Cyber crime has been affecting Canadian businesses, institutions, consumers, healthcare – even agriculture. While anti-virus security programs have existed since the 80s, we still haven’t managed to outpace threats with technology.
The average cost of a data breach per Canadian company is a staggering $7M. As advanced technology is increasingly used every day for previously highly guarded activities, such as banking and the sharing of confidential documents, health information, donation records and beyond, simply installing cyber attack prevention platforms does not stop “threat actors” from easily infiltrating.
Michael Castro is a cyber security expert and founder of RiskAware. RiskAware provides organizations of all sizes and needs with cyber security services designed to identify security gaps and provide solutions based on the organization’s size, budget, needs and level of risk (sophistication). As former CISO to numerous Canadian institutions, he’s seen firsthand the devastation and increasing cost of cyber attacks to SMEs and major organizations.
We sat down with him to understand just what a “threat actor” is, their potential costs to fintech companies, how to identify risks, and how to build in solutions to avoid your company losing millions of dollars due to security breaches, and the immeasurable costs to your company’s reputation as a secure financial organization.
What exactly is a “threat actor” and how does RiskAware combat them?
MC: A “threat actor” is an increasingly sophisticated individual or group of individuals who have often studied an industry to the point of being able to pass themselves off as a member of it. They are such good “actors” that their threat levels are deemed nil or very limited, and they can surreptitiously slide into highly sensitive data with relative ease, manipulating their victims and their networks quickly and insidiously – and expensively. RiskAware operates as:
- An extension of your IT team, with a focus on cyber security as a fractional CISO (chief information security officer)
- Does an audit of your teams’ security and assesses gaps and how to fill them through training, leadership
- An automated subscription model that provides dark web scanning, phishing simulation testing, and cyber training.
Some kinds of businesses are probably more at risk of expensive and sophisticated cyber attacks. Are fintech companies at elevated risks for these attacks?
MC: All companies are at risk; fintech companies are especially attractive to cyber attacks and cyber terrorism because of the sheer nature of fintech – tech and money. Most fintech companies tend to be more vigilant with sensitive data and are careful with due diligence, activity monitoring and being proactive in protecting their assets and those of their clients. However, cyber attackers are getting more sophisticated in their tactics, and more targeted in who they choose to focus on. According to a recent report in the World Economic Forum (WEF), even as organizations are more prepared for cyber attacks, many are concentrating their efforts in the wrong areas. Instead of preparing for obvious attacks, they spend more money and resources on less likely threats, making them more vulnerable to more basic phishing scams that can come up innocuously-seeming in links within company-wide emails.
In many ways, fintech companies offer the highest possible yield due to the nature and scale of transactions in the space, so they are more enticing to attackers, especially those who have evolved and gotten “creative” as defensive measures have increased.
Is finding the right personnel for your team part of the challenge in preparing for cyber attacks?
MC: Yes. It is a challenge to find and retain skilled cyber security personnel, and costs are rising. This is added to by a “cyber security attrition” that has developed as internal teams are bombarded with reminders to update security software, sometimes to the point where they start to subconsciously ignore the warnings. A full 95% of security incidents happen when a user clicks on a malicious link in an email or a website. Companies must find ways to reach their staff, and I see that happening through more engaged, meaningful training techniques and positive reinforcement.
It depends who you speak to.
What are red flags for identifying “threat actors”? Are there any obvious ones that companies should look out for?
MC: For any requests for password changes or access granting, the source or sender should be closely examined before action is taken. Often, cyber attackers can guess your format for internal emails, even see who is responsible for what kind of information, and they can closely mimic that email address to the point where it seems entirely legitimate.
What are the top 3 most frequent types of cyber attacks that you’ve seen businesses struggle with?
MC: Threat actors are getting increasingly creative, even using text messages, WhatsApp groups and social media to hack into data. These are the 3 most common threats that we see in cyber security:
1. Phishing Scams
Phishing scams are one of the most prevalent cyber security threats in the modern world. A phishing scam is a form of cyber crime that involves scammers masquerading as legitimate businesses or individuals with emails and messages designed to trick users into giving away valuable personal information, such as passwords and credit card numbers.
In companies, these messages can be most dangerous when onboarding a new staff member, or changing some sort of organizational system. These messages will often very convincingly appear to be legitimate requests for personal information, such as an update to your account or a password reset. Victims might not even realize they’re being scammed until the damage has already been done.
2. Malware Infections
Malware infections are the second most common cyber security threat. Malicious software, or malware, is designed to infiltrate systems and spread quickly throughout a network. These programs can be responsible for stealing information such as passwords and account data, wiping computers clean of valuable files, or simply creating chaos on a system through ransomware attacks.
The problem with malware is that it can spread so quickly. Just one phishing email or compromised website could result in an entire network becoming infected. Once your system has been compromised, there’s no telling what kind of damage malware might cause – to you and your clients. The reputational costs are really high for fintech companies with this particular threat.
3. Ransomware Attacks
A ransomware attack is when hackers break into computer systems and then overlay the data on those systems with a message demanding payment to remove the overlay and regain access to information. Hackers can target individual users or large organizations, making this a hazardous cyber attack. Often, victims will have to pay hundreds or even thousands of dollars before their systems are unlocked.
What are the biggest advances in cyber attack threats that you’ve seen since your first experiences as CISO at various large corporate institutions?
- Phishing growth – and increasingly sophisticated phishing techniques
- 3rd party supply chain risks
- Surge in IoT (Internet of Things) vulnerabilities
What is the first thing that a company can do if they suspect they’ve been hacked?
- Don’t panic
- Don’t “knee jerk” with what you think you should do
- DO pull out your incident response plan
What is one piece of advice you’d give any CISO or IT personnel member responsible for managing cyber security for their organization?
MC: Always be prepared – yes, the Boy Scout motto still applies. We all see incidents around us and know or have known that incidents will befall all of us in our career. Continuous improvement is the key to making all of us stronger to deal with the future.