The most important asset in the world is people’s personal information because every piece of data that we provide to the internet, through social media or through interactions with pension funds and online banking, is a valuable information source, said Darace Rose, co-founder and chief technology officer at Oppos Inc., during the Canadian Investment Review’s 2022 Investment Innovation Conference.
It’s estimated about $600 billion is lost to ransomware year to date, said Rose, noting people usually pay the ransom rather than informing the authorities when there’s an issue. But when individuals pay the ransom, they’re marked as an easy target, so perpetrators set a bug on their network to detect web traffic, sales and capital cycles in order to strike again, likely under a different name. They can also sell the information they hacked from a company to other people on the dark web, he noted.
Without the protection of a firewall, institutional investors can leave their organizations — and the pension plans of millions of members — exposed to ransomware attacks, said Rose, advising those in the financial sector to always ensure their employees are set up on a virtual private network and are changing their passwords used to access that VPN on a regular basis. “A VPN is so critical because . . . [it] encrypts information, so if somebody gets access to your device, they can’t really interpret what information is on that device.”
He also encouraged investors to update their operating systems on their mobile phones, despite the inconvenience, likening this to having a home with a deadbolt lock on it but choosing not to turn the lock. “It’s very important . . . to make sure that every peripheral device that we use in our network is protected at all times, or in a routine time, because the hackers are always knocking. They have bots on the internet that are designed to knock on all doors at all times and, once there’s an open door, they go in and exploit [the network].”
Rose also cautioned investors to beware of social media, as their privacy rules constantly change. He suggested organizations refrain from posting information about events and initiatives in real time. “You can wait until you get home to post about an event . . . or a president’s club trip when the protections are in place. . . . Just remember that everything you put out there can and will be used against you in the court of cybersecurity and cyberattack.”
He recommended institutional investors also ensure they’re on top of different end-user license agreements and have antivirus software on their company phones. When corporate email systems are installed on phones, they aren’t necessarily encrypted, which means, if the phones are lost, the information is also lost. Some apps could also have malware on them, he added, which is why it’s very important for ‘bring your own device’ policies to have an acceptable use policy or security software associated with them. Additionally, staff must understand the difference between corporate information and personal information, ensuring the former is protected, encrypted and not at risk at any time.
“Always use [a] VPN wherever you go, especially Starbucks [Corp.]. . . . Coffee is not really [a] good exchange [for] all your private and corporate information. Maintain social privacy . . . or ensure that you have the right privacy settings on all of your . . . social media platforms [and manage] the mindset.
“It’s really just understanding that you, . . . regardless of what department you’re in, have a role to play in protecting your company’s information and security.”