Moosomin Chamber of Commerce: O’Rourke impresses importance of cybersecurity

November 18, 2019, 7:30 am
Kevin Weedmark

Mark O’Rourke with MNP speaking at the Moosomin Chamber of Commerce meeting last week about the importance of cyber security and the growing risk of cyber attacks.

Mark O’Rourke of MNP made a presentation on cybersecurity at the November meeting of the Moosomin Chamber of Commerce.

“Cybersecurity is going to be one of the biggest trends we are going to see in business,” he said.

“Businesses buy trucks, buy computers, buy insurance. Most of the things businesses buy are things you can touch. They are physical assets, and are very important to your business.

“Cyber security is not a tangible asset, you can’t touch it. Business owners don’t like paying for things they can’t touch. We don’t like paying insurance, we don’t like paying legal fees, we don’t like paying accounting fees. We can’t touch those things.

“Cyber security is probably more important to your business than a truck is nowadays. You can get away doing business without a truck, but if you experience a cyber attack, you’re in trouble. Some businesses never rebound from cyber attacks.”

He said MNP merged with a cybersecurity firm in 2015, so there are more than 55 cyber professionals in the firm.

“If you ever have a cyber attack, call us first,” he said. “We can probably stop it, we have ability to hack certain ransomware, we can mitigate downtime.

“We can develop plans and do threat assessments and find the vulnerabilities before someone else does.”

He said the World Economic Forum has identified cybercrime as the number three threat to businesses after extreme weather events and natural disasters.

“In 2017, Canadian businesses spent $14 billion to prevent, protect and recover from cyber attacks”

“Two out of 10 Canadian businesses were impacted by cyber security incidents,” O’Rourke told Chamber members.

“Those were the reportable incidents, where there was a security data breach

“58 per cent of businesses impacted by cyber security incidents experience some down time. That downtime can range from a day to weeks, months, or permanently. Some businesses will never rebound from a cyberattack.”

O’Rourke said hackers can do something as simple as steal most of the data off of one of your devices when you log into an unsecured wifi network in a public place.

“As safe as we think networks are, and as easy as our world has become with smartphones and logging onto all of these networks anywhere so we have 100 per cent connectivity, these hackers are preying on that. It’s like leaving the bank vault door open at two in the morning with a sign saying ‘hey come take my money.’ That’s the whole cyber world now because we are not protecting ourselves.”

O’Rourke says hackers have managed to infiltrate some pretty large systems and cause some major data breaches. He gave a few examples, including locking two Ontario towns out of their servers, hacking into Canada Post, hacking the Ontario Disability Support Program with 45,000 recipients, BMO and CIBC, and attacking the U.S. Electrical grid.

He said hackers have also tried to target third party vendors, like the ones who use Amazon’s platform to sell things.

He said data breaches can leave companies liable.

“There have been privacy class action lawsuits against companies that have given up secure data, among other things,” he said. “And because the security breaches happened, people can sue those companies.

“In one of these court cases it came back that due to the fact that the company was prompt and effective in the response to the privacy breach, and they did all the right things to notify their affected customers and employees—they notified everybody, they talked, they made sure the breach was shut down, they shut down services. It actually mitigated their lawsuit liabilities significantly. By not acting on a breach immediately you are just costing yourself more money in the event that there is a lawsuit later on.

“You have to make sure you take the right steps, you have to make sure you shut those things down.”

O’Rouke says hackers are patient and know to wait and watch before taking advantage of a company.

“There are all sorts of hackers and really they are trying to exploit a vulnerability. Hackers are very patient,” he says. “They just sit in the background and watch. They will watch who is emailing who, and they will study your environment, who is doing payables, who is doing receivables, who is doing payroll, who has financial authority, who is in the chain of command, who is giving orders. They sit and watch this stuff in the background and they can replicate the data so they can see what’s going on.

“And when they are ready to attack, one of the most common attacks we see out there right now is they just take over somebody of authority’s email and they will reroute emails between people. They will replicate emails so that they go to them and then they will control the conversation.

“They will essentially produce false invoices with false vendors and will get them paid. This is one of the most common attacks out there and we see it all the time.

“Human error is another big issue. It typically stems from people being on the internet in the workplace looking at the wrong things. They click in the wrong spot. Clicking a button downloads malware and that affects your computer and it takes over and it will shut networks down, it will lock up the entire system. It takes only one computer. If you have 100 computers on your network, one individual shuts down an entire network.

“And they want money. And if you are lucky, they don’t know enough about your business. And if they don’t know what they’ve got they will make a request for some cryptocurrency and if you are lucky it will be $5,000.”

O’Rourke says sometimes it’s easier to pay the hackers off, but there is still the risk of not knowing if they are off your system or not, or what information they stole in the meantime.

“At the same time, you get a malware bug and they sometimes ask for millions. They know who they’ve got, they’ve done their research really quick and they go ‘ha, they have money!’ The value has now gone up.”

Why is hacking so easy? O’Rouke says it’s because we make it easy.

“Our systems in most cases aren’t set up to prevent a hack. We are so worried about the rest of the business . . . There are so many facets of our business that we don’t always think of this side of our business, but by not thinking about it we’ve increased our vulnerability.”

O’Rouke said it pays to pay attention to security updates to your systems because they are there for a reason. He says it also pays to change your passwords often and to test your system for any weaknesses.

O’Rouke said one of the issues with cyberattacks is that sometimes it takes companies months or even years to realize that an attack is even happening.

“It might take minutes for them to hack your system, but years for us to find it,” he said. “If they are sitting in the background doing their thing, they can sit there and watch. They can slowly just bleed off data and information.

“People don’t discover a breach quickly. 169 days is the average time to find it. That’s a long time, that’s half a year. We’re not looking for them. We don’t know it’s there.

“Businesses are not patching their systems on a regular basis, you are not identifying the loopholes or the weaknesses and it’s not being fixed.

“People aren’t testing their applications for vulnerabilities. How many of you have tried to cyber attack or steal information from your own system? Probably nobody.”

O’Rourke then went over some examples of different ways cyber attackers have been able to infiltrate systems or scam people into giving them information.

He shared some tips on how to identify attempted cyber attacks, or attempts to get at company information through emails, surveys, websites, unsecured networks, and other electronic means.

“The reason that this is happening more and more is security fatigue,” he says. “Changing your passwords every month, all the passwords you have, you have hundreds of them nowadays, it’s fatigue, you just don’t do it anymore. Well, they are betting on that. The less often we change our passwords, the more risky we’ve made it on ourselves. The more vulnerable we have made ourselves, both at home and at work.”

O’Rourke shared a number of important things that people need to consider as business owners or individuals.

“Have you completed an annual cyber security health check? In most cases the answer is no. How are you prioritizing that in your budget and resources? Most people aren’t budgeting anything for security,” he said.

“Have you developed and implemented cyber security safeguards? What are you using for threat detection?

“Are you testing for potential exposure or vulnerabilities?

“Have you developed cyber security educational training practices and procedures? Are you talking to your team about internet usage on a regular basis?

“Boards and executives should have adequate access to cyber security expertise.

“Do you have a clear understanding of your supply chain vendor’s contracts, things like that that can be impacted. There are lots of businesses that do their ordering online. It could impact your supply chain. They could take over the supply chain and you don’t get any product.

“Have you considered purchasing cyber security insurance? It’s important. We don’t like insurance because it costs us money, but we love it when we absolutely need it.

“Is your data reinforced? Do you have a continuity plan? What happens if it does get attacked? What is your recovery plan? Businesses are shut down because they don’t have a plan . . . The faster you get back up, the less impact to your business.

“Do you have an incident response plan for cyber security? Have you been testing things and patching critical assets?

“From a personal perspective, what can you do as an individual? Strong passwords, 12 characters, none of this 123456 or abcd. You should have capitals, characters, numbers, never use key words.

“Two step verification is common in a lot of businesses. You log in from outside your network, you have to get authentication, and it texts your number to your phone and you enter that number to get in.

“Keep your systems updated with the latest software. Run antivirus and malware.

“Back up your systems, whether it is local, cloud or offsite, but do a backup, not on the same server.

“Firewalls are good, they are not impenetrable, but they are good. Set your devices to auto lock out, especially if you have a public place and people are walking around your building. Retail is a good example if you have a till open and they get onto your system.

“Don’t add people to your profiles you don’t know. Look for social engineering attempts, don’t believe everything you see.

“Really just be smart. Be careful where you are browsing, careful where you are surfing, make sure your network is secure. If you have a problem or issue, call us, I can get someone on the phone pretty quick, we have a 24-hour response team that can deal with these issues.

“I’d like to tell you I’ve never used them before for clients, but I’ve been using them since I got them in 2015 and they are very helpful.”