How do I protect my email data?

We all send generous amounts of information through email every day. Some of these emails are harmless, but many contain information that matters a great deal to you. So, have you ever asked yourself whether email is a secure channel for sending all this data?

The risks associated with sending sensitive information through email

It is very easy to accidentally send an email to the wrong recipient. You also have no control over what happens to your emails once you send them. Your recipients may well forward them to all their contacts. A malicious user could intercept your emails as they travel over the web (e.g., via your recipient’s Starbucks Wi-Fi connection).

The impacts of divulging sensitive information through email

Loss of credibility

For example, you are an insurance broker and you accidentally send an email to one of your new clients (Frank) that was intended for another client (John). This email happens to contain a lot of information about John’s insurance policy, such as details about his health. Frank realizes that you are not conscientious about protecting your clients’ files and he loses confidence in you. After speaking to colleagues about this, Frank ultimately decides to not renew his contract for the following year.

Furthermore, questions remain: Should you notify John of the incident? What will he think of this?

Identity theft

You send the personal data of new employees to your group insurance provider and a malicious user intercepts the email. That user now has all the information required to fraudulently steal their identities. Ultimately, the fraudster obtains a credit card and makes online purchases on top of securing a loan from Desjardins, all in the name of your employees!

So, how do you now go about sending information by email?

When it comes to good cyber security practices, there is one very simple rule: never transmit personal or confidential data in the body of an email. It is not secure. Instead, put the sensitive data in a separate document and save it to a portal that only your client can access, or encrypt the document using a highly secure password.

In other words, before sending any email, you should always start by asking yourself whether the unauthorized disclosure of the data it contains could cause serious damage to your enterprise, clients or partners. If in doubt, apply the same rules as if you had answered yes to the question.

Though it is not always easy to know what to do, here is an incomplete list of information that should never be sent through an unencrypted email.

Personal data

  • A name associated with a birthdate, an address, a bank account number, or a driver’s licence number.
  • Information contained on a passport.
  • A social insurance number.

Confidential information

  • Information about a contract.
  • Detailed descriptions of manufacturing processes.
  • An enterprise’s development and commercial strategies.
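The rule above (never put personal or confidential data in the body of an email) can be backed by a simple pre-send check. The following is an added example, not code from the original article or from the CyberSwat Group: it scans an outgoing email body for some of the identifiers listed above (a social insurance number or payment card number that passes the Luhn checksum, and a birthdate), and flags the message so it can be replaced with a portal link or an encrypted attachment. The sample email bodies, the SIN and card values, and the function names are all constructed for this example; real mail gateways and DLP products use far richer pattern libraries.

```python
import re

# Constructed sample email bodies (not real data) used to exercise the checker.
# The SIN and card number are well-known test values that pass the Luhn check.
SAMPLE_EMAILS = {
    "safe": "Hi John, the updated policy summary is available on the client portal. Regards, Frank",
    "sin_in_body": "Hi, here are the new employee details: name John Doe, SIN 046 454 286, DOB 1980-01-01.",
    "card_in_body": "Please charge the card 4111 1111 1111 1111, expiry 12/27.",
}

# Patterns for the identifiers the article lists (assumed formats: 9-digit SIN in
# groups of three, 14-19 digit card number, ISO-style birthdate).
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used by both Canadian SINs and payment card numbers.

    Cuts down false positives: a random run of digits (an invoice number,
    a phone number) rarely passes the checksum.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> list:
    """Return (category, matched_text) pairs for sensitive data found in an email body."""
    findings = []
    for m in SIN_RE.finditer(body):
        if luhn_valid("".join(m.groups())):
            findings.append(("social_insurance_number", m.group(0)))
    for m in CARD_RE.finditer(body):
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))):
            findings.append(("payment_card_number", m.group(0)))
    for m in DOB_RE.finditer(body):
        findings.append(("birthdate", m.group(0)))
    return findings


def check_outgoing(body: str) -> dict:
    """Decide whether a message may leave as-is; if not, say what to do instead."""
    findings = find_sensitive(body)
    if not findings:
        return {"allowed": True, "findings": [], "action": "send"}
    return {
        "allowed": False,
        "findings": findings,
        "action": "move the data to a client portal or a password-encrypted attachment",
    }


if __name__ == "__main__":
    for label, body in SAMPLE_EMAILS.items():
        result = check_outgoing(body)
        print(f"{label}: allowed={result['allowed']} findings={result['findings']}")
```

A check like this belongs at the point where the message leaves your control (a mail gateway or an add-in in the mail client), not only in the sender's good intentions: it catches the accidental case the article describes, where the right data goes to the wrong person, as well as the habit of pasting employee records straight into the body.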

The importance of training employees about the risks of email

You are now aware of good cyber security practices and should be in a better position to protect your personal and confidential information! But what about your employees? Are you sure they are aware of all the risks? Your employees have access to a great deal of data that must be handled daily. It is essential that they be as aware of these risks as you are. The CyberSwat Group has launched a cyber security prevention program that helps SMBs in Quebec better protect themselves against this type of risk. We offer you both a cyber security awareness program and tools to assess the level of risk your employees represent.

Follow us on Twitter, Facebook, or even LinkedIn.

A new trend: Your DNA for free participation in a contest?

What was bound to happen has happened: more than ever, YOU are the product. The era of cookies and web traffic analysis through Google Analytics has passed. New heights have been reached with a contest organised by Momondo, a travel search website. This enterprise, based in Denmark, has launched a contest that could allow you to travel to every country connected to your genetic heritage.

“Huh? How would they know where I come from?”, you ask? Nothing could be easier: they send you a genetic test kit to collect a sample of your DNA for testing. They then send you the list of countries connected to your genetic heritage!

Moving videos, but…

The campaign is nonetheless well designed. The videos are moving, even inspiring, and they invite inclusion. After all, we are citizens of the world! However, we should ask ourselves how genetic heritage and the results of testing can be used by this third party. Moreover, do we know how this information is safeguarded?

Thankfully, the terms of use of the contest (warning: they are very difficult to read) state that Momondo shall not have direct access to your DNA. Rather, the enterprise mandates an American medical laboratory called Ancestry International DNA, LLC, which has its own terms of use and informs its users that DNA samples and test results could travel to the United States and Ireland. Though we would have liked to learn more about the cybersecurity measures implemented to protect your data, these elements do not seem to be clearly defined in the terms of use of either enterprise.

Why be concerned by this?

In this particular case, there may be nothing to be worried about. All this data might be adequately handled and perhaps no data will be leaked. But do we really want to provide a third party with this information in return for a single chance of winning a contest? What would happen if, one day, you share your genetic heritage in another contest and a data leak occurs? Who knows what a malicious government, business or individual might do with such information?

In technology, we use the term “vulnerability” for a weakness that malicious hackers have found in software. They quickly exploit this vulnerability, and software providers must create a patch to repair the weakness and distribute it to clients. Does our genetic heritage contain vulnerabilities that could be exploited by someone else? How could we protect ourselves from these vulnerabilities? In technology, we can update systems, deny access and change passwords: it is not so simple with DNA!

So, do you wish to participate in this contest?

Please comment on this article on Twitter, Facebook or Linkedin.

A brand new series infiltrates the world of cyber hackers

The HACKERS series, hosted by Matthieu Dugal, infiltrates the world of cyber hackers

The French language CBC news station, Radio-Canada, recently announced that this fall’s line-up on ICI EXPLORA will include a new show hosted by Matthieu Dugal called HACKERS, a documentary series about cyber experts who work in the shadows. This is a great opportunity to learn as much about those who know as much about you!

Created by Les Productions Kinesis and Magasin Général, this series presents five 30-minute episodes that explore cyber hacking in all its forms: from criminal online harassment to cyberterrorism to identity theft and cyberbullying. Motivated by different reasons, these great digital experts also sometimes put their talents to use for the common good. Through interviews and stunning re-enactments, Matthieu Dugal demonstrates to what extent not only citizens, but also enterprises and governments, are vulnerable on the Internet.

To learn more

If you wish to hear Matthieu Dugal speak about this show, you will find below an interesting interview from the show Le retour de Gilles Parent on radio station 93.3 FM: interview on the HACKERS series.

Canada: many firms have had to pay ransom to malicious hackers, but there are solutions

The La Presse newspaper reports the conclusions of a study conducted in Canada and three other countries: 44 of 125 surveyed Canadian businesses had been victimised by some form of online extortion over the twelve preceding months.

According to the study, 75% of Canadian businesses that were victimised by ransomware had to pay between $1,000 and $50,000 to malicious hackers. Nearly 10% of these experienced untimely disruption to operations before resolving their problem!

Raising the awareness of your employees is an effective way to avoid paying ransom

Raising your staff’s awareness of online dangers effectively reduces the risk of being extorted for ransom. Though some technologies may help (antivirus, antimalware, antispam, etc.), malicious hackers often find ways to bypass such solutions. Therefore, all your employees must be vigilant and abide by the good security practices communicated by your enterprise.

Follow us on Twitter, Facebook or Linkedin.

Bring-your-own-device (BYOD) programs – introduction of new challenges and opportunities for organizations

Authors: Véronique Barry, Kateri-Anne Grenier, Norton Rose Fulbright

Original article

As the line between work and home is becoming increasingly blurred, the federal, British Columbia and Alberta privacy commissioners recently issued joint guidelines to help organizations: (i) reduce the risks of privacy breaches with respect to employers’ data accessed from employee-owned devices (EODs); and (ii) secure employees’ right to privacy regarding any personal information stored on EODs.

These guidelines apply to all types of EODs – that is, all desktops and mobile devices, such as smartphones, tablets and laptops – used to access corporate data, emails, communications, applications and other processes and information, and intend to address issues pertaining to: (i) risk assessment; (ii) acceptable uses of EODs; (iii) corporate monitoring and app management; (iv) sharing EODs; (v) connection to corporate servers; (vi) responsibility for security features; (vii) software updates; and (viii) voice or data plans.

Also, the guidelines emphasize that organizations’ BYOD programs should provide restrictions on: (i) cloud services; (ii) devices and operating systems; and (iii) information that can (or cannot) be stored on EODs. Likewise, the guidelines stress that such BYOD programs should address a number of issues, including: (a) user responsibilities; (b) acceptable and unacceptable uses of EODs; (c) access and security requirements; and (d) sharing EODs with family and friends.

Finally, the guidelines indicate that although BYOD programs can be part of an organization’s cost-reduction strategy, using EODs to carry out both personal and business functions may introduce privacy and security risks that could affect both personal and corporate information.

Accordingly, in addition to the foregoing, the guidelines set out a series of measures to consider, such as: (i) implementing mobile device management software to manage EODs that connect to the corporate network and putting proper authentication measures in place; (ii) signing, with each EOD owner, an agreement setting out the administration activities that can be performed on the EOD by the organization; (iii) partitioning EODs into two compartments (personal and corporate); (iv) implementing encryption, storage and retention procedures; (v) addressing vulnerabilities and malware protection; and (vi) providing adequate training for all IT professionals and users.

The CSX Cybersecurity Day – Presented by ISACA-Québec

On Tuesday, May 31, our president, Jean-Philippe Racine, gives a talk on cyber risk insurance during ISACA-Québec’s CSX Cybersecurity Day; the challenge at hand: captivating the audience as the previous speaker, Michel Juneau-Katsuya, did 🙂

Université Laval, Pavillon Desjardins, Cercle, 4th floor
2325, Rue de l’Université, Québec, (Québec) G1K 7P4

Event description

How do you manage cyber risk?

Cybersecurity is defined as the collection of laws, policies, tools, measures, security concepts and mechanisms, risk management methodologies, training, good practices and technologies that can be used to protect people as well as tangible and intangible IT assets.

In our everyday work as business security managers, we must face omnipresent cyber risks.

On this day dedicated to cybersecurity, we will explore a few aspects of cyberspace risk management and attempt to better understand the risks at stake. We will also attempt to offer a few tools to help you navigate the coming year. Don’t miss it!

Jean-Philippe Racine’s Conference – Cybersecurity and Insurance

Throughout the conference, Mr. Racine discusses the emergence of cyber-risk insurance products and the benefits of acquiring such coverage. He also reveals the principal characteristics of this type of product and presents the main challenges encountered by insurers and IT specialists.

Biography:
Thanks to his 14 years of experience in the IT sector, numerous certifications and extensive training, Mr. Racine now has more than 10 years of experience in cybersecurity. Beginning with server and firewall management, his career rapidly evolved towards security tactics and strategies.

Jean-Philippe Racine has been an entrepreneur for more than six years and founded the CyberSwat Group in 2015. The business specialises notably in cyber risk assessment adapted to the insurance sector, but also offers cybersecurity services to SMBs in the Province of Quebec.

Speak now or forever hold your peace!

Author: Christine A. Carron, Ad. E, Norton Rose Fulbright

Original article

Consultations on breach reporting regulations under PIPEDA now underway

In June 2015, the Parliament of Canada adopted the Digital Privacy Act (the Act) that amends PIPEDA to provide for mandatory breach reporting to the privacy commissioner and the affected individuals in circumstances very similar to those under Alberta’s Personal Information Protection Act. However, the reporting requirements do not come into effect until the regulations regarding the particulars of the notice have been enacted.

So now is the time to help shape the regulations that will define your obligations moving forward.
It will be recalled that the Act requires breach reporting if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm. It provides for three criteria to be considered when determining the answer to that question.

Stakeholders are being asked some 26 questions on a range of issues, including whether the criteria to be used for breach reporting should be further defined, whether the content of the notice should be mandated as well as whether and for how long details of any breach – even those not meeting the mandatory notice threshold – should be retained.

Preserving reporting flexibility

Under the Act and the Alberta legislation, organizations now have considerable latitude in the means of communicating information about a breach (email, in person, by mail) and the contents of that communication to the individuals affected provided that the notice is sufficiently detailed to permit individuals to mitigate their damages. This flexibility has served organizations well in the context of breaches covered by Alberta’s legislation and if stakeholders feel it should be preserved they should speak up now.

Equally worthy of commentary are the proposals concerning notice of the breach to third parties who are in a position to attenuate the risk of prejudice.

Adjustments for specific industries are possible

The proposed regulations have the potential to affect all businesses in Canada. Because the government has shown an openness to consider tailoring some of their provisions to industries demonstrating a need, it is important to speak up now.

After this initial consultation period, which comes to a close at the end of May, the government will publish draft regulations and will allow further public comment. However, it is always better to shape the regulations before they are published than attempt to modify them once they have been drafted.

Contacts

  • Christine A. Carron, Ad. E., Montréal
  • Kateri-Anne Grenier, Québec
  • Steve J. Tenai, Toronto
  • Anthony (Tony) Morris, Calgary