theft, fraud or deception. Because the underlying cause of a loss in SEF is fraud, a company would claim a loss under its crime policy rather than its cyber policy.

Areas of Cover

A standard crime or fidelity policy contains a few provisions under which an SEF claim might be filed:

  • Computer fraud. This refers to losses stemming from the unlawful theft of money due to a “computer violation”—that is, the unauthorized entry into or deletion of data from a computer system by a third party.
  • Funds transfer fraud. This refers to losses stemming from fraudulent instructions to transfer funds made without the insured’s knowledge or consent.

Potential Vulnerabilities

Depending upon the specific language and definitions laid out in the crime or fidelity policy, the insurer might argue that SEF is excluded from coverage for a number of reasons:

  • There was no “computer violation.” Often, SEF doesn’t involve compromising network security in order to steal data. Instead, criminals “hack” human vulnerabilities in order to gain access. Because the system functioned as it was supposed to, and the criminal gained access due to human failure, an insurer might try to deny the claim.
  • The insured knew about and consented to the transfer. Again, it depends on the specific language of the policy, but an insurer might argue that SEF isn’t covered under “funds transfer fraud.” That’s because, in most social engineering scenarios, some agent of the insured willingly and knowingly authorized the transfer of funds to the intended account. Again, in SEF, the systems in place to transfer funds worked as intended; it was human failure that resulted in the loss.
  • The voluntary parting exclusion. Most crime policies have a voluntary parting exclusion that excludes coverage for losses that result from anyone acting on the insured’s authority to part with title to or possession of property. In other words, because the employee knowingly and willingly authorized the transfer, it wouldn’t be covered.

Social Engineering Fraud Endorsements

Because of this potential gap in coverage, some carriers have started offering SEF endorsements to their crime and fidelity policies. The insurance agreements might go by different names, but they’re all intended to make limits and liabilities explicit for both the insured and the policy issuer.

These endorsements are only offered by a handful of carriers, but with the increasing prevalence of SEF, more are likely to follow.


Government of Canada Endorsed G7 Guidelines

The government of Canada announced its endorsement of the Group of Seven’s (G7) Fundamental Elements of Cybersecurity for the Financial Sector guidelines late last year. These guidelines are designed to assist organizations, particularly in the financial sector, in designing and implementing a cyber security framework.

The non-binding guidelines identify eight basic building blocks for establishing a strong focus on cyber security:

  1. Implement a cyber security strategy
  2. Governance
  3. Risk assessments
  4. Monitoring
  5. Response
  6. Recovery
  7. Information sharing
  8. Continuous learning

While the G7 guidelines are aimed at businesses that operate in the financial sector, they are useful in summarizing basic cyber risk management practices.


How the Dyn Cyber Attack Worked Allowing Criminals to Hijack 100,000 Devices

Dynamic Network Services Inc. (Dyn)—a cloud-based internet performance management (IPM) company in the United States—had its server infrastructure compromised late last year following distributed denial-of-service (DDoS) attacks. Dyn said that more than 100,000 devices may have been involved in the massive cyber attack that overwhelmed its servers and produced a ripple effect, temporarily shutting down access to sites like Twitter and Netflix for the east coast of Canada and much of the northeastern United States.

How the Attack Worked

A DDoS is a type of cyber attack that hijacks multiple devices—usually through installing and spreading malware—to “flood” a specific group of servers with a multitude of requests for information all at the same time. The tactic effectively “clogs” the servers so that they’re unable to handle normal web traffic and can ultimately force them to shut down temporarily.

In the past, attacks like these would typically utilize personal computers to carry out the attack. In this case, however, it appears that the attack co-opted a number of “smart” devices—things like digital video recorders (DVRs), printers and even cellphones. Government officials currently believe that a non-state actor is behind the attack, but as the investigation is still ongoing, they have yet to definitively rule anything out.

Key Takeaways

Regardless of the source, the attack highlights a pair of troubling trends. First, this DDoS attack was one of a growing number of more sophisticated attacks. And, while Dyn—a company with robust cyber security measures—was able to restore its regular operations fairly quickly, it only did so after defeating two separate waves of the attack.

Second, and perhaps more importantly, this attack shows the potential vulnerability posed by the increasing number of interconnected, internet-enabled devices commonly called the Internet of Things (IoT). The inter-connectivity of devices on the IoT is the source of a number of benefits; however, that very same inter-connectivity offers cyber criminals an often overlooked—and potentially less secure—avenue of attack.


Majority of Cyber Attacks Launched by Company Insiders


According to figures released by IBM, nearly 60 per cent of all cyber attacks in 2015 were launched by “company insiders,” based upon data gathered from 8,000 of their clients’ devices. Though industry experts have warned for years that a company’s employees may inadvertently make systems vulnerable, IBM found that 44.5 per cent of attacks were, in fact, malicious.

It’s important to note that IBM defined an “insider” as anyone who had either physical or remote access to a company’s assets. While this would certainly include employees, it would also include business partners, contractors and vendors.

While insider threats can be difficult to detect, businesses can still work to prevent them. Above all, it’s important to have a cyber security plan in place—one that manages passwords in a mindful way and protects shared documents.


4 Questions to Ask When Choosing a Cloud Computing Provider

Moving an aspect of your business—like email, payment processing, data storage, etc.—to the cloud can help you save money and streamline processes. As an added bonus, cloud service vendors can handle administrative tasks like security, maintenance, backup and support, allowing you to focus on the day-to-day operations.

However, with so many cloud computing solutions and vendors to choose from, it’s hard to know what to look for.

To ensure the process goes smoothly and that you choose the right provider, it’s important to ask yourself the following questions:

  1. What’s the vendor’s track record? Before landing on a cloud solution, it’s important to consider the vendor’s reputation. In general, it’s best to find a company that has been in business for a fair amount of time and has a good history of service.
  2. What are the vendor’s capabilities? After understanding what you are looking for in a cloud computing solution, it’s critical that your vendor can meet your needs. Your provider should be able to implement your desired solution on day one and have the expertise to continually offer new ways to adapt to changing markets.
  3. What’s their pricing? A vendor may have everything you need, but could end up being out of budget. Determine a realistic amount you’re willing to pay for cloud services and compare that number to your options. It’s also important to only pay for what you use. Don’t be afraid to renegotiate if a company wants you to pay for extra bells and whistles you don’t need.
  4. Is my data safe? In an age where cyber crime is common and proprietary data can be lost with the click of the mouse, security is key. When researching vendors, ensure that you know the location of their data centres and what precautionary measures they have in place to prevent a hack. If possible, consult an expert to see if a prospective vendor is compliant with all applicable industry security standards.

Keeping in mind the above tips will ensure that, when the time is right to migrate your company’s data or processes to the cloud, you are prepared to choose a vendor that will help achieve your goals.


Global Spending on the Internet of Things May Reach $1.29 Trillion by 2020

Today, there are more digitally connected devices than there are people on the planet. These immense networks are capable of supporting an array of applications—from the mundane to the sophisticated—and can help propel economic opportunities. This vast interconnected system of devices, vehicles and even buildings is all part of the Internet of Things (IoT)—and more and more businesses are investing in it.

According to the International Data Corporation (IDC), worldwide spending on the IoT will experience a growth rate of nearly 16 per cent, reaching $1.29 trillion by 2020.

According to the Worldwide Semiannual Internet of Things Spending Guide, spending is expected to be highest in the following three industries:

  1. Manufacturing ($178 billion)
  2. Transportation ($78 billion)
  3. Utilities ($69 billion)

The IDC reports that hardware, services and software will make up the majority of the investments. In general, modules and sensors that connect endpoints to networks will represent the bulk of hardware purchases. Things like telemetrics, health monitoring, smart home investments, and smart grids for oil and gas utilities are also major spending drivers.

While the IoT continues to change the way companies do business, each new device connected represents another potential point of access for criminals. In addition to the sheer number of connections available to hackers, the interconnectedness of IoT devices poses a new kind of threat. Accessing a single device could, in theory, give a criminal access to a person’s home, car, phone, work and many other smart systems.

To protect themselves, organizations must be proactive regarding their cyber security measures. And while cyber coverage is still in its infancy, the IoT will undoubtedly force the market to consider these new exposures as they develop.


Canada Ranks Poorly in Lost Revenue and Continuity After Ransomware Attacks

Ransomware is a type of malicious software that is specifically designed to block systems or files until a victim—typically a company or high-ranking professional—has paid a sum of money to regain access. These types of attacks can be costly, sometimes averaging up to $50,000.

According to the recent report, the State of Ransomware, by malware remediation company Malwarebytes, Canadian businesses were among those most likely to pay ransomware demands. Additionally, the report, which examined 5,400 IT staff across Canada, the United States, the United Kingdom and Germany, showed that Canadian businesses ranked among the highest for lost revenue and business interruption following an attack.

In total, around 75 per cent of Canadian businesses admitted that they would pay an attacker to regain access to key systems and functionality. Other interesting findings from the report included the following:

  • Ransomware can impact more than the original infected system or file. In the report, Canada ranked the highest for ransomware penetration, as close to half of attacks affected 26 per cent or more of a company’s extended network.
  • Executives and senior-level staff are typically the targets of ransomware schemes.
  • On average, ransomware attacks in Canada were twice as expensive as those in the United States.
  • Business applications were found to be the most common vulnerability to ransomware in Canada. While email attacks are common in other countries, Canada’s strict anti-spam laws could be contributing to the lower number of email attacks.
  • Despite Canada ranking poorly in terms of business interruption and overall cost as it relates to the impact of ransomware attacks, 51 per cent of surveyed businesses claimed they were confident in their ability to stop an attack.
  • Health care and financial services were found to be the most common industry targets for ransomware attacks.

Ransomware attacks are a serious concern—one that continues to impact Canadian businesses. In the past year alone, more than one-third of security attacks in Canada were ransomware-related. To protect themselves from this ongoing threat, organizations should consider having a risk assessment done to determine and remediate potential vulnerabilities.
