One hour presentation to IT professionals at Ontario school boards. Covers labour issues in MFA rollout, threat information sharing and business e-mail compromises and PHIPA.
Slide 3: The context (Labour issues and MFA)
o Multi-factor authentication is one of the most critical information security controls, yet some boards do not enforce participation
o Boards and other institutions have enforced a mandatory rollout after attacks, and as part of the response process, which invites sub-optimal change management
o Installation of MS Authenticator on personal devices is a sensitivity, and some employees will not have compatible devices
o Hardware tokens are expensive
Slide 4: The law (Labour issues and MFA)
o School boards have management rights that allow them to establish and enforce work rules
o But any rule enforced by disciplinary power must meet the so-called KVP test, which at its core requires “reasonableness”
o An arbitrator will weigh the Board’s justification against the impact of its work rule, including the impact on personal privacy
Slide 5: The TDSB case and piggybacking on personal phones (Labour issues and MFA)
o CUPE grieved the requirement to work from home during the pandemic due to the alleged downloading of costs
o TDSB provided scope for some reimbursement and problem solving
o Arbitrator Geldof dismissed the grievance
o Decision warns against a reach into “metaphorical pockets” but not against relying on or piggybacking on expenses already borne by employees in their personal capacity
Slide 6: Practical advice (Labour issues and MFA)
o Do it now, not when you are in an incident and in a rush
o Conduct a privacy impact assessment on MS Authenticator (or your alternative)
o Build a change management plan and implement it, and collaborate with labour relations from the start
o Consider offering hardware tokens to those without compatible phones
Slide 8: Costs and benefit (Threat information sharing)
Costs
o Time and energy when time and energy are limited
o There are limited confidentiality risks
Benefit
→ You’ll help others and be perceived as helping others
→ You will receive that help when you need it
→ If you need response help, others may offer
Slide 9: Threat information sharing
o This is a “prisoner’s dilemma” problem, but for the sector as a whole the costs outweigh the benefits
o There needs to be an understanding about confidentiality and there needs to be a means of streamlining the sharing
o Anyone who receives threat information must respect the responding institution’s need for space and autonomy
o Sharing through a trusted intermediary would help
o Encouragement and principled commitment to sharing rather than hard rules/commitments should be adopted
Slide 11: Business e-mail compromises explained (BECs and PHIPA)
o Access to an account by a threat actor
o Depending on your license, you may have access to data about what was browsed and downloaded
o If legacy protocols are enabled you may have evidence that the entire account was synched out
o Oftentimes, there is a lack of evidence of anything other than account access
o And evidence of a motive other than data theft – e.g. lateral phishing or gathering intelligence to support a wire fraud scam
Slide 12: Business e-mail compromises explained (BECs and PHIPA)
o Entire account exposure is expensive to deal with
o Assume $5,000 to $15,000 per account for analysis
o We have seen lateral phishing attacks that expose 100s of accounts
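The two slides above describe the evidence a responder typically has after a BEC (login only, item-level reads if licensing logs them, or a full sync over a legacy protocol) and the per-account analysis cost that follows when the whole mailbox has to be treated as exposed. The script below is an added example, not code from the presentation; it triages a small set of constructed mailbox-audit records. The record shape (`user`, `op`, `protocol`, `ip`, `items`, `access_type`, `internal_recipients`) is an assumed, simplified schema loosely modelled on cloud mailbox audit logs; real tenants use different field names, and what is logged at all depends on licensing. The actor IP, the lateral-phishing threshold of 20 internal recipients, and the rule that an account with only login evidence is treated as fully exposed are all assumptions made for the example.

```python
"""Triage constructed mailbox-audit records for a suspected BEC.

Added example; not code from the presentation. Schema, sample data and
thresholds are assumptions (see comments), not a vendor's real log format.
"""
import json
from collections import defaultdict

# Constructed sample audit records (JSON lines), one event per line. Not real data.
SAMPLE_LOG = """\
{"user": "a.teacher@board.example", "op": "UserLoggedIn", "protocol": "Browser", "ip": "198.51.100.7"}
{"user": "a.teacher@board.example", "op": "MailItemsAccessed", "protocol": "Browser", "ip": "198.51.100.7", "items": 3}
{"user": "b.counsellor@board.example", "op": "UserLoggedIn", "protocol": "IMAP4", "ip": "203.0.113.9"}
{"user": "b.counsellor@board.example", "op": "MailItemsAccessed", "protocol": "IMAP4", "ip": "203.0.113.9", "items": 4120, "access_type": "Sync"}
{"user": "c.admin@board.example", "op": "UserLoggedIn", "protocol": "Browser", "ip": "203.0.113.9"}
{"user": "c.admin@board.example", "op": "MailItemsAccessed", "protocol": "Browser", "ip": "203.0.113.9", "items": 12}
{"user": "c.admin@board.example", "op": "Send", "protocol": "Browser", "ip": "203.0.113.9", "recipients": 37, "internal_recipients": 35}
{"user": "d.staff@board.example", "op": "UserLoggedIn", "protocol": "Browser", "ip": "203.0.113.9"}
"""

# Assumption: the incident investigation already attributed this IP to the actor.
ACTOR_IPS = {"203.0.113.9"}
# Legacy protocols that can pull a whole mailbox down in one session.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "ActiveSync", "SMTP"}


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records, actor_ips, lateral_threshold=20):
    """Classify every account touched from an actor IP.

    exposure is one of:
      FULL_SYNC   - a sync operation pulled the mailbox (legacy protocol case)
      ITEM_ACCESS - item-level reads were logged, so scope can be bounded
      ACCESS_ONLY - nothing beyond the login is in the log
    lateral_phishing flags a send to many internal recipients (assumed threshold).
    """
    per_user = defaultdict(lambda: {"exposure": "ACCESS_ONLY", "items": 0,
                                    "legacy_protocol": False, "lateral_phishing": False})
    for rec in records:
        if rec.get("ip") not in actor_ips:
            continue  # activity from the user's own locations is out of scope here
        entry = per_user[rec["user"]]
        if rec.get("protocol") in LEGACY_PROTOCOLS:
            entry["legacy_protocol"] = True
        op = rec.get("op")
        if op == "MailItemsAccessed":
            entry["items"] += int(rec.get("items", 0))
            if rec.get("access_type") == "Sync":
                entry["exposure"] = "FULL_SYNC"
            elif entry["exposure"] != "FULL_SYNC":
                entry["exposure"] = "ITEM_ACCESS"
        elif op == "Send" and int(rec.get("internal_recipients", 0)) >= lateral_threshold:
            entry["lateral_phishing"] = True
    return dict(per_user)


def entire_account_exposure(result):
    """Accounts whose whole mailbox must be treated as exposed: either a sync
    took everything, or the log shows nothing beyond access and the scope
    cannot be narrowed (assumed conservative rule)."""
    return sorted(u for u, v in result.items()
                  if v["exposure"] in ("FULL_SYNC", "ACCESS_ONLY"))


def estimate_analysis_cost(accounts, low=5000, high=15000):
    """Analysis cost range using the slide's $5,000-$15,000 per account."""
    return len(accounts) * low, len(accounts) * high


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG), ACTOR_IPS)
    for user, info in sorted(result.items()):
        print(f"{user}: {info}")
    exposed = entire_account_exposure(result)
    print("entire-account exposure:", exposed)
    print("analysis cost range:", estimate_analysis_cost(exposed))
```

On the constructed data the counsellor's mailbox was synced over IMAP4 and is rated FULL_SYNC, the admin account shows bounded item reads plus a mass internal send (the lateral-phishing motive the slide mentions), and the staff account has login evidence only, so it joins the counsellor in the entire-exposure list and the cost estimate.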
Slide 13: Decision 205 (BECs and PHIPA)
o IPC PHIPA decision from April
o IPC (without deciding the issue) sets out its position that access to an account equals access to the information in the account (under PHIPA)
o IPC has now taken that position with BLG clients – position rests on the words “make information available” in the definition of disclose in PHIPA
o We question the position, but boards need to consider this when PHIPA regulated information is in accounts – beware counsellors and social workers
o And boards need to build and/or enforce policies on e-mailing personal health information and reconsider e-mail retention