11
DEC 2017/JAN 2018
CYBER ATTACKS A GROWING RISK FOR VIRTUALLY EVERY COMPANY Hackers Don’t Discriminate
I
t’s estimated that 55 per cent of orga n i zat ion s ex per ienced a cyber attack in the past year, many of which went undetected. Not on ly a re the th reats of cyber attacks rising, but so is the level of disruption and damage they cause. In addition to direct financial losses, the adverse impacts on an organization’s reputation and operations can be even more severe and long lasting. And it’s not just large corporations being targeted. “If you think it can’t happen to you r orga n i zation, th i n k twice,” cautions Ron Borsholm, B C L e a d e r, C y b e r S e c u r i t y Services for MNP. “Successful attacks have been made on small businesses, retail chains, post-secondary educational i n st itut ion s, not-for-prof it organizations and even minor hockey associations. Hackers don’t discriminate.” According to Borsholm, spear phishing and ransomware are two of the most common cyber threats. Spear phishing is an emailspoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. In one recent case, an organization lost significant money when the accounts payable clerk was targeted and asked by email to change a vendor’s banking i n fo r m a t i o n . T h e c r i m i nals then sent fake invoices to the organization, which were paid using the altered banking information. I n a not her c a se, t he ch ief financial officer at a not-forprofit received an email that looked like it was from a bank the organization used. It asked her to update her user ID and password and in the rush of a busy day she quickly complied. A few days later, it was discovered that hundreds of thousands of dollars had been stolen
Cyber Security
“If you think it can’t happen to your organization, think twice. Hackers don’t discriminate.” RON BORSHOLM BC LEADER, CYBER SECURITY SERVICES, MNP
Peter Guo, BC Leader, Enterprise Risk Services, MNP
and wired out of their account. Ransomware is a type of malware that prevents users from accessing their computer system unless a ransom is paid. In most cases, users either click a n attach ment i n a n ema i l or a link on a webpage which leads to their systems being compromised.
Borsholm recalls a small liquor store that recently fel l v icti m to such ra nsomwa re. While the company was only asked for a ransom of $500 in bitcoin (which they paid), it cost more than 10 times the ransom amount to fully restore their computers to a secure state. To add insult to injury, the perpetrator sent the business owner an unofficial receipt thanking them for thei r “i nvolu nta ry purchase.” “Many of these organizations did not have sufficient internal controls in place such as policies, procedures and training to prevent this from happening,” says Borsholm. “Other organizations put controls in place, but then fail to test them to ensure they are working correctly.” For example, in another ransomware attack in BC the company discovered their computer backups had not been working. “Without any backups, the company was essentially left crippled w ith a tota l loss of over six months of operational and financial information until the ransom was paid,” says Borsholm. Orga n i zat ions who accept c re d i t c a rd p a y m e n t s f a c e
Ron Borsholm leads MNP’s Cyber Security practice in BC
another concern. Under their merchant agreement, they are required to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS). “The PCI-DSS is a standard which requires a basic level of security and a lot of organizations aren’t aware of it,” Borsholm explains. “As a result, they don’t follow common security practices, which leads to potential credit card breaches.” Peter Guo has been working in IT security and audit since 1999 and is MNP’s BC Leader for Enterprise Risk Services. He says the first step in protecting your organization is to fully understand your specific situation. “Do you k now what you r critica l data is a nd whether that type of data is being targeted? Do you understand the strengths and weaknesses of your technology? What are the threats and what internal controls do you currently have in place?” Guo recommends a Maturity and Threat Analysis as a good starting point. This analysis provides the information you need to prioritize your risks and appropriately protect your organization.
Education across the organization is also critical through a formal and recurring awareness campaign. “G ood cyber secu rity isn’t just a matter of putting protective technology in place,” Guo emphasizes. “Threats and technologies constantly shift a nd p eople need to b e constantly reminded to stay vigilant. As organizations change, people enter new roles and have access to d ifferent systems, i n for m at ion a nd d ata, t hey need to know what’s expected of them when it comes to cyber security.” M NP offers a wide range of cyb er secu r it y ser v ices i ncluding Maturity and Threat A na lysis, PCI Compl ia nce consulting and audit, network vulnerability and penetration testing, and internal control assessments. In our increasingly connected world, cyber attacks are happen i ng w ith i ncreasi ng frequency and present very real risk for businesses of all sizes. If you’re not sure about your organization’s ability to withstand one, take action today to avoid a crisis and protect your company’s assets.
are you FUTURE READY? In our increasingly connected world, security has become an urgent issue for virtually every company. How prepared is your organization to handle a cyber attack or data breach? Find out what you need to do to protect your revenue – and reputation – with MNP’s Cyber Security Health Check. Contact your local MNP Business Advisor or Ron Borsholm, B.C. Leader, Cyber Security Services at 778.350.3562 or ron.borsholm@mnp.ca