Small business security used to be a strong lock on the door, a guard, and a few security cameras. These days it’s often lines of code that stand between thieves and your money.
One out of five Canadian businesses experienced a cybersecurity incident in 2017, according to Statistics Canada. The total costs of prevention, detection and recovery from incidents in 2017 totaled $14 billion.
RBC Chief Information Security Officer Adam Evans says small- and medium-sized businesses need to assume that they will be the target of cyber thieves. “It’s not about if; it’s going to be a when scenario,” he says in the “How to Protect Your Business from Cyberfraud” podcast.
Listen to this podcast for more details on what you need to know about cyber crime and how it can affect your business.
This podcast was recorded in March 2019. Featuring:
Host: Denise Pratt, Director for Awareness & Education, RBC
Guest: Adam Evans, Chief Information Security Officer, RBC
Introduction: Jason Storsley, Head of Small Business Banking, RBC
Jason Storsley: Hi. I’m Jason Storsley, head of Small Business Banking at RBC. Did you know that one in five Canadian businesses experienced a cyber security incident in 2017 alone, according to the latest Stats Canada research? In recognition of Fraud Prevention Month this March, we’ve invited some cyber security experts to discuss ways you can keep your business safe from fraudsters, from privacy breaches and ransomware to phishing and mobile threats. I think you’ll get a lot out of this discussion. Thanks for joining us.
Denise Pratt: Hello. My name is Denise Pratt. I’m the Director for Awareness & Education as part of Global Cyber Security at RBC, and on today’s podcast I have with me Adam Evans, who’s the VP of Cyber Operations and Chief Information Security Officer here at RBC. What he’s going to do is… well, we’re both going to talk about our views on Small Business. He has a little bit better of an opinion than I do, obviously, being the CISO, for how small businesses…
Adam Evans: I’m going to try.
Denise Pratt: …yes – are vulnerable to attacks, and some of the best practices that every small business should adopt to really protect their businesses. Welcome, Adam.
Adam Evans: Thank you for having me.
Denise Pratt: Maybe I’ll just talk about you and a little bit about your background. Maybe talk about, as your role, your current role, as CISO.
Adam Evans: In my current role, I’ve been in it for about a year. Prior to operating as RBC’s Chief Information Security Officer, I ran the Cyber Operations Group within Security, which is primarily responsible for incident response, threat intelligence, monitoring of the entire enterprise from a cyber threat perspective, running all of the security tools inside the organization and across the globe in the different lines of business to make sure that we can detect and respond to threats as we identify them. Then, the other side of the shop, which is really the Chief Information Security Officer role that I play, is really looking at the external landscape and what’s happening in the regulatory environments, what the businesses need as this organization transforms itself from a traditional financial services company into a technology company that provides financial services, that footprint, that technology footprint is continuing to grow. So, making sure that as the business is moving, they’re moving probably faster into the digital space than we ever have before, and there are a certain number of threats that come along with that move, and cyber is one of those threats that we need to start to make sure we have control over. So my job is to make sure that we’re working in line with the business, we’re educating the business with regards to the cyber risks so they can manage those risks to their business properly.
Denise Pratt: Maybe we can talk a bit about, in your role today, what makes any organization, any business, a target for cyber criminals?
Adam Evans: Well, I think there are a few motivators, certainly from a cybercrime or a threat actor perspective. Threat actors tend to be opportunistic. They tend to want to do the least amount of work possible to achieve whatever their target may be. And obviously, in the small business world, they don’t have the budgets, they don’t have the talent or people, certainly in cyber security, and they’re trying to adopt a lot of the technologies that our organization is trying to adopt, right? To scale and stay relevant to their customer base they have to find new ways of doing things and new business services that they can reach their customers with.
With that, you’ve got the proliferation of technology and the companies starting to adopt it, whether they’re small, medium or large; you have a talent shortage, and it’s very hard to put knowledgeable people into small business so they can actually deal with the landscape that they’re trying to operate their business in; and the last thing is that the bad guys are getting better at what they do, and they are learning how to leverage economies of scale, they are hosting criminal services and making them available to people that want to enter into the cybercrime world.
What that really means is the barriers into crime are coming down, and when you match that up with the fact that it’s very, very hard to pinpoint where they’re committing cybercrime from, meaning that they could be doing it from across the globe in a fairly anonymous way, and you’ve got things like digital currency – Bitcoin – that has started to emerge as a preferred way of moving money, that the landscape is really kind of catering to the cyber criminal, in that they can move the proceeds of crime outside of the financial system. We are increasing, whether we know it or not, the threat footprint, because we are adopting more technology and we’re adopting it faster than we ever have before, and it’s very, very difficult to find the people that can actually help us with the first two problems, that understand the threat landscape, understand what risks are being presented to the business, and making sure that we can manage those risks properly.
So, when you look at all of those things, regardless of the type of attack or threat they face, that’s really the crux of the problem for a lot of businesses, whether they’re small, medium or large.
Denise Pratt: Okay. A lot of people that I’ve spoken to that are small business owners, they think, well, you know what it’s like from being a big corporation. You’re obviously a target. We’ve all seen the list of the top 20 corporations, like Microsoft, et cetera, that are targets. But Small/Medium Businesses, are they really worried? Should they really be worried about cyber attacks?
Adam Evans: If you think about a business like RBC, we are part of an ecosystem. We deal with all kinds of organizations, whether it be small, medium or large. A lot of small businesses will find themselves somewhere in the supply chain probably of a larger company or a larger set of companies. If I was a threat actor and I’m looking at whether I come after RBC or I go after a smaller organization within the RBC ecosystem, chances are going after a smaller business is going to require less effort and less sophistication.
They can then start to look at the ecosystem surrounding that small business, and then figure out what other players are in the ecosystem. Eventually they will knock on the door of RBC, and they will look at how they’re going to target us, probably through one of these third parties or small businesses that we do business with.
Denise Pratt: Let’s think about the end game. Is it always just money, or what are they looking for when they’re trying to go after these organizations?
Adam Evans: Great question. I think money is certainly part of it. They have to finance their business operations just like RBC would. So I think money is always part of it. But there are things like hacktivism that has emerged in the last six or seven years, which is really around these idealistic ideas of how corporations should be operating, and the fact that threat actors can use social media to organize, to distribute tools that they can attack organizations with. They can hold organizations like RBC accountable for their corporate policy. A good example of that would be moving into a space where we go and purchase an organization somewhere in the world, and downsize that workforce. And if somebody in that particular region takes offence, or doesn’t like the corporate policy or the corporate direction, they can organize on social media, and they can organize an attack against RBC. It’s not necessarily that they’re going to bring down business operations from RBC, but they can put us front and centre in the newspaper or on the Internet, and they can start having a brand or a reputational impact against the organization.
I think the other piece to this is really the things that can be turned into money, or monetized, over time, things like data. We talk about in cyber security a concept called “attack chaining”. Attack chaining is really targeting a small business or targeting an organization – doesn’t have to be a small business – to gather a bunch of information. You can do this to an individual, too. I can go on a social media profile, I can gain a bunch of information about somebody, and I will use that information to launch a further set of attacks. Compromising a small business and gaining access to their data means I would have access to their clients and their customers and their employees. I would then take that information and I would figure out how I want to use it to launch further attacks. So, depending on my agenda, I can start to launch further attacks that help support the outcome of what I’m trying to achieve, whether it be fraud transactions, hacktivism, or something else – business disruption, for example.
Denise Pratt: We know that 90% of the attacks usually happen through the people in an organization. So, when we look at how employees – we talk a lot about the technology, and obviously that’s an important part of your role – but also a key part of that is making sure that employees are aware of how they can be a target through things like social engineering. Maybe you can talk about some of the ways that the employees can be a target.
Adam Evans: As technologically advanced as threat actors and businesses become, the weakest link is still really the first line of defence, which is the employee or the individual. I think probably part of that is because we’re in a generation right now that certainly my generation is a generation that didn’t grow up with the Internet. We’ve had to learn the skills as we’ve moved, and there’s an inherent level of trust in people, and I think that’s what they tend to prey on through social engineering. They are looking at whether it’s phishing or spear phishing. Phishing is typically setting up a fraudulent website to steal credentials and log into your online banking. Spear phishing is about trying to get you to click on a link, and there’s a big difference between the two. Spear phishing is really targeted email campaigns against an organization to say you just ordered a package and it’s being delivered by FedEx, and they want you to click to track your package. Those kinds of things are the tactics that they use to try to either infect the system that you’re browsing the Internet on, or they’re going to try and harvest information from you in some way, shape or form – log into your Webmail, your online banking, your retail shopping sites that you’ve got.
It’s also going to be about gathering further information. When I go out and talk to either individuals or small businesses, I talk a little bit about the fact that if somebody gained access to your inbox, your Webmail, your Gmail inbox, for example, what would they be able to learn about you as an individual, and then how would you take that information and use that information against that individual, and their sphere or their circle of friends or their community?
I think in the cyber world, it’s those social engineering techniques that allow threat actors to profile and start to surgically target organizations or individuals. Everybody’s been hearing about data breaches for the last three or four years, and the pronounced ones: things like Yahoo and LinkedIn. The threat actors are going after those organizations because of the treasure trove of data that they hold on individuals, and they’re using that information to further target those individuals. When that information’s collected by the criminals, they can start to then augment that information. They start to gain more information either through places like the Dark Web, or they will surgically target an individual, get more information from phishing that individual, add that into the record that they’re capturing, and then start to figure out what they want to do with all the information, whether they sell it or they use it for, again, fraudulent purposes – depends on their agenda.
Denise Pratt: Right. And we’ve seen examples of that out in the marketplace. You’ve probably seen it in the media, and I know people that have experienced it, where they’ve been spear-phished – they have been the target because somebody had built a profile – and sometimes it’s because of their role. What we see is it’s their role that’s key. Either it’s in HR… let’s say, somebody that’s in Payroll or in Finance or somebody in Legal.
The other type of attack I thought maybe we could talk about when it comes to phishing is the business email compromise, which has increased over 17% in the past year. If you just want to briefly talk about that.
Adam Evans: Yeah. I think the business email compromise is an interesting one. We’ve seen it probably for the last couple of years, and it was making its way through retail banking to start with. Really what it’s all about is the compromise of an email account owned by an individual or an organization. Instructions or information will be sent from that email inbox and it will look completely legitimate. Where we would see it certainly in retail banking would be a customer of RBC that interacts with their personal banking officer through email; that customer’s Gmail account gets compromised in some way, shape or form, and the threat actors will sit and lurk inside the email inbox and watch the behaviour. The behaviour is: every two weeks, I reach out to my personal banking officer, and I start to send instructions – wire this money here, wire this money here – and they will start to pick up on that behaviour, and then they will start to insert their own transaction requests into the communication with the personal banking officer.
It’s extremely successful, and part of the reason that it’s extremely successful is we don’t necessarily have a lot of visibility from an organizational perspective of what happens in that person’s inbox clearly. So the bad guys can lurk inside those inboxes, and they can learn, profile, gain information and socially engineer anybody that’s been associated with that inbox in some way, shape or form, whether it’s friends, family, business associates, whatever the case may be.
Denise Pratt: When it comes to being prepared as a small or medium business, how can they make sure that their employees are prepared?
Adam Evans: The preparedness is really around education, and I think the more education and the more learning that you do around this space, it’s going to help you, one, as an individual, but it’s also going to make you a better employee in defending the organization that you work for. I say that, because the foundational elements or the hygiene elements that we talk about with regards to our employees are very, very basic things. Change your passwords. Don’t do mission-critical things from public WiFi, right? Wait ’til you get home if you’re going to do online banking or access your Webmail or whatever the case may be. Making sure that you’re updating your software, making sure that you’re running the latest operating system when updates are available to you, install those updates, all those things are basic hygiene elements.
When you see the data breaches that have happened over the last three or four years, 99% of those breaches actually were the result of a compromised credential and an elevation of the entitlements that that credential has inside of the environment. So, in our world, it would be somebody getting compromised through an email, somebody assuming that person’s identity within the enterprise, and then moving through the enterprise and collecting information, injecting themselves into corporate systems or whatever the case may be, so the access hygiene is really important. Not reusing credentials for things like online banking and LinkedIn and a bunch of other online properties is also a really important part of that identity management.
Small businesses, I think, rather than try to build out a holistic program around cyber, there are some fundamental things that they should be educating their staff on: access; currency around the software in the systems that they run; making sure that they’re educated in some of the things that are trending in the media – the new types of attacks that are trending – and understanding what those things mean to their business and their operations; and then obviously, as I said, being educated really around the risks that your business is being faced with from cyberspace. All of that education basically equals preparedness, and once you’re prepared then you need to practise preparedness. It’s flexing a muscle and doing it regularly to make sure that everything that you’re putting in place you understand how to operate, and you understand what normal really looks like, so you can start to look for abnormality inside of your organization.
Denise Pratt: Okay. Let’s talk about preparedness, because I know you always talk about this kind of as a 3-step process or three stages of preparedness, what is before, during and after. Maybe if you wanted to talk about those three areas.
Adam Evans: Really, the before piece is understanding who the relevant parties are that need to be part of the conversation when you get breached. It’s not about if. It’s going to be a when scenario. I think that’s a big hurdle for a lot of organizations to get over, in that we can only prevent for so long, but sooner or later, there is going to be a cyber security issue in some way, shape or form inside of your enterprise. I think being prepared for it before it happens to you allows you to mobilize things quickly. So, having a response plan, understanding who the players are that need to be sitting at the table with you to make decisions on the behalf of your business, having retainers in place for legal or public affairs also helps you mobilize in starting to get legal opinions that this is going to become a criminal issue, making sure that you’ve got sound legal advice on how you want to capture information and how you turn it over to authorities, when you talk to authorities, what kind of help can they provide to you.
Being able to figure all of those things out before a cyber event happens is crucial because then you can fall back on your plan, you can look at that plan as you start to execute the different activities and make sure that you’ve covered all your bases when the event actually happens to you.
When you’re in crisis, really what you want to understand is how do you protect the customer, how do you protect your employees, how do you protect the organization, and what are the types of decisions that you’re going to have to make? No cyber event is the same, and it’s very, very hard to plan out in detail what you’re going to do in a cyber event. So, part of preparedness is actually testing those plans and making sure that you understand how to execute those plans and what the roles and responsibilities of each person within that plan really looks like.
And then, obviously, after is probably, I think, the most important part, which is: after the event happens and you’ve mobilized your response, how do you own the breach? Owning the breach is a very… it’s a critical part to it, because you control the messaging, and you act in the interests of your customer and your employee in protecting your business. If you do those things, you maintain a level of integrity and a level of trust with the community that you service. You’ve seen it done poorly with companies like Equifax, where they haven’t necessarily done that in the interests of their customers. I think you saw the backlash in what that actually translates to. Whereas you see companies that have done it very, very well – stock prices return to kind of normal levels – and you can also improve the relationship with your customer if you act with a level of integrity and professionalism when you’re going through an incident and being transparent about what’s going on.
The customers are always going to wonder how this impacts them, and I think the more transparent you are and the more honest and open you are with the affected customer or the community that you’re servicing, it maintains a level of integrity and trust in that relationship, and that’s hugely important.
Denise Pratt: Now, actually you bring up a good point about regulators. Obviously, being in an industry that is really… we deal with a lot of regulatory requirements…
Adam Evans: Heavily regulated, yeah.
Denise Pratt: From a small/medium business perspective, what would be your suggestion – is this something they really need to worry about?
Adam Evans: Absolutely. I think, as you start to see the regulatory environment change, and you’ve seen it certainly in Europe, and California now where privacy legislation has been pushed out, and they are holding organizations accountable for how they manage the information that their customers provide to them. Clearly, we’re a very regulated industry. When you’re talking about small business and why I said those foundational elements about protecting the privacy of your clients, trying to operate with some really foundational cyber security capabilities, when you get into a regulatory discussion in the event you have a breach or prior to – hopefully prior to – understanding what your requirements really look like. Then making sure that your program, your security program, not only takes into account the risks associated with operating your business but you understand the regulatory requirements that you have to fulfil. They can be as simple as protecting your customers’ private information and you build a program around that, or it can be more broad like what we have to deal with where we have regulatory jurisdictions all over the world, and we have to understand how to operate in those jurisdictions and what the compliance requirements are for our business operations in each one of those regulatory jurisdictions.
So this, to me, again, goes back to preparedness and education: understanding who regulates your industry or regulates your business, understand what the expectations of those regulatory authorities really look like, and then going back into your business, understanding whether it’s the regulatory risk, operational risk or whatever the case may be, and making sure that you design a program that allows you to comply with the requirements.
Denise Pratt: Well, I know that you always talk about if there is some sort of breach it’s not if it’s going to happen, it’s when it’s going to happen. I guess even as a small business owner you need to be prepared for something like that. I know one thing that you had talked about, regardless of regulations that are out there or government mandates, they have to be careful about securing personal information, their client information. Maybe talk about why that’s important from a trust perspective.
Adam Evans: Well, when you’re interacting with your customer or within your community, obviously their personally identifiable information is something that is a crown jewel to them, as well as a threat actor. Protecting that information will also help in the event that there is a compromise; there is not what I talked about earlier this kind of attack-chaining, or this kind of furthering of the attack surface and going after the individual customers.
To recover from identity theft, I think the last set of numbers that I saw certainly in Canada was about a $1,600 to a $2,000 amount for a compromised identity of an individual. If you think about that in the context of RBC, there are 6 million customers that come in and out of the RBC online banking platform. That’s a lot of impact not just to our customer base, but obviously how do we protect from that identity theft impact more broadly across the community that we operate in? Small businesses aren’t immune to it.
So, outside of regulatory penalties and things like that, I think dealing in trust with your community is really about your brand, and what you want your brand in your community to really look like. If somebody has entrusted you with something that they care very much about – their identity – I think you have a sense of obligation and a corporate responsibility to protect that information as best you can, and you owe it to your customer.
Denise Pratt: The other thing that I think is important to a small business is if they have a limited amount of resources, as somebody that’s worked in a small organization and now works for a large one, how would you say that they really can economize? How can they really focus on cyber security without having all the resources that a CISO at a large company like RBC would have?
Adam Evans: I think it’s very much about risk management – and I’ll go back to it. You can’t manage all your risks, or you can’t mitigate all of your risks, so is there something that you can do to offset the management or mitigation of those risks – things like cyber insurance. You can also look at third parties and say there’s some of these things I just don’t have the skills to do internally, and I want to outsource some of these capabilities. But even those things can be not viable from a financial perspective for a small organization.
So I think then what you have to do is really kind of focus in on core services of your organization. Again, redefine what the risks to those services look like, and really build a solid program around protecting your core services.
Now, from a technology standpoint, I think it’s a really interesting time because you’ve started to see things like the public cloud come into play, that can be leveraged by organizations. There are all kinds of hosted services out there where you don’t have to have an entire IT team to support the environments that you want to operate your business in. So you can leverage things like the public cloud, and then really focus. When you put things into the public cloud, you don’t have to worry about the servers and the databases and the technologies that your applications run on top of. You have to worry about the data that you’re collecting and the applications that are using that data, and making sure that the controls and the investment that you’re building or making are protecting those things, so you can kind of dimension it out and really figure out where the highest risk areas are and then start to focus more of the spend there.
As I said, there are a lot of hosted services out there now, probably more than ever before, so it’s educating yourself on what can be done and what you choose to do internally versus outsourcing to a third party company or a service provider that you can leverage.
Denise Pratt: Something we talked about earlier today that maybe I thought we could bring up that might also be helpful for a small organization that may be limited in resources would be CCTX.
Adam Evans: Mm-hmm. CCTX is a really great example of cross-collaboration across industry sectors. Obviously, we worry about cyber crime at RBC, but when we’re looking at it more broadly across Canada, we understand that protecting Canadians, and small businesses that operate in Canada, is also part of our corporate responsibility. A group of organizations, RBC being one of those – and we had them from the energy sector, the telecom sector, the financial sector, there’s a bunch of different organizations – helped start this company called CCTX, which is the Canadian Cyber Threat Exchange. Really what it has been designed to do is share information. The beauty of CCTX is really that small businesses can sign up for services from CCTX where they can get intelligence from the big banks, from the Telcos, from the energy sector and from the Canadian government to help inform them about the types of threats that are targeting organizations, take those intelligence products, bring them into their organizations and get some visibility with regards to who is really targeting them or if they’re being targeted. It’s very much a community, so it’s a subscription model. You can sign up for it, and I think it ranges from about $500 to $50,000, depending on the sizes of the organizations that are signing up to be part of that community.
But it’s been a great collaboration exercise. It’s very, very young; it’s about two years in. But it was really our effort to put something out there that’s consumable by the Canadian public and the small business community, try to help to strengthen the overall cyber preparedness cross-sector, across the different industries that we operate inside the country.
Denise Pratt: Okay. I have to ask, is there a typical question that you get? Or common question that you get as a CISO?
Adam Evans: Yeah.
Denise Pratt: Okay.
Adam Evans: What keeps me up at night?
Denise Pratt: Yeah. That old gem. Yeah.
Adam Evans: Yes. It’s… I get asked that question a lot. And I think… you know, I would say that my answer has probably changed over time. Had you asked me this question two years ago when I was running Operations, I think I would’ve had a very different answer. My big fear there was, obviously, the compromise of the enterprise.
Today, I think it’s… my thinking around it has shifted a little bit, in that we get attacked every single day. We’re not immune to it. We’ve built really, really good capabilities inside of the organization. We’re four years into our cyber security journey and building out those capabilities. We’ve had to demonstrate those capabilities on more than one occasion.
That’s given me a sense of – I don’t want to say a sense of ease around delivering cyber security services in a bank this big. But I’ve had to turn, I think, my focus more about business enablement. You know, security can be an intrusive set of services when you try to introduce them to an enterprise like RBC, and even in the small business world you may have to lock things down so far that you cannot remain relevant to your customer base because you can’t operate the services or technologies the way you should be.
So when I think about security here and what keeps me up at night, it is slowing the business down, and how do I re-imagine security service delivery and maintain that level of, or that pace, so I can keep pace with the business, I can educate the business, and I can make sure that they’re making the right decisions with regard to managing cyber security risk more broadly. If I can’t do that, then we’re not going to be able to disrupt marketplaces or move into new marketplaces, which means we’re not going to stay relevant to our customers. And that’s the thing that really kind of keeps me up at night.
Denise Pratt: Right. And I guess that would apply to any business owner, whether it’s small, medium, large. But I guess that brings up another point, because part of your role, too, when you’re dealing with the busine
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.