What Small Business Can Do To Protect Themselves Now in Cybersecurity
The Current State of Cyber Risk
By Christine Maligec
Risk Watch, Summer 2015, The Conference Board of Canada, page 7
Perspectives From Those in the Business
This article is the second of three in a series on cyber risk. In the first article, we focused on how to start the conversation on cyber risk within an organization using SWIFT and scenario analyses. We identified that the conversation needed to engage cross-functional professionals to get a better sense of the enterprise-wide loss control and mitigation needs.

For this article, we centre on the current state of cyber risks from the perspective of those who work in this sphere and, as part of their responsibilities, have intimate interactions with this threat. We conducted interviews and captured the responses in a question-and-answer format. One company (which we called TELCO) asked us to guard its identity. We have also generalized the responses to protect the participants from cyber threats and possible negative attention from stakeholders. Christine Maligec was the interviewer, identified below as CM.
About the Interviewees

TELCO

The first participating interviewee is a telecommunications company, TELCO. The company engaged several cross-functional professionals internally to contribute an overall perspective to this article.

“Data breach … loss of integrity in your systems … recovery plans do not succeed. The Home Depot and Sony hacking incidents are good examples of what keeps us up at night.”

Tim McCreight

Our second contributor is Tim McCreight, Director of Enterprise Information Security at SUNCOR Energy Services Inc. Tim has extensive experience in developing and utilizing business continuity and disaster recovery plans throughout his career as a physical and IT security professional.

“We continue to ask ‘what if’ questions of our organizations and lead scenario discussions to try to stay ahead of evolving threats and systems vulnerabilities. I think all security professionals want to make sure that as a professional, we are less reactive and are working toward prevention and detection to reduce the effects of a threat.

In a previous role, we used to have analysts who would track and trend specific events, which we provided as a dashboard for leadership. However, the greatest value seen from this data was when synthesized to become intelligence to learn more about a latent, advanced, persistent threat. The way I have always approached it is to try to focus on maintaining services and to keep the entrusted information safe and secure.”

Scott Pidduck

As Senior Underwriter for QBE Canada, Scott Pidduck assesses cyber risk and knows its value from the claims he pays on behalf of clients. His Canadian and global view of cyber risk allows him a front-row advantage to the evolution of this threat.

“Recently the CRA performed a ‘phishing’ exercise with over 16,000 employees. Seventy-eight per cent did not click on the link, but 22 per cent did—even though they were advised of the exercise in advance. This could be very detrimental to any company’s systems should an outside source get access via the same methods.”
THE INTERVIEWS: EIGHT QUESTIONS AND RESPONSES

1. CM: Do you think senior leaders, in general, have an understanding of what cyber risk means? What is holding leaders and the board back from understanding cyber risk: understanding uncertainty of the risk, technical knowledge, or both?

TELCO: “Technology executives” have a good or better understanding; more so than business executives in their peer group in our organization. There are a number of factors affecting leaders from understanding this risk—including data quality, trending, benchmarking, and lack of relevant risk models.

TIM: Five years ago, most leaders might not have had the same awareness as they do now. Today, senior leaders have become more aware of this risk and we are seeing a greater profile for chief information security officers (CISOs) within organizations, including regular updates to their board of directors. A combination of factors, such as a lack of knowledge about the types of threats, user behaviour (training), and controls that contribute to the success or failure of these systems and their relationships seems to be a challenge for leaders, but the desire to learn is there.

SCOTT: I think they have a better understanding of what cyber risk means than they did before. It is very much a discussion topic at board levels due, in large part, to the massive (i.e., Target, Home Depot) breaches in the media. I feel that there still is some uncertainty of the threat, but with the landslide of information on this subject over the past couple of years, I feel the uncertainty is relinquishing.
2. CM: What would you say is the biggest barrier to any organization protecting itself from cyber risks and how can we bridge the discussion and acumen within our organizations without scaring key decision-makers?

TELCO: In the broadest sense, it would have to be the capital, like everything else, or the lack of commitment of capital. For many, security is an after-thought—more specifically, lack of security skills and capacity (capacity in terms of timelines and human capacity to identify, implement, and operate key controls).

Risk and information security professionals need to increase their profile in the organization by being a key player in decision-making committees and/or have direct access to board of directors, board-level risk committees, and executive-sponsored committees. From a work perspective, integrate cyber risk into a holistic risk view with ERM and consistent language—Threat, Vulnerability, and Impact—and participate in more benchmarking.

TIM: The human failures of controls are, in my personal opinion, one of the biggest barriers. The lack of awareness of the evolution of the threats and the misconception of technology controls gives the end user a false sense of security. Although the technology is better than it was a few years ago, it is not perfect. As well, not fully testing the business continuity/disaster recovery plans with realistic assumptions and stakeholder expectations for getting back up and running affects the success of any program. There is a need to invest in specific training on topics like Software as a Service (SaaS), Microsoft Office, Dropbox, and phishing, as well as general cyber security training for all staff. The combination of both targeted and specific training not only helps users become more efficient, but also protects an organization from victimization by corporate information leaks on social media or sensitive documents found unprotected on SaaS sites.

3. CM: How would you describe a “bad day” from a cyber threat perspective?

TIM: In my career, I endured a few bad days: external intrusions, natural disasters, human failures of controls, loss of a data centre, and key passwords compromised. However, the worst day I would not want to see is a major release of health care data. It is such a personal and private intrusion.

SCOTT: From a cyber underwriter’s perspective, a bad day would be a collapse of a large Cloud computing company (e.g., Google, Amazon, and Rackspace). This could create a number of systemic issues within the commercial sector. System outsourcing becomes something very common for the corporate world due to a number of factors—security, costs/budgets, limited office space, and efficiency, most of all. What we, as an insurance company, look to is not just individual loss scenarios, but a systemic scenario such as the above.

4. CM: What are the most common threats you or your colleagues are experiencing?

TIM: Organized crime is still a common source of threat. Cyber crime is an inexpensive way to operate without violence. The risk of prison is relatively low while the payoff could be in the millions, if not billions.

SCOTT: What we are seeing in the marketplace with relation to cyber claims are hacking-related events (denial-of-service attacks (DDoS), phishing, malware, Cryptolocker extortion, social engineering, etc.). The next biggest threat we are seeing is employee-related breaches. This could be as simple as a misplaced laptop or lost USB key, but also could be a rogue employee who is taking and selling specific data or providing access to information to others for their individual gain.
5. CM: What gives you hope that you or your organization will not experience such an event?

TELCO: We have strong, experienced security leadership that actively participates in industry-sharing events, targeted communication, and education and awareness, which gives us comfort. In addition, our solid governance and comprehensive programs for the controls, policies, collaborative business involvement in security strategy, and a good profile with direct access to board and executive-level committees help with “tone at the top.”

TIM: Information security professionals are starting to drive home the message of being resilient. We have changed our messaging to be more realistic so that it is not a matter of “if” but “when.” In addition, when leaders are making calls to engage you for information in the decision-making process, it proactively closes the gaps in your programs.

6. CM: How does an organization stay ahead of this rapidly evolving threat?

TELCO: Sharing cyber threat information with internal and external partners as well as participating in industry forums. Because the “bad guys” are already good at this, we have to be equal or better. Ensure the sensors are on and information is consolidated and analyzed. We investigate alerts and take action to shore up defences as required. Hold executives accountable for controls and compliance. Conduct regular security testing on all assets and suppliers.

SCOTT: The irony is that most companies spend roughly 10 per cent of their time focusing on system security, and the “bad guys” spend 100 per cent of their time trying to break in. Having network assessments performed on a consistent basis helps to identify potential vulnerabilities in your system. This can be somewhat costly to most insureds, but having the results to help build your system security strength can save you greatly over the long term. Another way to stay ahead is to have a well-structured and detailed incident response plan that is in practice. Always prepare for the worst and practise the organization’s response often.

7. CM: Where do you see the opportunity in cyber risk?

TIM: The opportunity would be if we get the concept of cyber risk into post-secondary institutions and make it a part of mandatory learning for those who are looking at work in web design, media, and information technology/systems. It ought to be fundamental learning early on before students apply their training in the real world, but we are not there yet. Also, having security practitioners learn to speak other business languages and communications skills so they can connect better with business leaders.

SCOTT: The opportunity comes from awareness and knowledge-sharing of this risk between organizations. In the past five years, I have seen the evolving acumen of this risk that comes from executives and professionals having dialogue with other organizations. The information-sharing is proactively identifying vulnerabilities and threats.

8. CM: How do you see cyber threats evolving in the future?

TELCO: Threats will evolve to be quicker and more sophisticated. And we will find it harder and harder to catch up—choking productivity, as the directions of technology evolvement and security needs are moving in the opposite direction. We will likely see increased targeting of the “weak links”: supply chain/external users, end-user behaviour, and call centres. There will be a focus on the mobile platforms and smartphones with an increase in state-sponsored cyber attacks.

TIM: The interest focused on an asset varies, depending on who is trying to acquire information or do harm to your organization. More and more professionals in my field are seeing breaches of not only credit card data, but birth/death records, health care files, and lists of political contributors. “Shame” campaigns in the social media with “hot button issues” is one way this information is used. This could affect many people from contributing to democracy or put forth very embarrassing, personal information on someone that could affect them for the rest of their life.

SCOTT: Cyber risks will develop further than just the hacking of systems and theft of personal and corporate information. There have been more and more articles around state-sponsored cyber attacks. I feel that this is just the tip of the iceberg and cyber warfare is very much a growing concern for governments all over the world. Also with the increasing reliability and build-out of the “Internet of things,” this is just another access point for cyber criminals to access and harm individuals.
INTERVIEWEES

With over 30 years of operational experience in the IT and physical security realms, Tim has extensive theoretical and practical experience with security for today’s digital age. Tim’s focus is not just on building great systems, but on developing business continuity and disaster recovery plans to make sure his organization can continue to add value to its customers. Tim is very forward-thinking in his constantly evolving line of work. He recently completed his master’s in science (security & risk management) with Merit. Tim is also a regular contributor to Canadian Security Magazine and is the Regional Vice-President for Region 6C (Saskatchewan, Alberta, and British Columbia) of the American Society of Industrial Security (ASIS). Tim is a Director at Large for (ISC)2 Alberta, and is a member of two ASIS International Committees: the Information Technology Security Council and the Critical Infrastructure Working Group.

Tim McCreight, MSc, CISSP, CPP, CISA
Director, Enterprise Information Security
SUNCOR Energy

After completing his business administration diploma, Scott began his insurance career at ACE Canada as an errors and omissions (E&O) underwriter. Over the past decade, Scott has looked at E&O risks from both a Canadian and global perspective. He has gained extensive knowledge of the professional liability risks facing individuals and businesses across a broad spectrum of industries, most significantly in the technology, media, and cyber areas. Since joining QBE in 2012, Scott has worked in partnership with brokers, sharing his knowledge of the ever-changing risks of professionals and businesses, and developing market-leading solutions to best address those risks.

Scott Pidduck
Senior Underwriter, QBE Canada

Christine Maligec is currently the Risk Officer at Alberta Blue Cross. With over 12 years of risk management experience, Christine is able to bridge her understanding across multiple industries and disciplines to look at risk from a holistic perspective. In 2014, Christine started an informal, grassroots ERM networking group in Edmonton. In addition, she supports the Strategic Risk Council by co-chairing its mentoring and coaching initiative as well as sitting on an advisory and executive committee. As an active Risk & Insurance Management Society (RIMS) member, Christine has been involved with her local RIMS chapter for almost a decade and is presently the social and events chair.

Christine Maligec, CRM-E, CRIS
Risk Officer, Alberta Blue Cross