Five Good Ideas
Five Good Ideas about security and justice
Published on 28/05/2019
Exponential technology changes mean that almost everything that we know will be radically altered in the next 10 to 20 years – this includes our basic understanding of “security and justice” in the Fourth Industrial Revolution. While we can’t imagine being without our everyday technology, like our mobile phones, smart speakers, and computers, many of us are also experiencing the threats that these exponential technology-driven changes can bring to our lives. In this session, Peter Sloly, a security and justice thought leader, explores how you and your organization can be more secure while also advancing a more just and sustainable society.
Five Good Ideas
- Understand that your business has a spectrum of threats for the spectrum of operations
- Identify and prioritize your business assets (both physical and data/digital)
- Assess the threat risks to your priority assets – and plan for those risks
- To be cyber safe (at work and at home), you have to invest in these three areas: be secure (prevent), vigilant (monitor), and resilient (respond)
- Understand that cybersecurity and physical security go hand in hand
Resources
- Canadian Centre for Cyber Security
- Small Business Cybersecurity Corner
- Millennial Digital Native Ritesh Kotak
- Digital Citizenship: Guide for Parents
- Deloitte Cyber Risk Services
Full session transcript
Thanks folks for the warm welcome and for the kind words, Liz. There is only one falsehood in what Liz said earlier on. It wasn’t so much an ask, she threatened bodily harm against me if I didn’t accept. This is why it is the second time that I am here. But who could say no to Liz or to any of the McIsaac clan I guess is the way to put it.
I was actually very pleasantly surprised that there are so many returning Five Good Ideas participants. The first time I did it, I learned as much as I shared. I was involved in a follow-up exercise around the book Five Good Ideas and, again, tremendous insights from different people and perspectives.
I am not presenting here as an expert — that would be going too far. Maybe a thought leader is accurate. In fact, I will very humbly tell you, anybody that presents themselves in this day and age as an expert on security and justice is probably fooling themselves. The fact of the matter is the world has changed so much, faster and differently than any time before. You are about as expert as you can be coming out of the backend of the last security or justice incident that you, your family, your business, or even your society has been through.
One of the challenges for a small and medium-sized business leader is that the world is changing faster than your resources and ability to even conceive. You are so busy heads down trying to run a business, get through payroll, make sure the bottom line ends up on your right side, dealing with staff issues and everything from accounts receivable to IT. There is not a lot of time to look up at the horizon, like I do, and look around corners to figure out what is coming to hit your business and prepare yourself. Nor is there the amount of capital or operating budget to allow you to do that. This is uniquely challenging, period.
The other thing I want to say, and I think you folks know it, Canada runs on small and medium-sized businesses. Although most of the work that I do is for Bay Street executives and large multinational organizations, the fact of the matter is that small and medium-sized businesses employ the most people. It makes you incredibly powerful, important, and I believe influential, although I am not quite sure you are punching at the weight class that you carry.
The more you can inform yourselves around the good, bad and ugly of what you are going through, the more you are going to run successful businesses. The more your employees feel safe and valued, the more your customers are going to feel safe and wanting to come back as repeat customers.
I am going to share some ideas with you. They are not all the ideas and solutions that you are looking for, but hopefully they will add to what you have already been doing. They will validate some of what you have already done, and maybe even inspire you to do a little bit more in ways that you hadn’t considered before.
I am going to start off talking about trends that are impacting businesses around the world. The first thing, and I referenced this, is the nature of change. It is exponential in the way that it is happening, in terms of the speed. I was at my parents’ place last night for my son’s fifth birthday, and I just thought about how much the world has changed since he was actually born five years ago. In terms of geopolitical activities, the advance of the Fourth Industrial Revolution and how much it has disrupted so many different industries, including my own industry, the professional services industry. Blockchain is probably going to eliminate anywhere from 50 to 70 per cent of the accounting jobs that Deloitte was built on over 150 years ago.
The nature of change is a reality affecting everybody. How much time and effort can you put into understanding the nature of change and anticipating the changes that are coming? I would say that at this age and stage of my life, in my 50s, and having been through now my third career, I started to get a bit cynical about change. The fact is change is good. For the most part of human history, it has brought about the advancement of humanity. Some things are bad and have been incredibly destructive. If we are not careful, some of the things that are changing can destroy your business, can harm your family, and can potentially at this point, because of the scale of technology, actually harm the earth itself.
But change is good. Look for the threat but also look for the opportunity in there as well. Growing up as a young kid in Scarborough from Jamaica, my life was in the physical world. I got together with my friends by going and knocking on their door and seeing if they wanted to go outside to play ball. We went over to the schoolyard and we played throwing the ball against the wall or against each other’s heads in the schoolyard. And we went home for dinner and communicated with our family about how the day went. Now, you can imagine most of the kids growing up today communicate and get together online. They meet online and discuss with their parents what went on online.
The world has changed. It is no longer just physical. It is a converged world. We are literally split between the time we spend together in a physical space like this and the time we spend together, increasingly, on digital platforms. Canada is the largest producer of social media apps and one of the largest consumers of digital media anywhere in the world. Disproportionately, Canadians spend increasingly more time online. So what does that mean for your customer base? What does it mean for your vendor supply chain? What does it mean for your own employees who could potentially work from home or work from distance in order to support you? Some of you might actually have employees or vendors that work in another part of the world.
As I was coming here today, I was quickly looking through my Twitter feed and saw yet another example of our CEO putting out a notice about artificial intelligence (AI). It can now do lung cancer predictions and diagnosis better than doctors. At some point, people who are suffering from illnesses, concerned about climate change, about whether or not they can automate their business, you are going to have a huge advancement by AI.
The other end of the scale, badly crafted or implemented AI programs, bad use of algorithms or data that feeds those algorithms can create unintended outcomes of disproportional impact. For example, my phone can now talk to my toothbrush. So, in the morning, when I am brushing my five-year-old’s teeth, there is a chip in that toothbrush that allows me to know when I need to change the toothbrush. These two devices are communicating and I don’t know the information being shared. Is it looking at the photographs that I just took for my birthday party last night? This is the reality of the internet of things. Everything talks to everything. That’s an amazing ability for you to create a security system for your business or for your home. But if the system is not created in the right way, you could actually create additional vulnerabilities for the things that are supposed to be securing you and your family. Your data can be converted and weaponized against you.
This is a global village and it is now a global market that operates 24/7. Your brand or product is out there all around the world in places that you can’t imagine, and are not monitoring. Which is great for your brand or product. It is not so great if someone is trashing you on a livestream YouTube video and they have 5,000 followers. And so again, how much ability do you have to set up a social media monitoring site to make sure that you are tracking your reputation on certain key platforms.
Let’s talk about the threat actors. I want to remind you that this is the dark and scary part of the whole presentation. The fact is most actors are good people. They are people that want to be informed. They are looking for services. They want to create a trusted relationship with a vendor or a company. They want to have a relationship with a human being and they want to interact with you and your business in some way, or your family, as the case may be. But the reality is, even in the Garden of Eden there was a snake. There are a few snakes in this Garden of Eden who are just a little more sophisticated than they used to be.
The tradecraft of the threat actors has exponentially grown. There was a time, as a cop walking the beat, there were very few people who knew how to commit a fraud, to pass a bad cheque. Not a lot of people knew how the banking industry worked or had access to cheques. Not many people would have the smarts and parts to walk into a small business in order to create a fraud and gain some monetary advance. The fact of the matter is anybody can go online, and if you have a little bit of computer skills you can go deep under the line into the deep web and there are literally play-by-play cookbooks for the most sophisticated fraud activities in an individual capacity and on scale. You can literally talk to nation-state actors who have the most sophisticated capabilities. You can buy tools with relatively small amounts of money to make your ability to create online white-collar-type crime. You can go from a rookie to an all-star within a very short period of time and very little investment.
The other half of the matter is that once you are into online crime or white-collar crime where you are not actually going in and passing over a cheque that we can dust for fingerprints, investigating you becomes difficult. Mainly because most of you will never report those frauds. When you do report it, most police agencies do not have frontline police officers who are going to be able to receive the report and conduct an online investigation. We have the best police agencies anywhere in the world right here in Canada. We have the number one justice system anywhere in the world right here in Canada. But the reality is, right here in Canada, like everywhere else in the world, the bad guys are way ahead of the good guys. Looking for the law enforcement and policing to be your number one protector against fraud, online crime, or even physical crime occurring in and around your business is becoming less and less of a viable prospect, particularly for small and medium-sized businesses. And so defense, monitoring and reducing harm are your best ways to address it.
Hopefully, if you are a victim, you will report it. And when you report the crime, it will be to a police officer or an agency that has developed some capability around the threat actor tradecraft and can conduct online investigations. If you are lucky enough, they can identify the data or information that was taken from you. If you are even more lucky, they can access the database where that particular data resides. If it is in Russia or in Iran, unfortunately there is no way to get that data back into this country. And even if they do investigate and achieve attribution, meaning they know someone who did it, getting the data back in here and then mounting a successful prosecution in a court of law where a Crown attorney and a judge would understand the nature of the online investigation is difficult. Those are all reasons why criminals are moving further and further away from showing up in your store and taking money from your till, and moving further and further online. They are less likely to be reported, discovered, investigated, prosecuted, and incarcerated.
Cyber threat actors, who are they? Is this a shadowy group that operates out of a factory somewhere in Central Asia? Is this a group of organized crime members who have paid PhD students coming out of MIT to sit together in a cabal and attack mass entities like you? Is it that pimply-faced kid in their grandmother’s basement who spends 23 and 1/2 hours a day online? It is all of those folks and that is the reality. The physical actors are still there. For those of you who own a variety store or dry cleaner, operate a 24/7 business or retail outlet, you are still potentially victimized by shoplifters, people who will commit small assaults or unarmed robbery. These are all the realities for those of you who still have a physical space or a mostly physical space where you are in a dense urban environment or even a remote rural environment.
The physical threat actors have new tools as well. Instead of having to sit in a car and surveil your property late at night, they can just fly a drone across the property, map everything out, geocode, and have a master plan before they even come anywhere close to your property. Then again, the reality is that cyber criminals still use the physical space. And physical criminals still use the cyber space against potential victims.
The following threat is one that rarely gets talked about but one that actually commits the vast majority of crimes and victimization within any size business. It is your own employees. In most cases, it is their indifference or ignorance; or they simply don’t follow your governance or password protection practice. They are the ones that click on a link without thinking. They are the ones that did not invest time in any personal security hygiene or corporate security hygiene that you have asked them to do. They rush through the tasks as opposed to thinking about the security and enterprise that you are running. The biggest investment you can make, before tackling geopolitical or nation state-organized crime members, is to look at your own employees.
For those that work out of your own home, your insider threat expands from your employees into the family and the home. I can’t tell you how many times I had to sit my little 12-year-old daughter down and say, “Okay, do you know the risk that you just put yourself into by what you just posted online?” Many times, I had to sit down with her and say, “Did you change your password without telling me?” “And when you changed your password, did you go from one that was pretty strong that I gave you to one that is pretty easy to pick up?”
Another example — my wife ordered a new Wi-Fi system from our telecom provider. I was traveling on business for a while, I didn’t realize that we hadn’t changed the original Wi-Fi password from what the supplier had given. A good friend of mine, I will introduce him very shortly, said, “Dude, you have got to change that Wi-Fi password.” And in fact he was over for dinner and I said, “Well, change it for me, let’s get secure here.” That is the reality. If you are running a business out of your home, if your family are employed in your business, they now become part of that insider threat chain of risk and reward. Teaching good cyber hygiene and practicing good cyber hygiene in your home will actually help you to secure your work as well.
All right, we are coming out of the dark and scary part. Small and medium-sized businesses, there is a security spectrum that I want you to think about. The first part, you need to understand what the assets in your business are. Assets are simply things that are valuable to you as a business owner. You will be surprised to learn that Fortune 500 companies, when I asked them this question, many haven’t really thought about it or done a rigorous review. And many companies haven’t done anything to secure those valuable assets to a greater degree than they had before.
Again, what are your valuable assets? Is it a product that you sell or a service you provide? Is it the person who built the product or who delivers the service? Is it the IP that is related to the product or the service? Is it the physical facility, the capital assets, vehicles, property that you own? Do you know what they are and have you secured them properly? If you don’t actually know what is most valuable to your business, you are least likely to be able to protect those most valuable assets.
Whatever the weakest link is in your security system, however mature or immature it is, that is what the bad guys are looking for. If you don’t have a particularly good lock on the front door, that is probably where they are going to come through. If you don’t have a particularly good set of passwords on your cyber doors, that’s probably where they are going to come through. Look for the weakest link. I will give you a hint or second hint. It is probably your own employees and family members that are most likely to click on the link because social engineering is tricking somebody. The human being is actually easiest to trick because there are a thousand different ways to do it. There is only one way to go through a deadbolt or through a password. But to go through a human being that is open to flattery, can be tricked or distracted, who could be tired or going through mental health issues, there are so many different ways to exploit a human being.
The people that work closest to you and closest to those most valuable assets are most likely the vulnerable point or your weakest link. At the end of the day, you are all going to be victimized. I have been victimized. My personal accounts have been hacked. I have been targeted online. None of us are immune to this. It is not a matter of if, but when you become a victim — how quickly will you realize you have been victimized. Would an alarm go off to let you know your backdoor to your warehouse has been compromised so you can get there before they remove everything out of the warehouse? Would an alarm go off if your data has been breached? Would you know by your own ability to monitor or by some other person’s ability to monitor? Is it the physical eyes of your employees, or your neighbouring businesses who keep an eye on you because you are working in the same mall area? Is it your neighbours at home who can keep an eye on your place while you are away? Would they call you? Is it a device that you set up like a doorbell that can monitor your premises while you are away?
If you are not monitoring, you will not know when you have been victimized. You can reduce the amount of time to respond and mitigate against the loss and learn from what took place in order to be even more target-hardened going forward.
Here is how you do that:
- Know your assets.
- Address your weakest links.
- Recognize you will be victimized at some point.
- Learn from the instance and make yourself even more resilient going forward.
Any business is going to have a spectrum of security risks associated with a spectrum of business activities. This goes from the pure physical world into the cyber world. Most of you will have some sort of a facility in which you work. Very few people are in a virtual business where literally you are walking around with mobile devices, contracting and transacting online. Somebody is going to work out of a basement office or you are going to have a storefront rental or you are going to actually own property. You might have sensors and CCTV cameras to monitor in and around your business, or mobile communications.
We talked about IoT. When you install a new camera system, it can talk to your lighting system and HVAC system. IoT is happening across your supply chain. Everyone gets something from somewhere within the global village. People need to have ID and access such as password pieces. You might have a Cloud service provider or your own database that you have within your facility or in another location and then into your hardware, the actual computers and laptops that you have.
All of the above give you a pretty good idea of the spectrum of things that make a business work. Every one of those physical surfaces and the cyber surface represents a potential way to exploit a valuable asset, a weak link. And to go about it in a way that will give a threat actor time to take, plant, and later take something, that is the spectrum around which you have to defend your businesses. It is not just the front door and the back door.
We talked about asset mapping earlier on. What are your crown jewels? Digital assets, IT systems and software, data, your website, your social media platform, intellectual property. Those are all what I would call your cyber assets. Your physical assets: cash or equivalents, facilities, employees. Employees are incredibly valuable. For example, your employee is injured during a robbery and they quit. You might not have 12 hours to cover that shift. You need to ensure your employees feel healthy both mentally and physically. If they could be vulnerable online, then give them tools to be safer online.
Cyber hygiene taught at work can help your employees to have that hygiene going home. You are creating a value proposition by just doing these very simple things that don’t cost a lot of money but require intentionality.
- Identify your digital assets and physical assets.
- You need to do a threat assessment of the weak links. What are the areas where your business has been traditionally vulnerable and what are the areas that you can conceive of in this Fourth Industrial Revolution, this online world where you might have new challenges?
I was just at the CivicAction Summit here in Toronto and an expert on urban disaster planning said that for the last 2,000 years, maybe even longer, fire was the number one threat to a city. The number one threat to cities now is flooding. You have to consider natural disasters and new insurance to protect your business. If your employees are family members or if you work out of the home, that is as much of a threat to your home environment as your business. You have to make sure that your people are safe, healthy, and feel supported by management.
Flipping over onto the cyber side of it. Here are some threat actors:
- Attacks that can knock your website offline or ability to transact.
- There is also reputational harm. For example, someone who simply has never even been a client of yours can put all sorts of misinformation online about you and your business. If you are not aware of it, it could be eating into your small profit and loss margin.
- Ransomware is moving from securing your data to securing your physical facilities. I will give you an example. A small boutique hotel in Europe was attacked by having their electronic door locks secured by a threat actor. Nobody could get in or out of their hotel rooms. Can you imagine business people or families who are trying to travel and can’t get out of their hotel room? Once that happens, the reputation of that small boutique hotel was trashed. It is not just ransoming your data but it could be ransoming your physical facilities because of that IoT factor.
- Corporate espionage. This is probably not a direct attack factor on small and medium-sized business, unless you are developing unique IP that later on can be monetized to an extremely high level. For example, Liberty Village and their small start up community are developing some of the most influential and potentially impactful IP. They could be the source of an attack from a nation state. More likely, cyber threat actors are looking at your weak databases, client profiles, and individual information. They are scooping up massive amounts of data by simpler attacks against people like yourself, which will be then leveraged in some other way against a larger target.
Here is what you can do to protect yourself:
- Be secure and protect your place.
- Be proactive through crime prevention by environmental design. Cyber security by design. Privacy by design.
- Think about being vigilant across the entire enterprise and increasingly across the entire ecosystem in which your enterprise is working.
- And then be aware that at some point, it is not a matter of if, it is a matter of when you are going to be victimized. How resilient will you be, how quickly will you identify that you are being victimized, assess the nature of the threat that is now impacting you, address the threat, learn the lessons from it, and make an investment so you are less likely to be victimized again in the same way?
- Set good passwords, do penetration tests, and set good policy for your employees.
- Practice cyber hygiene, produce cyber hygiene lessons and opportunities.
- Monitor your valuable assets. Any time there is a new patch in the system, your iCloud is updating itself, make sure you patch an update as quickly as you possibly can.
- Sit down with your employees or through a conversation ask, “All right, if we got attacked on this or if we lose this asset or if this asset is targeted in some way, how would we respond?” That alone would give you some practice before the actual crisis would come.
- Set up good firewalls for your systems. And to the larger ecosystem, think about VPNs, Cloud and how secure that is, and manage your service providers.
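The asset-mapping and threat-assessment steps from earlier in the talk, together with the secure (prevent), vigilant (monitor) and resilient (respond) list above, worked through as a small risk register. This is an added example, not material from the talk or from Deloitte; the asset names, scores, area weights and the half-credit rule for unmonitored assets are constructed assumptions.

```python
from dataclasses import dataclass, field

# The talk's three investment areas. Integer weights (out of 100) are a
# constructed assumption, chosen so the arithmetic stays exact.
AREAS = ("prevent", "monitor", "respond")
WEIGHTS = {"prevent": 40, "monitor": 30, "respond": 30}


@dataclass
class Asset:
    name: str
    domain: str                 # "physical" or "cyber", the talk's spectrum
    value: int                  # 1 = nice to have ... 5 = crown jewel
    controls: dict = field(default_factory=dict)  # area -> list of controls


@dataclass
class Threat:
    name: str
    target: str                 # name of the asset it threatens
    likelihood: int             # 1 = rare ... 5 = expected


def missing_areas(asset):
    """Areas with no control at all: the gaps the talk says to invest in."""
    return [a for a in AREAS if not asset.controls.get(a)]


def control_credit(asset):
    """Percentage of raw risk the existing controls take off the table.

    Rule taken from the talk: if you are not monitoring, you will not know
    when you have been victimized, so 'respond' controls earn only half
    credit unless a 'monitor' control exists (the halving is an assumption).
    """
    credit = 0
    has_monitor = bool(asset.controls.get("monitor"))
    for area in AREAS:
        if not asset.controls.get(area):
            continue
        weight = WEIGHTS[area]
        if area == "respond" and not has_monitor:
            weight //= 2
        credit += weight
    return credit


def residual_exposure(asset, threat):
    """value x likelihood, reduced by control credit, rounded for reporting."""
    raw = asset.value * threat.likelihood
    return round(raw * (100 - control_credit(asset)) / 100, 2)


def build_plan(assets, threats):
    """Rank every threat/asset pair, highest residual exposure first.

    A threat aimed at an asset that is not in the register raises KeyError:
    an asset you have not mapped is one you cannot protect.
    """
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        if t.target not in by_name:
            raise KeyError(f"threat {t.name!r} targets unmapped asset {t.target!r}")
        a = by_name[t.target]
        rows.append({
            "asset": a.name,
            "domain": a.domain,
            "threat": t.name,
            "exposure": residual_exposure(a, t),
            "invest_in": missing_areas(a),
        })
    return sorted(rows, key=lambda r: (-r["exposure"], r["asset"]))


def weakest_link(assets, threats):
    """The first row of the plan: where the talk says the bad guys look first."""
    plan = build_plan(assets, threats)
    return plan[0] if plan else None


# Constructed sample register for a small retail business.
SAMPLE_ASSETS = [
    Asset("customer database", "cyber", 5,
          {"prevent": ["password policy"], "respond": ["offline backups"]}),
    Asset("company website", "cyber", 4, {"prevent": ["host firewall"]}),
    Asset("staff inboxes", "cyber", 4, {"prevent": ["phishing training"]}),
    Asset("stock room", "physical", 3,
          {"prevent": ["deadbolt"], "monitor": ["CCTV"], "respond": ["insurance"]}),
]
SAMPLE_THREATS = [
    Threat("phishing", "staff inboxes", 5),
    Threat("ransomware", "customer database", 4),
    Threat("website defacement", "company website", 3),
    Threat("break-in", "stock room", 2),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_ASSETS, SAMPLE_THREATS):
        gaps = ", ".join(row["invest_in"]) or "none"
        print(f"{row['exposure']:5.1f}  {row['domain']:8} {row['asset']:18} "
              f"via {row['threat']:18} invest in: {gaps}")
```

The output is a ranked plan rather than a score to worry about: the top rows are the weakest links, and the "invest in" column names which of prevent, monitor or respond is missing for each.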
Again, I know there is not a lot of extra money to potentially invest in this area, but if you simply can’t do this because you don’t have the ability or the time or the capacity, you might employ somebody else to provide a layer of security monitoring. USB keys are still some of the simplest ways for people to get into your systems. I actually did my presentation on a USB key, but I stopped bringing it, as I don’t want to plug anything into Liz’s computer systems.
Social media accounts should be monitored because they can be compromised very quickly. People can take them over and do all sorts of bad things on them under your name. Also, one of the greatest cyber and physical exploits in history were done through the supply chain. For example, if you think of a Middle Eastern company that has a large nuclear program and someone in another country decides to plant a small piece of malware into the supply chain of a national nuclear industry. That malware infects the actual operations of the nuclear industry by making a particular dial read one way when it was actually reading another way. A couple years into this exploit, the nuclear program almost ground to a halt. This is an example of a major play on both the physical and the cyber side.
We talked about the ecosystems. I know a lot of you are your IT leader, your legal leader, your HR leader, your operations leader. I get it, you wear multiple hats. But whether you have separate people under those hats or you are wearing all those hats at the same time, you have to step back a little bit and map out how this plays out. Are you hiring people that have some cyber hygiene training? Are you bringing people, and giving them access to critical databases, making sure that their training has been updated or their responsibilities around that have been updated?
You are wearing your IT, legal, HR, and operations hat all at the same time while being the manager and thinking about the financial bottom line. Whether you are wearing multiple hats or you have multiple people wearing one hat, you have to look at the cyber and physical impacts, your security and assets, securing your assets across the entire enterprise. And then you move even further out. Think about your supply chain, regulatory bodies, family at home, police and emergency service providers, the community. They all can be your best eyes and ears and teachers.
Here are five good resources.
- The Canadian Centre for Cyber Security, recently opened, massively funded and still growing. You can go to their website and find all sorts of resources that you can tap into at any time in very simple-to-use language. Even a luddite like me can actually learn a few things from it.
- A US-based organization that I found searching online preparing for this event. They actually had a very good section and user-friendly section on small business cyber security. It is called the Small Business Cybersecurity Corner.
- It is not all about cyber crime prevention through environmental design. You also need to secure the physical environment within which you work. It might be simply clearing away shrubbery and bushes, putting good locks on your doors, creating line of sight inside your operating area, putting in proper access and control systems. There are a number of things that you can do from an environmental design that are relatively cheap that can provide that physical security.
- Ritesh Kotak was one of the best police leaders that worked with me back in Toronto Police. He was actually my cyber guru that taught me most of what I am teaching you today. More importantly, he and his family run a small and medium-sized business right here in Toronto. And in fact Ritesh set up the first physical security system and the current cyber system for his family’s business, and so he knows more on this topic than even I do. He is also a guest speaker on CTV and talks a lot about cyber security and the changes going on.
- Last but not least, teach your kids, grandparents, parents, and yourself. I am constantly learning, making mistakes, having to remind myself that as smart as I am, as wise and experienced, I still haven’t caught up with where the curve is. And so be humble. Recognize that these are different skills. We used to teach our kids how to walk safely across the street, street-proofing our kids, now you have to cyber-proof your kids even before they can walk. The fact is that both of my kids had a smartphone in their hands and were accessing the World Wide Web before they could even walk. This is the reality. We all have to learn how to walk again in this Fourth Industrial Revolution.
This transcript has been lightly edited for clarity.
Peter Sloly is a security and justice thought leader and trusted C-suite advisor who leads Deloitte Canada’s national “Security & Justice” (S&J) practice. The “security” portion of the practice helps organizations assess and address increasingly complex converging threats across physical (operational) and cyber (logical) domains. Peter’s “security” clients include Fortune 100 social media companies, global financial sector institutions and national retail organizations. The “justice” portion of his practice helps Canada’s justice sector organizations achieve optimal mission readiness to build a healthier, safer, more sustainable country. Peter’s “justice” clients include municipal police services, provincial justice ministries, and national security agencies. Peter leads an experienced and passionate S&J practice team that includes former police, military, and national security leaders who bring their expertise and evidence-based best practices for the benefit of Deloitte’s clients. Peter helps his S&J clients overcome their most challenging issues and leverage their most exciting opportunities while navigating the new normal of constant change. Prior to joining Deloitte, Peter was a highly decorated and respected Deputy Chief with the Toronto Police Service, where he helped improve public safety, public service, public trust, and public value. Peter is also a graduate of the FBI National Academy and he completed two tours of duty in the United Nations Peacekeeping Mission in Kosovo. Peter has a Master of Business Administration and a Bachelor of Arts in Sociology. Peter is a former professional soccer player and a former member of the Canadian Men’s National Soccer Team.