Thought leadership. threat analysis, news and alerts.
6 Barriers to Improving Cyber Security for Nonprofits and Charities
Charities and nonprofit organizations aren’t immune to cyber attacks.
In the NetDiligence 2016 Cyber Claims Study (PDF) – a study that provides comprehensive analysis of insurers’ claims on losses sustained from data breaches and other kinds of cyber events – showed that out of the 176 cyber claims submitted for the study, 11% of the claims were from the nonprofit sector.
“Breaches are not just for the Fortune 500 companies anymore," NetDiligence said. "The majority (87%) of claims submitted for this study are for organizations with revenues less than $2B."
The recent "Cyber security among charities" study commissioned by the UK Department for Digital, Culture, Media and Sport and carried out by Ipsos MORI revealed that charitable organizations aren’t considered as off-limits by cyber criminals. Charities interviewed in the study shared that they experienced a wide range of cyber breaches or attacks.
In one case, a charitable organization reported substantial financial loss after the CEO's email was hacked and the malicious hacker sent out a fraudulent message to the charity’s financial manager with the instruction of releasing funds to pay for new equipment.
Another case involved the taking down of the website of a mid-sized organization on numerous occasions. The first attempt to bring the site back took the hosting company 10 days.
In another case, one charity found that its website was injected with a malicious code. Although the organization eliminated the malicious code two years ago, the organization felt the incident had a negative impact on its online reputation as a warning about its website saying it could have been hacked shows up in the Google search results.
The Ipsos MORI study revealed that cyber breach isn’t enough to motivate some charities to enhance cyber security. When breaches such as websites being taken down or staff emails being hacked made no impact on their operations, charities continue “without any changes – highlighting that charities were not necessarily learning from these attacks,” according to the Ipsos MORI study.
Here are the 6 barriers to improving cyber security for nonprofits and charities:
1. Cyber Security Viewed as an Unaffordable Luxury
The study found that some charities consider cyber security as an unaffordable luxury. Some stated that if their budgets increased, they would rather spend the money on other areas such as core service provision and fundraising.
“We need to make sure we are taking the right precautions to safeguard our information … but we have other priorities – difficulties with cash coming in, and a restructure last month,” a £500,000+ annual income, international aid charity said.
2. Cost-Cutting Culture
Many of today’s charities, according to the study, have a strong cultural emphasis on cost-cutting, which makes it difficult or challenging to justify cyber security cost. This emphasis on cost-cutting led some charities to value cost than quality, for instance choosing the cheapest cyber security provider at the expense of sacrificing quality service.
This cost-cutting culture is also evident in charities’ reluctance to upgrade to the latest software or hardware. When the WannaCry ransomware was released to the wild by cyber criminals last May, many nonprofit and charitable organizations fell victims to this malicious software.
A number of UK’s National Health Service (NHS) Trusts – nonprofit organizations that are part of the NHS but have more freedom in how they run their hospital – were affected by WannaCry ransomware for using outdated or unsupported desktop operating systems.
3. Deprioritizing of Some Cyber Risks
The study showed that charities consider loss of funds and loss of personal data (for example donors’ list) to be a major risk as they’re viewed as an existential threat. On the other hand, loss of non-personal data files (for instance data lost to ransom attack especially when the data is backed up) and loss of business (for example a website take down) aren't considered as major cyber risks as they aren’t viewed as an existential threat.
4. Cyber Security Viewed as a Common Sense Issue
The study found that some charities view cyber security as a common sense issue and, therefore, shouldn’t need much thought or investment. Instead of taking pre-emptive action, these charities would simply ask their staff to be sensible and to take a common sense approach.
5. Lack of a Central Office
Some small and mid-sized charities have no central office. This is an offshoot of the cost-cutting culture of nonprofit and charitable organizations. Organizations with no central office allow their staff to use personal devices – opening up susceptibility to breaches via personal devices. These organizations also change their board of trustees every year, resulting in regular change of the base of the organization.
6. Lack of IT Awareness and Skills
The study found that most charities don’t have an internal specialist who has the technical skills to cover cyber security. Hiring an internal IT specialist is seen as unaffordable and unnecessary as the organization views itself not as a target of cyber attacks. Most of these organizations leave the cyber security responsibility to individuals who have existing duties and responsibilities in the organizations, such as fundraising, finances, communications or general operations.
Many of the smaller and long-time running charities are also often run by older trustees, who might lack IT awareness and knowledge. This may limit the organization’s engagement with cyber security professionals or to find people inside the organization who could advocate for the organization’s better cyber security.
In Canada, the implementation of the Digital Privacy Act may spur cyber security awareness among nonprofit and charitable organizations. The law requires “organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner.”
An organization that knowingly violates the breach notification requirements may face fines of up to $100,000 per violation. The implementation of the Digital Privacy Act – passed into law on June 18, 2015 – is seen as the country’s first step of bringing its data protection law in line with the rest of the world.
Top 5 Cloud Computing Security Concerns
A Birmingham, Alabama-based healthcare company publicly acknowledged that it was a victim of a recent security breach.
According to the healthcare company, its cloud hosting and server management provider suffered a security breach at its facility. Information which may have been accessed as a result of the security breach at the cloud provider’s facility includes patient's name, address, telephone number, email address, Social Security number, medical record number, patient ID, physician name and health plan/insurance number.
This recent security breach at a cloud provider’s facility shows the vulnerability of some cloud providers.
According to Gartner, Inc., the worldwide cloud services market is projected to grow by 18% in 2017 to total $246.8 billion, from $209.2 billion in 2016.
"While some organizations are still figuring out where cloud actually fits in their overall IT strategy, an effort to cost optimize and bring forth the path to transformation holds strong promise and results for IT outsourcing (ITO) buyers,” Sid Nag, research director at Gartner, said. Nag added that cloud adoption strategies will influence more than 50% of IT outsourcing deals through 2020.
The 2016 Global Cloud Data Security Study conducted by the Ponemon Institute found that 73% of IT professionals said cloud computing applications and platform solutions are important or very important to business operations today. The IT professionals surveyed by Ponemon Institute estimated that 36% of their organizations’ total IT and data processing needs are met by cloud resources.
According to Cloud Security Alliance (PDF), beyond the handful large cloud providers, the reality is that there are tens of thousands of unique cloud providers. Cloud Security Alliance (CSA) is a nonprofit organization that promotes best practices for securing cloud computing.
A January 2016 CSA survey found that only 65% of the survey respondents were confident that the cloud had greater or equal security than internal IT systems. “Cloud provider security is uneven overall, with some providers having excellent security programs and others leaving much to be desired,” the CSA said in its 2016 state of cloud security report.
Here are the top 5 security concerns for cloud-based services:
1. Data Security Breach
The recent data breach at the cloud hosting and server management provider’s facility and the resulting unauthorized access of sensitive data of the Birmingham, Alabama-based healthcare company shows the security vulnerability of cloud providers.
Based on the Ponemon Institute study, the data that organizations move to the cloud is also the information that’s most at risk. Sixty percent of the Ponemon Institute’s 2016 global cloud data security study said it’s more difficult to protect confidential or sensitive information in the cloud.
2. Cloud Account Hijacking
Cloud hijacking refers to the breaking or taking over of a cloud account of an individual or organization. In 2010, Amazon encountered a cross-site scripting bug that allowed attackers to steal user login credentials. In 2014, the cloud hijacking threat called “Man in the Cloud” (PDF) enables an attacker to access synchronization services (such as GoogleDrive and Dropbox) account without compromising the victim’s user name or password.
3. Insider Threat
A malicious insider is defined by the CERT Insider Threat Center as a “current or former employee, contractor, or other business partner who has or had authorized access to an organizations network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organizations information or information systems”.
In the study "Insider Threats to Cloud Computing: Directions for New Research Challenges", Carnegie Mellon University researchers named 3 types of cloud-related insider threats:
A. Cloud Insider as a Rogue Administrator
According to the Carnegie Mellon University researchers, the threat of rogue administrators is layered differently for a cloud platform compared to a standard enterprise environment, with at least four levels of administrators to consider in the cloud, including hosting company administrators, virtual image administrators, system administrators and application administrators.
B. Insider Who Exploits a Cloud-Related Vulnerability to Steal Information from a Cloud System
According to the Carnegie Mellon University researchers, this second type of cloud-related insider threat refers to an insider within the organization who exploits, whether malicious or accidental, vulnerabilities exposed by the use of cloud services to gain unauthorized access to organization systems or data. An example of this second type of cloud-related insider threat is when an employee of the victim organization is tricked by a malicious outsider into opening a document infected with malicious software.
C. Insider Who Uses Cloud Systems to Carry Out an Attack on an Employer’s Local Resources
This third type of cloud-related insider, according to the Carnegie Mellon University researchers, is different from the previous type of insider as this “third type of insider uses the cloud as the tool to carry out the attack on systems or data targeted that are not necessarily associated with cloud-based systems”. An example of this third type of insider is when an insider who plans to leave the company leverages cloud storage to steal sensitive information to take to a new job with a competitor.
4. Denial of Service Attacks
Another attack path that has been used to adversely affect cloud services is the distributed denial of service (DDoS) attack. A DNS amplification attack is an example of DDoS tactic in which the attacker delivers traffic to a victim and reflects it off to a third party to conceal the origin of the attack.
According to Microsoft, even a small DDoS attack – the size of 30 Mbps – if left unchecked could affect the availability of the cloud service. “Even if the service itself remains available for users, the bandwidth users rely on to get to the service can be starved, resulting in slow, intermittent, or unreliable service, or rendering the service unreachable,” Microsoft said.
5. Malware Injection
In the study “Security Threats on Cloud Computing Vulnerabilities”, East Carolina University researchers found that an attacker can create malicious software and inject it to target cloud service models. “Once the injection is completed, the malicious module is executed as one of the valid instances running in the cloud; then, the hacker can do whatever s/he desires such as eavesdropping, data manipulation, and data theft,” the East Carolina University researchers said.
How Bad Internet Bots Can Hurt Your Business
Over 50% of website visitors aren’t humans. According to Imperva Incapsula, 51.8% of the website traffic in 2016 came from bots, also known as web robots, internet bots or botnets.
What is a Bot
A bot is a computer program that performs automated and repetitive tasks over the internet. Using a bot over the internet enables one to do things fast and on a grand scale.
Imperva Incapsula’s “Bot Traffic Report 2016” examined over 16.7 billion visits to 100,000 randomly-selected websites on the Incapsula network. The report showed that 48.2% of the online traffic in 2016 came from humans, while the 51.8% came from bots. Of the 51.8% bots traffic, 22.9% came from good bots and 28.9% came from bad bots.
The Good Bots
Good bots are software programs that do positive things for your site. Four types of good bots dominate the internet today. These include feed fetchers, search engines, commercial crawlers and monitoring bots.
Feed fetchers are good bots that allow website content to be shown on mobile and web applications. They comprised 12.2% of the bots that crawl the internet today.
Search engine bots refer to good bots that regularly collect information from millions of websites and index the data collected into search result pages. Examples of these search engine bots are those bots from Google, Bing and Baidu. They comprised 6.6% of the bots that crawl the internet today.
Commercial crawlers are good bots that are used for authorized data extractions – typically meant as a digital marketing tool. They comprised 2.9% of the bots that crawl the internet today.
Monitoring bots refer to good bots that monitor the availability of the website and the proper functioning of the different website features. They comprised 1.2% of the bots that crawl the internet today.
The Bad Bots
Bad bots are malicious software programs that can do damage to your site. The four types of bad bots that dominate the internet today are the impersonators, scrapers, spammers and hacker tools.
Impersonators are bad bots that assume false identities to bypass security systems. They are frequently used for Distributed Denial of Service (DDoS) attacks. They comprised 24.3% of the bots that crawl the internet today.
DDoS assaults are carried out by a botnet, referring to a group of hijacked computers – in many cases, Internet of Things (IoT) like CCTV cameras. By taking advantage of the security vulnerabilities of these internet-connected devices, cyber attackers remotely control these hijacked devices (unknown to the owners) and send huge volume of data to a victim website. In September 2016, the website of security blogger Brian Krebs was targeted by a massive DDoS attack, exceeding 620 gigabits per second (Gbps).
If your website is a victim of a DDoS attack, your legitimate human visitors won’t be able to access your website. When your legitimate visitor types your website address into a browser, he or she sends a request to the website's server to view the site. Your site’s server can only process a certain number of requests at once. So, when the DDoS attackers overload your site’s server with huge volume of requests, it can't process the massive requests, resulting in “denial of service” of your legitimate visitors.
When no one can access your website as a result of a DDoS assault, this can result in the following:
1. Revenue Loss
The average cost of downtime is $5,600 per minute, this according to an industry survey.
2. Productivity Loss
If your company is highly dependent on your web presence, a few minutes, hours or days of downtime can mean work stoppage for some of your staff.
DDoS attackers are getting sophisticated. Some DDoS assaults are used as “smokescreen” to hide the real intention, which could be to steal funds, steal customer data or steal intellectual property.
4. Reputation Damage
If your customer can’t access your website or if the DDoS attack resulted to breach of data of your customers, this can hurt your company’s brand.
Hacker tools are malicious bots that look for vulnerable websites that can be exploited for data theft and malware injection. They comprised 2.6% of the bots that crawl the internet today. An example of these hacker tools is the SQL injection.
According to the Open Web Application Security Project, “SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.”
Scrapers are malicious bots used for unauthorized data extraction. These bots collect the entire database of your website, including original content and prices of the products you’re selling. They comprised 1.7% of the bots that crawl the internet today. When attackers scrape your entire website, this can result in a drop of your site’s competitive edge.
Spammers are malicious bots that inject spam links into your website, specifically into forums and comment sections. They comprised 0.3% of the bots that crawl the internet today. This type of malicious bots can cause long-term SEO damage to your website. According to Google, “If a site has been affected by a spam action, it may no longer show up in results on Google.com or on any of Google's partner sites.”
Based on Imperva Incapsula’s Bot Traffic Report 2016, every third website visitor for the last five years was an attack or malicious bot.
“Often, these assaults are the result of cybercriminals casting a wide net with automated attacks targeting thousands of domains at a time,” Imperva Incapsula said. “While these indiscriminate assaults are not nearly as dangerous as targeted attacks, they still have the potential to compromise numerous unprotected websites. Ironically, the owners of these websites tend to ignore the danger of bots the most, wrongfully thinking that their website is too ‘small’ to be attacked.”
Is Cyber Insurance for Small and Medium Businesses Worth the Cost?
More than one-third or 36% of Canadian firms don’t have cyber security insurance, this according to a survey conducted by research and consultancy firm Ovum for Silicon Valley analytics firm FICO.
This number, however, is relatively high compared to the global average (40%) and the percentage of firms in the U.S. that have no cyber security insurance (50%).
Reasons Why Some Organizations Hesitate to Get Cyber Security Insurance
Here are some of the reasons why some organizations hesitate to get cyber security insurance:
1. Organizations Often Don’t Understand Cyber Risks or Their Insurance Options
In the report "Demystifying cyber insurance coverage: Clearing obstacles in a problematic but promising growth market", researchers from the Deloitte Center for Financial Services found that many organizations – including large, medium and small businesses – often aren’t aware of the cyber risks confronting them, let alone the insurance coverage options available to them.
2. Lack of Understanding as to What Type of Cyber Risk Is and Isn’t Covered under Existing Insurance Policies
For the Canadian firms that have cyber security insurance in the FICO survey, only 18% said their cyber security insurance covers all likely risks.
In the case of The Brick Warehouse LP v Chubb Insurance Company of Canada, the Court of Queen’s Bench of Alberta decided on June 29, 2017 that Brick isn’t entitled to recover its loss from insurer Chubb. The case arises from a social engineering cyber fraud scheme. In 2010, the accounting department of Brick received bogus calls and emails from an individual claiming to be a representative of Toshiba, one of Brick’s suppliers. The imposter asked a Brick employee that payment to supposedly Toshiba should be changed to a new bank account. A total of $338,322.22 was transferred into the “new” account.
Brick filed a claim with its insurer Chubb asserting that under its cyber security insurance policy Chubb will pay for direct loss resulting from funds transfer fraud by a third party.
“Certainly, the emails with the fraudulent instructions were from a third party,” the Court of Queen’s Bench of Alberta said. “The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme. Therefore, the transfer was not done by a third party.”
According to the Deloitte report, cyber security insurance policy terms and conditions in Canada have yet to be battle-tested as case law isn’t clear. The Brick Warehouse LP v Chubb Insurance Company of Canada is the first case decided by a Canadian court with respect to cyber crime insurance coverage.
3. Concern about Cyber Security Insurance Value
The Deloitte report showed that many organizations still wonder whether the cyber security insurance coverage being offered by insurers is sufficient for the risks they face.
The Deloitte report revealed that current cyber insurance policies are often capped with relatively low limits for the risks being covered, which may be discouraging more organizations in getting cyber insurance. The report added that cyber insurance coverage for emerging cyber risks may not yet be widely available or affordable.
Twenty percent of the FICO survey respondents felt that the premiums calculated based on their business don’t accurately reflect their risk profile.
4. Lack of Standardization around Cyber Insurance Offerings
Given that the cyber insurance market is relatively new, insurance coverage terms, conditions and exclusions are still not standardized.
The 2016 SANS Institute and Advisen, Ltd. study (PDF) found that information security officers of organizations and insurance professionals don’t speak the same language when defining and quantifying cyber risks, resulting in different expectations, actions and justification for outcomes. The 2017 “Cyber Insurance Market Watch Survey” (PDF) by the Council of Insurance Agents & Brokers found that cyber insurance companies have their own policy language which makes it difficult to compare coverage and terms.
More than a quarter or 26% of the FICO survey respondents felt that the introduction of an established industry standard to benchmark cyber security risk would be beneficial.
Importance of Getting Cyber Security Insurance
"While digitisation is revolutionising business models and transforming daily lives, it is also making the global economy more vulnerable to cyber-attacks,” Lloyd's and Cyence said in the report "Counting the cost Cyber exposure decoded".
“Without cyber-risk insurance, organizations are leaving themselves in a very vulnerable position,” said Kevin Deveau, vice president and managing director of FICO Canada. “It’s important for businesses to assess the strength of their cybersecurity defences and to make sure they are covered if they are faced with a data breach.”
Legislation is expected to drive demand for cyber insurance cover, particularly surrounding data and privacy.
In Europe, the implementation of the EU law General Data Protection Regulation (GDPR) in 2018 is expected to drive the demand for cyber insurance as the EU law introduces new fines for failing to adequately protect sensitive data and mandating companies to notify the authorities and the individuals affected by the data breach.
According to Lloyd's and Cyence, “Demand for cyber insurance is also anticipated to increase penetration in Europe as a result of the General Data Protection Regulation coming into force next year, with the threat of penalties for breaches driving coverage.”
In Canada, the upcoming implementation of the Digital Privacy Act is expected to drive the demand for cyber insurance. It amends Canada’s Personal Information Protection and Electronic Documents Act. The Digital Privacy Act became a law in June 2015. The law’s implementation is held in abeyance until the government issues the implementing regulations.
The 2015 law requires organizations to report any significant, potentially harmful security breach of personal information to Canada’s Privacy Commissioner and to immediately inform the affected individuals and organizations. Non-compliance of the notification requirements may lead to fines of up to $100,000 per violation.
“The ripple effect of a breach can be felt throughout the organization for a very long time, especially now that Canada’s Digital Privacy Act will require organizations to report any breaches to regulators and customers,” the vice president and managing director of FICO Canada said.
Counting the Cost of a Cyber Attack: Litigation Cost
In the last 12 months, Canada has seen high-profile data breach class action lawsuit settlements. These data breach lawsuit settlements highlight the added cost of a cyber attack: cost of defense and a judgment or settlement.
Case #1: Lozanski v. The Home Depot
The Lozanski v. The Home Depot case rose from the data breach at Home Depot of Canada between the period of April 11, 2014 and September 13, 2014. Between this period, Home Depot’s payment card system was hacked by criminal intruders using custom-built malicious software.
After detecting the data breach on September 9, 2014, Home Depot notified the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner of British Columbia and the Commission d'accès à l'information du Québec about the data breach.
On September 16, 2014, Home Depot published notices of the data breach in The Globe and Mail and in La Presse. In the newspaper notices, the company confirmed the data breach. In the said newspaper notices, the company announced that it eliminated the malicious software that was responsible for the data breach. It also announced in the same newspaper notices that customers affected by the data breach will get free credit monitoring and identity theft insurance.
On September 21, 2014, Home Depot emailed its more than 500,000 Canadian customers, notifying them that payment card information of some customers might have been compromised. On November 6, 2014, the company also emailed 58,605 Canadian customers, advising them that their email addresses may have been stolen in the data breach.
A class action was filed against Home Depot as a result of the data breach. On April 25, 2016, the parties signed a settlement agreement. The agreement specifies two major points: 1) Home Depot denies any wrongdoing; and 2) The class action members will release their claims against Home Depot.
On August 29, 2016, Justice Perell of the Ontario Superior Court of Justice approved the Home Depot settlement agreement, awarding the data breach victims the total amount of $400,000 and approving the counsel fee of $120,000 despite the following findings:
“The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behavior modification.”
Case #2: Drew v. Walmart Canada
Ms. Drew in the Drew v. Walmart Canada case was a client of Walmart’s online photo center website. She provided Walmart’s photo center website her name, address, telephone number and credit card information.
On July 15, 2015 and October 30, 2015, Walmart informed Ms. Drew via email that “third parties” were able to access Walmart’s customers’ personal and financial information. As a result of the data breach, Ms. Drew initiated a class action against Walmart.
While Walmart made no admission of liability, in a settlement agreement, it agreed to the following:
Justice Perell of the Ontario Superior Court of Justice in the decision dated May 30, 2017 approved the above-mentioned costs that Walmart agreed to shoulder in the settlement agreement.
Landmark Case: Jones v. Tsige
While the Jones v. Tsige can’t be categorized as a high profile case, the ruling of this case may have sparked other litigation cases as a result of invasions of privacy. The Jones v. Tsige case, decided by the Ontario Court of Appeal in 2012, resulted in “a number of awards have been made in other cases based on common law and statutory tort claims for invasions of privacy, including situations where there was no economic harm,” lawyer Alex Cameron said in the article "Cybersecurity in Canada: Trends and Legal Risks 2017” published on the Ontario Bar Association website.
In the Jones v. Tsige case, the defendant used her workplace computer to access at least 174 times the private banking records of her spouse's ex-wife. The Ontario Court of Appeal ruled that even if the dependent didn’t publish, distribute or record the private banking records, she’s still liable for “moral” damages amounting to $10,000.
“The defendant committed the tort of intrusion upon seclusion when she repeatedly examined the plaintiff's private bank records,” Ontario Court of Appeal said. “Proof of harm to a recognized economic interest is not an element of the cause of action.”
Imran Ahmad, partner at Miller Thomson LLP, in the paper “Cybersecurity in Canada: What to Expect in 2017” (PDF) wrote, “At common law, Canadian courts, recognizing the rapid pace at which technology is evolving, have been receptive to recognizing new torts advanced resulting in cybersecurity and privacy breaches (e.g., intrusion upon seclusion, disclosure of private facts, etc.) that are being advanced by plaintiffs’ counsel.” Imran added, “We anticipate this trend to continue and to see the existing torts being further tested by the courts.”
Cases under Canada’s Digital Privacy Act
According to privacy lawyers David Fraser and David Wallace, violations under the Digital Privacy Act “once they take effect, can lead to quasi-criminal liability (it’s not a criminal offence but it’s subject to a penalty that’s similar to a criminal offence, although the court procedures are less complicated) for both organizations and for directors personally.”
The Digital Privacy Act amends Canada’s Personal Information and Protection of Electronic Documents Act (PIPEDA). Under the Digital Privacy Act, Canadian organizations are required to notify individuals and organizations of all breaches of security safeguards that create a “real risk of significant harm” and to report the incident to the Office of the Privacy Commissioner of Canada.
UK Organizations Could Face Huge Fines for Poor Cyber Security
Organizations offering essential services in the energy, transport, water, health and digital infrastructure sector play a vital role in our society. Loss of service as a result of an essential organization’s failure to implement effective cyber security measures affects not only the organization itself but the society as a whole.
For this reason, the UK Government proposes that an essential organization that fails to implement effective cyber security measures could be fined as much as £17 million or 4% of its annual global turnover, whichever is higher. The UK Government also proposes similar penalties for loss of data as a result of failure to implement effective cyber security measures.
Under the UK Government’s proposal, organizations are required to do the following:
UK Minister for Digital Matt Hancock said in a statement that the fines would be applied as a last resort. Hancock said that fines won’t apply to organizations that have taken appropriate cyber security measures but still suffered an attack.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” UK Minister for Digital said.
EU Cyber Laws
The proposal of the UK Government to subject organizations with huge fines for loss of service and loss of data is in line with 2 of EU’s cyber security laws: 1) Security of Network and Information Systems (NIS) Directive; and 2) General Data Protection Regulations (GDPR).
The NIS Directive was adopted by the European Parliament on 6 July 2016. EU’s member states have until 9 May 2018 to adopt the directive into domestic legislation. A few days after the directive was passed by the European Parliament – specifically on 23 June 2016 – the people in the UK voted to leave the European Union.
“Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force,” the UK Government said in the document called “NIS Directive: pre-consultation impact assessment” (PDF). “It is the UK Government’s intention that on exit from the European Union this legislation [NIS Directive] will continue to apply in the UK.”
The NIS Directive specifically requires operators of essential services (energy, transport, banking, financial market infrastructures, health, water and digital infrastructure), whether private or public entities, to take the following appropriate cyber security measures:
General Data Protection Regulations (GDPR)
The GDPR was adopted by the European Parliament a few months before the adoption of the NIS Directive in April 2016. Unlike the NIS Directive, the GDPR doesn’t need an enabling legislation from EU member states. This means that this particular EU law will take effect after a two-year transition period, specifically it’ll be in force in May 2018 in all of EU member states.
When the GDPR takes effect in May 2018, organizations in all of EU member states can be fined a maximum €20 million or 4% of annual global turnover, whichever is bigger, for data breach.
The difference between the NIS Directive and the GDPR, according to UK Minister for Digital Matt Hancock, is that the NIS Directive relates to loss of service, while loss of data falls under the GDPR.
According to the “NIS Directive: pre-consultation impact assessment” document, the UK Government said that the GDPR will replace UK’s existing Data Protection Act in May 2018. “It is expected that the GDPR will bring about an improvement to organisations security measures to protect personal data due to the significant fines that can be given for data breaches, and also because guidance will be provided on the level of security required to comply with the regulation,” the UK Government said.
Companies Penalized under UK’s Data Protection Act for Poor Cyber Security
On 5 October 2016, UK’s Information Commissioner’s Office (ICO) issued telecom company TalkTalk a £400,000 fine for cyber security failings that allowed a cyber attacker to access the company’s customer data “with ease”.
The data breach on TalkTalk, which happened between 15 and 21 October 2015 accessed the personal data of 156,959 customers including their names, dates of birth, addresses, phone numbers and email addresses. The TalkTalk attacker was also able to access 15,656 bank account details and sort codes.
The ICO – UK government body that has the power under the Data Protection Act to impose a monetary penalty of up to £500,000 on a UK company for data breach – found that the TalkTalk attacker used a common technique known as SQL injection to access the data. “SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO investigation found.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations,” ICO Commissioner Elizabeth Denham said. “TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
On 27 June 2017, Berkshire-based Boomerang Video Ltd was fined £60,000 by the ICO for failing to take basic steps to stop its website from being attacked. The video game rental firm’s website was attacked in 2014 in which 26,331 customer details could be accessed. Similar to the TalkTalk attack, the attacker used the SQL injection to access the data.
Learn more and let us help you become compliant using proven, practical approach.
5 Ways a Cyber Security Consultant Can Help Your Business
Businesses are constantly burdened with the risk of security breeches. Learn how working with a cyber security consultant can alleviate those headaches.
Think only large corporations get targeted? Think again.
In 43% of cyber security events, a small business was actually targeted.
In the event of a cyber attack, your small to medium sized business (SME) could experience multi-million dollar losses in financial, operational and data breaches, as well as, reputation damage. The average SME -- even one with insurance -- would take quite a blow from this type of attack.
A cyber security consultant can help you both prevent attacks and better manage attacks that occur to protect you and your customers.
Let's explore how.
Supplementing In-House Capabilities
The skill and scope of cyber attacks is ever-increasing. Even organized crime is getting in on the action.
As regulators work to keep pace with burgeoning events, even a dedicated department, team or individual may struggle to keep up. They may be bogged down with operations.
A cyber security consultant stays up-to-date. They can get a panoramic view of your organization and its vulnerabilities. They can help keep your business safer.
A cyber security consultant will go in depth to identify weaknesses in your systems and processes.
Have you safely integrated cloud storage into your systems? How strong are your encryptions? Can transferred data be intercepted?
And potentially the most elusive of all must be addressed. How are you protecting yourself in the event of inevitable human error?
Despite your best efforts to keep systems secure, could you see any of these scenarios happening in your organization? Someone:
A consultant can help you prevent attacks, including those that result from human error or ill-intent.
Data breaches happen. This may be the last thing you want to hear a consultant say. But we'd be dishonest if we said otherwise. And we're not telling you anything that you don't know already.
The difference between $10 thousand in losses and $200 million is largely based on how your organization has invested in the risk management of security breaches.
Through risk management you can put systems in place to spot an attack sooner and limit its scope. Without a consultant, you may not be doing all you should to mitigate damage.
Cyber security consultants help you protect your customers/clients. Without them, you don't have a business.
By taking the additional steps of bringing in cyber security consultants, you demonstrate that you care about protecting those who've helped you become what you are today.
That's good for business and your customers.
Cyber security consultants know how to handle the heat of an event. They're accessible and ready to help you execute your plan to mitigate damage, comply with regulation and keep your company safe.
Get the Right Cyber Security Consultant
A consultant will help you fill in the gaps in your own security plan and develop a plan to both prevent attacks and reduce damage. For more information on how our cyber security consultants can help your company, contact us today.
Small and Medium-Sized Businesses Not Investing in Cyber Security
The rise of global cyber attacks in recent years might have led many to believe that small and medium-sized businesses (SMBs) are investing in cyber security. But the reality is that majority of SMBs aren’t investing in cyber security.
In the study “Canadian Business Speaks Up: An Analysis of the Adoption of Internet-based Technology”, the Canadian Chamber of Commerce found that cyber security threats are underestimated by 64% of Canadian businesses, indicating they’ve no intention of investing in cyber security measures at this time. Eighty-one percent of the respondents of the Canadian Chamber of Commerce study classify themselves as small businesses and 7% classify themselves as medium. The study was conducted between December 2016 and January 2017.
In another paper “Cyber Security in Canada: Practical Solutions to a Growing Problem”, the Canadian Chamber of Commerce said that a “data breach costing $6 million would break many small businesses”.
In the UK, meanwhile, despite the recent global cyber attacks, insurance company Zurich revealed that close to half (49%) of SMEs in this part of the world only intend to spend less than £1,000 on cyber security in the next 12 months, while 22% of SMEs don’t know how much they will spend.
“While recent cyber-attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it’s important to remember that small and medium sized businesses need to protect themselves too,” said Paul Tombs, head of SME Proposition at Zurich. “The results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses."
Extent of Cyber Attacks on Small and Medium-Sized Businesses
Symantec’s 2016 global internet security threat report (PDF) showed that cyber criminals are more and more turning their attention to hacking small businesses. The Symantec report showed that spear-phishing attackers gradually targeted small businesses – defined by Symantec as enterprises composed of 1 to 250 employees – from 18% in 2011 to 31% in 2012; 30% in 2013; 34% in 2014 and 43% in 2015.
In the UK, results from the latest Zurich SME Risk Index showed that 875,000 or nearly 16% of SMEs have fallen victim to a cyber attack, costing 21% of the victims over £10,000.
In Canada, 23% of Canadian small business owners were certain they were the victim of a cyber attack in 2016, while another 32% suspected that they might have been breached according to an Ipsos survey (PDF).
Canada’s Digital Privacy Act
"There are a significant number of breaches that never get reported because there's no obligation to report them," Imran Ahmad, a partner at the law firm Miller Thomson – a firm that specializes in cyber security, told CBC News.
This practice of sweeping cyber attacks under the rug will start to change with the upcoming implementation of the Digital Privacy Act (PDF), a Canadian law that was passed in June 2015. The Digital Privacy Act requires organizations “to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner”. Failure to report a data breach under this law could result in a fine of up to $100,000.
Matthew Braga of CBC News, in the article "Here's why reports of data breaches will skyrocket this year" wrote, "The hope is that more transparency will lead to better protections and fewer breaches in the long term.”
6 Reasons Why Cyber Criminals Attack Small and Medium-Sized Businesses
Here are 6 reasons why cyber criminals are attracted to small businesses:
1. Less Capable to Handle Cyber Attacks
SMBs are less equipped to manage a cyber attack due to lack of resources.
2. Less Likely to Guard Important Data
SMBs are less likely to protect their important data – intellectual property, personally identifiable information and credit card credentials.
3. Susceptible to Attack Due to Partnership with Large Businesses
The partnership between large businesses and SMBs provides hackers back-channel access to their true target: large businesses.
4. Less Likely to Have Key Security Defenses
According to Cisco, in its 2017 midyear cyber security report, as a result in lesser budget and expertise, SMBs have less key security defenses in place. For instance, only 34% of SMBs reported using email security compared with 45% of large businesses and only 40% use data loss prevention defenses compared with 52% of large businesses.
5. Less Likely to Have Written, Formal Cyber Security Strategies
Large businesses are more likely to have written, formal strategies in place compared to SMBs (66% versus 59%), Cisco reported.
6. Less Likely to Require Vendors to Have ISO Certifications
Large organizations, CISCO noted, are more likely than SMBs to require their vendors to have ISO 27018 certifications (36% versus 30%). ISO 27018 refers to the “commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.”
Ripple Effect of Cyber Attacks on SMBs to Canada’s Economy
In the 2016 Canadian Chamber of Commerce's "Top 10 Barriers to Competitiveness for 2016", the business organization ranked Canada’s vulnerability to cyber crime as the country’s number 2 barrier to global competitiveness. The country’s chamber of commerce said that digital security breaches and cyber theft hinder Canada’s global competitiveness.
Without taking into consideration the value of the data itself, the Canadian Chamber of Commerce said that the country’s internet economy accounted for 3.6% of its $1.83 trillion GDP.
Protecting small businesses, in particular, from cyber attacks is as important as protecting large enterprises, considering that the economy of Canada mostly comprised of small businesses. According to the Canadian Chamber of Commerce, out of the 1.2 million businesses in Canada, 98% have fewer than 100 employees, 55% have fewer than 4 and 75% have fewer than 10 employees. These over a million small enterprises in the country employ 60-80% of all jobs created in Canada and companies with fewer than 100 employees contribute about 51% to Canada’s GDP.
We invite you to connect with us to speak with one of our cyber security experts, and protect your small or medium business today.
4 Lessons Small Businesses Can Learn from WannaCry and NotPetya Cyber Attacks
WannaCry and NotPetya, also known as Petya, have been the most talked about cyber attacks in the past three months. WannaCry was released into the wild in May this year; NotPetya in June this year.
Their popularity is understandable given that the combined victims of these two cyber attacks reached hundreds of thousands worldwide, with WannaCry affecting over 300,000 computers in 150 countries; NotPetya affecting over 12,500 computers in 65 countries.
Most importantly, these two cyber attacks, labeled as ransomware – malicious software that encrypts computer data and asks for ransom money to unlock it – victimized big corporations and big government institutions worldwide.
WannaCry disrupted the operations of UK’s National Health Service, U.S. express delivery company FedEx and Renault's assembly plant in Slovenia. NotPetya, on the other hand, disrupted the operations of the Chernobyl nuclear plant, U.S.-based pharmaceutical company Merck and Danish shipping firm Maersk.
While big corporations affected by NotPetya such as Nuance, TNT Express, Saint-Gobain, Reckitt Benckiser Group and Mondelēz International publicly acknowledged that their operations have been disrupted, and they have suffered economic losses because of the attack, these big corporations have proven their resilience.
“If a public breach damages a brand and causes customers to switch to a competitor, a larger business can weather the impact better than a smaller business,” Cisco said in its 2017 midyear cyber security report. “When attackers breach networks and steal information, small and medium-sized businesses (SMBs) are less resilient in dealing with the impacts than larger organizations.”
Here are 4 lessons small businesses can learn from WannaCry and NotPetya cyber attacks:
1. Use the Latest Operating System
Users of old operating systems are vulnerable to cyber attacks.
Majority of NotPetya ransomware infections, according to Microsoft in a bulletin dated June 29, this year, were observed in computers using Windows 7. Windows 10, on the other hand, according to Microsoft is resilient against the NotPetya ransomware attack.
For WannaCry, users of old Microsoft operating systems – in particular, Windows XP, Windows 8 and Windows Server 2003 – fell victim to this malicious software. Microsoft ended its support for Windows XP on April 8, 2014; Windows Server 2003 on July 14, 2015; and Windows 8 on January 13, 2016.
For Windows XP, Microsoft issued this statement:
"After April 8, 2014, Microsoft will no longer provide security updates or technical support for Windows XP. Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. PCs running Windows XP after April 8, 2014, should not be considered to be protected, and it is important that you migrate to a current supported operating system – such as Windows 10 – so you can receive regular security updates to protect their computer from malicious attacks."
In the paper “The hackers holding hospitals to ransom” published in the British Medical Journal (BMJ) two days before the WannaCry attack, Krishna Chinthapalli, a doctor at the National Hospital for Neurology and Neurosurgery in London, found that a number of British hospitals were using Windows XP, an operating system introduced by Microsoft in 2001.
2. Install Security Update of the Latest Operating System
Even if you’re using the latest operating system and you fail to install the latest security update or patch, your computers are still vulnerable to cyber attacks.
Users of Windows 10 – the latest operating system from Microsoft – who failed to install the security update released by Microsoft on March 14, 2017 fell victim to WannaCry.
Microsoft said that its March 14, 2017 update resolves vulnerabilities in Microsoft Windows that “could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.” WannaCry exactly exploited this specific security vulnerability mentioned in the March 14th update by Microsoft.
3. Paying Ransom Isn’t a Guarantee that You’ll Get Your Data Back
In a typical ransomware, computer data is encrypted, a ransom note is shown on the computer screen of the victim, the victim pays and the victim recovers data as the data is decrypted.
WannaCry victims paid close to $100,000 – paid in bitcoins; NotPetya victims paid close to $10,000. These earnings are stark contrast to the number one top grossing ransomware Locky which earned $7.8 million, and the second top grossing ransomware Cerber which earned $6.9 million based on the data provided in a Google-led study (PDF).
The reason why these two didn’t earn that much bitcoins is that many victims early on knew that these malicious programs couldn’t restore their data despite paying ransom. According to the Google-led study, WannaCry and NotPetya are "impostors” as they are in reality “wipeware” pretending to be ransomware.
Matt Suiche from Comae Technologies concluded that NotPetya is a wiper as it “does permanent and irreversible damages to the disk”. Suiche differentiates a wiper and a ransomware, this way: “The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”
Victims of NotPetya also can’t pay ransom as the payment email address isn’t accessible anymore. The email address specified in the NotPetya ransomware notice was immediately blocked by the email provider Posteo. The perpetrator or perpetrators of NotPetya also didn’t replace the blocked address with another one.
In the case of WannaCry, McAfee researchers found that while WannaCry can decrypt files, “WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.”
4. Backup Your Data
Make your organization resilient to cyber attacks by backing up your critical data. You can always get back your operating system or other software applications by reinstalling them. It may, however, be impossible to recreate your data lost to cyber criminals. It’s important then to always backup your critical data.
Backing up data on a regular basis isn’t just helpful in case cyber attackers corrupt your data, it’s also valuable in case your computers are stolen or destroyed as result of fire or other disasters.
Steve E. Driz