Protecting against cyber crime and social engineering fraud risks

The digital revolution that has occurred since the invention of personal computers and mobile devices has brought numerous benefits to individuals and organizations seeking to maximize their efficiency and output while reaching as many consumers as possible for their businesses; however, these advancements also have businesses struggling to keep up with the ever-growing risks of cyber crime and social engineering fraud.

Cyber crime refers to criminal activity that uses and/or targets personal computers, mobile devices, or the networks connecting to these devices. Some examples of cyber threats include malware, ransomware, and spoofing, but this is by no means an exhaustive list. The prevalence of cyber crime requires businesses to be vigilant in preventing cyber threats. Consequences of failing to protect against cyber threats include privacy and data breaches, network loss and damage, and even property damage. These consequences also all come with significant monetary cost. Failing to protect the personal information that businesses accumulate and store about their consumers can also attract regulatory liability and penalties, depending on the governing legislation for the protection of personal information and privacy.

Social Engineering Fraud is the art of influencing people to disclose or to give access to information they otherwise would not provide. This fraud is distinct from cyber crime because it relies on human interaction, rather than hacking a network or connected device. Social engineering fraud is dependent on the social networks we now use through personal computers and mobile devices. Specifically, criminals will learn about individuals through social networks, before targeting them through various scams (much like cyber crime). These scams include phishing, smishing, and piggybacking. All of these frauds rely on our natural tendency to trust each other, and to believe that information is credible, rather than questionable.

The most important way for individuals and organizations to guard against the risks of cyber crime and social engineering fraud is through education. While anti-virus software, password protections, and other technical safeguards are all necessary and important, businesses must recognize that these safeguards can only do so much if their officers and employees are not educated about the risks of cyber crime and social engineering fraud, as well as how to guard against these risks.

Individuals and organizations should adopt and implement policies and procedures designed to educate everyone involved in day-to-day operations about cyber crime and social engineering fraud. At minimum, these policies and procedures should include a plan for regular and recurring training, detailed steps for responding to a potential cyber threat or fraud, and clear identification of the roles and responsibilities of individuals who will be primarily responsible for responding to cyber threats and frauds. On this point, it should be emphasized that provincial and federal legislation imposes requirements on private-sector businesses to protect the personal information of consumers in their possession. Therefore, all policies and procedures designed to guard against cyber crime and social engineering fraud must be drafted in compliance with and cognizant of the provincial and federal legislative framework governing the protection of personal information.

Beyond having a strong set of organizational policies and procedures to guard against cyber crime and social engineering fraud, businesses may also look to additional means of protection, including cyber insurance. Cyber insurance, like other forms of insurance, is designed to compensate individuals and organizations where they have suffered a loss due to a cyber attack, data breach, or fraud event. Of course, like any insurance, the coverage offered under cyber insurance policies can differ. Eligibility for coverage in the event of a claim may also be dependent on the safeguards a business has put in place before a claim materializes. Therefore, when obtaining a cyber insurance policy, businesses should ensure that they understand not only the extent of coverage available under the policy, but also that the insurer will expect the organization to minimize the potential for a claim before issuing such a policy.

This discussion is only a primer on protecting against cyber crime and social engineering fraud. As always, you should consult a lawyer for advice where necessary.

Kaylea M. Dunn, KC
McKercher LLP
374 Third Avenue South
Saskatoon, SK
(306) 653-2000

Graham E. Quick
McKercher LLP
800 – 1801 Hamilton Street
Regina, SK
(306) 565-6500
