- Six Successful Strategies For Re-Opening Your Business After Covid19
- Cybersecurity Readiness in a Pandemic Era
- Cybersecurity In 2020 – A Roadmap To Keeping Your Business Safe
- What’s your reputation worth? The cost of not protecting your data.
- Ryuk Ransomware Hits Canadian Businesses
- Why Are Small Businesses A Hackers Playground?
- Phishing attacks targeting Office 365 users
- The new normal in cybersecurity
- Hackers targeting torrent sites
- The implications of PIPEDA for small business
- Cybersecurity Essentials
By Dom Chorafakis, P.Eng, CISSP – May 27, 2020
Reopening your business successfully requires more than a return to normal. The sudden widespread closures found many businesses scrambling to adapt and sadly some of them have not survived.
Organizations with Business Continuity Plans found themselves a step ahead of those who had little to no planning, and now as Canadians grapple with managing life during the COVID-19 pandemic, some things are coming to light about what we can do as individuals and as businesses to resume working and living within the new restrictions.
Resources like those from the Ontario Government provide details around workplace and worker safety, and although many practices are consistent among all provinces, businesses should explore their specific provincial website for what is required in each province.
So how do you begin?
- Put People First: Returning employees will have some fears and questions about their safety in the workplace. Ensure that your organization has clearly defined workplace safety procedures and protocols, and communicate those procedures clearly and often with your staff. Creating a safe work environment for staff and clients is key to a successful re-opening.
- Check Health & Safety Equipment: Perform maintenance on health and safety equipment (e.g. smoke detectors, fire alarms, security and PA systems) that may have been missed during the shutdown and confirm they are working as expected.
- Complete Software Updates: Computers that have been powered off for some time have not been receiving Windows updates. You should:
  - Make sure you back up important data before applying updates, as they may sometimes cause problems
  - Manually go through the update process to ensure the PC is fully up-to-date before using it to access email or the Internet
- Perform Laptop Checks: Computers that were being used at home in a less controlled environment may be infected and spread malware on the corporate network.
  - Make sure all systems in the office are up-to-date with software and anti-virus updates
  - Perform a full scan of any systems that were used outside of the office during the shutdown
- Inspect Battery Backups: UPS and backup batteries may not have been checked or maintained during office closures. Inspect battery backups to verify that charge levels and expected duration in the event of a power outage are in accordance with battery capacity and load.
- Re-Train Staff: Your employees are your best resource for identifying and resolving issues. Some things may have fallen through the cracks so be sure that staff are refreshed on critical business protocol, which should include cyber safety. 60% of all security breaches come from internal staff, so reminding your staff about cyber safe practices like password management and email threats is critical to the safe re-opening of your company.
Re-opening your business will take special care and planning, especially as it relates to cyber security requirements, so we’ve created a list of free resources to help you build your plan. To receive the list and to learn more click here.
By Dom Chorafakis, P.Eng, CISSP - March 2, 2020
As the coronavirus (COVID-19) continues to spread around the globe, and with the first suspected instance of community spread in the U.S. confirmed by the CDC, time is quickly running out for individuals and businesses to prepare for the inevitable disruptions of an outbreak. Business Continuity and Disaster Recovery planning are two critical components of a good cybersecurity strategy. These plans ensure that a business has the necessary systems and procedures in place to enable ongoing operations during a crisis, and allow it to quickly and efficiently resume normal operations once the crisis is over.
There is no doubt that a coronavirus outbreak will have a significant economic impact on businesses, especially those located in affected areas. The 2003 SARS outbreak in Toronto which saw 375 cases in the 110 days between February 23rd and June 12th 2003 is estimated to have cost Toronto businesses approximately $1 billion. With the worldwide number of COVID-19 cases already 10 times higher than the total number of SARS cases in 2003 and no end currently in sight, the economic impact is expected to be much more severe.
Many large corporations have Business Continuity and Disaster Recovery plans in place and regularly test those plans to make sure they are ready to respond when disaster strikes. Unfortunately, most small and medium businesses lack the expertise and resources and are unable to cope with a crisis. To help businesses prepare for the anticipated disruptions caused by a COVID-19 outbreak, organizations such as the U.S. Centers for Disease Control (CDC) have provided guidance that businesses of all sizes can use to develop strategies specifically for a coronavirus outbreak and emergency planning in general.
Being proactive and having a plan in place is critical to a business’s ability to survive a crisis. There are lots of great resources out there that people can use to help them build robust Business Continuity and Disaster Recovery plans, although details can be a bit sketchy when it comes to cybersecurity. It’s also important to remember that this isn’t something that’s done once and put on a shelf; it needs to be an ongoing practice.
Ongoing cyber-awareness training is one such example. Cyber criminals often take advantage of major global events as a way to trick users and infect systems, and the threat of a COVID-19 pandemic is no exception. Security researchers have already reported several scams involving email that claims to be from HR with updates on company staff affected by the virus, or updates from the WHO or CDC, with attachments that are used to install ransomware and other malware. In light of the fear and confusion surrounding the coronavirus outbreak, employees should be reminded to be vigilant and suspicious of email claiming to provide information or updates about the virus.
Businesses need to make sure their continuity plans cover a wide range of topics like ensuring employees have secure remote access to critical business systems, having a secure way for people to share files if they need to work remotely for extended periods of time, or being able to communicate with customers in the event a facility is quarantined. This can all be a bit daunting, so we’ve created a list of free resources businesses can use to help them build their plan, which is available here.
By Dominic Chorafakis, P.Eng, CISSP – January 31, 2020
A look back at 2019 tells us all we need to know about what we can expect in the world of cyber threats for 2020. The past year saw the return of the Ryuk virus, which hit the Canadian market, targeting three Ontario hospitals and a Toronto dental clinic, where the attacker encrypted the clinic’s files and demanded $165,000 in ransom to restore access to them.
The recent LifeLabs data breach is the largest yet in Canada in terms of personal record count, and the company may end up paying dearly for its security lapse. A civil lawsuit that was just introduced in Toronto is seeking a total of $1.14 billion in damages.
We know that incidents of cybercrime are on the rise, and a StatsCan report found that one-fifth of Canadian businesses reported that they were impacted by a cyber security incident.
Cyber threats have become mainstream and now regularly make the news. Statistics show us that companies large and small are not exempt from the threats of cyber criminals looking to access their company info and steal their data. In fact, security sources predict that nearly half of the cyber-attacks for 2020 will be on small businesses.
So How Can We Use The Events From Last Year To Prepare For The Year Ahead?
The first step is to accept that cyber threats are here to stay. In today’s world all businesses, small and large, are connected to the web and to a network of external sources and potential openings for threats to pass through. Many of these threats simply didn’t exist in past years, but they are here now and they aren’t going anywhere. Businesses that choose to adopt an “it won’t happen to me” approach are at the greatest risk, and with the average cost of a hack for small and medium Canadian businesses being in the range of $46,000 to $100,000, it’s a risk many businesses will find too hard to recover from. But it’s not too late. Here are three simple suggestions to get you started.
- Have a plan – Work with your IT support staff to create a plan that details the steps you should take to prevent an attack along with the steps to take in the event of an attack. This will not only reduce your risk, it will also reduce the impact of an attack so your business can be up and running in no time.
- Train your staff – Statistics show that 60% of all security breaches come from internal staff, so creating cyber awareness internally is a key safeguard for your company.
- Apply a multi-layer approach to security – make sure that you install anti-virus, anti-spyware and intrusion prevention tools and that you routinely update the software and operating programs that you use to run your business. Adopting a security monitoring solution is the final layer in a comprehensive package.
Staying ahead of the threats is an everyday challenge and not one that most business owners can, or should, manage alone. The good news is that tools to fight cyber threats have also been growing, and now more than ever businesses have the resources available to help them protect their data.
By Dominic Chorafakis, P.Eng, CISSP – November 12, 2019
Businesses spend a lot of money building and maintaining their reputation. Recent information from the Business Development Bank of Canada (BDC) indicates that Canadian small business marketing costs average just over $30,000 a year, while those with 20 to 49 employees spend twice that amount. Companies with 50 or more employees tend to have marketing budgets in excess of $100,000. Unfortunately, many businesses fail to protect this investment and make the costly mistake of damaging their reputation by not protecting their business and client data.
Clients view their information as extremely valuable and expect companies that have it to protect it. They not only expect it, but also have legal rights that allow them to push back on organizations that don’t follow the rules. As of November 1, 2018, the government of Canada has made changes to its Personal Information Protection and Electronic Documents Act (PIPEDA) requiring all organizations that hold personal information to report any significant data breaches.
The value of your reputation
The immediate business costs and disruptions caused by a data breach can be painful, but what is often more impactful and long lasting is the loss of customer trust and erosion of the company reputation. According to the IBM Ponemon Institute, 36% of the cost of a data breach comes from the loss of business stemming from loss of customer trust after a cyber incident. The message is clear: if you don’t value a customer’s information enough to protect it, then you don’t value their business. A recent Verizon survey on Customer Experience found that 29% of customers would never do business with a company again if they were personally affected by a data breach.
Think about the impact that data breaches have had on a larger corporation like Marriott Hotel, whose revenue was lowered by three million dollars following its 2018 data breach announcement. While large corporations have extensive resources and deep pockets that allow them to ride out the storm and slowly build back their reputation, small-to-mid sized businesses (SMBs) are often not equipped with the knowledge, resources, or budget to build back customer trust, which can result in an unrecoverable loss to their reputation and revenue.
Reduce your company risk
To stop your company from experiencing these damages, it is essential that you have rigorous control over the personal and client data that you handle. Avoid the all too common mistake that SMBs make of thinking that they are too small for hackers to care about. At a recent Cybersecurity For Business Leaders event in Toronto, Robert Gordon, executive director of the Canadian Cyber Threat Exchange (CCTX) stated that “Attackers will often go after a small business as an entry point to a larger target.”
Educate yourself and your staff about the risks, prepare your business with the tools needed to protect your data, and finally adopt a managed cyber security service that can help identify vulnerabilities and improve security to catch threats before they become an issue. Protecting your company’s and clients’ data from cyber threats is a business imperative; your company’s reputation and viability depend on it.
By Dominic Chorafakis, P.Eng, CISSP – October 22, 2019
The Ryuk ransomware virus is back and it’s targeting Canadian businesses and industries. The virus first appeared in the summer of 2018 and then again in January of this year, with its victims largely in the UK and USA. Recently, however, hackers have set their sights on the Canadian markets, hitting three Ontario hospitals and, most recently, a Toronto dental clinic, where the attacker encrypted the clinic’s files and demanded $165,000 in ransom to restore access to them.
Ryuk is not limited to targeting a specific industry and there is an increase in the number of Canadian businesses that are affected by such cyber attacks.
How Does It Work?
The initial Ryuk infection is most frequently caused by a spam email that contains a malicious attachment. Once the malware manages to install itself on a computer, it is able to bypass anti-virus detection and often remains hidden for months.
During that time, it collects information about the organization and uses Windows vulnerabilities and other tricks to spread to other computers. Once enough systems have been infected, a remote command is given which causes all files to be encrypted and a ransom note is posted. Ryuk then locks files, demanding the network owner pay a sum of money to make them accessible again.
What you need to know
Unlike other modern ransomware like WannaCry, Ryuk itself possesses functionality that goes beyond the ability to identify and encrypt network drives and includes the ability to delete shadow copies on the endpoint. By doing this, the attackers could disable the Windows System Restore option for users, and therefore make it impossible to recover from the attack without external backups.
For individual users or small businesses unaccustomed to backing up their data, this type of information loss could be devastating.
Many unsuspecting victims assume that paying the ransom fee will resolve the situation, unaware that there is no guarantee of getting back all, or any, of the stolen data. Paying often compounds the severity of the situation by adding financial victimization to the data loss.
So how do you protect your data?
- Develop cyber smarts – Computer users should be aware of how to spot phishing email and receive cyber awareness training.
- Get the right tools – Although Ryuk can bypass anti-virus, it is possible to detect its activity on the network by monitored intrusion prevention systems like My Security Console. The right software combined with monitoring by cyber experts can prevent infection or cut it off before it spreads.
- Have a backup plan – You just learned how paying ransom doesn’t mean that you’re out of the woods; in many cases infected files are damaged and not recoverable. Safe backups are the only reliable way of recovering your data should you become infected – so be sure to routinely back up your data!
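The shadow-copy deletion described above is visible in process-creation logs. The following is an added example, not part of the original post or of My Security Console: detection logic over constructed events that flags commands which delete Volume Shadow Copies and escalates when several hosts do so within minutes of each other. The event fields, host names and the two command patterns are assumptions; the post does not say which commands Ryuk runs.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns for Volume Shadow Copy deletion. These two built-in
# Windows tools are an assumption of this example (the post does not say how
# Ryuk deletes shadow copies) and the list is not exhaustive.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I)),
    ("wmic shadowcopy delete",
     re.compile(r'\bwmic(\.exe)?"?\s+.*\bshadowcopy\b.*\bdelete\b', re.I)),
]

# Constructed sample events, shaped like process-creation records
# (Sysmon Event ID 1 or Windows Security event 4688). Hosts and users are made up.
SAMPLE_EVENTS = [
    {"time": "2019-10-22T08:55:10", "host": "IT-ADMIN-01", "user": "itadmin",
     "command_line": r"vssadmin list shadows"},  # read-only listing, benign
    {"time": "2019-10-22T09:14:02", "host": "FRONTDESK-01", "user": "reception",
     "command_line": r"notepad.exe schedule.txt"},
    {"time": "2019-10-22T23:41:07", "host": "FRONTDESK-01", "user": "reception",
     "command_line": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"time": "2019-10-22T23:41:52", "host": "BILLING-02", "user": "billing",
     "command_line": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"},
    {"time": "2019-10-22T23:43:30", "host": "FILESRV-01", "user": "SYSTEM",
     "command_line": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
]


def find_shadow_copy_deletions(events):
    """Return the events whose command line deletes shadow copies, oldest first."""
    hits = []
    for ev in events:
        cmd = ev.get("command_line", "")
        for label, pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(cmd):
                hits.append({
                    "time": datetime.fromisoformat(ev["time"]),
                    "host": ev["host"],
                    "user": ev["user"],
                    "technique": label,
                    "command_line": cmd,
                })
                break  # one hit per event is enough
    return sorted(hits, key=lambda h: h["time"])


def triage(hits, window=timedelta(minutes=10)):
    """Grade the hits: 'none', 'high' (isolated host) or 'critical'.

    The post notes that encryption is triggered once enough systems are
    infected, so the same deletion on two or more hosts inside a short
    window is treated as an attack in progress.
    """
    if not hits:
        return "none", []
    hosts = sorted({h["host"] for h in hits})
    most_hosts_in_window = 1
    for i, first in enumerate(hits):
        in_window = {h["host"] for h in hits[i:]
                     if h["time"] - first["time"] <= window}
        most_hosts_in_window = max(most_hosts_in_window, len(in_window))
    severity = "critical" if most_hosts_in_window >= 2 else "high"
    return severity, hosts


if __name__ == "__main__":
    found = find_shadow_copy_deletions(SAMPLE_EVENTS)
    for hit in found:
        print(hit["time"].isoformat(), hit["host"], hit["user"], hit["technique"])
    print("severity:", *triage(found))
```

Backup software and administrators sometimes run these commands legitimately, so review the account and time of day behind each hit before acting on it.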
Want to learn more about how to stay cyber safe?
Discover how you and your team can develop the skills needed to avoid becoming victims of ransomware attacks like Ryuk – take our free phishing training here.
By Dominic Chorafakis, P.Eng, CISSP – September 11, 2019
Today’s small and medium businesses are increasingly a favourite target for cyber criminals. The government of Canada’s most recent cybersecurity threat report states that businesses of all sizes are vulnerable. Hackers and cyber criminals don’t discriminate based on company size, location, or annual revenue; they simply look for the easiest way in, which is through an unprotected system most often found in a small business. “Businesses can no longer rely on anti-virus alone to protect their systems and applications,” said Bruno Macchiusi, founder of Toronto-based IT Service Provider Alpha Logics. “We’re seeing a large number of attacks that are able to bypass anti-virus these days.”
What are the top 3 biggest mistakes that small & medium businesses make?
- They think that they are too small to be of interest to hackers
- They lack knowledge of the simple steps that they can take to prevent becoming victims
- They assume that security solutions are too costly and only for large organizations
Recent updates to laws like Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) make organizations that hold personal staff, client, or member information accountable for reporting any significant data breaches; this includes breaches in small to medium businesses. The legislation means that companies can no longer hide if they’ve been victims of a cyber-attack. This type of disclosure can seriously damage a company’s reputation (remember Equifax?). Small and medium size businesses are often poorly informed and can be blindsided by their legal responsibilities, making them more vulnerable to the fallout from an attack.
We know that incidents of cybercrime are on the rise; a recent StatsCan report found that one-fifth of Canadian businesses reported that they were impacted by a cyber security incident. Recovery costs are also on the rise and range from $113,000 for medium-sized businesses (50 to 249 employees) to $46,000 for small businesses (10 to 49 employees).
So how do businesses keep themselves protected from hackers?
Expect that you’ll become a victim and plan ahead. There are many security measures that can help keep you and your data safe, but nothing can guarantee you 100% protection. Being prepared can reduce the impact, cost and time of recovery. Here are our top 5 tips on how to be cyber safe.
- Back-Up Your Data – so if your company information has been stolen or is being held for ransom you can refer to your back-ups and be up and running again with minimal downtime.
- Install the right protection software – make sure that you install anti-virus, anti-spyware and internet firewall tools.
- Keep your operating system up-to-date – try to keep your systems updated with the newest version available. These updates have important security patches and fixes that will protect against the latest threats.
- Employ good email and internet habits – one of the most popular ways hackers will attack you is through phishing emails and infected sites (malvertising). Clicking on suspicious links or downloading malicious files are common ways that you and your staff can let hackers into your business.
- Consider a monitored security solution – many businesses make the fatal mistake of thinking that these types of solutions are too costly or complex for them. Services like My Security Console allow businesses to enjoy enterprise-grade security features for small business prices.
Want to learn more? To receive important cybersecurity updates on the latest threats with tips on how to stay safe click on this button to follow us on LinkedIn or join our critical updates mailing list.
By Dominic Chorafakis, P.Eng, CISSP – March 20, 2019
Email continues to be the favorite tool for hackers to hijack computers and steal information. Recent phishing campaigns are proving to be particularly effective by combining different techniques to target Office 365 users. There are two key elements that make the attack effective:
By Dominic Chorafakis, P.Eng, CISSP, January 19, 2019
Not so long ago, computer viruses were mostly created by pranksters and computer geeks trying to see what they could get away with. There was still some risk for data loss and downtime, but for the most part viruses were just an annoyance and installing a decent anti-virus was enough to keep your systems safe.
By Dominic Chorafakis, P.Eng, CISSP – December 5, 2019
There has been a surge of hacks targeting torrent users by posting fake ads on popular peer-to-peer file sharing sites that direct victims to websites infected with exploit kits able to install information-stealing malware and ransomware on their computers.
Torrents are a common source of malware and viruses, since the very nature of peer-to-peer file sharing means that the files you are downloading can come from anyone and anywhere. As a general rule you should not install torrent clients, and only download files from known, reputable sources.
If you insist on using torrents, you should assume that the computer you are using will be hacked and don’t use it for activities like banking or accessing your email. If possible keep it on a separate network by setting up a guest WiFi network that doesn’t have access to the rest of your network.
What you should do
Take the following measures to protect your systems from this attack:
- Inform your staff that hackers are targeting Torrent users and that accessing file sharing sites is prohibited
- Prohibit the use of peer-to-peer file sharing clients like uTorrent on computers connected to your network
- Ensure that all computers have the latest operating system and browser patches installed
- Consider using a reputable ad-blocker
To receive important cybersecurity updates on the latest threats with tips on how to stay safe click on this button to follow us on LinkedIn or join our critical updates mailing list at My Security Console.
By Dom Chorafakis, P.Eng, CISSP, November 27, 2018
Information contained in this post is intended as general information only. It is not, nor should be construed as legal advice and should not be relied upon as such. If you need legal advice, please contact an attorney directly.
Personal Information Protection and Electronic Documents Act (PIPEDA)
It has been almost a month since the new PIPEDA rules regarding mandatory breach reporting in Canada came into effect and many clients still have questions around what it means for their business. In this post we’ll explore some of the key highlights of the legislation and provide links back to the relevant sections of the Office of the Privacy Commissioner of Canada (OPC) website you can use to get more information.
Perhaps the most common question that comes up is whether the rules apply to a small business that only has one or two employees. The short answer is yes, they do. The rules do not provide for any exemptions based on number of employees or revenue. There are however certain types of organizations to which the rules may not apply as per the PIPEDA brief available at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/ :
“Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:
- not-for-profit and charity groups
- political parties and associations” 
So if you own a business that is not a charity, political party or association, then the rules definitely apply to you. Note however that even those organizations may need to comply with the rules if “they are engaging in commercial activities that are not central to their mandate”. For example, if an association sells its member list data for marketing purposes, PIPEDA would apply.
As mentioned in the brief, “PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity. A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists.” 
The personal information that is protected under PIPEDA includes anything that is recorded about an identifiable individual. According to the brief, “This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).” 
The Act defines 10 fair information principles that businesses must follow with regards to personal information:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
There are a number of clauses in the Act (which is available online at http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html ) that are relevant from a cybersecurity perspective. For example, the Act states that “Organizations shall implement policies and practices to give effect to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;
(c) training staff and communicating to staff information about the organization’s policies and practices; and
(d) developing information to explain the organization’s policies and procedures.” 
Furthermore, the Act states that “The methods of protection should include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.”
Not only does the Act require businesses to use appropriate administrative and technological safeguards to protect personal information, it also stipulates that any breaches of these safeguards that expose this personal information must be reported to the OPC. Organizations that fail to report such a breach may be liable for a fine of up to $100,000. According to the Act, “An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
[…] significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
The OPC provides a privacy toolkit for business at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/guide_org/ to help comply with the Act and its principles.