
Tag Archives: cyber risk management

Simple Steps to Cyber Security

Recent Internet bugs and vulnerabilities have had a widespread impact, compromising the security of computers as well as personal information you may enter online.

Although you can’t stop criminals from attempting a cyber attack, you can take several steps to reduce your risk of having your personal information stolen, misused or deleted. Start by using strong passwords, avoiding malware and viruses, and protecting yourself against scams and security breaches.

Password security

  • Do not use the same password for multiple accounts, especially important accounts such as online banking or an online store with your credit card on file.
  • Passwords should not be a word found in the dictionary or a combination easily guessed by a friend; be creative and mix up letters, numbers and symbols to make a strong password.
  • Passwords should be periodically changed, especially in the wake of the Heartbleed bug that left much encrypted information vulnerable to exploitation.

Malware

  • Don’t click on links or download attachments in unsolicited emails.
  • Don’t download anything from sites you don’t trust.
  • Don’t enter personal information on a website if you clicked on a link; instead, type the URL into the address bar to make sure you go to the site you want.
  • Scan all external devices, such as USB flash drives, for viruses and malicious software (malware) before using.
  • Install antivirus security software.

Scams and other security breaches

  • Never email personal information on an unsecured Wi-Fi network; the network can be hacked and the information accessed by unauthorized users.
  • Don’t disclose private information unless necessary, and always verify the source if asked to input sensitive information into a website or email.
  • Before entering credit card numbers or other payment information when shopping online, double-check that you’re on the website you think you are and check the URL for “https,” which is a general indication that the page is encrypted for your security. Some browsers also display a “lock” icon to indicate that a website is secure.


© 2014 Zywave, Inc. All rights reserved.



Policies to Manage Cyber Risk

All companies should develop and maintain clear and robust policies for safeguarding critical business data and sensitive information, protecting their reputations and discouraging inappropriate behaviour by employees. Many companies already have these types of policies in place, but they may need to be tailored to reflect the increasing impact of cyber risk on everyday transactions, both professional and personal. As with any other business document, cyber security policies should follow good design and governance practices—not so long that they become unusable, not so vague that they become meaningless, and reviewed regularly to ensure that they stay pertinent as your business’ needs change.

Establish security roles and responsibilities. One of the most effective and least expensive means of preventing serious cyber security incidents is to establish a policy that clearly defines the separation of roles and responsibilities with regard to systems and the information they contain. Many systems are designed to provide for strong role-based access control (RBAC), but this tool is of little use without well-defined procedures and policies to govern the assignment of roles and their associated constraints. At a minimum, such policies need to clearly identify company data ownership and employee roles for security oversight and their inherent privileges, including:

  • Necessary roles, and the privileges and constraints accorded to those roles
  • The types of employees who should be allowed to assume the various roles
  • How long an employee may hold a role before access rights must be reviewed
  • If employees may hold multiple roles, the conditions defining when to adopt one role over another

Depending on the types of data regularly handled by your business, it may also make sense to create separate policies governing who is responsible for certain types of data. For example, a business that handles large volumes of personal information from its customers may benefit from identifying a chief steward for customers’ privacy information. The steward could serve not only as a subject matter expert on all matters of privacy, but also as the champion for process and technical improvements to handling of personally identifiable information (PII).
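As an added example (not part of the original post and not a Zywave or Precept policy template), here is a small Python model of the elements the list above calls for: roles with their privileges, which employee types may assume them, a review interval after which an assignment must be re-examined, and a rule for roles that one person may not hold at the same time. The role names, interval, reference date and employee records are all constructed sample data.

```python
# Added example with constructed sample data: the roles, review interval and
# employee records are illustrative, not a real policy.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Role:
    privileges: frozenset   # what the role may do
    eligible: frozenset     # employee types allowed to assume the role

@dataclass(frozen=True)
class Assignment:
    employee: str
    employee_type: str
    role: str
    granted: date           # when the role was assigned

ROLES = {
    "pii_steward": Role(frozenset({"read_pii", "export_pii"}), frozenset({"staff"})),
    "backup_admin": Role(frozenset({"restore", "delete_backup"}), frozenset({"it"})),
    "auditor": Role(frozenset({"read_logs"}), frozenset({"staff", "it"})),
}
REVIEW_AFTER = timedelta(days=90)   # access rights must be reviewed after this long
# Role pairs one person must not hold at the same time (separation of duties).
CONFLICTS = [frozenset({"backup_admin", "auditor"})]
TODAY = date(2014, 4, 11)           # constructed reference date

def assignment_errors(assignments, today=TODAY):
    """Return a list of policy violations found in the given assignments."""
    errors, held_by = [], {}
    for a in assignments:
        role = ROLES.get(a.role)
        if role is None:
            errors.append(f"{a.employee}: unknown role {a.role}")
            continue
        if a.employee_type not in role.eligible:
            errors.append(f"{a.employee}: {a.employee_type} may not hold {a.role}")
        if today - a.granted > REVIEW_AFTER:
            errors.append(f"{a.employee}: {a.role} overdue for access review")
        held_by.setdefault(a.employee, set()).add(a.role)
    for employee, roles in held_by.items():
        for pair in CONFLICTS:
            if pair <= roles:
                errors.append(f"{employee}: conflicting roles {sorted(pair)}")
    return errors

def is_permitted(assignments, employee, privilege, today=TODAY):
    """Deny by default: grant only via assignments that pass every policy check."""
    mine = [a for a in assignments if a.employee == employee]
    if assignment_errors(mine, today):
        return False
    return any(privilege in ROLES[a.role].privileges for a in mine)

SAMPLE = [  # constructed records: bob's and carol's entries break the policy
    Assignment("alice", "staff", "pii_steward", date(2014, 3, 1)),
    Assignment("bob", "it", "backup_admin", date(2014, 1, 2)),
    Assignment("bob", "it", "auditor", date(2014, 3, 20)),
    Assignment("carol", "staff", "backup_admin", date(2014, 4, 1)),
]
```

Running `assignment_errors(SAMPLE)` flags bob's overdue review and conflicting roles and carol's ineligible role, while `is_permitted` refuses every privilege for an employee whose assignments fail any check.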

Develop a privacy policy. Privacy is important for your business and your customers. Continued trust in your business practices, products and secure handling of your clients’ unique information impacts your profitability. Your privacy policy is a pledge to your customers that you will use and protect their information in ways that they expect and that adhere to your legal obligations. Your policy should start with a simple, clear statement describing the information you collect about your customers (physical addresses, email addresses, browsing history, etc.) and what you do with it. It’s important to create your privacy policy with care and post it clearly on your website. It’s also important to share your privacy policies, rules and expectations with all employees and partners who may come into contact with that information. Your employees need to be familiar with your privacy policy and what it means for their daily work routines.

Establish an employee Internet usage policy. The limits on employee Internet usage in the workplace vary widely from business to business. Your guidelines should allow employees the maximum degree of freedom they require to be productive (for example, short breaks to surf the Web or perform personal tasks online have been shown to increase productivity). At the same time, rules for behaviour are necessary to ensure that all employees are aware of boundaries, both to keep themselves safe and to keep your company successful. Some guidelines to consider:

  • Personal breaks to surf the Web should be limited to a reasonable amount of time and to certain types of activities.
  • If you use a Web filtering system, employees should have clear knowledge of how and why their Web activities will be monitored, and what types of sites are deemed unacceptable by your policy.
  • Workplace rules for behaviour should be clear, concise and easy to follow. Employees should feel comfortable performing both personal and professional tasks online without making judgment calls as to what may or may not be deemed appropriate. Businesses may want to include a splash warning upon network sign-on that advises employees about the company’s Internet usage policy so that all employees are on notice.

Establish a social media policy. Social networking applications present a number of risks that are difficult to address using technical or procedural solutions. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. At a minimum, a social media policy should clearly include the following:

  • Specific guidance on when to disclose company activities using social media, and what kinds of details can be discussed in a public forum
  • Additional rules of behaviour for employees using personal social networking accounts to make clear what kinds of discussion topics or posts could cause risk for the company
  • Guidance on the acceptability of using a company email address to register for, or get notices from, social media sites
  • Guidance on selecting long, strong passwords for social networking accounts, since very few social media sites enforce strong authentication policies for users

All users of social media need to be aware of the risks associated with social networking tools and the types of data that can be automatically disclosed online when using social media. Taking the time to educate your employees on the potential pitfalls of social media use, especially sites with geo-location services, may be the most beneficial social networking security practice of all.

Identify potential reputation risks. All organizations should take the time to identify potential risks to their reputations and develop a strategy to mitigate those risks with policies or other measures as available. Specific types of reputation risks include:

  • Being impersonated online by a criminal organization (e.g., an illegitimate website spoofing your business name and copying your site design, then attempting to defraud potential customers via phishing scams or other methods)
  • Having sensitive company or customer information leaked to the public via the Web
  • Having sensitive or inappropriate employee actions made public via the Web or social media sites

All businesses should set a policy for managing these types of risks and plan to address such incidents if and when they occur. Such a policy should cover a regular process for identifying potential risks to the company’s reputation in cyber space, practical measures to prevent those risks from materializing and plans to respond and recover from incidents as soon as they occur. Precept Insurance & Risk Management has numerous sample cyber security policies available to our clients upon request. These policies are a great starting point for your policy-creation efforts and can be modified to fit the unique needs of your business.



Cyber Extortion Requires its Own Insurance Solution

Cyber extortion is an increasingly popular form of cyber attack that requires its own insurance solution.

The digital world we live in and ever-increasing number of companies that rely on the Internet for their business have created a highly fertile ground for cyber crime. According to Norton’s Cybercrime 2012 report, 70% of online adults in Canada have been the victim of cybercrime at some point in their life. Cybercrime costs Canadians $1.4 billion per year and the average cost per crime victim is over $160.

What is Cyber Extortion?

Businesses are increasingly being attacked by cyber criminals, and new forms of cyber crime emerge rapidly, often leaving us one step behind. One form of attack that is becoming increasingly popular is cyber threats and extortion: a type of online crime involving an attack, or a threat of attack, against a company to damage, expose or shut down information belonging to the company unless a ransom is paid to avoid or stop the attack.

How does it work?

In these types of attacks, cyber extortionists steal information from businesses and encrypt it so that it can’t be read. The latest backup of the data can also be snatched and the original data deleted from the owner’s servers. Cyber extortionists thus take the company’s data hostage and demand a ransom in exchange for the decryption key that would allow the victims to access their own information. However, the criminals won’t necessarily decrypt the files even after the ransom has been paid, and further attacks are possible, either by the same group or by another. The type of malware used in these attacks is called ransomware, and it is easily spread through spam, phishing emails and malvertising. The ease of spreading the malware, combined with little or no repercussions for criminals who are hard to track down or prosecute, makes cyber extortion a very lucrative undertaking. Often, the cyber extortionists’ worst-case scenario is simply not getting a payment from the victim. In many cases, the ransom demanded is significantly lower than the potential financial loss for the company, so it is easier for the company to pay the ransom and move on. Unless they happen at a large public company or a government entity, these attacks often don’t get reported to authorities and never reach the public, because the victims don’t want to risk their reputation or destroy consumer confidence.

How can businesses protect themselves?

To manage and minimize the potential damage from a cyber attack, companies should employ a comprehensive cyber risk management strategy that, along with cyber insurance, also includes appropriate loss control techniques, an assessment of the company’s network vulnerabilities, and employee security awareness training. There are many different cyber insurance policies out there providing various coverages. Businesses should make sure that their cyber insurance policy covers costs in case the company is unable to access its computer system, the system is infected by a virus, confidential information is compromised, or its brand and reputation is tarnished by posts on social media. In addition, the policy should cover the cost of an independent computer security consultant to assess any threats and prevent immediate ones, the cost of offering a reward aimed at stopping the perpetrators of the threat, and reimbursement of any ransom the company is required to pay in the event that the above measures fail to mitigate the threat against it.


Heartbleed bug: What’s affected and what passwords you need to change

Source: globalnews.ca Published: 04/11/14

An encryption flaw now known as the Heartbleed bug has made a major impact on online security. The flaw has affected many online services and websites that Canadians access every day.

Security experts have gone as far as to call it one of the biggest security threats the Internet has ever faced.

The flaw affects OpenSSL – a widely used open-source set of libraries for encrypting online services.

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed, leaving users’ information vulnerable.

For now, the best you can do to protect yourself is change the password for any accounts associated with websites affected by the bug once the website confirms it has deployed a fix.
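As an added example (not from the Global News article), the following Python function classifies the output of `openssl version` against the releases affected by Heartbleed: OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release were affected, 1.0.1g was the fixed release, and the 1.0.0 and 0.9.8 branches were never affected. The version strings in the code are constructed samples, and the local check is only a first screen, since distributions that backport the fix keep the old version string.

```python
# Added example: classify an OpenSSL version string against the range of
# releases affected by Heartbleed. Sample strings below are constructed.
import re
import subprocess

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")

def heartbleed_status(version_line):
    """Return 'vulnerable', 'fixed' or 'not affected'; None if unparsable."""
    m = VERSION_RE.search(version_line)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5) or ""
    if (major, minor, patch) == (1, 0, 2):
        # Only the first 1.0.2 pre-release carried the buggy heartbeat code.
        return "vulnerable" if beta == "-beta1" else "not affected"
    if (major, minor, patch) != (1, 0, 1):
        return "not affected"      # 1.0.0, 0.9.8 and later branches
    # 1.0.1 (no letter) and 1.0.1a..1.0.1f shipped the bug; 1.0.1g fixed it.
    return "vulnerable" if letter <= "f" else "fixed"

def local_openssl_status():
    """Classify the locally installed OpenSSL; None if the binary is missing.

    Caveat: vendors that backport the fix keep the old version string, so a
    'vulnerable' result here must be confirmed against the vendor advisory.
    """
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return None
    return heartbleed_status(out)

SAMPLE_VERSIONS = [  # constructed examples of `openssl version` output
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 1.0.2-beta1 (date omitted)",
]

if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        print(f"{v}: {heartbleed_status(v)}")
    print("local install:", local_openssl_status())
```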

Global News has created a list of some of the most popular services to let you know what’s affected and what passwords you need to change:

ONLINE BANKING

Were Canadian banks affected? No. Do you need to change your password? No – but this is a good reminder that your Internet banking password should be very secure.

“The online banking applications of Canadian banks have not been affected by the Heartbleed bug,” the Canadian Bankers Association said in a statement issued Wednesday afternoon. “Canadians can continue to bank [online] with confidence.”

CANADA REVENUE AGENCY

Was it affected? Yes Do you need to change your password? Yes

As of Friday the CRA’s online services were still offline due to the security concern. But according to a statement issued Friday, the websites will be back online by the weekend. Those with accounts should update their passwords once the site comes back online to be safe.

SOCIAL MEDIA

Facebook

Was it affected? Unclear Do you need to change your password? Yes

“We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to […] set up a unique password,” Facebook said in a statement.

LinkedIn

Was it affected? No Do you need to change your password? No

Instagram

Was it affected? Yes Do you need to change your password? Yes

“Our security teams worked quickly on a fix and we have no evidence of any accounts being harmed,” the company said.

Twitter

Was it affected? No Do you need to change your password? No

“We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation,” Twitter said on its website Wednesday.

Tumblr

Was it affected? Yes Do you need to change your password? Yes

“We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. This might be a good day to call in sick and take some time to change your passwords everywhere,” Tumblr said in a statement on Tuesday.

Pinterest

Was it affected? Yes Do you need to change your password? Yes

TECH COMPANIES

Google

Was it affected? Yes Do you need to change your password? Probably.

According to a statement from Google, the company proactively looks for vulnerabilities in order to fix them before they are exploited and therefore fixed this bug “early.” Google said users do not need to change their passwords because of this – but better safe than sorry in this case.

“We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine.  Google Chrome and Chrome OS are not affected,” a post on Google’s security blog published Wednesday said.

Microsoft

Was it affected? No Do you need to change your password? No

Apple

Was it affected? No Do you need to change your password? No

Yahoo

Was it affected? Yes Do you need to change your password? Yes

“Our team has fixed the Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now,” the company tweeted Tuesday.

Yahoo is also the email provider for Rogers customers.

According to a statement issued to Global News, “Rogers.com doesn’t use the impacted versions of the SSL software, so was not impacted by the bug.” But a spokesperson added that the company recommends customers update their passwords frequently as best practice.

ONLINE SHOPPING

Amazon

Was it affected? No* Do you need to change your password? No

*Amazon said with the exception of some services – Elastic Load Balancing, Amazon EC2, Amazon CloudFront, AWS OpsWorks and AWS Elastic Beanstalk – its services were unaffected. If you use these, you should probably change your password.

eBay

Was it affected? No Do you need to change your password? No

Etsy

Was it affected? Yes Do you need to change your password? Yes

“As of right now, we have no indication that an attack has been conducted against Etsy beyond testing the vulnerability, but this type of issue makes it very difficult to detect, so we’re proceeding with a high degree of caution,” read a security update on Etsy’s website Tuesday.

Paypal

Was it affected? No Do you need to change your password? No

OTHER ONLINE SERVICES

Dropbox

Was it affected? Yes Do you need to change your password? Yes

“We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe,” the company tweeted Tuesday.

OKCupid

Was it affected? Yes Do you need to change your password? Yes

Evernote

Was it affected? No Do you need to change your password? No

“Evernote does not use, and has not used, OpenSSL, so we were not vulnerable to this bug. As an Evernote user, you don’t need to take any action,” read the company’s blog.


CCIRC Handles 58 Cyber Incidents in 2 Weeks

During a two-week reporting period (Feb 16 – Mar 1, 2014), the Canadian Cyber Incident Response Centre (CCIRC) handled 58 incidents, including malware targeting Canadian financial institutions, the spread of ransomware, malware attacks and more.

Three Canadian energy and utilities sector organizations were attacked using watering hole techniques. Users were redirected to a compromised website that was serving the Lightsout exploit kit and the Havex remote access Trojan (RAT).

Canadian Internet protocol addresses were used in distributed denial of service attacks.

Please click on the link below to access the full report of incidents reported and sectors affected. Also, read about the latest news reports and some best practices for protection:

CCIRC Operational Summary – Feb 16 – Mar 1, 2014
