Canadian Underwriter
News

Cyber risk management starts with preparing children ‘around a whole different mindset,’ says former Toronto deputy police chief


March 6, 2017   by Greg Meckbach, Associate Editor


Print this page Share

Cyber security is more of a human resources issue than a technological issue, while cyber security threats are often detected more than six months after they occur, speakers told insurance professionals at a conference last week.

“The nature of IT and the changes in facing in terms of technology, we are going to have an entire group of actors from street gangs on corners to nation states combining their enterprise on to cyber platforms for many different agendas, all of which will require an increase in funding, and that funding comes from us,” said Peter Sloly, executive director at Deloitte LLP. “I genuinely believe that this is not a technological issue as much as a human resources issue and it’s not just a battle for top-level talent. You have to start preparing people coming out of the grade schools and the high schools and the post secondary schools to operate in the new normal, and the new normal is that there will always be new ways to utilize technology but that technology will be able to be utilized against you the individual and the corporation.”

Sloly made his comments March 3 at the International Cyber Risk Management Conference.

“You need to start educating the grade 8s and 9s and 10s who are going into university five years later, who are then going into your pools, around a whole different mindset,” said Sloly, a former deputy chief of the Toronto Police Service,

“I want to see a police service that not only has a high-end cyber security intelligence outfit, but also has, at every level of the organization, particularly front-line officers, in schools, in communities, in small and medium-sized businesses, which still employ the majority of Canadians across this country, and get them as much cyber prevention education as possible,” Sloly said. “Inevitably, your companies will draw from those employment pools as well.”

The International Cyber Risk Management Conference was produced by MSA Research Inc. and held at the Allstream Centre in Toronto.

“The fact of the matter is, the law enforcement community, the policing community, is significantly outgunned and will continue to be so increasingly going forward,” Sloly said. “They will always be part of the potential solution set, but an increasingly smaller part going into the near future and the long-term future. There is no structural or financial or technological way for them to ever catch up.”

Sloly was one speaker on a panel titled Preparing for the Challenges Ahead.

Also speaking was Corinne Charette, chief digital officer of the federal department of innovation, science and economic development and the federal senior assistant deputy minister, spectrum, information technologies and telecommunications.

Kevvie Fowler, national leader of cyber response for KPMG in Canada

“Technology advances the Internet of Things, but on the other hand, as a regulator, we are also concerned and pre-occupied with ensuring that we have proper legal and regulatory framework to maintain the trust of Canadians and maintain a secure and resilient digital economy,” Charette said. “So it’s a careful balance.”

She added every industry “is being transformed by sensors and machine to machine communications in one form or another.”

Sloly warned of a “convergence of the physical and the cyber.”

Ransomware, Sloly added, “used to attack and encrypt your data.” But ransonmware “will now attack and destabilize or make unusable your physical environment as well,” Sloly warned. “So they can go after your crown jewel data or they can shut down your HVAC system and cause your data to be corrupted in another way. We have seen those attacks already happen and will be happening to a greater degree going forward.”

The third panelist was Kevvie Fowler, partner, advisory services forensic at KPMG LLP.

“The security industry as we know it is not geared towards identifying and managing modern threats,” Fowler said. “What happens is, based on any research survey that you look at, there are 200 plus days between when an incident actually happens to when it’s detected.”