Unlocking Electronic Signature Legitimacy for Non-Profit Organizations in Canada

How to eSign a document: electronic signature legitimacy for non-profit organizations in Canada

hello everyone my name is Kelly Hagan I am a partner a BDO and I represent the not-for-profit industry today I'm going to talk to you a little bit about cybersecurity we're going to go through sort of the cyber landscape I'm going to share a few examples with you of cases that have happened we'll take a look at some of the priorities for the not-for-profits and see how you can prepare yourself or protect yourself against cyberattacks we'll look at some tactics on how to do that and if time permitting we'll talk about some of the new PI PD changes so as we as you might be aware there's been an increase in cyber crime within the NPO space and in general it's high enough these days that the federal government intends to spend over $500 pipe for security 98% of not-for-profits and charitable organizations use social media for marketing and fun fundraising associate social media followers and donor lists are valuable hacker resources they get to do phishing emails to your donors followers and alumni and they ask for money on your behalf impersonating your organization on social media is a commonplace tactic that they use cyber crimes big threat to not-for-profit organizations they take the theft of donor information theft of any kind of personally identifiable information and they take they take advantage of not-for-profits because they have a reputation of being an easy target that is typically known in terms of the amount of money that not-for-profits spend in their IT environments in short now for profits have what hackers want so what would your stolen data be worth I find this an interesting slide because it reference it references a lot of organized you may be familiar with you might wonder why why they would be stealing the data when we look at some of these accounts like your Spotify account those dollar amounts or our per account as you can imagine as these accounts are tapped into and you think of companies like Spotify that would have hundreds of thousands and maybe millions of accounts or Netflix they they hold a lot of data so an attacker can get in and get a large amount of data very quickly the dollar values escalate very quickly in these particular cases the reason there's so much stolen data available is simply put the hackers they don't have a difficult time stealing this kind of information it's important to understand also that the stolen data is being resold in the black market there's something out there called the dark web and a lot of the sort of underworld that we would call it have access to the dark web and they use that as a place to transact these accounts so let's take a at the cyber landscape to get a better understanding of how and why these attacks are happening and what types of scenarios you might see so there's some attacks that are more common than the others and the few that are most common are denial of services this is an attack that involves flooding your server with requests so that means that the attacker will come in and continually start to try and access your server until it basically overloads the server phishing these are emails aimed to trick recipients into clicking on links and divulge their credential information see if we've all heard of these type of emails where they'll log in pretending to be somebody they're not maybe like the CRA or your bank and ask you to verify information at which point then you actually divulged your credit card or username and password type information and that gives them immediate access to to that information very easily social engineering using psychological cognitive bias to trick people into divulging information this is one that'll say click here for more information it will impose something like a helpdesk number but it's it's very psychological in kind of tracking what you're doing and what type of information you're interested in it's a little bit like when you go on to an Amazon and you'll search for a particular item that you want to buy and then in the next week following you'll see emails or advertisements about the products that your you are looking at so that's the same type of thing it's just used for a more deviant reason a malicious insider so these are people that work within your own organization they could be disgruntled employees selling or leaking information they can be very dangerous and so it's not always easy to identify those particular culprits and then of course there's ransomware which we've heard about more more in the last few years this is a malicious attack on data where the the attacker will encrypt your data right on your hard drive and then typically demand something like Bitcoin or cryptocurrency payment to unlock the files of course there's all kinds of other attacks that we need to be aware of you know and some of these are hard for us to identify especially when they're new and emerging technologies certain type of web attacks and then just general lead security breaches and insider risks so let's talk a little bit about the phishing emails I think we've all probably seen them and maybe even you know had them pop up in our own organizations quite often they appear to be quite legitimate right so in this particular example it's an iTunes account and is you know asking you to click on a link they typically ask for some sort of action for you to take and they'll be seeking information whether it's names and addresses usernames and passwords or accounts and credit card information the interesting part about this is that despite repeated warnings about phishing campaigns emails remain the overwhelming method of fraud fraudsters to rely on delivering malware so that means that we are still as a society very susceptible to clicking or or addressing these types of emails and allowing the fraudster into our environments there's something also called spear phishing which is kind of funny because we think about phishing in terms of the sport but spear phishing is really the same as a phishing email but it's tied to that psychological of a targeting that we talked about in the slide before it means that they're they're actually thoughtfully going after certain demographic or geography or some sort of controlled group right so it could be things that you're specifically looking at at social media and it's usually done at the executive level so invoice messages are the number one type in fishing lure and the average click rate of a phishing email campaign is 20% that means that at least 20% of the modes of fishing are clicked on it only takes one person to open up the environment so this is kind of a crazy slide but I think it's worth talking about because I'm very interested in the timeline so if you sort of follow the the horizontal red line and from 2010 up until 2017 you will see the dramatic effect and impact of ransomware attacks on our infrastructures over the last you know say five or six years and how prevalent it is in the last two years the ransomware activity is dramatically increased across the world's not just in the NPO space but we tend to be typical targets cyber criminals realize it's relatively simple to use and it's virtually untraceable which is why they're dealing in Bitcoin in in crypto currencies so let's talk about mobile malware fraud temps or mobile channels is drastically increasing if you think about our phones we have them with us everywhere nowadays and we're using them for more more types of activities mobile platforms are one of the fastest growing targets for cyber criminals most of cyber crime crime is now mobile and it's over 60 percent of the online fraud activity that's happening if we start to look at some of the statistics around the cyber platform for 2018 we'll see the P IT security is a non-negotiable you need to have a strategy and you need to be aware of all the types of attack surfaces that you can be engaged with so when we look at some of these statistics 146 days is the average time an attacker is in a network before it's detection I find that a really scary statistic to think that somebody's in your environment for you know pretty much half a year before we even know they're there think of the amount of data they can have access to if we look at 63% that represents a network intrusion of compromised user passwords that means that if we don't have secure and passwords in place within our organization and actually enforce the changing of passwords within our resource pool we are highly susceptible to having someone be able to infiltrate our networks forty-one percent of people who are unable to identify a phishing email so we talked about that earlier being one of the number one ways that they gained access is through these phishing emails and we all like to think we're smart enough to do it er but it is still the number of people that don't identify them and end up clicking on them is quite high and then if we look at the the 522 dollars it's the average ransomware demand in 2018 this is the per per account type cost that they're looking at the number is dropped since 2017 which is really just a supply and demand it means that they're having access to more and more ransomware so the cost is actually dropping because it can get simply there's more people out there doing it you 60% of small businesses that go out of business after a cyber attack this one is particularly concerning to me especially in the NPO space because our businesses our organizations are there for a cause and causes and they're not necessarily to make money yet the risk that we that we would face if we were we have a severe attack would be that our mission would likely go out of business surely by the cost of trying to pay to recover so that's an alarming statistic and we want to make sure that that that we're not falling into those percentages so let's take a look at a couple of case studies just to give you an idea of some of the things that are going on so let's talk about the the city of Atlanta so they had a two point six million dollar ransomware cyberattack it basically crippled the critical municipal systems within the city of Atlanta they were hit with a ransomware message locking their respective files and demanding a profit approximately fifty thousand Bitcoin in order to basically unencrypted their files the ransomware was believed to have come from a group called Sam Sam which has been operating since 2015 now you may not have heard of Sam Sam but it's just an example that these are very organized and no one organizations that are actually creating this fraud they just you know the ability to shut them down it is been difficult the interesting part about this attack was that they weren't able to get the all-clear on their computers until five days after and many of the city systems were still not recovered even after that at least one-third of the 424 software programs at the city ran they remain offline today and are inoperable the cost of paying out the ransomware is only a portion of what happens if you're lucky they'll uh negate it in life we'll move on but more likely than not there are programs that are either out of date version wise that when you recover them they won't work in less environments are updated and the cost of that and the time of that is where you really get into trouble so it it was noted with the city of Atlanta that about nine point five million dollars would be needed to be added to the department's already thirty five million dollar operating budget for IT just to recover from the damages so it's one thing to have to deal with the ransomware it's another thing to have to recover afterwards and the updates that would be required it is one of the reasons that you should have an IT strategy in place and we'll talk about that in a little bit another one is simply financial they had ninety thousand clients and two of the biggest retail banks reportedly suffered a data breach receiving an email apparently from the hackers for demanding a million dollars in cryptocurrency or customer names and information would be released so in this case it was more that they were going to release private information to the public if they didn't get the ransomware email included unencrypted customer name Social Insurance numbers answers to security questions and passwords that they stole they believe in this case that the attack came from outside the country so another interesting thing that we'll talk about some tactics to protect yourself will have to do with geography so what are the top priorities for the NPOs how are we going to take care of this and how are we going to help ourselves so that we're not as vulnerable to the cyber attacks the number one thing you do is employee training the more that we train our employees about phishing emails and how to resolve and protect your organization the better off you are I'll give you an example I had a client of mine that was trying to be proactive in in knowing where their companies have in terms of phishing emails so they sent out just recently a Halloween evite card through their through their network and this was a controlled release they did it themselves and they wanted to get an idea of what the click through ratio would be within their own organization so we heard earlier it's a you know a fairly high number but when they took it down to their specific organization they were shocked to find that 40% of their employees clicked on there on the halloween card even though it had no recognizable send so it was and by somebody that they wouldn't recognize so that means they weren't expecting the email they didn't recognize it sender and felt compelled to open up the the halloween card what it told them was a couple things first of all their employees still required further training and second of all they were surprised to find that it was their senior most people in the organization that we're clicking through at a higher ratio than their their lower level staff so that was a pretty pretty compelling information so what we do find with training especially around cyber security is that we typically will do training of employees on their onboarding so when they don't join the organization we'll talk to them about you know password protection you know phishing emails insecurity of locking their laptops but we don't ever circle back around to it to make sure that they've been properly updated and reminded on an ongoing basis so huh a couple training talk topics that you can you can implement right away so leaving computers unlocked or intent unattended if we ensure that users appropriately lock their machines when they're not and use it it's a very easy and quick way to secure that that nobody's grabbing their laptop or data off their laptop when they're not looking teaching them about the phishing emails as we talked about so having them make sure that they're not opening unrecognized emails I think we've talked a couple times about statistics but 40% of them individuals surveyed could not identify a phishing email so that's different than not clicking on that they're not even recognizing when they shouldn't click on it so I know curiosity always gets the better of us in some cases but the idea that they are not recognizing and tells us that we need to provide them some training the next one is remote working as we've moved into a technology we're working from home were working from different locations is the norm we have to remind our resources about the types of locations and where they are safe so for example working in internet cafes or Broncs or libraries or public places there are people that sit in these locations and they will basically do packet sniffing allowing anyone to connect to the same hotspot and then looking at the data that's going across a traffic and this includes emails which some people will may not be aware of they should make sure always that they're using a secured protected URL when they're trying to do any remote work like that it's one of the reasons our mobile phones are susceptible is that we're carrying them with us all the time and we may be connecting to wireless public wireless networks on a regular basis so we should be careful about the type of data that we're transferring there just a few other training topics that may me are not not completely technology-driven but are still good reminders is we have to remember to shred paperwork if there's you know private information on them and it's no longer necessary just throwing them in the garbage isn't always the best way this used to be the way hackers I would provide or gather information on us was literally by going through the garbage so it is important to make sure it's shredded having good data encryption policies if somebody was to steal your laptop or phone or tablet you want to make sure that it's encrypted so you should have a company policy around that certainly backups unfortunately we still see today that there's organizations that are either not backing up their data or they're backing it up within the same domain or environment that they keep their production environment in the case of a cyber attack or a ransomware attack if the data was actually backed up properly in a separate location that was not accessible at the same time you have a much better chance of being to ward off the ransomware or fraudulent criminal by just simply restoring your data antivirus and firewalls are so very effective they need to be kept up to date so that they're you know as those new and emerging technologies are coming forward that they're being able to filter them out and then lastly being aware of SSL Certificates and this is just making sure you have a base level training that says that if a security warning pops up that we don't blindly just accept them but we may contact the vendor to say that their security certificate is out of out of date and it needs to be updated okay so let's look at a few tactics on how we can prevent fraudulent donations or other fraudulent transactions within our organization so creating a strong cybersecurity foundation grow your organization's understanding of the core cyber topics what type of cyber threats vulnerabilities and attacks you could be subject to make sure that you have your risk management structure so understand the risks that if you don't have some of your some of the security positions in place that you understand what the risks that you're facing in that case have intrusion prevention and detection so we talked about the number of days that a an attacker could be in your system there are ways to understand you know either prevent them from accessing or at a minimum detecting if they're there those are some things that you might want to consider and then incident response and business continuity I think we may all have time talking about how to prevent a cyber attack but we don't necessarily talk or have in place a plan should that happen to us and that includes you know communication either to the community or within our own organization how do we maintain our business while we're going through that these are all the things that we don't like to have to worry about but it is good that we have a plan should it happen undertake a risk assessment so you don't want to rely on compliance alone you want to make sure that you understand what your security gaps are and then understanding how you can prevent them some of the things that a risk assessment may involve is a prenta tration testing this is a controlled attempt to access your system by somebody who's educated in how cyber criminals do access and try to then close those gaps there's also a vulnerability assessment and this is just - again to look at different ways that they may gain access and to understand how vulnerable you are in those situations the phishing test is much like the Halloween II card that I talked about client of mine did can actually have yourself or or organizations that are out there to help with these risk assessments do a phishing test which means they'll put a control the email out to your organization and then measure the click-through or the opening of the email you can go so far as to have an ethical hacking this is really about somebody actually hacking your system that is actually doing it for for good and not for bad and their purpose there is to identify where the hacks could get in and then the encryption of the mobile devices plus tablets and phones review in-house development so one of the areas that can be at risk and it's not just to npos but it is something that we've known for is again the infrastructure side of things look at your software that's in place and if there's custom development or custom you know sort of access points then you want to make sure that they have the proper security in place to make sure that they're not accessible through through a backdoor developer or some other method like that make sure your vendors are providing information about their own cybersecurity practices so as we're dealing more with cloud type solutions we'll want to make sure that if we're using a cloud type vendor that they have good security practices in place make sure that the data that you have is protected this is following PCI compliant and it could be multi-factor authentication so dual fine in credit card and payment information securely encrypted or stored in a in a vendor environment so some of you may have worked with credit card companies that ize and you store the and not the credit card information and that's one way of protecting that particular vulnerable data and then of course your IP security trying to block certain types of IP addresses that are accessing your system one of the ways that you can do this if you know that your that you're not working outside of a specific geography so maybe your organization only deals in Canada then you can actually have your your IP security tuned to not allow access from an IP address outside of your country and that can limit down you know as in the example from simply their attack they believe came from outside of the country and had they had IP security did not allow access through an external geography they may have been able to shut that down and then lastly just on your website encrypting the traffic to and from the website using those SSL certificates so keeping your donor data secure there's a couple things here that you might want to consider clearly define what donor data can be released and under what circumstances this is educating your resources that they should not be releasing donor information whether that be a third party or a known vendor request there should be some kind of approval process within your organization before you release any data limit the number of staff that have access to donor data or any personal identifiable ssin this is really just about controlling access to the data so that you don't have either internal resources that could be leaking data and that that there's not a you know an inadvertent risk to having data released and then all donor data should be encrypted ized or using pseudonyms so this is really around donor financial information if you have recurring type donors that are using maybe credit card or EFT type transactions you'll want to make sure that data is really secure I think it's also really important to consider the social means as good as social media is and it we've certainly watched as the world's evolved into the expanse the expansion that we can get in the world through social media so it takes our advertising and our you know just general visibility of our cause to a higher level but we have to be careful with the the social media activity and we have to monitor this may mean checking our own Facebook pages and things like that to make sure nobody's impersonating them and make sure that we have proper password management in place we've identified and in seen organizations and in particular in a not-for-profit space where Facebook pages have been copied and made to look exactly like our Facebook pages and they actually then to redirect the donations to a new page where they're taking the money from you and if you're not checking you may not even know that excess so there's the paradigm shift cybersecurity by design you know we have to have a more proactive approach to cybersecurity we can't sit back and wait for it to happen and we can't not put our focus on this because it is something that can actually be crippling to two organizations so let's talk a little bit about the changes for pipe EDA and it's important to note the date is very relevant just recently in November 1st 2018 that we've released some new changes and they have to do with around breach notification this means that that you now have to report to the office of the Privacy Commissioner if there is a breach you have to directly notify affected individuals there could be indirect notification in special cases which I'll talk about in a moment and then record-keeping of all breaches so basically under the new Pepita provisions any kind of data breach or a breach of security needs to be known needs to be courted basically to the government under the office of the Privacy Commissioner they will at a level of harm and the real risk of significant heart to an individual the term significant harm includes among other things bodily harm humiliation damages to reputation or relationships financial loss identity theft and so on so it is important to know that it now becomes the responsibility of the organization that has the attack to to make these notifications so an indirect notification must be given by public communication or similar measure that could be reasonably be expected to reach the affected individuals so this is when you have a significant breach and there could be thousands of individuals affected than it needs to be a public announcement so again there's going to be levels of harm that are identified and and then the course of action will come after that it can even get to the point that the god and choose to have to monitor your systems on your behalf or put specific security compliance is in place to make sure it doesn't happen again so how do you prepare for this so preparing for November first we're already past November first so these are things it should be in front of mine for you now is have some policies to ensure that you have the systems in place for internal monitoring and tracking of any kind of data breaches ensure that you have a policy in place to address containment of of these notifications so if you are part of a security breach a cybersecurity attack then make sure that you have a level of communication setup and an ability to access the level of harm so that you can understand the communication strategy you need to follow sure that you do notify the OPC or the Privacy Commissioner and make sure that you understand what your safeguard what safeguards you do have in place for that communication like I said they may may come down to a form of regulatory investigations that they will will have have imposed on you to make sure that your systems are secure and then have a game plan for the communication and the continuity of business so that you know how to respond to a cyber attack and that you're not thrown into chaos unfortunately one of the side effects of not following the Pepita standards is that you could be fined and that's something that none of us want to have happen so the question is are you prepared are you prepared to in the case of a cyber attack are you prepared in terms of educating your staff and are you prepared in knowing that your systems are in a state of security where you can monitor and assess the risk of exposure the time is now and it is important for us as npos to pay attention to these significant technology advancements and understand that there is unfortunately a criminal activity hitting hard into the IT sector right now and at particular risk of the npos due to the reputation of not necessarily spending the money or having the money to spend on on tighter security practices so I hope this information has been valuable to you you know it's unfortunate that we have to think about these things in our world but it is better to have a proactive approach to cybersecurity than to be dealing with an attack and trying to recover from that I'd be happy to answer any questions for you I can email me at kay hagan at be dota I look forward to speaking to you again soon