{"id":31504,"date":"2022-11-18T15:45:16","date_gmt":"2022-11-18T20:45:16","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=513936"},"modified":"2022-11-21T22:09:04","modified_gmt":"2022-11-22T03:09:04","slug":"cyber-security-today-week-in-review-for-friday-november-18-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-november-18-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, November 18, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, November 18th, 2022. From Toronto, I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"1\"><iframe style=\"border: none;\" title=\"Libsyn Player\" src=\"https:\/\/html5-player.libsyn.com\/embed\/episode\/id\/25056336\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/000000\/\" width=\"100%\" height=\"90\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/www.amazon.com\/ITWC-Cyber-Security-Today\/dp\/B07BRNG89P\/ref=sr_1_1?s=digital-skills&amp;ie=UTF8&amp;qid=1522688435\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"aligncenter wp-image-396718 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2017\/09\/sub-alexa-200.png\" alt=\"Cyb er Security Today on Amazon Alexa\" width=\"200\" height=\"74\" border=\"none\" \/><\/a><\/td>\n<td><a href=\"https:\/\/www.google.com\/podcasts?feed=aHR0cDovL2N5YmVyc2VjdXJpdHl0b2RheS5saWJzeW4uY29tL3Jzcw%3D%3D\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"thumbnail aligncenter wp-image-408712 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2018\/09\/sub-gp-200.png\" alt=\"Cyber Security Today on Google Podcasts\" 
width=\"200\" height=\"74\" \/><\/a><\/td>\n<td><a href=\"https:\/\/itunes.apple.com\/ca\/podcast\/cyber-security-today\/id1363182054\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"aligncenter wp-image-396720 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2017\/09\/sub-itunes-200.png\" alt=\"Subscribe to Cyber Security Today on Apple Podcasts\" width=\"200\" height=\"74\" border=\"none\" \/><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p data-ar-index=\"2\">In a few minutes David Shipley of New Brunswick\u2019s<a href=\"https:\/\/www.beauceronsecurity.com\/\" rel=\"noopener\"> Beauceron Security<\/a> will join me for a discussion. But first a quick look at what happened in the past seven days:<\/p>\n<p data-ar-index=\"3\"><strong>The parent company<\/strong> of one of Canada\u2019s biggest supermarket chains is still saying virtually nothing <a href=\"https:\/\/www.itworldcanada.com\/article\/reports-swirl-after-parent-of-sobeys-supermarkets-admits-it-systems-issue\/512796\" rel=\"noopener\">about a cyber incident<\/a> that started a week ago today. Is silence golden? David will have some thoughts.<\/p>\n<p data-ar-index=\"4\"><strong>A ransomware attack<\/strong> against Australia\u2019s second-largest private healthcare provider<a href=\"https:\/\/theconversation.com\/a-new-cyber-taskforce-will-supposedly-hack-the-hackers-behind-the-medibank-breach-it-could-put-a-target-on-australias-back-194532\" rel=\"noopener\"> is getting the country angry.<\/a> The government has formed a task force to go after the hackers, and possibly forbid organizations from paying hackers. 
David and I will discuss whether cooler heads are needed.<\/p>\n<p data-ar-index=\"5\"><strong>And we\u2019ll look at<\/strong> a <a href=\"https:\/\/www.itworldcanada.com\/article\/some-in-ontario-broader-public-sector-are-struggling-with-cybersecurity-panel-chair\/513580\" rel=\"noopener\">recent expert panel report on cybersecurity in Ontario\u2019s broader public sector,<\/a> which includes municipalities, hospitals, children\u2019s aid agencies and education institutions. How much and what kind of help do they need?<\/p>\n<p data-ar-index=\"6\"><strong>In other news<\/strong>, a Chinese government intelligence officer was <a href=\"https:\/\/www.justice.gov\/opa\/pr\/chinese-government-intelligence-officer-sentenced-20-years-prison-espionage-crimes-attempting\" rel=\"noopener\">sentenced to 20 years in prison by a U.S. judge<\/a>. He was convicted a year ago for conspiracy to commit economic espionage and other offences for accessing aviation-related information of American companies. He would arrange trips for unsuspecting experts to China to give university presentations. But when he took his guests to dinner, Chinese agents hacked the computers left in their hotel rooms.<\/p>\n<p data-ar-index=\"7\"><strong>Swiss police<\/strong> have reportedly arrested a Ukrainian man wanted by the FBI for heading a cybercrime group.<a href=\"https:\/\/krebsonsecurity.com\/2022\/11\/top-zeus-botnet-suspect-tank-arrested-in-geneva\/\" rel=\"noopener\"> Cyber reporter Brian Krebs said<\/a> the man was arrested three weeks ago in Geneva. He is allegedly head of the JabberZeus gang, which goes after bank passwords of victims. <a href=\"https:\/\/www.cnn.com\/2022\/11\/16\/politics\/swiss-arrest-alleged-ukrainian-cybercriminal\" rel=\"noopener\">CNN says<\/a> this week Swiss authorities agreed he should be extradited to the U.S.<\/p>\n<p data-ar-index=\"8\"><strong>A threat actor<\/strong> has compromised over 15,000 WordPress websites. 
<a href=\"https:\/\/blog.sucuri.net\/2022\/11\/massive-ois-is-black-hat-redirect-malware-campaign.html\" rel=\"noopener\">According to researchers at Sucuri,<\/a> the goal is to redirect unsuspecting visitors of the compromised sites, when they run a search there, to a fake question-and-answer site. Website owners have to regularly scrutinize their code for compromises.<\/p>\n<p data-ar-index=\"9\"><strong>A state-sponsored threat actor<\/strong> is believed to have compromised a digital certificate authority as part of its hacking activities. <a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/espionage-asia-governments-cert-authority\" rel=\"noopener\">That\u2019s according to researchers at Symantec<\/a>. The group, dubbed Billbug, usually goes after organizations in Asian countries. But the researchers worry that the gang could create legitimate-looking digital certificates and use them to sign malware-filled software that any target\u2019s computer systems would then trust.<\/p>\n<p data-ar-index=\"10\"><strong>Google agreed to pay<\/strong> <a href=\"https:\/\/www.itworldcanada.com\/article\/google-to-pay-us391-million-for-misleading-android-users-on-location-tracking\/513415\" rel=\"noopener\">US$391 million to 40 U.S. states<\/a> for misleading users on the amount of location tracking Android did. Users thought turning off location tracking stopped data collection. It didn\u2019t.<\/p>\n<p data-ar-index=\"11\"><strong>Finally,<\/strong> an analysis of websites and applications suggests developers still aren\u2019t writing secure code. <a href=\"https:\/\/news.synopsys.com\/2022-11-15-Synopsys-Research-Finds-Vulnerabilities-in-95-of-Applications,-25-Impacted-by-Critical-or-High-Risk-Vulnerabilities\" rel=\"noopener\">Researchers at Synopsys<\/a> found 95 per cent of the work they looked at had some vulnerabilities. 
At least 20 per cent were high-risk, and another 4.5 per cent were critical.<\/p>\n<p data-ar-index=\"12\"><em>(The following transcript has been edited for clarity. To hear the full conversation play the podcast)<\/em><\/p>\n<p data-ar-index=\"13\"><strong>Howard:<\/strong> We\u2019re going to start with questioning the communications strategy of Empire Group. It\u2019s the parent company of one of Canada\u2019s biggest grocery retailers. Under its brand are Sobeys, Safeway, IGA and other supermarket chains. Two weeks ago Empire said it was impacted by what it called an IT systems issue. But it\u2019s said little else since then. Other reporters and I have left messages asking for more detail, but statements have been rare. The grocery stores are open. On November 7th Empire said some in-store services were functioning intermittently or with a delay. In addition, some pharmacies were experiencing difficulties in fulfilling prescriptions. It now says the pharmacy IT network is operating fully. On Twitter some employees reported seeing ransomware notes on in-store computers. As of Thursday morning, when this podcast was recorded, the company is still saying it is experiencing some system issues. David, is silence golden?<\/p>\n<p data-ar-index=\"14\"><strong>David Shipley:<\/strong> This is going to be a crisis communications lesson for Canadian firms. I don\u2019t think it\u2019s golden. It is a playbook that has been tried before and successfully used, particularly in the public sector, which doesn\u2019t have the same level of accountability as a publicly-traded company that\u2019s a critical part of our food supply chain. I understand all the pressures that they [Empire] must be under. They probably have a legal department that is screaming bloody murder about every single word that they issue to minimize their risk when it comes to their share price. 
They probably have pressure if they have cyber insurance for what they [can] disclose, when and how they disclose it, so they don\u2019t jeopardize their insurance. And I\u2019m sure that really, really hurts. They are probably trying to figure out how and where to message. [But] what exactly do they mean by \u2018confidential data loss\u2019 [<a href=\"https:\/\/www.thestar.com\/business\/2022\/11\/11\/two-provincial-privacy-watchdogs-confirm-sobeys-experiencing-data-breach.html\" rel=\"noopener\">The Toronto Star reports<\/a> two provincial privacy commissioners have been told about a \u2018confidentiality incident\u2019]? Because we\u2019re talking about pharmacies. This might actually get pretty sensitive. So there\u2019s probably a degree of caution. They are probably also very nervous about causing something to flow out of communication that might lead to something \u2014 like we saw in the pandemic: The great toilet paper shortage of 2022.<\/p>\n<p data-ar-index=\"15\">But the reality of really good communications \u2026 is eventually this stuff is all going to come out. You can either draw it out or get in front and own it. <a href=\"https:\/\/www.itworldcanada.com\/article\/maple-leaf-foods-suffers-it-outage-after-cybersecurity-incident\/511986\" rel=\"noopener\">I think Maple Leaf did a great job<\/a> [earlier this month]. You haven\u2019t heard a thing about Maple Leaf in the media since they said, \u2018Yep we had a cyber attack,\u2019 \u2026 because they answered the questions. Now the story is becoming how Sobeys is handling this \u2026<\/p>\n<p data-ar-index=\"16\">I\u2019ve received a lot of private messages from Sobeys employees since I\u2019ve been in the media talking about this, and I got to tell you they are dispirited. They\u2019re frustrated and some are worried about being paid on time. The company told them nothing. They\u2019ve been under extraordinary stress throughout all of this and basically learning about the attack through the media. 
That really, really sucks for them. I think we have to remember that when it comes to cyber security crises our employees are an important audience, and telling them what\u2019s going on, how you\u2019re going to make it right, how you need their help recovering makes them part of the solution. Just leaving them in the dark because you\u2019re afraid they\u2019re going to say the wrong thing \u2014 well, guess what? They\u2019re going to go to Reddit. They\u2019re going to post pictures. They\u2019re going to talk about this stuff anyway. So I don\u2019t think silence is golden. I think they [Empire] just dragged out the pain of this.<\/p>\n<p data-ar-index=\"17\">So Quebec and Alberta\u2019s privacy commissioners have been notified that there\u2019s been a confidentiality leak. Confidentiality leak of Scene points? Confidentiality leak of my detailed pharmacy prescriptions? I\u2019d like to know today, please. They could get ahead of this but instead, we\u2019re just speculating about this chaos, and that\u2019s disappointing.<\/p>\n<p data-ar-index=\"18\"><strong>Howard:<\/strong> But the strategy is working: Stores are open, people are shopping, people may see some inconvenience. But apparently most aren\u2019t. <a href=\"https:\/\/www.cbc.ca\/news\/canada\/nova-scotia\/inside-turmoil-sobeys-ransomware-attack-1.6650636\" rel=\"noopener\">And according to CBC News<\/a> the company has even found a workaround to make sure staff are paid.<\/p>\n<p data-ar-index=\"19\"><strong>David Shipley:<\/strong> I would challenge that it\u2019s working. It\u2019s not like people are just going to stop shopping at Sobeys because they tell them, \u2018We had an incident.\u2019 If anything their stock price would take a hit probably no more than it\u2019s taken already. I really don\u2019t see what they have gained from this silence other than get the media going, \u2018Why do you have to make this so difficult?\u2019 \u2026 This is really important. 
Safeway stores in rural Canada are the only option for a lot of people to get their groceries. [Being more transparent] would engender public sympathy \u2014 particularly if there are shortages or staff are exhausted.<\/p>\n<p data-ar-index=\"20\"><strong>Howard:<\/strong> So is this a new PR strategy that someone has discovered in Canada? A large publicly-traded company can get away with saying virtually nothing for days at a time?<\/p>\n<p data-ar-index=\"21\"><strong>David:<\/strong> It\u2019s not new. We\u2019ve seen this with provincial healthcare cyber attacks, where the entire conversation was shut down under an overly broad envelope of \u2018Security.\u2019 It worked there, and I think it\u2019s a negative trend. I hope more companies follow the Maple Leaf example than this. What they are going to do is force regulators to take more stringent approaches, particularly for publicly traded companies, saying they have to disclose more stuff. We\u2019ve seen this kind of legislation in the \u2018States.<\/p>\n<p data-ar-index=\"22\"><strong>Howard:<\/strong> Let\u2019s move on to ransomware. There\u2019s outrage in Australia after two huge cyber attacks. First, a wireless provider called Optus was hacked in September, and then in October Medibank, which is Australia\u2019s biggest private health insurer, was hit by a ransomware attack after refusing to pay a ransom. Stolen data of over 9 million current and former Medibank customers began appearing this month on criminal websites. One Australian cabinet minister said a task force has been formed to, in their words, \u201chunt down the scumbags.\u201d Is that a reasonable promise, or posturing to voters?<\/p>\n<p data-ar-index=\"23\"><strong>David:<\/strong> I\u2019ve been one of the advocates to release the hounds. We have to impose costs on cybercrime, and that can\u2019t just happen by being defensive and pouring money in. We\u2019ve got to disrupt the operation of gangs. 
The Americans did this very successfully after the Colonial Pipeline ransomware attack. I\u2019m not saying that this is going to result in a bunch of Russian organized criminals being marched into a courthouse in Australia, and that\u2019s not what they\u2019re saying, either. They\u2019re saying, \u2018We\u2019re going to ruin your stuff. We\u2019re going to leak your tools. We\u2019re going to disrupt as much of your operations as we can. We\u2019re going to cause you chaos.\u2019 I think it is good to start throwing punches back at these groups. It will send a signal. And I don\u2019t think it\u2019s going to be great for Canada right now. Threat actors may say, \u2018Let\u2019s plant our flag there for a while.\u2019<\/p>\n<p data-ar-index=\"24\">I think it\u2019s important we point out that it\u2019s outrageous what the Medibank criminals did. The first file they posted [to the dark web] was about people who had abortions, then they posted information about mental health. These [attackers] are awful, awful people to do that. I think the Australians are mad as hell and they\u2019re not going to take it anymore. Good for them.<\/p>\n<p data-ar-index=\"25\"><strong>Howard:<\/strong> I\u2019m not sure whether ransomware gangs would necessarily turn their sights on Canada. <a href=\"https:\/\/www.itworldcanada.com\/article\/breaking-news-canadian-police-arrest-suspected-lockbit-ransomware-gang-operator\/512608\" rel=\"noopener\">A week ago Canada arrested someone who they believe is deeply involved in ransomware,<\/a> and they\u2019re apparently getting ready to be extradited to the U.S. for trial.<\/p>\n<p data-ar-index=\"26\"><strong>David:<\/strong> If you\u2019re dumb enough to be a ransomware affiliate in Canada and hitting Canadian and American folks \u2026 you\u2019re going to get nailed. 
Admittedly, it took a while for the law to catch up<a href=\"https:\/\/www.itworldcanada.com\/article\/canadian-sentenced-for-his-role-in-netwalker-ransomware-attacks\/472760\" rel=\"noopener\"> with the IT worker from Gatineau<\/a> who made himself $30 million \u2026 But to gangs that operate outside of Canada I would say we look like a pretty ripe target.<\/p>\n<p data-ar-index=\"27\"><strong>Howard:<\/strong> Australia\u2019s minister responsible for cyber security is talking about banning organizations in that country from paying ransomware gangs, I guess in the hope that the crooks will, I don\u2019t know. Will that make crooks give up?<\/p>\n<p data-ar-index=\"28\"><strong>David:<\/strong> If they know that there\u2019s no reasonable prospect of being paid it might force them to shift to other jurisdictions. I have talked about this before: I generally hate that we pay ransoms. I can understand in certain circumstances \u2014 an attack against a health care system, the loss of decades worth of irreplaceable medical research from a Canadian university \u2014 there foreseeably is no other choice but to pay. But for a lot of other use cases, no. They could recover. The city of Saint John, New Brunswick is a great example. <a href=\"https:\/\/www.cbc.ca\/news\/canada\/new-brunswick\/saint-john-cyberattack-records-1.6252873\" rel=\"noopener\">They took their lumps and rebuilt.<\/a> There may be some room for legislation that if not outright bans payments \u2026 Keep in mind we\u2019ve seen some precedent from the Americans that you can\u2019t pay ransomware groups that are on terrorist financing lists. The other thing that could be a really good disincentive is saying if an organization has to pay it has to get government approval and it\u2019s got to be made public.<\/p>\n<p data-ar-index=\"29\"><strong>Howard:<\/strong> We talk about governments going after the crooks and forbidding companies from paying ransoms. 
Shouldn\u2019t the conversation be around all the things that organizations can and should be doing to blunt the impact of ransomware attacks? You know, there\u2019s been no explanation of how Medibank attackers were able to access data on over 9 million customers. It sounds to me like that data wasn\u2019t encrypted, wasn\u2019t segmented and maybe they didn\u2019t have very good password control.<\/p>\n<p data-ar-index=\"30\"><strong>David:<\/strong> I don\u2019t think this is an either-or conversation, though I think we can have really good legislation that imposes cyber hygiene standards. I will give a shout to the province of Quebec for their work in having the most robust privacy and data protection laws in the country. Quebec\u2019s also done a great job of having a ministry of cybersecurity to send a signal that cyber security matters, and it matters to the most senior leadership of the province, and it expects that to be reflected in the corporate private sector as well. This is where<a href=\"https:\/\/www.itworldcanada.com\/article\/designated-canadian-firms-would-have-to-report-cyber-breaches-under-proposed-law\/488372\" rel=\"noopener\"> Canada\u2019s Bill C-26<\/a> is off the mark by only concentrating on four critical infrastructure providers. That wouldn\u2019t count Sobeys, so maybe we should go back and rethink that one. We can have good legislation that helps people understand what we expect from a due diligence defense. But let\u2019s remember even if you do all the right things you can still have a very bad day if the threat actors are really lucky. 
So if you absolutely have no choice but to pay the ransom, that\u2019s okay \u2014 but you\u2019re gonna have to tell people you paid.<\/p>\n<p data-ar-index=\"31\"><strong>Howard:<\/strong> I\u2019ve reported here before that I covered a recent cyber security panel that involved police in Canada and the United States and they want victims of cybercrime \u2014 especially ransomware \u2014 to contact them so that they can get as much information as they can to help them go after crooks. At the Aspen Cyber Summit this week in the United States a Justice Department official said Washington is having increasing success in helping victims who report ransomware attacks, and that includes sometimes getting the cryptocurrency back that they paid to hackers, shutting criminal cryptocurrency exchanges and getting foreign countries to arrest suspects.<\/p>\n<p data-ar-index=\"32\"><strong>David:<\/strong> Which is awesome. That goes back to mandatory cybercrime reporting across the entire Canadian public and private health sector to a single source \u2014 including, \u2018Yeah, we paid the ransom, here\u2019s the bitcoin address, let\u2019s see what we can get back.\u2019 \u2026 Please do contact your law enforcement and tell them when you\u2019ve paid the ransom so that we can fight back.<\/p>\n<p data-ar-index=\"33\"><strong>Howard:<\/strong> The final item we\u2019re going to look at today is the strain of cyber attacks on municipalities, school boards, hospitals and children\u2019s aid societies and how they can be helped. These are called the broader public sector. This week I interviewed the chair of an Ontario expert committee that looked into the state of cyber security in the broader public sector. Robert Wong told me that the situation is bad in some organizations, particularly the small ones with limited revenue and therefore little or no IT support.<\/p>\n<p data-ar-index=\"34\"><strong>David:<\/strong> It\u2019s an epidemic. 
The data shows just how small municipalities around the GTA [Greater Toronto Area] over the last five years have been hammered. And we\u2019ve seen data coming out of the U.S. from the education sector showing ransomware attacks in particular against public education were up 56 per cent. Municipalities have just been robbed by these criminals there. This is not going to change because organizations in these sectors have lean IT budgets. They don\u2019t have a ton of money to invest \u2026 I think there\u2019s an absolute call to better co-ordinate across these sectors within provinces. Sectors can collaborate: The Canadian higher education sector under the leadership of <a href=\"https:\/\/www.canarie.ca\/cybersecurity\/cip\/\" rel=\"noopener\">CANARIE<\/a> and working with groups like <a href=\"https:\/\/www.orion.on.ca\/products-services\/cybersecurity-products-and-services\/ontario-cybersecurity-higher-education-consortium-on-chec\/\" rel=\"noopener\">ORION<\/a> have done cross-sector projects like DNS firewall and other things. They\u2019ve done the CanSOC project, a shared Security Operations Center across numerous universities with a shared threat feed. So I think there\u2019s great precedent to ask how do we collaborate? Even in my province of New Brunswick many municipalities there are too small to stand up their own SOCs.<\/p>\n<p data-ar-index=\"35\"><strong>Howard:<\/strong> The Ontario expert panel made a number of recommendations. The main ones are that the province should create a single body to oversee cybersecurity efforts across the entire broader public sector. It wouldn\u2019t quite be a regulator but it would demand accountability in the form of regular reports from institutions that they have cybersecurity plans. The board would set cybersecurity standards and be a source of best practices. 
Sectors would have some flexibility to solve the problems that affect, for example, only school boards.<\/p>\n<p data-ar-index=\"36\">Second, these organizations would have to create common cyber security risk operating models based on the National Institute of Standards and Technology (NIST) cyber security framework. One advantage is all municipalities could talk to each other in a common risk language, and of course municipalities could talk to, for example, school boards and hospitals as well. Third, the province should encourage these institutions to create shared cyber IT services, like the one you just mentioned. Fourth, there should be a threat intelligence sharing platform for these sectors, and fifth, the province should look at creating some sort of public-private cyber insurance program for the broader public sector.<\/p>\n<p data-ar-index=\"37\"><strong>David:<\/strong> Amen to the shared services. Let\u2019s have a real, honest conversation about what this cyber insurance is actually going to look like. I think you absolutely have to have that common risk language and a baseline before the province says, \u2018Here\u2019s your insurance backstop.\u2019 The reality is the insurance industry in Canada is losing 100 to 300 per cent of its cyber insurance premiums to payouts this year. And let\u2019s be honest, it\u2019s [mainly from] the public sector. It\u2019s been hemorrhaging from these attacks, so it\u2019s getting really, really hard for hospitals, schools and municipalities to get cyber insurance. That\u2019s going to have to get backstopped by the province, and I think Ottawa has a role to play \u2026 This is a national security issue.<\/p>\n<p data-ar-index=\"38\">Having a common security language based on NIST makes a lot of sense.<\/p>\n<p data-ar-index=\"39\">It\u2019s about incrementalism: We are not going to go from the state of cyber chaos we\u2019re in right now to a cyber utopia in five years. 
This is going to be a decade-plus effort, and it\u2019s going to require investment. It\u2019s yet another infrastructure debt that we\u2019re going to have to handle \u2026 You know there\u2019s one thing that keeps me awake at night: I used to fret a lot about municipalities being in charge of the water supply. But someone on the critical infrastructure side of things told me it\u2019s a lot harder to mess with water than you think. But, the person added, a sewer is a lot more damning because once you screw up a sewage system it doesn\u2019t take long before it really can spread communicable diseases. So we\u2019ve got to get moving on this. But I\u2019d be cautious that we look at insurance as basically a disaster backstop. Without doing the hard preventative long-term investment \u2026<\/p>\n<p data-ar-index=\"40\"><strong>Howard:<\/strong> One thing Robert Wong said to me was the solution is not to throw money at towns and children\u2019s aid societies. He said cybersecurity starts with governance. Which means it starts with executives. If there\u2019s a will then money will be found, he said.<\/p>\n<p data-ar-index=\"41\"><strong>David:<\/strong> I don\u2019t necessarily agree with that. We work with a lot of these groups and their executives are scared. They\u2019re mayors, and their city councils are talking about this but they don\u2019t know where to get started. And keep in mind the talent shortage [of cybersecurity workers]. It\u2019s about money and people. 
The broader public sector needs to be supported by showing how to build a governance plan, how you build a staffing plan, here\u2019s what shared resources you can access, here\u2019s how an IT project approval process could work \u2026 When you think about these children\u2019s aid societies, it\u2019s not like they\u2019re flooded with cash right now, and they\u2019re doing really, really important work for the most vulnerable in society, and they can\u2019t afford to take on an extra 10 to 15 per cent cost on the IT side to properly secure themselves.<\/p>\n<p data-ar-index=\"42\"><strong>Howard:<\/strong> One recommendation is these public sector organizations have to appoint a senior official responsible for cyber security.<\/p>\n<p data-ar-index=\"43\"><strong>David:<\/strong> I agree, because if no one\u2019s responsible for IT it\u2019s not going to get done. But they need to have a chief information security officer. Maybe it doesn\u2019t need to be a full-time position. Maybe you could share a CSO across a couple of small municipalities. Again, this has been done very successfully by Ontario universities. And they have a dual reporting responsibility back to the CIO, but they also report back to council. That way you\u2019ve got really good checks and balances and transparency.<\/p>\n<p data-ar-index=\"44\"><strong>Howard:<\/strong> The province of Ontario says it accepts the recommendations. I\u2019m not sure whether it means they agree with all of them. 
But it hasn\u2019t put forward a timeline for implementing them.<\/p>\n<p data-ar-index=\"45\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-november-18-2022\/513936\">Cyber Security Today, Week in Review for Friday, November 18, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion on ransomware, how companies should publicly respond to cyber attacks and an Ontario report on helping organizations in the broader public sector face cyb<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389,392,721],"class_list":["post-31504","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today","tag-ransomware","tag-sobeys"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=31504"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31504\/revisions"}],"predecessor-version":[{"id":31589,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/31504\/revisions\/31589"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=31504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"htt
ps:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=31504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=31504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}