Cybersecurity 101

Cybersecurity 101
hacker
By PKF Team Blog March 7, 2016

Cybersecurity 101

Human beings have a natural tendency to remember good times and push to the back of their minds some more difficult issues in life. Basically most of us have a tendency not to focus on things that are not perceived to be likely to happen in the short term and can overlook the inevitability of unexpected problems that will occur later.
Protection of an organization’s data is vital, especially in today’s environment where access to data is seemingly easily obtained, and is one of an organisation’s most important assets. Most organisations do have controls to prevent unfettered access to data through access controls etc. However, just like we can temporarily ignore the inevitability of future personal problems we can also overlook the certainty of potential breaches of our IT security over data. Where there is information there will be someone, somewhere at some time looking to access that data inappropriately.
The subject of data security is very broad and we thought it would be worthwhile to discuss certain risks that organisations can often overlook. Before doing so it is important to recognize the frequency of breaches of security, where they typically occur and the lack of knowledge and skills that are available in the market place. Recently the Information Systems Audit and Control Association (“ISACA”) conducted a survey of cybersecurity managers and published a State of Cybersecurity – Implications for 2016. Some of the highlights from that survey are summarized below:
image-blog
It is concerning that in organizations this amount of daily malicious activity is occurring. Organizations are obviously not taking their security responsibilities seriously enough!
image-blog
Clearly there are not enough skills in the marketplace to address the cybersecurity threats and organisations need to ensure that appropriate recruiting/screening and training practices are adopted.

Malicious Activity

Malicious Code

Malicious code/software (malware) is any software that gives partial to full control of your computer to do whatever the malware creator wants. Malware can be a virus, worm, trojan, adware, spyware, root kit, etc. It is very common for people to use the word “virus”. However, it’s just one of many types of malware.

The impact of malware can be very different. It includes using your computer (without your knowledge) to conduct attacks or spread spam/viruses to formatting your hard drive. Additionally it can build on your computer (without your knowledge) a platform for the next attack and encrypt your files. It can also ask for a ransom to be paid (Ransomware is another type of malware).

Malware mitigation controls generally include Anti-Virus, Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), firewalls, hardware and software for detecting Advanced Persistent Threats. However, as we know “a chain is only as strong as its weakest link” and the weakest link is not surprisingly humans. Therefore, security awareness training remains one of the most important controls.

Hacking

Although most people have heard of the term hacking many do not have a comprehensive knowledge of what is involved in this and what risks there can be to an organisation. A computer hacker is somebody skilled at manipulating computers. Generally, the term hacker is used to refer to a person who breaks into computer systems. Hackers may do this for material gain, to harm another person or as a prank. A hacker may also have more positive motivations — some hackers aim to expose security flaws before other, less scrupulous people can exploit them. While hacking is often thought of a computer expert sitting in front of a computer, hackers can also utilise social situations where an individual may inadvertently disclose personal information which then can used to break down passwords etc.

In addition where hacking occurs there are often cases where employees have valid access to information but can use this access for inappropriate uses. For an example an employee could access an organisations proprietary information for personal use or could pass that information on to third parties for personal gain. This can be detected by monitoring the transfer of large amounts of sensitive information from the organization and how this was done. In addition monitoring the timing of the use of computers can be done i.e. why is a person regularly accessing an organizations information at 10pm when he/she finishes work at 5pm.

When a network or systems gets compromised by hacking, we typically look for several controls:
• Preventative Controls: Intrusion Detection Systems, Anti-Viruses, Fire-Walls, Web Filtering Services; however these controls are good only for “known” threats, when vendors have developed signatures for them;
• Detective Controls: Advanced Persistent Threats are one of the most sophisticated and dangerous threats; only behavioural-like detection systems can detect and identify them;
• Security Awareness: despite all advanced technologies humans are the weakest point. “Security is only as good as your weakest point” – this statement relates to hackers but also applies to all areas of IT security.

Also there are many cases, when hackers are able to gather some minor but key information about employees by wearing “service” or “janitor” work robes, come to the offices and steal all sorts of assets (from documents to laptops). This can be prevented by building security, automatic logging off, passwords etc.

Additionally, the SANS Institute (a cooperative research and education organization) promotes the idea of laired security. This promote: a) company personal have good security awareness; b) company employees adhere to all types of security controls, from physical security (an employee must have an access card in order to enter to floor) to finishing administrative access controls (an employee must complete yearly security awareness training and sign the company compliance policy).

Online identity theft

Identity theft is a deliberate use of somebody else’s identity for impersonating someone else. The purpose of identity theft can be to facilitate financial gain (obtaining credit details etc.) and obtaining medical information (medical care or drugs), as well as terrorism and espionage (obtaining unauthorised information).

Mitigation controls for identity theft include security awareness, fraud detection and prevention software, strong authentication etc. However, conducting an Information Risk Assessment, which includes a Privacy Impact Assessment, is one of the key controls for managing risks associated with identity theft.

General Computer Controls

While the vast majority of organisations will have processes and controls in place to authorise its employees to have access to their systems and to ensure that inappropriate access is avoided including conflicts, these processes and controls need to be monitored on a periodic basis to ensure that they are still operational and effective.

Tip of the Iceberg

This article has described briefly some of the main cyber-security threats but there are many more that security conscious organisations should be aware of and have preventative or detective controls in place. Do not incur expensive security breaches – continuously monitor the position. There is no unique/universal model for protecting organization’s/company’s assets – there is no “ideal” security model. All companies and organizations are different: starting from the nature of the business and finishing with the culture and company’s style. This is why it is very important to engage security professionals, so they can assess, audit and develop the security controls, which are most applicable to your organization. PFC can assist with all aspects of IT Security.

Related Posts

hacker
How to defend your organization against fraud

The fraud perpetrated by employees, top management, or third parties is a vital risk and threat to any business that should be properly addressed.

1
23 Jun 2017
Canadian Real Estate Taxes
New Canadian Real Estate Sales Tax Rules
0 0
19 Dec 2022
calculator
Personal and Corporate Tax Deadlines

Without music to decorate it, time is just a bunch of boring production deadlines or dates by which bills must be paid. – Frank Zappa

3
25 Feb 2020
Photo by Christina Morillo
Tax Tips for Business Owners in Canada

“The hardest thing in the world to understand is the income tax” Albert Einstein Most Business Owners dread the Tax…

0 0
01 Feb 2022
art
6 Reasons Why You Need An Internal Audit Manual

Every internal audit function has its own internal audit framework which is Internal Audit Charter (the “Charter”). The Charter outlines the organizational status and role of the internal audit function, independence and governance, etc. However the Charter usually provides high level guidance, and therefore, it is also essential to have a robust Internal Audit Manual […]

0
18 Sep 2017
chart
5 best cloud accounting apps for private sector

When a business owner of a small to medium business is searching for best accounting software, he or she is looking for the user-friendly and inexpensive solution. Let’s look at available cloud-based apps that today’s market can suggest us today. QuickBooks Online Overall the best software for business is QuickBooks Online. It starts from $10/monthly, […]

0
14 Sep 2016
sale
Is your Business Ready for Sale?

“Action is the foundational key to all success.” — Pablo Picasso According to the study done by the Royal Bank of Canada, one in four business owners who are at the age of 50 of small and medium-sized business want to sell their business within the next five years. Unfortunately, 77 percent of owners do not […]

0
29 Dec 2016
Skilled Tradesman
Canada Invests in Labor Mobility to Boost Skilled Trades
0 0
19 Jan 2023
smoke
Carbon Levy – What does this mean to you?

Background The Carbon Levy came into effect January 1st, 2017 and will be charged on all fuels that emit greenhouse gas emissions at a rate of $20/tonne in 2017 and $30/tonne in 2018. Fuels include diesel, gasoline, natural gas and propane. The amount of Carbon Levy applied to each fuel is based on the amount […]

1
16 Jan 2017
chart
Passive income – Keep it below $50K

Under the new rules, investment income will be tweaked with a number of adjustments to come up with a new amount called, “adjusted aggregate investment income”.

0
04 May 2018
Personal Tax Deductions and Tax Credits

When calculating your taxes, it is important to understand your deductible expenses and eligible tax credits that you can claim. Deductible expenses are subtracted from your income before it can be subjected to taxation. Understanding these expenses will help you go a long way in reducing tax liabilities. Tax credits, on the other hand, are […]

0
12 Jan 2018
blockchain
The Blockchain Transformation of Accounting and Auditing

Blockchain is a growing list of record, called blocks that are linked using cryptography.

1
30 Sep 2019
meeting room
New Internal Control Framework

To improve is to change; to be perfect is to change often. (Winston Churchill) If it is not broken why fix it? – Is this practical or a myth? We have all heard about the theory of “survival of the fittest”, which is applicable for humans, animals and businesses. This theory has stood the […]

0
08 May 2016
Do you want to avoid CRA Audits? These are the points to watch out

When you’re getting ready your tax returns, you want to make sure you prepare your tax returns in such a way that the Canadian Revenue Agency (CRA) doesn’t approach you for a tax audit.

2
06 Dec 2019
Small Business Owner
How to Get Ready for CRA Tax Audit
0 0
24 Nov 2022