In this month’s podcast episode, cybersecurity expert Francis Syms joins us to discuss the evolving landscape of digital security. In our conversation, we explore key insights and best practices to safeguard digital assets against cyber threats.
Transcript
Nataly Alarcón: Welcome to a new episode of the BookNet Canada podcast. I am Nataly Alarcón, BookNet's marketing and events manager. In today's episode, we're delving into a topic that's become increasingly crucial for everyone in the industry: cybersecurity. With the rapid digital transformation of the publishing landscape and cybercriminal methods becoming increasingly sophisticated, cybersecurity has emerged as a vital concern for protecting sensitive data and ensuring the integrity of our digital assets. So, to shed light on this important topic, we've invited Francis Syms, an expert in the field, to share his invaluable insights with us today. Francis Syms is a senior industry professional and educator in the areas of cybersecurity, risk management, project management, and telecommunications. Francis is the Associate Dean of Information and Communications Technology at Humber Institute of Technology and Advanced Learning.
Welcome to the BookNet Canada podcast, Francis. We are thrilled to have the opportunity to talk with you about the intricate world of cybersecurity. How are you doing today?
Francis Syms: I am great. I'm so excited to be here with you. Thank you for having me. I'm always happy to talk about cybersecurity.
Nataly: Thank you, Francis. Before we dive into our discussion for today, could you share a little bit about your journey in this field?
Francis: I've been a technologist for some time, worked in industry in a number of different roles in hardware and software development. I worked at BlackBerry in the glory days when BlackBerry was number one. And over time, I kept coming up against issues where security was a concern. We were having, you know, problems. People were able to get into devices or software where they shouldn't have been. And so, increasingly, I became more aware and interested in the profession. And after a while, I started taking on a course instructor role at Humber College here in Toronto in cybersecurity. And that's sort of really what solidified the space for me. I started teaching it, and then at my own consultant practice, I started practicing cybersecurity, working with industry professionals. And I realized that there was a huge gap in terms of awareness and knowledge, and I've been, you know, really emphasizing that in my work at Humber College. We're building a number of different programs, and now I'm an associate dean, where we do a lot of cybersecurity work with students and with industry.
Nataly: Thank you, Francis. That's fascinating. Shall we start with our first question?
Francis: That sounds great to me.
Nataly: So, what makes cybersecurity essential for both organizations and individuals?
Francis: When I think about cybersecurity, you really have to step back and think about what is connected to the internet. You know, 20 years ago, maybe you would have a computer, and you may just have, you know, a dial-up connection 30 years ago that you would connect your computer to the internet, and that would be it, right? And so, if somebody was gonna hack you or do something bad, they'd have to get into your computer over this old phone line. Now everything is connected to the internet, right? And so, what that means is that everything is vulnerable to a cyberattack. You think about your smartwatch, if you're lucky enough to have it, or your mobile device is connected to the internet. Your thermostat at home could be connected to the internet. You might have a smart alarm system in your own store that's connected to the internet.
And so, anything that's connected to the internet is vulnerable to somebody trying to get in and either doing things like disrupting, doing something to hurt your business, take it offline, maybe steal things from the business, or exploit you maybe for ransom, or try to threaten you. So, because our whole life is connected to the internet and increasingly healthcare devices are connected to the internet, you might have a diabetic monitor or an insulin pump that's connected to the internet, or sometimes pacemakers are connected to the internet so that doctors can check in on you. So, all these things that we need to live our life fully are connected to the internet. So, we need to think about what that means in terms of our safety. Just like you might lock your front door when you come into the house at the end of the day, you need to think about what are all those other doors in your life that you need to make sure that are secure.
Nataly: That is an excellent analogy. What types of cybersecurity threats are commonly encountered, and is there an increased likelihood for certain threats affecting the book industry or individuals in the book industry?
Francis: What's interesting about cybersecurity is we sometimes think about it as this crazy, techy-type field that, you know, you hear stories about people making hundreds of thousands of dollars doing crazy hacking type maneuvers. But the reality is that most of the cybersecurity attacks, more than 90%, sometimes 98%, occur through social engineering. What social engineering basically means, most of your listeners would probably know this, is effectively tricking somebody to do something that they shouldn't do. And how that manifests itself with respect to cybersecurity is usually through email, right? Or a text message. You could be a bookseller, and you might get an invoice email from somebody out there that says, "Oh, you know, here's the list of materials that I want you to ship to me." It's a PDF. It looks legitimate. You click on that PDF, and then it installs or infects your computer.
Most of the time, most of the ransomware attacks that we hear about when we talk about ransomware, I'll talk about what that is in a second, it occurs through somebody clicking on something on an email. And ransomware is something that we've heard a lot about that with the Toronto Public Library. The City of Hamilton was just recently hit by a ransomware attack. Hospitals in Ontario recently, last year, were hit by an attack. And that's a type of thing where usually it starts with somebody clicking on an email and something is downloaded to the computer and spreads across the network and then effectively locks people out of their systems under threat of, you know, never giving that back until you pay some sort of money. So, they might say you need to pay $50,000, $30,000, a million dollars before they'll give you access back to your system, right? And so, I think both on the social engineering side and on the ransomware side, those are probably two of the biggest types of attacks that we hear about in the news today.
Nataly: I think what you're saying also is that these incidents might start, not necessarily in a malicious way. I mean, from the victim's point of view, and sometimes more like an accident, but if we do take some steps, that can be avoided.
Francis: Yeah, and often it's the end of day, right? Maybe you're leaving the store or your business to rush out to get the kids and pick up some takeout on the way home, pick up the kids from school or daycare. And an email comes in last minute, and it looks legitimate. You don't really have 15 minutes to spend trying to make sure that it's okay. So, you spend 30 seconds, it looks okay, so you click on it or you forward it on to somebody else. That's very often the situations where people are victimized, right? And these attackers, they design it to exploit vulnerabilities at the end of the day.
Maybe you're an entrepreneur, and you're always trying to figure out your tax situation with Canada Revenue Agency. And so, you're very often used to talking to them about, did you pay enough tax? Do you owe more? You're a small business owner, right? You're trying to file your T2, and you're not sure if you've claimed everything correctly. You expect some sort of interaction with CRA in that situation. So, that's a perfect vulnerability for somebody to exploit and they pretend to be the government calling and saying that, "Oh, you owe something. I need you to do something about it now, or you're in trouble." And so, those are the types of things that are most likely to happen in these types of attacks, the exploitation of where you're weak, and basically where you're ultimately human.
Nataly: Thank you. Thank you for those insights. As the book industry embraces digital platforms and ecommerce, what are some of the key measures that professionals in the industry can take to secure their digital assets?
Francis: That's an excellent question. We talked about social engineering. And I think in that space, one thing that people in the industry can do is to make sure that employees have an awareness and they have an awareness of what they should do and they should not do in certain situations. You know, it seems sometimes silly, but being able to recognize if an email is real or fake is something that you need to practice. And especially with AI, right? Increasingly, those emails look real. So, there are tools out there that can help, and I can provide the listeners ... I can provide you a link that you can distribute to the listeners in that space. So, I think that's one thing that's low-hanging fruit that's easy to implement to protect business owners and people working in the space.
The second thing is to think about who you're interacting with, right? From what we call a supply chain perspective, right? We'll see in the news the word supply chain attacks as a very popular way for hackers to get in. What that really means is that if you have a small business, you're likely working with somebody on an online platform. It could be somebody that's doing your bookkeeping, right? It could be somebody that you're using to get your books from, right? Maybe another supplier, and that supplier has potentially access to your database, or you have access to their inventory database. Something like that. Well, what you have to think about is this. So, you may have some good security hygiene and practices in your own business, but what are those other people doing? And when you give them access to your internal database or network, maybe you give them a login, a username and password, or you have something that lets you log in to their network, well, effectively, what's happening in those situations is you're joining. It's like you're opening a door between your business and that business. And maybe you can control who's walking in the door on your side, but you don't know who's walking in the door on the other side.
So what people need to think about is how they're connecting to other organizations and asking some questions around security. Do you have some sort of security plan? Do you have cybersecurity insurance? That's increasingly popular because, inevitably, you can't close all the doors. You might not even know where all the doors are. Or the window might be open a crack, and you never knew. So, having things like cybersecurity insurance can help because it can help to protect you. It can help to protect your customers if their data is breached. So, I think social engineering, supply chain attacks, and I think the third thing is really the data piece, right? Because often, when attackers come into your business, they may want to disrupt your business. They may want to, you know, make the website go down for two days, maybe, but they also want your data, right? And that data is valuable.
And that data, you have an obligation to protect the data of your clients, your customers, your employees, you know, an obligation to the government of Canada. And so, what that means is that you need to really think long and hard about what kind of data you're storing, and is that data accessible to the internet? We saw several months ago, a hospital in Southern Ontario attacked. And what we realized is that there were 30 years of patient records that were accessible to the internet. There were X-rays there from patients from 30 years ago that attackers were able to get. So, you may not need that. Maybe it's convenient for you to be able to work from home or your supplier to be able to log into your system to see what your inventory is, but think about what exactly they have access to and who has access to it. Do all the employees need access to, you know, personal information of customers? Maybe, maybe not, but it's not always obvious to think about that because you bring up a new system, a new database, basically everybody, you know, has access to it. You may not be tech-savvy, and so you may not think about restricting, you know, which doors people can open and which doors people can't.
So, those are three steps, I think if business owners or, you know, people working in the publishing space were able to address would go an awfully long way. Maybe four. I think I said the social engineering, the training piece, making sure that your suppliers and your partners have good cybersecurity practices, making sure that you restrict access to information to people that only need it. And maybe the fourth pillar really is the insurance piece, right? Buying cybersecurity liability insurance can help to protect you in case somebody can get in.
Nataly: That's excellent. Thank you, Francis. So, now thinking about smaller businesses in the book supply chain with limited resources, what are some cost-effective cybersecurity measures they can implement to protect their operations and sensitive information?
Francis: I think one of the things that small businesses that are especially under tight budget should do is they should start with resources that the Canadian Centre for Cyber Security provides. There's lots of training resources out there. There are a lot of other free resources that people can use. PBS in the United States has a whole training module for people on how to protect themselves from social engineering attacks. So, there's a plethora of things out there that are free that you can use to educate yourself and to potentially educate your employees. So, often, when people think about cybersecurity, they think they need to pay some high-end person a lot of money to come in and do an audit. You know, that helps, but that's not necessarily the most important thing to do. The most important thing starts with leveraging the resources that the government and organizations out there provide to do that.
The second thing that they can do is they can come to organizations like Humber College, other post-secondary organizations that provide usually free services to the public and to small and medium businesses. At Humber, we have a digital innovation lab where companies can come and get a free cybersecurity audit. Increasingly, we're seeing public sector organizations like universities and colleges provide those services to small and medium enterprises because it's a gap, right? And protecting them is basically protecting everybody in Canada. So, I think looking for resources that you have access to is step number one.
The second thing is ensuring that you have a good data hygiene policy in the organization, so that the people that should have access to things like addresses and telephone numbers of customers have access to them, and the people that shouldn't, don't, right? It's as simple as maybe a supplier doesn't need the phone number of one of your customers when they're looking at the client list. It's easy for business owners to collect personal information as part of a loyalty program, right? That information is valuable. But you have to think about where that information is stored and does it actually need to be connected to the internet, right? So, that's what we consider as a data hygiene policy. I think thinking long and hard about who has access, even if it makes it more convenient for you or your employees to have that data accessible from home, it has risk to your business, and maybe you don't want that risk.
So, I think leveraging free resources to do training, maybe an audit, and thinking about data hygiene policies, those are three steps that I think can go a long way to help small business owners in that space.
Nataly: I completely agree. And we are going to make sure that we list all those resources and links in the episode notes. Shifting gears a bit. So, you are part of the Canadian Association of Defence and Security Industries, which advises the Canadian government, right? How do you see the collaboration between the public and private sectors evolving to address the increasingly sophisticated nature of cyber threats?
Francis: I think what we're starting to see is better cohesion. Sometimes, when you think about cybersecurity or security in general, you think about what we call the threat surface, where all the parts that are attacked can come in. Because ultimately, Canada is only as strong as the weakest link, to put it that way. And if you have an employee that works at say, for example, a utility that exposes some piece of software to the internet, well, that means an attacker can get in there and potentially cause some massive disruption.
There was an example several years ago where an employee of a water treatment plant in Florida had used this software that wasn't authorized so that he could log in from home and check water treatment levels. Was there enough chlorine, right? And so, what happened is somebody figured out how to get in and started increasing the chlorine to a point that would have been dangerous for people. Not even chlorine, it was some chemical like that. Some treatment chemical to a point where it would have been dangerous for residents. Luckily, they caught that in time, right? But the point is that you can imagine people that work in these large enterprises or in the security establishment are well-trained in cybersecurity because that's their bread and butter. They need to be, right? They're protecting intellectual property, they're protecting assets that have real monetary value. But what we need to think about is protecting and training employees that are on the front lines that are maybe managing water treatment or information of customers that are vulnerable when they come into the business is equally important.
So I think what we're starting to see is we're starting to see a realization that cybersecurity and cybersecurity practice is important for everybody and not just for the private sector or for the defence industry. And so, there's a huge push in Canada to make sure that everybody, all Canadians, have access to resources that are gonna protect them because protecting them means you protect everybody in Canada, especially now that we see an increase in nation-state-type attacks. And when I say nation-state type attacks, what we mean is we mean other countries that will tend to attack, usually through a proxy. They will have, you'll hear about, you know, a group in some country in Eastern Europe or Russia or China, that looks like a private organization launching some sort of attack, but ultimately it's potentially sponsored by the nation-state, right? And those types of attacks are more frequent, and they tend to be on things like our critical infrastructure because it causes mass disruption. And I think that, you know, there's people like you and me and our listeners that are working at those places that need that awareness, need that support and training. So, yeah, I think we're gonna be seeing a convergence in the next few years, especially with the advent of AI and increase in misinformation. Working more closely together is more important than ever.
Nataly: So it seems that there's definitely some sense of urgency.
Francis: Yeah. I think what we're seeing is we're seeing an evolution of the concept of digital literacy, and it used to be, you know, can you just use Microsoft Excel, email, you know, all these types of things? I think what we're seeing is that you need to be able to use tools like ChatGPT now. You need to be able to understand and discern misinformation from real information. And so, I think that what we're gonna see is an evolution of what it means to be digitally literate in Canada. Increasingly, in many organizations, people are being trained on AI because AI is everywhere. In education where I work, there's students that are using AI to complete assignments and assessments, and understanding how to use those tools effectively in the classroom and determine if the student has used it to submit an assignment, it's not so straightforward and easy, and it's a conversation at this point. But I think we're gonna see increased awareness and training in that space that'll help everybody.
Nataly: What about the growing emphasis on privacy regulations? How do you think that organizations can maintain a strong cybersecurity posture while respecting customer and employee privacy? Are there any specific challenges or best practices that you would like to share?
Francis: And I think I might refer back to some of the comments from before. So, I think it starts with data hygiene, right? You need to make sure that you have it. I think every organization, it is prudent upon every organization to have a policy written down about how they manage data, right? And to ensure that that policy reflects government regulation, like PIPEDA, for example. And I'll make sure that I provide a link to your listeners and other various government tools that are out there to govern what happens.
For example, if an event happens and there's a data breach, right? Well, the business, it's upon the business to determine if there's something called real risk of significant harm to the end-user or to the client. That's not a straightforward thing to figure out. So, developing an internal policy around, and maybe just write it down on one page, around how you manage data is a good step because it means you're gonna probably consult and think about what it means in the context of current regulation in Canada, which is actually changing and evolving over time. So, I think having a written policy is good.
I think number two, and if you have any stakeholders in the business, make sure that they all understand, make sure all employees understand. For example, do not collect the social insurance number of a client, right? Many businesses might've done that in the past, especially if they're doing some sort of credit check, right? There are small steps like that that you can take as a business owner to protect yourself and to protect your clients. So, collect only the data that you need to conduct the business that you want. Don't give the data away to other people.
It's tempting when you have a partnership with the supplier or somebody else to hand over your client list. There may be an incentive for you to do that. "We can work more closely together. We can do some analysis on your clients and tell you which books they're gonna buy, right?" It's very tempting to give that information away, but think long and hard about that. Because when you give information away, you don't know where that information is gonna go. Is it gonna stay in Canada? Could it be copied over to some other server in some other country, like the US? Once it leaves Canada, there are certain rules around how data should be managed in Canada. Not everybody understands it, number one, but then once the data leaves Canada, you lose complete control over that, right? And those are your customers. And likely, if you're in a small shop, you care a lot about those customers. You have personal relationships with them. So, think long and hard about what data you collect and what you do with that data. I think those are important considerations.
Nataly: Thank you. Looking ahead, what emerging trends or technologies in cybersecurity do you think that our audience should be aware of?
Francis: I think the elephant in the room obviously is artificial intelligence. And most recently, there's a version of ChatGPT called ChatGPT 4, which people can license for a sum every month. It's tempting to use those tools, and everybody should be aware of those tools because we're all using them. But one thing you need to think about is if you start to use those tools to do things like create contracts or maybe to help write something. You could be an author, and you use ChatGPT to write a chapter of your book or something to that effect. We see this all the time. When you put that data into the tool, you lose control over the intellectual property of that data in most cases, right? So, when you type something into ChatGPT, maybe it could be a contract, maybe it's a mortgage agreement. And we hear stories in the law of people using it to look up information in court. You give that information away, you lose control of it, and that's gone. So, it's tempting to use these tools to do sensitive things because what they spit out is great, but you have to think about the fact that you lose that information. At this point in time, who owns it is still something that's up for debate and discussion in general across the industry. And at this point in time, it's unclear, and likely you lose the rights to anything you put in that tool.
But that being said, I think it's important for everybody to understand what those tools can do. Because if you're gonna detect what's real and not real, you have to have some sort of awareness, right? Because you could be a publisher, and you have to be able to discern if this is authentic or if this is something that a tool generated. Maybe you don't care, but understanding and having an awareness of it will help you to build a policy around what you're going to take and not take, because that's not going away.
And then, on a cybersecurity side, what we're seeing is those tools are creating more convincing messages from a social engineering perspective because those tools get fed data from everything you put on Facebook. Maybe on Facebook, what happens is you put, it's your mom's birthday, and you say, "Happy birthday, mom," and you put her maiden name there. Well, maybe that maiden name is what you use to log into your bank accounts as well, right? It's one of those challenge questions. Or maybe to get into your cell phone provider account. And so, these tools, what they mean now is that these tools can scrape that data off the internet and use it in an automated way that would have had to be done manually before.
And it might have been that, you know, maybe for me, if an attacker came at me, well, they said, "If I spend an hour trying to figure out how to attack Francis, it's not worth it. This guy's not worth my time. I'm not going to make any money off of it." But if there's an automated tool leveraging AI that can do it, and it takes, like, a second, and there's no manual intervention, then everybody is more vulnerable to attack. And they're using information from my LinkedIn feed or my Facebook feed. So, I think having an awareness of what AI can do is gonna only help us in terms of identifying and preventing these types of attacks going forward.
Nataly: Lots to consider and think about. Thank you so much, Francis, for sharing your expertise and your insights with our audience.
Francis: It was my pleasure. Thank you so much.
Nataly: Thank you for tuning in to today's episode of the BookNet Canada podcast. We hope you found our discussion with Francis Syms insightful and informative. Stay tuned for a future episode where we will delve deeper into this topic, exploring the real-life experiences of an arts organization which has experienced cybercrime and emerged stronger. Their lessons learned and best practices will provide invaluable insights for safeguarding our digital assets.
Before I go, I’d like to take a moment to acknowledge that BookNet Canada’s operations are remote and our colleagues contribute their work from the traditional territories of the Mississaugas of the Credit, the Anishinaabe, the Haudenosaunee, the Wyandot, the Mi’kmaq, the Ojibwa of Fort William First Nation, the Three Fires Confederacy of First Nations (which includes the Ojibwa, the Odawa, and the Potawatomie), and the Métis, the original nations and peoples of the lands we now call Beeton, Brampton, Guelph, Halifax, Thunder Bay, Toronto, Vaughan, and Windsor. We encourage you to visit the native-land.ca website to learn more about the peoples whose land you are listening from today. Moreover, BookNet endorses the Calls to Action from the Truth and Reconciliation Commission of Canada and supports an ongoing shift from gatekeeping to spacemaking in the book industry.
The book industry has long been an industry of gatekeeping. Anyone who works at any stage of the book supply chain carries a responsibility to serve readers by publishing, promoting, and supplying works that represent the wide extent of human experiences and identities in all that complicated intersectionality. We, at BookNet, are committed to working with our partners in the industry as we move towards a framework that supports "spacemaking," which ensures that marginalized creators and professionals all have the opportunity to contribute, work, and lead. We'd also like to acknowledge the Government of Canada for their financial support through the Canada Book Fund. And of course, thanks to you for listening.