The threat of data breaches and ransomware attacks has become a reality for many businesses and organizations.
The 2020 Cyberthreat Defense Report, produced by CyberEdge Group from a survey of 1,200 IT security professionals at companies in 17 countries, found that 78% of Canadian companies experienced at least one cyberattack within a 12-month period, a figure which rose in 2021 to 85.7%. The same report found that 72% of Canadian respondents dealt with a ransomware threat in 2020, a figure which fortunately dropped in 2021 to 61.2%.
Locally, Statistics Canada figures show a rate of 3,298 cyberattacks per 100,000 population in Waterloo Region in 2021, up from 1,113 recorded in 2017.
Many of the larger local attacks have made media headlines, including a cyberattack on a supplier company in March of this year which prompted Toyota to halt operations at 14 plants in Japan and three manufacturing facilities in Canada, including its Cambridge plant. More recently, the Waterloo Region District School Board became the victim of a cyberattack which resulted in pay disruptions for some of its employees.
We asked John Svazic, Founder and Principal Consultant of EliteSec Information Security Consultants Inc. in Cambridge, to share his thoughts on what businesses can do to ensure they are prepared for any potential cyber threats.
Q. What are some of the misconceptions surrounding a cyberattack or data breach?
John: The biggest misconception is that a business believes that it is not vulnerable or not a target of cyber criminals. Sadly, that’s not true. If you have any form of presence on the Internet, say a Facebook page or an Instagram account, then you are at risk from an attacker.
The attacks may be different, but they will impact you regardless. I’ve had clients who had their Facebook accounts taken over and used for advertising by a foreign company. That can harm your reputation. Similarly, Instagram account hijacking is also common, and unfortunately recovery of accounts is time consuming and not always possible, leading to a lot of lost customers and influence.
Q. Are there degrees, or levels, when it comes to a cyberattack?
John: Yes, definitely! The types of attacks we’ve seen locally in the region are a great example. The most recent example from the Waterloo Region School Board seems to be a ransomware attack, which is where access to your computer network is “locked out”.
A more common occurrence is that these attackers will take data from the network first, then threaten to release these details to the public if the ransom isn’t paid. This so-called “double extortion” style of ransomware is particularly devastating to a company because there is no guarantee that the attacker won’t come back and ask for more money later. Ransomware costs vary wildly, but it’s not uncommon to see demands from $500 per computer to a few thousand dollars per computer, plus fees for not publicly releasing information.
Instagram and Facebook account takeovers can range from a few hundred to a few thousand dollars, depending on the attacker.
Q. Are there certain types of businesses that need to worry more about an attack or breach than others?
John: The short answer is no. Every company that has any type of Internet presence is a potential victim, but the likelihood of a small company being expected to pay out millions of dollars is near zero.
The major criminal groups that get into the headlines are generally targeting larger companies because they understand that they have a greater chance of getting a large payout. But smaller companies may also face extortion costs albeit at a smaller scale.
Sadly, there are criminal elements at all sizes, much like we have in the legitimate business world, all targeting specific markets, from enterprises to SMBs.
Q. What are some of the first steps a business should take to protect themselves? Or can they?
John: The best thing anyone can do is make sure they use some type of two-factor (also called multi-factor) authentication for their online accounts. This is commonly done with a six-digit code you get from your phone via an authenticator app or text message. You then use that code in addition to a password when logging into email, etc. This is an easy (and free) way to better protect your online accounts because it becomes a lot harder for an attacker to take over your account.
Using a password manager is also strongly recommended. This helps avoid re-using the same password everywhere.
A lot of people will think that their password is safe, until one of the websites they use that password on gets breached, and then anywhere else they may use that password becomes vulnerable, regardless of how secure that website may be.
For organizations that do financial transfers, there should be a protocol in place to get some type of verbal confirmation for transfers and not to rely just on an email or text message to confirm the transfer.
Q. Do many businesses utilize cybersecurity insurance?
John: I find that cyber insurance policies are often used in tech companies because they view themselves at a higher risk, but for most other companies they don’t necessarily see the need.
The policies I have seen range from helping pay for ransomware attacks such as paying the ransom to offering assistance to get help from an incident response firm, which is a type of cybersecurity company that will help find out how these attackers got in, get them out of the network, and then make sure they can’t get back in later.
So again, larger companies or companies dealing with other enterprise customers are the main group seeking out cyber insurance.
Q. Has the awareness around the potential for cyberattacks increased significantly for businesses?
John: Cyberattacks are becoming more mainstream in terms of the amount of coverage from more traditional media outlets, which is leading to a wider realization of how bad these things can be.
However, only the “big” attacks get headlines, and a lot of the attacks that happen often never see the light of day. I would say that a lot more organizations have had a cyber incident than they care to admit. Reputation, pride, and fear are some of the main factors for this.
My advice to those companies is not to bury your head in the sand, but rather seek out help to ensure it doesn’t happen again, even if you don’t want it to be made public.
Q. What are some mistakes businesses make when it comes to data protection?
John: Aside from thinking it won’t happen to them, one of the most common mistakes is giving out the keys to the kingdom to all the employees. Using the same login to a shared computer, for example, rather than giving individual logins for each employee. Re-using passwords, not updating software regularly, no anti-virus on computer systems, not questioning strange requests, using company email as if it was personal email, insufficient access controls for sensitive information, etc.
There are a lot of different things that companies can do, but a lot of it is about doing what makes sense for your own specific organization. The basics would be not re-using passwords and making use of multi-factor authentication.
The biggest thing to remember is that it’s not about building up Fort Knox for your business, but rather making sure that you are secure enough for an attacker to look for an easier target instead, i.e., you don’t need to outrun the bear, you just need to outrun the guy beside you.
To learn more, visit EliteSec Information Security Consultants Inc.
October 3, 2022