Into the breach – Cybersecurity in the window business
By Jack Kohane
Securing company information systems need serious attention.
By Jack Kohane
Breach: defined as infraction or violation of a law, obligation, tie, or standard; or a broken, ruptured, or torn condition or area.
Dread the darknet – the nether side of the internet. It’s out there lurking. Get pounced on and it can cripple a business. Ask Mike Bruno, president of the family-owned Everlast Group, a leading Canadian manufacturer of windows and doors. In late 2016, a malicious ransomware attack commandeered Everlast’s entire IT infrastructure. “The first sign we were hit by malware was when our IT consultant tried to log in online,” recalls Bruno. “An odd email popped up, saying that our IT network was locked down.” It was found that company files on the server were encrypted with a ransomware message demanding payment of four bitcoins (a total of $4,000 at that time) to unshackle the network. “We refused to pay,” stresses Bruno, who speaks from his 42,000-square-foot plant headquartered in Toronto. Incapacitated for business as usual, Bruno and his team struggled through the next three months, unable to access accounting files, financials and other smart-technology functions such as their sophisticated CNC machinery. “We had to outsource some of our equipment time due to the encrypted files in the programming,” he adds. Bruno opted to use a backup of his accounting software and re-create the data. Hardships included employees losing work hours due to the loss of the equipment; the unexpected extra costs to purchase and reconfigure a new internet server; and additional costs to re-install and configure a whole new sales application. “We pulled through eventually, but it was a tough challenge every day. Those ripple effects of that cyber breach could have ruined us.”
Tim Banks says it’s a sad sign of our times. “Businesses using information technology are prone to threats from ransomware and other forms of malware, and it can surely affect the existence of the business,” points out the Toronto-based senior counsel at Amazon (which supports the Amazon Web Services business). Banks explains that email phishing is a commonly used source of ransomware, and recommends that organizations should take steps to protect themselves from such attacks.
“It’s advisable to not open emails received from suspicious sources,” Banks cautions. By opening such mails and downloading the attachments, ransomware can quickly gain entry and encrypt company files. “It is always better to not open such emails rather than being a victim to a dangerous IT attack.”
Another enterprise imperative today is to keep network systems updated with the latest IT security features that are important for all business applications. Hackers can easily affect operating systems with outdated software, so it’s important to download the latest Windows updates as well as a reliable anti-virus suite.
“Hackers prefer trading in bitcoins as the transactions are completely anonymous,” notes Banks. “The source of payment cannot be identified easily.” He points out that hackers are becoming smarter day by day. “File backup helps avoid such attacks. This will prevent any kind of future threats and loss of information.” Organizations should back up their files by opting for direct-to-cloud solutions. It enables multiple controls and helps them to run numerous scans on their third parties, which can ensure data safety, security and easy recoverability.
“A good practice to safeguard against a cyber attack is to implement cyber security awareness programs and train employees regularly, so employees become aware of the latest hacking tricks and methods,” says Banks. “Organizations should prioritize educating themselves with the latest IT techniques so as to not fall victims to such attacks.” As well, before a breach occurs, Banks encourages managers to craft an action plan in advance. First, think about how to communicate the news of a breach. “Employees, customers and stakeholders need to know,” he says. Describe why and how the incident took place, and how it will be prevented in the future. The plan should guide the organization’s security policy and other best practices, such as password security, to prevent future incidents. Next, document everything you did, as well as everything you learned to help you avoid the same issue in the future.
Under federal law, Canadian companies must immediately report system breaches, what information was lost and how the attacker gained access. The information is to be reported to the Office of the Privacy Commissioner of Canada, who will decide whether it needs to be released publicly, or if that information can be used to alert other businesses to the hackers’ tactics. Organizations that fail to report data breaches to the privacy commissioner’s office, or fail to keep records of prior incursions, could face fines of as much as $100,000.
To help safeguard a company’s IT assets, beyond the standard anti-virus, anti-malware and firewall software, selecting cybersecurity insurance can mitigate against the potentially staggering costs of a cyber attack. And the time to select may be now. According to a recent news release issued by Aon, a leading global risk solutions firm, it’s predicted that in 2018 companies (small, medium and large) will have heightened cyber exposure due to a convergence of several trends, including companies’ increasing reliance on technology, regulators’ intensified focus on protecting consumer data and the rising value of non-physical assets.
“Given that Canada is one of the most wired countries in the world, cybersecurity insurance makes sound business sense,” enthuses Imran Ahmad, a partner in the Toronto law office of Miller Thomson who leads the firm’s national cybersecurity, technology and privacy law practice. “The internet of things today makes companies relatively easy to break into, where not even tech-savvy companies like Yahoo, Verizon or Ebay are immune to cybercrime. Cybersecurity insurance is hugely important today.”
Ahmad notes that cybersecurity insurance can not only cover the costs of the legal aspects after a security breach has occurred, it can also cover the costs of reputational injury, litigation defence costs and regulatory penalties, income lost due to business interruption and crisis management, including forensics and public relations.
Says Ahmad, “Insurance coverage is designed to encourage actions by policyholders to reduce their risk of loss from cyber attacks, so cyber insurance encourages increased investments in protection from attacks.”
Everlast’s new state-of-the art cybersecurity systems are designed to snare problems at the doorstep. The company has trained its staff to recognize when not to open incoming suspicious emails. The proper cyber insurance has been put in place, and a reputable server now ensures company data is as safe as possible. “As of now, everything is good,” says Bruno.