TORONTO -- During a panel session on information security at the Payments Canada Summit, experts sent a clear message to corporates in the audience about training their employees on security: Make it personal. They also addressed two of the most significant incidents in the past 12 months—the WannaCry ransomware attacks and the hack of the Democratic National Committee.
Making it personal
Bobby Singh, CISO of TMX, stressed that instead of instructing employees about how to protect corporate data, show them how their personal bank data or households are at risk. “Instead of having a talk about corporate security practices and hoping that will translate into good behavior, why don’t we spin it the other way around?” he asked. “Teach them about personal stuff, hoping that personal traits will translate into the corporate environment. Eventually they’ll manage corporate security the same way they manage their personal information.”
One way that companies can make it really personal is by actually tying cybersecurity to employee bonuses at the end of the year, Singh said. “There are a couple organizations in the U.S. where, if you fail a phishing test, 2 percent is docked from your bonus,” he said. “And trust me, the rates of who clicks on a phishing link are very, very low.” The (very few) organizations that have applied this practice are in the information security sector, Singh said, but other types of companies could eventually adopt the practice as well.
Kent Schramm, director of Cyber Risk Services, agreed, noting that corporates need to change the culture when it comes to training employees on cybersecurity. The old method of herding everyone into a room and showing them a PowerPoint presentation isn’t sufficient anymore—if it ever was in the first place. “You want to make it personal. Improve the cybersecurity habits at home, with the hopes that people will transfer those habits into the workplace,” he said.
Adam Hatfield, senior director of the Canadian Cyber Incident Response Center (CCIRC), Public Safety Canada, noted that WannaCry happened primarily because of unpatched systems. That will continue into next year and beyond, because no matter how much you stress the importance of keeping your systems up to date, there will always be companies that don’t get the memo.
He asked the crowd how many of them were hit by the WannaCry attack—something that was also asked during a cybersecurity discussion at the AFP Executive Forum earlier in the week. Both times the results were the same—no one raised their hands. While that is hopefully the truth, Hatfield stressed that a key problem with cybersecurity continues to be the reluctance by businesses to disclose when they’ve been hit with an attack. He encouraged attendees to join information sharing groups like the Financial Services Information Sharing and Analysis Center (FS-ISAC). “The only way you will ever know what is really going on is if you talk to each other,” he said.
And while apolitical treasurers might not have been too concerned with the DNC hack, there are parallels that can be drawn there with the corporate sector. To recap, Hillary Clinton’s campaign chairman John Podesta fell victim to a phishing email after being misinformed that it was safe to click on. As a result, his personal emails were leaked over the internet.
“The DNC incident wasn’t just a hack and an extraction of data. It’s the fact that they leaked that data over a very long period of time—driving the media discussion, taking emails that were out of context and only releasing the juicy bits,” Hatfield said. “Imagine that happening to your business when you’re going through a routine acquisition or doing an IPO on the stock exchange. Someone can use that information to not only embarrass you but completely sidetrack and disrupt your organization. So that kind of sophistication of using cyber to have an impact much broader than just a hack, we’re going to see more and more of.”