
Before the breach: Prevent and prepare for cyber attacks on your business transcript


(calm music)

Alan Mak

Hello, and welcome to our webinar series on cyber attack prevention and recovery. My name is Alan Mak.

I'm a partner and the national leader of Forensic Disputes and Investigations at BDO Canada. I'm pleased to kick off our series with a hot topic for today's business leaders: how to prevent and prepare for cyber attacks on your organization. In a following session, we'll discuss what to do after a breach.

Looking at today's landscape, every organization, regardless of size or industry, is under constant threat from cyber attacks.

It's not a matter of if, but when an attack will occur. This is the reality we live in, and it really underscores the importance of being proactive rather than reactive.

In this seminar, we're going to delve into the critical steps that you can take to prepare and protect your business from potential cyber threats, and best practices for mitigating risks, establishing robust security protocols, and ensuring that your organization is ready to face the inevitable challenges of the digital landscape.

Joining me for today's discussion are my colleagues, Chetan Sehgal, who is a partner in forensics, and Rocco Galletto, partner and national cybersecurity leader, as well as April Kosten, who is a partner and a lawyer who specializes in privacy and breaches.

Welcome, and thank you for joining me today.

Let's get rolling.

My first question is, notwithstanding what I just said about all of us facing such threats, I'm curious as to whether there are certain companies that are more susceptible to attacks.

Rocco, what do you have to say about that?

(calm music)

Rocco Galletto

Well, Alan, it used to be that threat actors would attack the largest organizations or largest enterprises. And you know, if I rewind back 10, 15 years, we would hear about banks, top retail, insurance being impacted. Today that landscape has changed. And what's driven the change is threat actor groups who collaborate, work together. They have better access to tools and systems and also capabilities across their ecosystem. And what has resulted is that much smaller organizations are also being targeted, so no one is immune these days. What we're seeing is a proliferation of ground-floor type of talent, and they're impacting organizations across all industries, and of all sizes.

(calm music)

Alan Mak

Let's turn our minds to how to prepare or prevent such attacks. What are some of the common gaps that you've seen in your practice?

Perhaps this is a question for April, who has provided coaching to organizations that have been attacked.

When you do the autopsy, what are some of the common gaps and issues that you come across?

(calm music)

April Kosten

Right, so first of all, as you mentioned right off the bat here, it's really a matter of when not if. So, the number one thing that my clients and organizations that I see are missing is just the expectation that a cybersecurity event may actually occur to them.

And what I always tell my clients is just like you have an emergency response plan for fires and fatalities and injuries, you need a cybersecurity response plan ready to go in the event you do experience a cybersecurity event.

I obviously focus a lot on the privacy side of things. And another thing that I think is really important to help mitigate the risk associated with a cybersecurity event is making sure you understand and follow privacy regulations, laws, rules. All too often I see companies who don't understand their obligations, don't have a privacy policy, and therefore are collecting way more personal information than they should be, which is exposing that much more information to a potential threat actor.

So a couple of things that are always important to keep in mind: from a privacy law perspective, you should only be collecting that information which you reasonably need to achieve a certain purpose. Overcollecting happens all the time. Don't fall into that trap.

Another big thing is making sure you have very strong retention and destruction policies and you actually follow those policies.

So again, from a privacy law perspective, you should only hold personal information for as long as you reasonably need to achieve the purpose or for compliance purposes.

But again, all too often I see my clients, following a cybersecurity event, realizing they have personal information from employees who haven't been employed with them for 10 plus years, and client information for people who haven't been clients for five plus years, and they shouldn't have that information anymore.

And by having it, you are just exposing your organization to more risk as well as the individuals whose personal information you have.

So, you know, making sure you're following privacy rules, understanding them, having a privacy policy, having an appointed privacy officer, training all employees from top to bottom on privacy law will really go a long way in mitigating the potential liability and risk you have in the event of a cybersecurity attack.

(calm music)

Alan Mak

Those are some fantastic tips. I mean, of course they're all right. I can actually reflect on my experience and see the truth of all that advice you've given. I mean, when a breach happens, that's not the time to figure out who you need to call or what button you need to press.

I chuckled a bit when you mentioned data retention and overcollecting information because, being accountants, many of us are data junkies and we love having data, but it's a very real risk when we overcollect, and it's just basically taking on risk that we don't need to take.

So speaking of risk management, there's a product out there that we've been aware of, our clients ask us about it and it has to do with cyber insurance, cybersecurity insurance.

We have with us Chetan here, who has experience in insurance advisory and claims advisory. I'm hoping he can shed some light on his thoughts about the role of cyber insurance and how it can help mitigate cyber risks.

(calm music)

Chetan Sehgal

Absolutely.

Thanks Alan. Yeah, great discussion thus far.

And you know, cyber insurance is actually a great tool. It plays a vital role in protecting an organization's assets from cyber threats. In addition to it being a financial recovery tool, which we would generally think of it as, the insurance companies actually provide a much-needed structured response system when the inevitable cyber incident takes place, such as the emergency preparedness plan April alluded to.

This is part of the incident response services that the cyber insurance providers increasingly provide, which includes things such as providing access to relevant service providers such as cyber experts, technical experts, legal counsel, breach coaches, forensic accounting professionals, and so on, as the need may be for that particular business.

As a risk management strategy, going through the process of actually qualifying for cyber insurance is often a very useful exercise for businesses to understand their cyber exposure.

Just to provide some context around that, for our clients who may be listening who have not done this yet: qualifying for cyber insurance is not as easy as it used to be.

Our team often works with clients to ensure they meet the technical requirements to satisfy the insurer's need that the client seeking insurance has a strong technical control environment, if you will, to prevent cyber incidents, including doing tests like ethical hacking, which, if anybody wants to learn more about, I'm sure Rocco would be happy to take a phone call and discuss.

Further, it is also very important to understand the financial impact of a potential loss, whether that's the cost to recover from the incident, to manage public image, loss of profits and so on. In addition to helping clients get insured, we regularly help our clients understand their potential financial exposure should an event take place, to ensure they obtain a sufficient level of coverage from a dollar-limits perspective, including professional fees coverage, which is an interesting concept.

You know, one of the things we always like to remind businesses is that when incidents like these happen and you hire experts, there is professional fees coverage built into your insurance policy. So you don't have to go at it alone.

Our cybersecurity and cyber insurance professionals can walk businesses through each step to help them qualify for insurance. And you know, the biggest thing to realize is that if you don't qualify for insurance, that's a real red flag, and it means that you're at high risk for a potential attack.

Alan Mak

Thank you.

I saw Rocco smile when you mentioned the process for qualifying for insurance, the assessment, because again, from experience I know that to be true: there is definitely value in that process alone. Having someone come in and assess your processes, identify gaps and room for improvement, there's a lesson to be learned in there for everyone as well.

So that's all great advice. Now let's give a chance for each of you to give your top tip. As we wrap up this session, I'd like to hear your thoughts on what is your best advice on how to prevent cyber attacks.

Rocco, would you like to go first?

Rocco Galletto

Sure, I'd love to go first. So in terms of prevention, quite often organizations don't focus enough time on understanding where their key data assets or information technology assets actually reside. So what is it that we need to protect, what's most critical to us, to our customers, to our employees, or just to our business as a whole?

So those critical assets, understanding where they are and how we protect them. What's also interesting is, and I heard it earlier around, it's not a matter of if, but when a cyber attack will happen. So having that preparedness plan and understanding that the controls are great, it's responsible to put them in place, making sure that, you know, configurations are just right. You've got the right policies, procedures to support those and the people to even manage them.

But it's also around making sure you're prepared for the future and the inevitable. So I would sum it up in that way, Alan.

Alan Mak

Thank you. I have a question for you. It occurred to me when you were speaking to that, is there an increased risk of being attacked again after it happens once? Is it a recurring risk? Once someone knows they can do it, they will do it.

Rocco Galletto

So what's interesting in the patterns that we're seeing is, for those organizations post-attack that don't recover in the right ways, there's a higher likelihood that they will get impacted again. So what's interesting is you have those organizations who have a plan, they recover adequately, and they identify exactly what controls were lacking, and then they fix those so that going forward they avoid similar issues.

But quite often organizations rush through it and they end up getting attacked again shortly thereafter.

Alan Mak

Lessons not learned, I suppose. Very good. April, what are your thoughts?

April Kosten

So I think one of the big things that organizations need to have on the ready is a list of your incident response team members. And that's including both the internal parties and the external parties, legal counsel and other folks.

When a security event happens, it happens fast, it's unexpected, and you don't want to be digging around for phone numbers and contact information. You already want to have some of those individuals lined up, those trusted advisors lined up.

So I think that to me is one of the biggest things to be ready and to have your team lined up. And then just going back to what I spoke about earlier, it's really the education and training side of things. Making sure that your folks are ready and aware of what to look for, and be ready to take action from there.

Alan Mak

For sure, the ready and aware is so important, because the weakest link is often the human factor. You know, it's hard to control what our people click on. And some of these emails, some of these invitations are very realistic. Some of them are just plainly silly, but others I've seen, they look like video emails. They looked like they would have come internally, and one could be easily fooled if not paying attention.

So ongoing training awareness is absolutely critical.

Chetan, what's your best tip?

Chetan Sehgal

I was going to say ongoing training, but I'll give you another one. No, I think it is, you know, having the internal control environment that Rocco talked about; it's very important. But I think really taking that broader look at who you do work with, the third-party risk, if you will, which I don't think we've talked about yet. Our working environment is getting so complex. There's, you know, a multitude of stakeholders, whether it's customers, suppliers, service providers, that businesses rely on to carry on the day-to-day activity.

You have to really understand who you're dealing with and perhaps obtain third-party approvals or audits on those entities' IT controls and environments to get assurance that the people you're working with, your partners, are also doing as much as you are with respect to the prevention of an attack.

I think that would just add that extra layer of protection, because you can be as protected as possible, but if some of your partners are not as well protected, that could really hurt you.

Alan Mak

Thank you very much each of you, Rocco for your insights and practical experience, April, for your lawyerly guidance, and Chetan for your forensic accounting perspectives.

I hope our audience has learned something new or, at the very least, we've been reminded of some important lessons; I certainly have. Now it's important to keep in mind that frauds and fraudsters are always evolving. These schemes are always changing. So it's important for us to stay on top of what's happening around the world, and be alert.

I hope you'll join us for our next session where we'll explore what we can do once we do get hit with a cyber attack. Thank you for joining us.
