Welcome to BIV Today, the daily business podcast from Business in Vancouver newspaper and biv.com. I'm Hayley Woodin. Today on the show: cryptocurrencies and cybersecurity. We'll get a cryptocurrency exchange executive's perspective on the QuadrigaCX scandal, and 440.
That's the average number of cyberattacks organizations in Canada experience each year. We'll speak to Scalar Decisions about how to remain cyber resilient at your company. Coming up on Thursday, February 21st, we're going to be exploring the due diligence and valuation involved with buying a business. If you've ever considered selling a business, this is the best place to be. We're going to walk through all of the elements
that buyers take into account when looking for acquisitions. Our panel will also share insights into what can make or break a deal. I'll be moderating, and I hope to see some of you there. And once you've mastered how to buy a business, you can join us on February 28 to learn how to successfully exit a business. This is our annual Retirement Ready panel; we'll walk through how to retire well, wealthy and healthy. Both events are in the
afternoon at the Shangri-La Hotel. More information on those events and our other events is available at biv.com/events. You're listening to BIV Today. QuadrigaCX is a Vancouver-based company that says it's out of money. Where the money went, and why it has disappeared, is being debated in court this week. Some one hundred and fifteen thousand traders, though, are asking where and how they can get back 260 million dollars. This is a
big story that's developing by the day. I'm joined this morning by Michael Vogel, founder of Netcoins, which is a Vancouver-based cryptocurrency exchange, to talk a little bit more about this. Michael, thanks for coming on the show. Oh, good morning. Thanks for having me. I think everyone's wondering what happened here, but maybe you could shed some light on how something like this could happen.
Yeah. So it's an extremely bizarre story. So avid cryptocurrency users that have been using Quadriga over the last year have noted issues with slow withdrawal times, not being able to take fiat out, or taking a long time for deposits to be credited. But to make things even more complicated and confusing, this new story emerged about their founder mysteriously dying in India, and apparently along with that, access to his laptop and passwords and private
keys, which apparently contained the keys to the kingdom, which is about 190 million dollars of funds that were stored on QuadrigaCX. So very bizarre indeed. Unusual that a company of that size would only have one person to manage that amount of funds. So it's left a lot of people wondering: is this a scam? Is this real? And more importantly, as a customer, how can we get our funds back?
Exactly. A lot of people waiting for answers. And to me this really highlights the regulatory environment, or maybe the lack of regulations, around products like this. Tell me a little bit about how a cryptocurrency exchange and the regulations around that differ from, say, a more traditional exchange.
Yes. So essentially a cryptocurrency exchange allows users to buy, sell and then trade Bitcoin. It's a lot like a stock exchange, or like an online banking account where you trade stocks and bonds and whatnot, but with the added difference that you can then withdraw the bitcoins from that exchange, as opposed to a stock exchange, where you can't really withdraw from there. So the problem is that when you have one of those on an exchange, you're essentially giving
control of your bitcoins to that exchange. So if you and I were to download what's called a bitcoin wallet, like an app on our phone, and store bitcoins there, we're essentially in total control of those coins. But when you're using a third party like an exchange, when coins are stored there, you're essentially giving them control. And so you have no real way to access funds
without their permission. And so what would have happened here is obviously when the company essentially loses access to those coins, you as a user have no way to reach
them either. So what this story has really done is given us another reminder of how different Bitcoin is compared to traditional stocks and other investment tools, where with Bitcoin you become your own bank. You're responsible for controlling your bitcoins, and so if you are going to use an exchange, the best practice really is just to use it for the purpose of buying and selling.
Don't store coins there long term. Although you would hope to think that a company like Quadriga, with one hundred ninety million in assets, would have had better protection. But clearly they didn't. So what would you recommend, if they say don't store things with a third party long term?
Right. That sounds like good advice, and also, as you pointed out, I mean, framing it like becoming your own bank puts a lot of onus and responsibility on an individual to really understand what they're buying and how those systems work. Tell me a little bit about how the regulatory frameworks in countries are evolving around products like bitcoin, because governments and securities commissions, to some extent, have been scrambling a little bit to catch up, it seems. No, for sure.
I mean, so in Canada the government has essentially taken a wait-and-see approach in terms of regulation; that's been the policy for many years. There may be some future regulation coming just in terms of how customers are identified and record keeping. But in general Bitcoin is a very different animal. It's designed separate from traditional
banking frameworks and financial regulation. You know, countries like China and other countries around the world have at various times attempted to, quote unquote, ban bitcoin, but really, because it's just an internet token, it's not really feasible to ban or control it, because it's not really controlled by one company, like Bitcoin itself being
owned by Microsoft, or like a standalone company that could be shut down. That's what's called a decentralized currency. So attempts to regulate it may simply be futile, and may not even be necessary, in the traditional way that we think of regulation. But yeah, so that's sort of my initial thought on it.
Yes, that's an interesting way of looking at it. I'm curious, do you think a case like this, where it's affected a large number of people and there's a lot of money at stake, might turn some heads in government offices to say, well, you know, maybe it's difficult to regulate, but this wait-and-see approach, maybe we've waited and now we're going to see what we can do?
Yeah, no, for sure. And you know, stories like this definitely aren't good for bitcoin in general. They don't boost confidence, although Bitcoin itself wasn't actually compromised in the story. Bitcoin was not hacked or stolen or disappeared.
It was dismissed as a result of Quadriga's intervention.
So Bitcoin itself is still robust, but what it does really bring up is, you know, if a cryptocurrency exchange is going to operate in a country like Canada or the United States, there should be more clearly defined rules about how funds are stored, or insurance policies. Actually, personal bank accounts at banks are insured by CDIC up to a hundred thousand dollars, so if the bank disappears or goes bankrupt, there's mostly some insurance coverage there.
Policies like that might be interesting. We may see stuff like that happening in the year going forward, but you know, the flip side is, with any type of new technology, you don't naturally want to overregulate, because you sort of run the risk of stifling innovation. Right.
So I mean, think about the Internet when it came out. There actually were periods of controversy around things like encryption and, you know, who gets to control the encryption algorithms. There was a big surprise with the Bill Clinton government back in the 90s about control of the Internet, and you know, if we think about it, if the Internet was overregulated way back in the day, then the Internet today probably wouldn't exist. And so hardcore bitcoin
fanatics have that same feeling, right? Bitcoin is a very, very revolutionary technology. It's fundamental. So if we overregulate it, we ruin the potential future of what it promises.
Where do we find ourselves at the start of 2019 when it comes to the cryptocurrency craze and the bitcoin craze that we saw over the last couple of years? It seems like there are so many companies popping up, so many exchanges and ways to buy and sell and trade and do whatever you want. It seems to have died down a little bit. What's your take on what's happened in the industry?
Yeah, it's very interesting. So I've been in this space since late 2013 or early 2014, when I founded Netcoins. And yeah, the history has gone through many phases. So when I started, Bitcoin was really thought of as this obscure, weird nerd money. It was trading for around
200 dollars or so. People thought that there was no real application here, it's just a very, very niche audience, but you get different types of users entering that ecosystem over the years, and over the last year or so, the year before, 2017, we saw Bitcoin cross 1,000 dollars U.S. at one point, and then later on in the year it crossed ten thousand dollars at one point, and it almost reached twenty thousand dollars at one point. So 2017 is probably the first year that it really entered, quote
unquote, the mainstream, the initial wave of that. And obviously people watch the price of bitcoin, and when it's up and down, because big emotional stars, but I mean, it's still a very new asset, right? I mean, if we look at the daily volume of bitcoins that are traded versus the daily volume of MasterCard payments or Visa payments,
Bitcoin is still an emerging industry.
So I think we'll see hiccups like this along the way as the industry figures itself out. Stories like this happen all over the world, and Quadriga isn't the first exchange to go down or be hacked, etc. So I think these types of stories, while they're bad, there are learning outcomes from this. You know, it helps customers learn better ways to store their bitcoins, and it
helps the industry grow up in general, in terms of best practices, right? I mean, every cryptocurrency exchange doesn't want to end up like Quadriga. They want to have better protection, better controls. And even internally at Netcoins, the discussion that we've had many times is, you know, we were shocked when we learned about the Quadriga story, because obviously, you know, our company wasn't set up that way, and other large companies like Coinsquare, Coinbase, etc. aren't set up that
way either. So yeah, I think the industry definitely has to mature, and I think it's only a good thing that it has, I think, for anyone investing in Bitcoin or Bitcoin-related companies. I think, you know, we still have a very, very blue-sky future ahead of us.
Michael, I want to thank you for coming on the show to shed some light on what's going on here. We may have to have you back in a week or so when we find out more about what's going on with this case. But for now, really appreciate your insight. Thank you.
Oh, for sure. Anytime. That's Michael Vogel, founder of Netcoins, based here in Vancouver. Canadian organizations on average experienced 440 cyberattacks over the last year. That and recovery costs after those attacks have reached an all-time high. The 2019 Scalar Security Study is out; it's its fifth annual iteration, and Theo van Wyk, the company's chief technology officer of security, joins me now on the line from Toronto to discuss how companies can build greater cyber resilience.
Theo, thanks so much for coming on the show.
You're very welcome. Thank you for having me on the show.
So looking at this survey, you surveyed more than 400 IT professionals across industries and small through enterprise organizations, and found one hundred percent of them had experienced a cyberattack over the last year. Is this the new normal? Is this to be expected?
You know what, it's actually very interesting, to your point. You know, this is the fifth iteration of us doing the annual study, and every year we've seen high percentages of reports in terms of numbers of organizations attacked and breached, but this period actually astounded us when we found for the first time that 100 percent of our respondents reported being attacked and in some form impacted with an incident. We believe, unfortunately, this is
the new norm. At the same time, I don't think this is as new; I think we're becoming more aware as organizations and we're becoming better at detecting and tracing this, but it is definitely setting the tone that cyber resilience is becoming more and more important and critical for Canadian organizations.
And how would you define the term cyber resilience? What does that mean?
You know, it's not traditionally in our field. We tend to talk about cybersecurity, and it's historically been the theme of a lot of the study. The challenge for us was cybersecurity, because it places customers and employees in the concept of a pure defensive strategy, where they're just thinking about strategies to prevent, and once that fails, the cybersecurity program effectively fails. The reality is, as we see here, companies are breached all the time. And so cyber
resilience for us becomes a frame of mind. It becomes a state of readiness where defense is a very important and critical part of that strategy. But ultimately it's about thinking holistically about how we deal with those toxic situations so that we can survive that attack, and that it's business as usual and we can carry on. We always use the cold or flu analogy, if you will, where we tell people that at some stage in your life you will get a cold or flu. It's
really critical how you prevent that, right? There's a preventative element to that. But if you do then get sick, you're not sitting well; it's detecting it, it's understanding where the issue lies and identifying it, and then having a response plan, understanding how you treat yourself and how you overcome that.
And while that might be a simple analogy, the point is very applicable as you start thinking about cyber resilience for companies. Sticking with that analogy, this study points out that the costs of catching these colds are rising year over year. It looks like it costs companies on average between four point eight and five point eight million dollars
after a cyber breach has occurred. Tell me why these costs are rising, and very typically how companies respond, and maybe what some of the challenges are, too, in responding to these attacks.
Absolutely. You're correct. We have noticed a rise in the numbers. Now, the one thing to be very honest and upfront about is there's a great variation in how companies calculate these costs, but the reality is what we're seeing is attackers are getting more effective at getting into the networks, they're getting more effective at getting at the data, and then companies are becoming more aware of the impact that this is actually having on
their networks and on their services. So I think it's a combination of the attacks increasing in effectiveness, but as a whole, as an industry, we're becoming better at defining it and realizing what the challenges are. We actually have on hand one of the interesting figures that we tried to derive, because personally I always struggle with these large numbers to see this in the study. So what we try to do is we derive a number that highlights the per-employee
cost for a breach on average. So this year we found it to be around two thousand six hundred seventy seven dollars, or about twenty seven hundred dollars an employee. And that's important because if you're a smaller company, or you know, depending on how you picture your company, you can do a quick bit of mental math and plug those numbers in there and have a number that perhaps
is a little bit more relevant to you. But the reality is it doesn't matter how you slice or dice it, the downtime and the impact are significant to companies. In terms of asking what companies can do, you know, there's the security basics. And one of the key finding recommendations that we drive here is work on your
cyber resilience program. And that just means thinking through things like an incident response plan, just having a response ready so that you're not caught off guard, and so you walk through that step. You think, how do I prepare?
How do I respond? Where are my important assets? And then have that response plan ready so that you can jump in and address it and minimize the impact that the actual breach has on your organization.
So it would be just like having a crisis communications plan or an emergency preparedness plan, except you would have that in the case of cyber threats, correct?
Yes. So this is something where a lot of our customers work with either ourselves or their security partners, and what they're doing here is they're building that up, and it's a little bit of an all-encompassing program. So this includes things like your PR response, like how does your public relations respond? What's the legal aspect? So it goes further than just the technology. But then obviously a very integral part is how do I contain that threat from
a technology perspective, and who are the correct key stakeholders that I have to bring in very quickly and effectively to contain that breach and return to a trusted normal state?
On that point of containment, the report points out that one potential vulnerability when it comes to issues like this is third-party security. So even if you yourself tend to be a very cyber secure or resilient organization, if you're dealing with companies that aren't, that could be a risk. What kind of recommendations do you have for companies in terms of how they work with their partners?
So, absolutely right. It's a massive issue, and to further your point,
if we think about some of the large breaches that have occurred in the last little while, we think of the Best Buys because of the brand names, but very few people can actually name the third-party organization that caused the breach behind the big label, if you will. So it's definitely something to be aware of. What we recommend there is understand your partners. It becomes part of
that cyber resilience and that security strategy, right? And it's looking at things like: does the third-party vendor or organization have access only to the data that they really need access to? What are their internal security controls? Do they have a good security posture? Because obviously if you're working with somebody and you're giving them access deep into your network, or security or trust is the basis, and they do not have a good posture, that's something
to be concerned about. And as part of that, there's a number of governance frameworks and security frameworks that companies these days will adhere to and get certified against. And that really becomes, to some extent, a proof, just to show that they have security in mind when they're structuring their services, and then when they interact with you as well.
One of the recommendations in the report as well is identifying and classifying data assets. The study found that some of the attacks are quite significant on companies; they either had their data stolen, deleted or encrypted. I mean, these can be very, very serious privacy issues and operational issues. What does it mean to identify and classify assets, and how can that actually help in situations like this?
So when we work with our customers, we would typically recommend a threat risk assessment as a first step. And a threat risk assessment does exactly that. So it identifies the assets and it ties the business function to them. So then you can start understanding, if this computer or this server or this device or this area of the network gets compromised, what does that translate to in a business process for me? Is it impacting actual customer-facing services?
Is this where complex sensitive data lives? And so the first step in that is just, it's really difficult to protect what you don't understand, or if you don't know that you have it, or you don't have visibility. So that first step is understand your business and how your business is using data and services. And then we design your security plan around that so that you
secure the critical assets in the different areas. But it also becomes very important in your response plan, in understanding when and how quickly you should respond and how you should apply your tactics. The other item where it becomes really important is it helps you prioritize your security spend, because let's face it, we do not have unlimited pockets. At some stage you have to decide where and how you place your dollars so that you actually
improve that security posture. And this is really key. And you know, how do you apply those dollars if you don't understand where the proverbial crown jewels, or important information, reside?
All right. That's the challenge there, having unlimited funds. Correct. Yes.
I think of small businesses, who are often going to be takers of technology and services, working with companies that are much larger than them, relying on their services and products. That kind of then means that they're assuming these companies are doing their own due diligence and taking the steps necessary to be cyber resilient. In the shoes of a small company or entrepreneur, what can they do to make sure that the partners they work with are secure and
that they're doing everything they can to keep their operations safe?
So I think, you know, develop a relationship to ask the question. I understand sometimes, being a smaller firm, that's not always possible; it's not always possible to have the ear of the larger organization. But again, this is something where you can then pull back and look at certifications, whether they are ISO 27001 or some form of framework certified, that will actually attest to the fact that they are adhering
to security principles and they're thinking about it. And then on the flip side, you know, there's something to be said about self-awareness. We just talked about the threat risk assessment and understanding what your process is and what your data looks like, and understanding, when you're partnering with these larger firms, what,
to what extent do they have access to your technology or your information, and what the possible implications are about it. And it is something, unfortunately, that you have to assess on a case-by-case basis and be aware of. But in general, we find that the landscape, the temperature of the landscape, has changed, and most organizations now realize the criticality of having that security approach or that security narrative.
So fortunately it is becoming a lot easier and more convenient to establish that.
And a final question: what should we be looking out for? You know, my quarantine folder does a pretty good job of keeping out fishy emails, but when it comes to more sophisticated attacks, what should employees and employers be looking for, and where? So if we focus on the employee side, definitely, you know, you pointed to number one, that phishing is still such a massive attack.
It remains the human element. It's always the area that the attackers love to exploit. And for that, it's just have an inquisitive mind. We find a lot of times a lot of interesting attacks have been thwarted because somebody asked the right question. So if you get that email from finance asking you to transfer twenty thousand dollars, that happens to be just under the limit that needs approval, now pick up the phone. Give the CFO a quick call and say, hey, are you sure this is the
amount I need to transfer? You know, it's such a simple measure, but little items like that really do help. And then to employers, it's just a matter of: invest in your training programs. One of the study results we found is that there's still a significant amount of companies, we're talking about around 30 percent, that's a lot, that's lacking training programs for employee security awareness and others. And you know, invest in your employees.
They are your main line of defense. They're also the area that a lot of attackers will come into contact with first, in one form or another. And the benefit to that then becomes those same principles are things, to your point, that you take back home or to your own digital life. Let's face it, we're not getting less technology integrated every day. So be aware of those things, practice some of those same principles on your own home and personal security, and make
it a habit. Make it a way of thinking so that you have that inquisitive mind and ask the questions. One other key item for employers: get a process in place that educates employees to report and ask questions. So if there's, you know, a suspicious email, you can talk to that direct contact.
Have a 1-800 number or help line or inbox where an employee can fire off a quick question and get a bit of a response in a decent timeframe, to just report or just ask the question if they're curious or if they find something that is suspicious.
Theo van Wyk is the chief technology officer of security at Scalar Decisions. Theo, thank you so much for coming on the show today.
Thank you very much. Have a nice day.
That's it for our show. Thanks for listening to BIV Today, and get notified of new episodes by subscribing to us on iTunes and Stitcher. You can listen to all of our episodes and read, watch and listen to more business news at biv.com. I'm Hayley Woodin. Thanks again for listening. We'll be back after the long weekend.
