25 Jan
Cyberattacks are costly – is your data locked down?
More than two-thirds of large Canadian organizations experienced at least one cyberattack in 2019, with an average cost of $9.25 million to investigate and remedy, according to a survey by the Canadian Internet Registration Authority (CIRA).
“The cybercrime business is booming, and the criminals who profit from it are becoming increasingly sophisticated in their tactics,” says Dean McCarthy, co-founder of Protek IT in Toronto.
During the coronavirus pandemic, public health restrictions have forced more Canadians to work remotely, laying bare our reliance on digital systems to keep business running smoothly and highlighting the importance of robust security, says McCarthy.
“Within days of stay-at-home orders being issued, companies had to set up their remote offices while ensuring their IT systems were operating safely,” he points out.
McCarthy says the scramble to arrange virtual offices could mean important IT security considerations were overlooked for some businesses. Research shows that employees can unwittingly pose the biggest risk associated with cyberattacks and that human error is to blame for more than half of all security breaches. Training users is a critical component of any company’s security framework.
“Users are the vectors of attack, but if you teach them what to watch for and regularly test and reinforce that training, you can reduce your risk of a breach,” he says.
While much of the media attention on cyberattacks focuses on governments or large corporations, McCarthy says that doesn’t mean small and mid-sized businesses (SMBs) should think they’re immune.
“In a professional services environment, people don’t think twice about letting clients plug into their office’s Wi-Fi network, and in most cases, it’s fine. But what happens if your client has a compromised laptop? It’s the one per cent you need to worry about,” he says.
Lawyers, accountants, mortgage brokers and other professionals who deal with client data could also become targets of cyberespionage by bad actors looking to steal –– or worse –– the sensitive information.
“You don’t know who your next client will be. A corporate lawyer isn’t going to be a target until he’s doing a big acquisition deal for a client,” McCarthy says. “Or if you’re the lawyer handling the Barry and Honey Sherman estate case, now you’re a focus. People want to know what’s in that will.”
Types of cyberattacks
Security breaches come in the form of ransomware, phishing, malware or denial of service attacks. They can paralyze a business, take down or infect its networks, compromise client data and cost a lot of money to fix. McCarthy says about 90 per cent of malware comes from email. Here are definitions for some of the most common types of attacks:
A phishing attack is a fraudulent attempt to trick users into revealing sensitive information such as usernames or passwords, in which the attacker poses as a trustworthy entity. Phishing messages often include a link or attachment that appears legitimate.
In May of 2019, a municipal government in Ontario became the victim of a phishing scam. The threat actors posed as a known and trusted city vendor. In their fake email, they requested to change the banking information for the vendor, and when this was completed, $503,000 was transferred to the new account owned by the cybercriminal.
Malware is software designed to damage a computer, server or network; it includes viruses, spyware, Trojan horses and ransomware. Cyberattackers develop code designed to cause extensive damage to data and systems or gain unauthorized access to a network.
Denial of service
A distributed denial-of-service attack is meant to disrupt a business by bombarding one of its systems –– website, email service or a critical service –– with requests that force it offline. The incoming traffic originates from different sources, making it impossible to stop the attack simply by blocking a single source.
Large corporations are often the target of DDoS attacks, but that doesn’t mean small- to medium-sized businesses shouldn’t take precautions to prevent or mitigate them, McCarthy stresses.
“Every business that relies on its IT systems to function can be a target,” he says. While the majority of these incidents are motivated by extortion or to protest the company’s practices, McCarthy says unhappy clients have also launched them, as have disgruntled former employees or anyone with the money to hire people to do it.
One area of cybercrime that grabs many headlines these days –– and with good reason –– is ransomware attacks. Malicious software is installed on the victim’s systems through deceptive links in an email message, instant message or website. Users are locked out of the system and their files are encrypted. A message instructs the user that in order to decrypt the files, they must pay a ransom (often in a cryptocurrency such as Bitcoin).
The Canadian Centre for Cyber Security recently produced the National Cyber Threat Assessment 2020 report. It shows that over the past two years, ransomware campaigns have impacted hundreds of Canadian businesses and critical infrastructure providers, including hospitals and police departments, as well as municipal, provincial, and territorial governments.
McCarthy says that because the emails appear to be from a trusted source, users often open attachments or click on links, and in doing so, they unleash a “multi-headed hydra.”
“In many cases, the attachments look innocuous,” he says. “It could be a legitimate Excel file and once it’s opened, the virus instructs it to find files and lock them down.”
Businesses that use off-the-shelf antivirus software may have a false sense of security about their level of protection, McCarthy adds.
“Most cheap or free anti-viruses only scan your hard drive, not the computer’s memory. If you open an infected Excel file, it can run in the background of your system, unbeknownst to the person who opened it.”
Data from Statistics Canada shows that of the businesses impacted by cybersecurity incidents in 2017, 38 per cent said the motive was to steal money or demand a ransom payment.
Ransomware has the potential for significant consequences, warns Derek Manky in a column for Security magazine.
“What we’re seeing more often is that valuable intellectual property and sensitive information isn’t just being encrypted and held for ransom,” Manky says. “Encrypted versions of that data are also being posted online, with the threat that if a ransom is not paid, all of the data will be released for public access.”
In the early days, ransomware emails were easier to spot as they often contained poorly written instructions or bad sentence structure that signalled to the reader that something was amiss, McCarthy says. Today, the players are much savvier.
Last year, users of Ledger, a hardware cryptocurrency wallet that allows you to store, manage, and sell cryptocurrency, were targeted by a phishing scam that looked so authentic it almost fooled McCarthy.
“The email said, ‘Your crypto vault could be compromised, click here to reset your password,’ and was 99.9 per cent legitimate looking. I used a secure cellphone to click on the link and saw that the URL was ledger.com.io, not ledger.com, but the average person wouldn’t be looking for that,” he says.
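The comparison McCarthy made by eye, the link's real host against the vendor's domain, can be automated in a mail filter or training tool. The following is an added example, not code from the article or from Protek IT; the function names, the sample message and its URL paths are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message; the /reset and /hc paths are made up.
SAMPLE_EMAIL = """Your crypto vault could be compromised, click here to reset your password:
https://ledger.com.io/reset
Help centre: https://support.ledger.com/hc
"""


def link_host(url):
    """Return the host a browser would connect to: lowercased, no port or userinfo."""
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url  # bare "ledger.com/reset" style links
    return (urlsplit(url).hostname or "").rstrip(".")


def classify_link(url, trusted_domain):
    """Classify url as 'trusted', 'lookalike' or 'unrelated' for trusted_domain."""
    trusted = trusted_domain.lower().rstrip(".")
    host = link_host(url)
    # Trusted only if the host IS the domain or sits under it. The leading dot
    # matters: "myledger.com" ends with "ledger.com" but is a different domain.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # Heuristic (assumption): the first label of the trusted domain is the brand.
    brand = trusted.split(".")[0]
    if any(brand in label for label in host.split(".")):
        return "lookalike"  # e.g. ledger.com.io, which is not under ledger.com
    # Trusted name elsewhere in the URL, e.g. in the userinfo before an "@".
    if trusted in url.lower():
        return "lookalike"
    return "unrelated"


def flag_links(message, trusted_domain):
    """Return the links in message that imitate trusted_domain."""
    return [u for u in URL_RE.findall(message)
            if classify_link(u, trusted_domain) == "lookalike"]


if __name__ == "__main__":
    for link in flag_links(SAMPLE_EMAIL, "ledger.com"):
        print("lookalike:", link, "->", link_host(link))
```

The check reads domain names right to left, which is why a host that merely begins with the trusted name is rejected.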
Rolling the dice won’t cut it
Business owners who run professional services firms –– lawyers, accountants, financial advisors, mortgage brokers –– where client data privacy is paramount, can’t afford to skimp when it comes to securing their digital system. StatsCan data shows that almost one in five small companies experienced an IT security breach in 2017. More than one-quarter of mid-sized firms said they’d been compromised.
There are serious ramifications for businesses that fall victim to cyber villains –– reputational damage, downtime and cost to recover. McCarthy says his firm works with leading IT security companies to ensure his clients’ digital assets are protected with the latest innovations.
“We’re a one-stop security shop for business, and we tailor a solution based on each client’s needs,” he says. “We safeguard your network and make sure the security patches are up to date, your back-ups are reliable, and we regularly practice recovery from those backups in the event you need to restart your entire system from scratch.”
That’s what happened with the City of Saint John in New Brunswick when it was hit by a ransomware attack in November of last year. Rather than giving in to demands, the city opted to rebuild its entire network from scratch, a process that will take months and allow it to take advantage of the latest innovations in cybersecurity and network design.
Practising cyber hygiene essential
When it comes to security breaches, one of the best ways to mitigate risk is by effectively training users, but this is an area where many organizations fall short, says McCarthy.
The CIRA study shows that only 41 per cent of businesses have mandatory cybersecurity awareness training for all employees, which McCarthy says is troubling as training improves employees’ ability to recognize phishing attempts and provides a clear procedure for reporting suspicious incidents.
“Email phishing is the most common way attackers launch ransomware, so even if there are security features installed on the device they’re using, it can still be compromised,” he says. “Once your systems are breached, you can’t put the genie back in the bottle.”
Protek IT is a full-service IT company that works primarily with professional services organizations. The company leverages a three-step process to ensure its clients’ systems are safeguarded from nefarious actors: educate, protect and restore.
“Training should be ongoing as the landscape of threats is continually evolving. It should also involve validating that users have absorbed the information and know what to do if they receive a suspicious link or attachment,” he says.
Protection involves having an end-to-end security framework in place, including antivirus software, firewalls and proper backups of data, to protect desktops, servers, Wi-Fi networks and mobile devices. Depending on client needs and budget, McCarthy says a range of options can be implemented to ensure robust protection.
“Sophos is one of our preferred vendors and they have different levels of security solutions, depending on the quantity and value of your network assets,” he says. “An enterprise-level solution that costs $10 million is not going to be the right choice for a company that needs to protect a $1,000 network.”
McCarthy says once an organization’s systems have been breached, it’s relatively straightforward to restore files if the data has been adequately backed up.
“Backups can get corrupted, so you may have the physical media, but the information on it is useless. That’s why it’s important to regularly test your systems, including backups, to validate your security posture.”