Is Your Pension Cyber-Secure?

The Canadian Jewish News reports, Fund invests $30 million in Israeli cybersecurity firm:
Claridge Israel, an investment firm founded by Stephen Bronfman and the Quebec Deposit and Investment Fund, is investing US$30 million ($38.7 million) in Cyberbit Ltd., a cybersecurity company based in Ra’anana, Israel.

Cyberbit, a subsidiary of the high-tech company Elbit Systems Ltd., was founded in 2015. It is described as a leading provider of cybersecurity training and simulations.

With this major new funding, Cyberbit will expand its sales and marketing, primarily in North America, boost product development and enhance customer and partner support, according to an announcement released on June 4.

Claridge Israel, which is based in Tel Aviv, was created in 2015, as a partnership between Claridge Inc., the private investment firm headed by Bronfman, and the Caisse, the Crown corporation that managers numerous public pension funds and insurance programs in Quebec, with the aim of finding business opportunities in Israel.

Oded Tal, the managing partner of Claridge Israel, will join Cyberbit’s board of directors.

The Caisse is one of the largest institutional investors in North America, with net assets of $298.5 billion.

Cyberbit is a pioneer in the use of hyper-realistic simulations to train cybersecurity experts. The company says there is a shortage of skilled people around the world who are able to manage cybersecurity threats. By 2021, it says that Cybersecurity Ventures predicted that 3.5 million jobs in the field will be unfilled, while the number and complexity of cyber attacks only grow .

“Elbit Systems sees the cybersecurity field as a growth engine,” stated Bezhalel Machlis, the company’s president and CEO.

Claridge Israel managing director Rami Hadar said that “Cyberbit’s growth in just three years has been remarkable. This growth is driven by a unique product portfolio that addresses several of the most pressing industry problems, a solid go-to-market strategy and a highly capable team that is executing successfully and creating a leadership position in several markets.”

Meanwhile, the Jerusalem Post reported that Israel Aerospace Industries (IAI) has teamed up with a Quebec-based company to produce surveillance drones for the Royal Canadian Air Force.

IAI and L3 MAS, which is located in Mirabel, Que., will make the Artemis Unmanned Aerial System (UAS), a medium-altitude, long-endurance system, based on IAI’s most advanced unmanned reconnaissance aircraft, the Heron TP.

“The Artemis UAS is uniquely positioned to assist Canada in preserving its national security and sovereignty interests at home and abroad,” according to an IAI press release on June 3.

“As the prime contractor, mission systems integrator, and ISS provider, L3 MAS looks forward to breaking new ground in Canada’s defense and aviation sectors with IAI’s Artemis UAS,” L3 MAS vice-president and general manager Jacques Comtois stated.
I find it interesting how the Caisse teamed up with Stephen Bronfman's Claridge fund to invest $30 million in this fast-growing Israeli cybersecurity firm, Cyberbit. You should look at the company's blog here, they have posted great resources on their site.

Today, I'd like to focus on pensions and cybersecurity. However, I don't just want to talk about pensions investing in cybersecurity firms but rather want to focus on pensions addressing cybersecurity threats.

There are quite a few papers and presentations on the net, including this paper from Allen & Overy and this NCPERS presentation from Ronald King of Clark Hill.

We live in an age of major cybersecurity threats. Every public and private organization needs a plan to address these threats.

I enlisted the help of a friend, Mike Petsalis, President & CEO of Vircom, a Montreal-based company focused on email security, to discuss the topic of pensions and cybersecurity. I'd also like to thank Robert Ravensbergen, Vircom's marketing manager for his help with this material.

Mike was kind enough to provide a short comment for my readers:
Cybersecurity is still terrifying, to the point where major media stories have not desensitized us to its risks. Equifax, Yahoo!, WannaCry, NotPetya and more attacks have all become terms common in the security lexicon, characterizing the mass and variety of risks that every organization faces large and small. While the perpetrators and method of execution for each attack may differ, both in major and minor ways, the methods to prevent or address them are fairly similar across industries, including with pension funds.

For instance, while the aforementioned attacks are all large-scale breaches or ransomware attacks spread through zero-day exploits (more on those later), over 90% of attacks start with a phishing email. Email and other channels are perfect fodder for social engineering attacks, which focus on attacking people rather than systems, manipulating them into sharing information.

That point being made, it’s better to consider a summary of cyber risks and what pension funds can do to address them before considering how organizations should prioritize their security decision-making. Because of the nature of pension fund organization – usually having a large number of members but a small number of employees handling a large amount of data and money for said members – there are certain kind of attacks or risks to which they can be most susceptible. These generally come in the form of social engineering attacks, but a large amount of risk is also present in the general likelihood of loss or mishandling of data and the need to quickly address instances where such breaches do occur.

What are the main cyber security risks pension funds face?

There are five primary risks that pension funds face in maintaining their cyber security.
  • Loss or mishandling of member data (especially protected data)
  • Loss, mishandling or espionage of data through social engineering attacks
  • Loss of funds or data due to social engineering attacks or cyber-enabled fraud
  • Accidental publication or sharing of protected or proprietary data
  • Malicious publication or sharing of protected or proprietary data by a bad actor
The loss or mishandling of data is a common concern for any business, but it is particularly critical to address for organizations that rely on trust and a good reputation. There are cases where this is malicious or out of a grudge, but without sufficient accountability, any employee can either collaborate with fraudsters or commit a fraud themselves. This risk doesn’t apply only to money handled by pension funds, but also the data which funds hold for their members, as data in itself can have tremendous value to fraudsters and other bad actors.

Beyond a fraud or data risk in which an employee consciously participates, the attacks in which employees are unwitting accomplices pose the greatest risk to an organization and are also far more common. This could be executing by spoofing a colleague’s email address in requesting funds or member information or compromising trusted accounts and jumping in on existing conversations. Access to and management of this information could be excessively high in situations where an encrypted email service isn’t being used for protected data, while impersonation attacks could also carry malware or spyware that compromises communications and data stored on an employee’s devices – both on desktops and laptops or on mobile. This is especially risky if a fund employs a BYOD (Bring Your Own Device) policy, where an employee’s personal activity could compromise organizational data or allow attackers to glean critical information – a fairly common tactic in cultivating a successful fraud.

The threats above usually involve some degree of intention, either by a malicious actor or employee, but risk is also present in employee inattention. This applies wherever data is accidentally shared, either on a one-to-one basis or published in a publicly accessible channel like a website or compromised piece of software. If you’re looking to fully address cyber security risks, limiting the potential for basic accidents is also crucial.

Cybersecurity solutions that Pension Funds can prioritize

Incidentally, as there are five primary risks that pension funds face, there are five primary solutions that they can also use to manage most of the risk they face in attacks
  • Protection against malware
  • Protection against social engineering attacks
  • The ability to encrypt transmission of protected data
  • Data-Loss Prevention technology to prevent accidental or intentional release of information
  • User education, training, awareness and authentication procedures that prevent loss or compromise of data or funds
The triumvirate of basic protection for your organization contains a good Firewall, a good anti-virus and an effective email filter. While rudimentary versions of these will protect against 90+% of viruses, spam and more conventional threats, today’s most dangerous attacks often leverage new iterations of malware or advanced social engineering techniques which require unique solutions that either use a varying combination of machine-learning, advanced threat intelligence and more to prevent against specific instances of attacks in an up-to-the-minute manner..

For instance, with a virus or piece of ransomware, certain identifying characteristics may be programmatically changes as they’re delivered, preventing a traditional anti-virus database from identifying them and containing them before infecting a device. The same tendency towards clever fraud can also be seen in email attacks, where a malicious URL may only have hostile content hosted after delivery, evading a traditional spam filter but failing to bypass a filter that features URL rewriting or some other form of Time-of-Click protection.

Encrypting email transmissions and incorporating Data-Loss Prevention techniques are otherwise useful for preventing both intentional and accidental loss of data by employees. Email encryption permits users to deploy a secure platform on top of an email system, containing the presence of data to only specified addressees and locations, minimizing the possibility of said data being compromised. Data-Loss Prevention, on the other hand, can be used to identify the movement of data, defining and blocking pre-defined or protected terms from leaving an organization, or simply encrypting it as it leaves. Enterprise DLP solutions will monitor and block all unauthorized data transmission, whether it’s through cloud apps, devices, storage channels, emails or web communications. Often prohibitively expensive, solutions like email filters can incorporate DLP specifically for email without the added risk, managing much of the risk, but not all of it.

Finally, while the user is the main source of risk for many of today’s attacks, the best way to turn the tables is to strengthen them as a “last line of defense”. This requires basic education on what not to do when presented with suspicious materials or requests, but examples of these requirements can be as basic as:
  • Not inserting found USB drives into their devices
  • Checking email headers for accurate email addresses (compared to addresses that could be used by imposters)
  • Double-checking unusual requests for funds or data via email with a phone call
  • Updating their device software and security tools as updates are released, ensuring security-related patches and improvements are always present
  • Listening to the advice of IT specialists, consultants and administrators when it comes to security (even if they do lecture from time to time)
Teaching patience and observational skill to users is a critical aspect of ensuring your organization is secure, and can be put in a constructive, conscientious framework, rather than being treated as a chore. Great examples are now present of tools that educate and inform users, rather than berating them for making mistakes. Wombat is one among many, but solutions aren’t always required, as tips and resources can be found that simplify things for your users. This quiz from Pew Research is a simpler way to get started.

Addressing a data breach

No system is perfect, and while most pension funds will not deploy broad or unique cloud systems which require some of the latest threat monitoring and management techniques, the solutions referenced above should be sufficient to stop the threats that are faced by relatively small-staffed financial organizations.

That being said, the primary risk or requirement incumbent upon a pension fund following any successful cyber-attack or fraud is disclosure. State laws in the United States usually place a limit of three days passing after a data breach for it to be disclosed, whether the loss or compromise of data constitutes a material or physical risk to customers or if any protected data is unaccounted for. Data protection requirements are also increasingly stringent in Europe and Canada, meaning that the ability to address a breach after its occurred is just as important as preventing one. In advising on a breach, organizations are expected to notify authorities and the public within the time period legally required by their jurisdiction, specifying what protected data may have been lost and what risks this could pose to those who’ve lost their data. This allows those who’s data is at risk to take action that further mitigates any negative impacts of a breach, while also limiting the liability of an organization that’s suffered a breach.

Addressing this risk effectively comes down to accountability. The EU’s GDPR requires the appointment of a “data protection officer” and the concomitant categorization of all data stored by an organization and its partners. This can be as simple as appointing an employee to devise and maintain an excel spreadsheet that simply lists whose data is stored where and for what purpose, which offers a resource that can then guide where vulnerabilities are present and where disclosures must be made. While most non-EU organizations might not necessarily want to follow GDPR if they aren’t compelled to, this model of internal accountability is actually relatively useful for any organization, even if they aren’t compelled to implement it by law.

Defining success with your cybersecurity strategy can be difficult – primarily because the absence of a data breach or successful attack doesn’t mean you’re adequately protected. However, trying to get the best value out of solutions, address common and fast-growing threats, and building conscientious employee behaviour are all the necessary elements most organizations need to confront the unexpected.
I thank Mike for sharing a well-written comment on pensions addressing cybersecurity threats.

Those of you who want to learn more about this topic should email Mike Petsalis (mike.petsalis@vircom.com) or Rob Ravensbergen (robert.ravensbergen@vircom.com) directly to learn more on how Vircom can help your organization be cyber secure.

Below, a clip from Blue Sky Pensions on how to keep your pension scheme safe. I also embedded a clip on Cyberbit Range, a simulation platform enabling organizations to establish and manage training and simulation centers for instructing and certifying cybersecurity experts.

Lastly, a clip from Vircom’s Email Security Threats Video Series. In this video, they discuss what spam, viruses and malware are and what risks they pose to your business.





Comments