Canadian Government Entities Under Scrutiny for Lax Cybersecurity

Canada’s government sector is increasingly coming under scrutiny for lagging privacy and security, both in legislation and in practice.

 

In a sign of the times, figures released in February to the House of Commons reveal that the personal information of at least 144,000 Canadians was mishandled by federal departments and agencies, including the Security Intelligence Service and Department of National Defence. The breaches were widespread, impacting over 10 separate departments and agencies, with evidence indicating that these figures are being underreported due to inadequate reporting requirements. The Canada Revenue Agency led the pack with 3,020 identified breaches over the last two years impacting at least 59,065 Canadians.

 

Helical’s offerings meet the “Baseline Cyber Security Controls for Small and Medium Organizations” published by the Canadian Centre for Cyber Security and can be scaled up according to need.  You can learn more about how we meet these requirements here or for more information about Helical, visit our website.  


IT Projects & Black Swans

Have you ever been involved in an IT project that was difficult and resulted in a less than optimal outcome? I still joke about being a survivor of a large-scale IT implementation project. That was more than ten years ago and the memories are still fresh and painful. That is not to say that all IT projects end in disaster and I have seen a number of IT projects succeed in my career. Still the stigma remains and there is ample anecdotal evidence in the workplace that IT projects are particularly prone to failure.

Does this belief hold up under more rigorous scrutiny? According to Oxford University professor Bent Flyvbjerg, who has spent his career studying this subject, IT projects are actually not the worst type of project. He found that globally, across all industries, the percentages of projects that come in over-budget are:

  • 50% of IT projects
  • 60% of Energy projects
  • 70% of Dam projects
  • 90% of Olympic Games[1]

So only half of all IT projects come in over-budget. That somewhat mixed news for IT projects is tempered, however, by the obvious fact that IT projects are much more prevalent. IT projects are happening every day in organizations all over the world while large energy projects, dams and Olympic games are much fewer in number and less frequent.

In another study, Flyvbjerg and his colleague Alexander Budzier focused solely on a sample of almost 1,500 IT projects.[2] The projects in the study included enterprise resource planning, customer relationship management, document management, and other management information systems. Many of the projects looked at were in the US public sector, but surprisingly the results showed little difference when compared to projects in the private sector or other locations around the world.

Here is what they found:

Average IT project cost overrun is 27%

While that average might not seem alarming, what they were startled to find, and what that average was hiding, was this reality:

1 out of 6 IT projects had cost overruns of 200%

1 out of 6 IT projects had a schedule overrun of 70%

That means nearly 17% of all IT Projects are nightmare projects or what they call “black swans”.[3] Using a term popularized by best-selling author Nassim Taleb, black swans are “high-impact events that are rare and unpredictable but in retrospect seem not so improbable”.

There are many reasons for this high rate of IT project black swans but Flyvbjerg and Budzier point out a common finding was that sales and product development engineers and managers often have less than adequate skills in implementing the technology itself.  

The end result of these IT black swans is usually the same: increased financial pressure, reputational damage, and often loss of jobs, particularly those deemed responsible for the project. If a private sector organization is already weak before the black swan, the black swan IT project can often be fatal to its very survival. In the public sector, the organization survives but the public is left to pay for the mistakes through additional tax burden.       

To avoid becoming the next IT black swan case study, Flyvbjerg and Budzier say that we should always assess our organizational readiness through a 2-part stress test before beginning our next large IT project:

1. Can the organization afford the cost if our largest IT project goes over-budget by 400% or more and if only half the benefits are realized?

2. Can the organization absorb the impact of having 17% of all our medium sized IT projects coming in over-budget by 200% and missing the project deadline by 70%?

These scenarios seem far-fetched when viewed at the outset of the latest IT project but the records show they happen all too often and no organization or industry is immune.  

As I said at the outset, many IT projects do succeed coming in on-budget and on schedule. According to Flyvbjerg and Budzier, the IT projects that are successful all share these common 7 key characteristics:

1. Stick to the schedule
2. Avoid scope creep
3. Break the project down into manageable pieces
4. Have the right people
5. Minimize turnover of team members
6. Align with business needs
7. Focus on a single objective and measure all activity against that target

  

  


[3] Nassim Taleb, “The Black Swan: The Impact of the Highly Improbable”, Random House, 2007


How Do I Set up a Webinar? Productivity Tools to Help

muniSERV’s professional members know that as part of their membership, we advertise their webinars directly to our municipal members. We know it’s hard to get past municipal gate-keepers so what better way is there to increase your visibility and credibility with municipal decision-makers, than with a webinar?

 

And our municipal members love webinars – particularly the free Lunch & Learn type webinars.  We know this because our open and click-through rates for our newsletters are consistently higher than the industry average rates.   

 

To be successful, though, your webinar must be educational and address a topic of interest to municipalities. Municipalities won’t register for your webinar if they think it’s just about “selling” your product or service.

 

Here’s What Our Members Say

 

“At Emergenetics we are always looking for strong, credible partners as we build our international brand in Canada and I have loved partnering with muniSERV and muniJOBS.  

I am continuously impressed by the outreach opportunities we receive with our muniSERV membership, the response we receive to our webinars and the quality of the audience it attracts.”

Gail Green, President – Emergenetics Ontario  April 2019

 

Ideas for Webinars

 

If you sell risk management software, provide some educational – or even scary statistics and inform municipalities on ways to mitigate online losses.

 

If you sell HR services, speak to the importance of performance reviews and what led you to develop your solution.  You can even provide a sneak peek of your solution with a quick demo – but again, it must be delivered as a solution to the problem you are educating them on and not just a sales pitch for your services.

 

Here’s where I feel a bit hypocritical though. I know the value and the power of providing webinars (that’s why we encourage our members to do so), but I confess, that while I have co-sponsored some webinars, I have never actually set one up myself.  (because shamelessly – I don’t know how to do it!)

 

So, in order for me to help you I had to help myself by learning how to conduct a webinar.  Here are some tricks and tools I learned along the way.

 

Webinar Tools

Your webinar can be as basic as creating PowerPoint slides and delivering a webinar by using remote conferencing services that use cloud computing, such as Zoom or JoinMe.  

 

I use Zoom to share my screen and provide online demos of muniJOBS.  While I pay the annual fee for Zoom, you can use many of their features for free. However, their specific webinar service comes at an additional cost.

 

If you want folks to register for your webinar (and you will so you can gather leads), you will need a way to handle the registrations even if registration is free.  There are many registration tools available, but one I’m familiar with is Eventbrite.

 

To create and deliver webinars you may want to consider using specific webinar software.  Here’s an article by Joe Warnimont for codeinwp, that summarizes and compares the Best Webinar software of 2019.  

 

Once you’re ready to start creating your webinar content, these Six Tips for Success are a great guideline to follow.  Don’t forget to engage your audience with a poll, some direct questions or an icebreaker to make it interactive and fun.  There’s nothing worse than listening to a “talking head”, with no opportunity to provide input or ask questions!

 

Also, be sure you turn off any chat windows and on-screen notifications that could (and will) pop up while sharing your screen.

 

And finally, be prepared with extra batteries for your wireless mouse and a fully charged headset – because we’re all well aware of Murphy’s Law!


Using Technology to Expand Municipal Capacity

Transparency in politics has become a hot-button topic, especially over the last five years. Government mistrust is at a peak and people are demanding answers and access to information. Voters’ call for transparency was evident in this past federal election of a minority government. Federal and provincial politics are having an influence on how municipalities operate. Most municipalities are the principal point of contact for the average citizen, which forces them to adapt faster than what’s been happening at the provincial or national level.

The Government of Canada is committed to being an open government, which they believe can be achieved through three streams: open data, open information, and open dialogue. The goals are to empower citizens, fight corruption, and strengthen technology, which helps overall governance. Providing citizens with these three streams will allow government to create trust and accountability. Once data is openly available, citizens will be informed and educated. With the rise and access of new technologies, governments can combat these problems and secure public confidence. It’s the government’s responsibility to enable technology to combat these concerns.

At the local level, many municipalities are adhering to these three streams far better than their national counterparts. They are posting their bylaws, procedures, meeting minutes and agendas online, so their constituents are informed and up to date. In fact, some municipalities are going as far as taping council meetings so there’s full disclosure and little room for mistrust.

To read the full BLOG click here!


North Carolina County loses Millions to Business Email Compromise and Phishing


Written by Michael Castro, vCISO and founder of RiskAware

Late last year, Cabarrus County in North Carolina fell victim to a crafted email asking to change banking information for a contractor with whom they had started business earlier that year. Within 3 weeks, the County had sent more than 2.5 Million dollars to who they thought was their contractor. It wasn’t.

It took a few more weeks to discover that they had been compromised. When the dust settled, the County was able to recover some funds, including a mere $75 000 from insurance, but even now, more than 1.7 Million remains unaccounted for.

Last year, losses to business email compromise topped 1.2 Billion dollars. As such, it is clear how an easy scheme can net quite large returns, and why it is so popular amongst cyber thieves.

Just the month previous, the city of Griffin in Georgia lost $800 000 in a compromise scheme.

Email as a process is not enough to deal with impersonation email, email fraud and wire transfer processes. Municipalities need to build new processes with checks in place to prevent the easy route of email compromise and fraud. Changes to accounts payable processes, proper cybersecurity planning and education can all greatly improve the chance of such a scheme being caught before any money is lost.

Municipalities should also consider bringing in cybersecurity experts to help with governance, compliance and process models that go beyond technical security controls and systems. For those government groups that have smaller budgets set aside for cybersecurity, a fractional or virtual Chief Information Security Officer (vCISO) is a good resource to help plan and build a more resilient cyber presence within the budget and capability of the municipality.

RiskAware is a boutique Cybersecurity firm, specializing in Security Governance and Strategy, assisting organizations of all sizes with security and risk advisory services and security-on-demand capabilities. RiskAware and its founder Michael Castro also provide fractional CISO services.

RiskAware can be contacted at [email protected] or visited at www.riskaware.ca

 

 

 


What is the difference between LEADERSHIP and MANAGEMENT?

In short: leaders create risk, and managers reduce it.

LEADERSHIP ANTICIPATES THE BEST OUT OF PEOPLE, AND MANAGEMENT ANTICIPATES THE WORST. While leadership invites others to follow, management ensures the followers are following.

Leadership is the act of inviting others to a new and better future.  A leader inspires and creates change by casting a vision of a destination that is different, better, and achievable.

Management is ensuring that things happen by creating, communicating, and monitoring expectations. It tracks individual people to see that they perform as expected, as opposed to inspiring a number of them.

Leadership skills can be summarized as those skills relevant to interacting with large groups of people, and to inspiring and creating vision. Conversely, management skills are those which are relevant to interacting with individual people, and to specifying and monitoring performance.

Many of the skills required to lead people are also the ones used to manage people. However, the expression of these skills can be significantly different.  For instance, a leader needs to effectively communicate to be compelling and inspirational, and a manager needs to effectively communicate to be precise and personal.

Because of the skillset overlaps between management and leadership, it is quite possible that a single person assumes either of these roles.

 

Want to learn more about leadership?  Check out EVERYTHING YOU NEED TO KNOW ABOUT LEADERSHIP.


Smiling is Contagious. Try it!

It has been a spring that many will say there was nothing to smile about. It was cold, rainy and dark. From all the rain we have beautiful green lawns and flowers starting to bloom. Again there are many people in parts of the world that are not smiling with all the rain causing flooding and destruction. I wanted to take this opportunity to write about smiling and how contagious it may be in our workplace and for our clients.

Some people are always smiling, cheerful, and they seem to brighten up a room. Their positive attitude and gusto are identified by those they come in contact with. Moreover, we have all encountered those who have the opposite effect on people: the “doom and gloom effect.” We often refer to one’s attitude, and yet what is that? It is your mental state or the position you take regarding life.

Zig Ziglar once said, “Your attitude, not your aptitude, will determine your altitude.”  If you take the word “OPPORTUNITYISNOWHERE,” some people see the “no where” while others see “now here.” So is the glass half empty or half full? Often the difference between success and failure is not linked to how we look, how we dress, or how much education we have; it is based on how we think!

Great leaders share the same thought; knowing that a positive attitude is contagious. As leaders, it is vital that we display a positive mindset daily. After all, if we expect our employees to express positive attitudes, we should model such behaviours for them to see.

Each day we have a choice of whether we elect to display a positive or negative attitude. Daily, we encounter negative attitudes at work and in our personal lives. If you remain positive amongst pessimism, you can be contagious.

Sometimes it is not that easy. I have found some tips I would like to share to help you be positive from “Attitudes are Contagious. Is Yours Worth Catching” by Patti Wanamaker.

  • Be enthusiastic – people love to be around enthusiastic people. Enthusiasm is contagious and draws others to you like a magnet.
  • Associate with positive people – if you want to stay positive, stay away from people that drag you down. Associate yourself around like-minded people.
  • Smile – smiling makes it all better. Smiling releases endorphins and serotonin, which are known as the feel-good hormones. It is a lot easier to adopt a positive attitude when you feel good!
  • Change your thoughts – positive thoughts lead to a positive attitude, while negative thoughts lead to an adverse reaction.
  • Stop complaining – limit your complaints. Whining and griping about anything and everything will not create a positive attitude. When you are complaining, you are spreading negativity.

  • If you want more success in your leadership role and to have a positive impact on your employees, then make sure your attitude is worth catching.

Many of you are thinking, what is there to smile about, and why maintain a positive attitude when there is doom and gloom around us? Research has shown that there are health benefits of smiling in the workplace. We are dealing with conflict, mental health issues and have difficult situations arising every day as we manage our workplace. Interestingly, many years ago, it was declared that “the smile is the best medicine for the happiness of humanity.” Later scientific research explained the effects and physiological benefits of smiling for a healthier life. Smiling can be beneficial in dealing with illness, pressures of everyday life and stress at work, and smiling can even substantially change the quality and forecasts of our lives.

Would life not be better if people smile regularly? I think smiling every day would keep you away from the doctor and feeling self-confident. Try these:

  • By smiling, we can reduce the level of stress hormones. Smiling helps us to increase the number of antibody-producing cells and improve the effectiveness of other cells.
  • Smiling is good for our general health. Smiling 100 times is equivalent to ten minutes of rowing or cycling in fifteen minutes.
  • Sometimes we just want to laugh or cry. That means you want to release all the pent-up feelings in your head, making you feel both physically and mentally better. So to reduce anxiety, smile often, even when you are not happy. Smiling at others will, in turn, help them be happy.
  • Smiling can take you from being angry, stressed, feeling guilty, and negative to putting you in a more favourable frame of mind. Smiling will make you change yourself and improve your attitude and thinking toward other people for the better.
  • When people can view an event that may be frightening as funny, they may be able to feel more content and see the events occurred just merely as a “challenge” in life, rather than a threat.

There are times when smiling and laughter can be contagious. If you smile more, then you can make other people around you also smile more. So by smiling yourself, you can reduce the stress levels of people around you and change their moods. Maybe even improve the quality of social interaction, and reduce your stress level as well.

They say that optimists have a stronger immune system and can fight disease better than the pessimists. There is a link between a positive attitude and good health, which is measured in many different ways. In general, researchers have discovered that optimistic people are more healthy, and they have a stronger immune system.

According to the British Organization of Dental Health, a smile has the same level of stimulation as eating 2000 chocolate bars.

A smile does not cost you a cent, and it is easy to spread. A recent study showed that preschool children laugh 400 times a day, but by the time we reach adulthood, we just laugh an average of 17 times per day.

So take the challenge and smile more often and find things in your lives that you can laugh about.

Stay great and healthy.

 

Monika B. Jensen PhD is Principal of the Aviary Group and can be contacted by email at [email protected]

 


Cyber Attacks & Municipalities: A Tale of Two Communities

“There are only two types of companies: Those that have been hacked, and those that will be.”

Robert Mueller, FBI Director, 2012

Executive Summary

In 2018, many municipalities in North America fell victim to cyber-attacks, and in particular ransomware. This study reviews two municipalities, Atlanta, Georgia, and Wasaga Beach, ON, both of which were impacted as a result of a malicious attack on their networks.

Atlanta

Atlanta (pop. 486 000) was hit in March 2018 with a cyber-attack through ransomware. A ransom of $51 000 USD was demanded but not paid. Over the next few days, critical systems and activities were taken offline as city staff struggled to regain access to systems. Impact included:

  • Public Wi-Fi disabled
  • 30 mission critical applications disabled
  • 8 000 employees were unable to access their email or networks for days
  • Citizens were unable to pay fines or parking tickets
  • Forms had to be completed by hand as systems restored
  • Many official documents were not recoverable

Final tally was close to $10 Million, including costs for additional contractors, system upgrades, new technology and computer replacement.

Wasaga Beach

Wasaga Beach (pop. 21 000) was hit in April 2018 with a similar type of ransomware attack. Initial demand for close to $150 000 was reduced to $35 000 and paid by the municipality. Despite this, the town was impacted for weeks even with recovery efforts.

Impacts included:

  • Government data inaccessible for weeks
  • Systems had to be re-imaged and rebuilt
  • Payroll systems hampered

Final tally close to $252 000, including $50 000 for consulting, $160 000 for lost productivity and overtime, system upgrades, new technology and computer replacement. Some costs carried into 2019 Budget Year.

How to be Prepared in Your Municipality

While Atlanta and Wasaga Beach are different sizes, they both suffered similar negative impacts due to a malicious attack, and having inadequate preparation for the type of attack that hit each separately.

Being prepared begins with a proper security risk assessment and review of the security practices and processes currently in place. Assessments should typically review such areas as:

  • Technology in place for security controls
  • Policies and standards related to Information Security
  • Training and awareness in place with staff
  • Incident Response plans
  • Disaster Recovery Plans 

Municipalities should also consider:

  • Training for IT staff on cybersecurity
  • Cyber Insurance
  • Testing and training of staff on cybersecurity issues
  • Use of third parties with cyber specialization to complement skillset of internal team.

Conclusion

Cyber attacks can be indiscriminate and attack all levels of companies, including municipalities large and small. However, they can also target municipalities, due to limited IT budgets, strained technical resources and small, if any, dedicated security personnel.

Municipalities should take proactive measures to prepare for cyber-attacks and reduce the impact and likelihood of financial costs and loss of services.

“The effectiveness of one’s security program belongs to those who see the possibilities before they become obvious.”
Michael Castro, 2018

RiskAware is a boutique Cybersecurity firm, specializing in Security Governance and Strategy, assisting organizations of all sizes with security and risk advisory services and security-on-demand capabilities.

RiskAware can be contacted at [email protected] or visited at www.riskaware.ca

 


Cyber Security and Municipalities: Balancing Risk and Budget

Weak or nonexistent cybersecurity programs represent a massive organizational risk for municipal government agencies across North America, and of course Canada. Municipal leaders are often unaware of these risks because they assume that security is addressed or believe that a threat is minimized as a public sector organization.

In 2018, reports from three Ontario municipalities, one in BC and one in Quebec surfaced. All involved ransomware, and all adversely impacted the operations and privacy of their records, as well as their constituents. Each also had a financial impact on the municipalities, as each had to work to eradicate the malware, recover data or pay ransoms.

While ransomware attacks are often indiscriminate and are about disruption, other attacks are imminent that also hinge on weak security measures and experience. Theft of data from the public sector is valuable and should not be overlooked. Land deeds, mortgage information, birth and death records, SIN numbers and more, all constitute Personally Identifiable Information (PII) and all can equate to valuable dollars to those who can use them for further criminal activity.

Municipalities need to be looking at various areas to shore up cyber security for their offices and staff and help reduce the risk associated with these threats. Actions can include, but are not limited to:

- Developing a cyber security strategy to combat threats and understand security posture

- Implementing technology and security tools to handle threats as they emerge

- Awareness training for staff to help know when threats like phishing email are present

- Developing an information security policy for all staff to follow

Cyber threats are a multi-billion-dollar industry for cyber criminals. Municipalities are not immune to the threats that are present every day. Each municipal leadership team should look at their own areas and determine what steps need to be performed.

In the end it is not IF a cyber attack will affect them but rather WHEN and HOW impactful it will become.

 

Interested in an assessment or virtual CISO services? Feel free to drop a line.

 

Michael Castro

Founder and Principal, RiskAware Group

[email protected]   www.riskaware.ca

 

 

 


Top 4 Considerations to Save Money When Improving Citizen Services

By checking your own internal bias you stand a better chance of finding the best solution

We all want to better our citizens’ services but, when pursuing this goal, what can we do to ensure we are spending the right amount of money on the right plan?  The only way is to look at your citizens, your goals and what you currently have to achieve the right balance between spend and results.

Here are four areas you should consider to make sure you are getting the most for your money.

1. Understand first.

  • When creating any plan, the first action should be to understand the needs and wants of your target. Not all people will have the same issues as you. The only way to know is to ask your citizens, listen intently and believe them. This is particularly true when you think you have solved certain issues already.

  • In modern agile technology development, the practice is to rely on the “voice of the customer”. This is to ensure when the product is complete it meets the needs expressed by the potential buyer. The same is true in finding the best solution for your citizens.

  • Remind yourself that you are not the citizen. Assume that you do not really know anything about your citizens’ needs. This way you will not try to prove your bias right or dismiss some expressed citizen needs as “not important” or “already solved”.

2. Look at what you have today.

  • Look at the processes you have today that are at the heart of any of the issues identified by your citizens (e.g. a citizen is not notified when an issue is fixed – perhaps because a work order is lost after a job is completed so there is no record of it being closed). Ask yourself what vehicles, tools, and processes you are using to meet your “citizen service goals”.

  • Are you using your website to get information out? Do you have posters in community gathering spaces? Do you have a section every week in the local paper? Do you have a CiRM or a spreadsheet to track issues? Do you have a written policy that helps all staff to address citizen issues quickly? Do any of these create or solve the issue expressed by your citizens? These types of questions are key to success.

 

3. List all potential solutions.

  • Improving citizen services may not require buying new hardware or software and spending a bundle on installation and configuration. A successful solution, regardless of how great it is, may very well need to be coupled with bettering an internal process. Or maybe it is a simple matter of increasing the awareness of your website or creating posters to inform citizens about how you do things and why. It might also be possible to improve services by repurposing technologies that you already have in hand (e.g. using your CRM in a unique way or changing access permissions so more people can answer the questions posed by citizens).

  • Listing solutions should not be an excuse to try to make current software do things it was not meant to do. Look at the process you want to have first, then find the solution that best fits it.

  • Do not be afraid to look at human resource factors. Maybe the answer is to better train staff in citizen resolution or conflict management (customer service skills). Maybe you need to ensure that all staff members know your policies and how they should be implemented.

4. Consider technology solutions by task, not product name.

  • List your “service goals” and rate the importance of each one. The best way is to break down your list into the following columns: “must have”, “good to have” and “nice to have”.

  • If you think that technology might solve some of the issues, list only the “service goals” you want your software to address, i.e. not what features or what brand will be the best solution.

  • Remember the technology may not need to be citizen facing to increase satisfaction. It might just enable an improvement in your processes to offer better, faster and more reliable citizen services.

If you consider these four areas, you will likely find a solution that best fits your budget, and that will have the largest impact on your citizens. By checking your own internal bias, you stand a better chance of making sure the right process, tracking and communication methods (internal or external) are part of your change, and the costs may well be less than you thought.

At AccessE11 we understand that paper systems and endless email chains are not productive when it comes to citizen services and support. There are too many opportunities for an issue to fall through the cracks, or for delays in responses to issues.

We promote instilling processes that make sense and that are easy to adopt so that everyone in the municipality can become a citizen support expert.  Please visit us at www.accesse11.com to find out more.
