It’s probably safe to say most organizations in Canada know a little about cyber security. There have been regular reports of major data breaches in the mainstream media for at least two decades, and most firms have at least rudimentary IT controls.
More firms regularly remind staff of dos and don’ts. Bigger firms — governments, banks, large retailers, telcos — are investing more in cyber defences. Ottawa regularly reminds the top 10 infrastructure sectors of their responsibilities. To make things easier, just over a year ago it consolidated much of its public advisory resources into the Canadian Centre for Cyber Security.
Yet as the annual October observation of Cyber Security Awareness Month begins today, it seems little progress is being made. One expert (see below) believes the reason is simple: threat actors are more motivated to attack than organizations are to defend.
Federal privacy commissioner Daniel Therrien says Cyber Security Awareness Month is an opportunity for organizations to review their security measures and look for ways to improve upon them.
“In our investigations work, we see that organizations generally manage their cybersecurity preparedness by identifying issues and putting in place structures and processes to bolster security. This is a positive first step. However, ensuring those processes are fully implemented on an ongoing basis is also critically important. Too often, we find issues arise when organizations have not checked back to monitor the ongoing effectiveness of their security measures.
“We encourage organizations to continually monitor and refine their structures and processes for safeguarding personal information. This includes, for example, ongoing employee training on personal information handling processes as well as the importance of remaining vigilant to evolving attack threats such as malware and phishing.”
This month IT World Canada will be running a series of articles to help infosec pros improve the cyber security awareness of their organization. Meanwhile, consider that
- the federal privacy commissioner estimates 19 million Canadians were affected by data breaches between November 2018 — when reporting serious breaches of organizations’ security controls became mandatory — and June;
- although Canadian financial institutions are considered among the security leaders in the country, in June a staffer at Quebec based credit union Desjardins Group was fired for allegedly sharing personal information of more than 2.7 million individual members and 173,000 businesses with a person or persons outside the institution;
- also in the financial sector, last month a researcher found Scotiabank application source code and private login keys to backend systems lying open in GitHub repositories;
- in August two people were arrested after a data breach at Quebec’s tax collection agency affecting 23,000 past and present employees at Revenu Québec. Most of the data were names and social insurance numbers. The province said an internal investigation showed the data wasn’t used for malicious purposes or sold to third parties;
- a number of Canadian municipalities have been victims of ransomware this year, despite long warnings of the need to have a backup strategy. Recently the city of Stratford, Ont., acknowledged paying the equivalent of $75,000 in bitcoin following an attack in April;
- municipalities are also being stung by what’s called business email compromise scams, where an employee is convinced to change the bank account to which money for invoices is usually sent. Organizations should have business controls over changes in payment procedure to prevent this. In August the city of Saskatoon admitted it was victimized for just over $1 million. In May the city of Burlington, Ont., acknowledged it was hit the same way;
- no size of organization is immune. That lesson came through with news the University of Ottawa’s online student news site was temporarily stripped of copy after the site was hacked;
- Verizon’s annual Data Breach Investigations Report, which looks at thousands of incidents around the world, notes that 21 per cent of data breaches are caused by errors, either by employees or third parties. For example, Freedom Mobile blamed a third party for hosting an unprotected database with personal and credit card information on thousands of the wireless carrier’s subscribers on the Internet;
- think small businesses won’t be attacked? Consider our report on a Halifax vegan restaurant whose Facebook page was defaced.
This truly is the golden age of financial crime, with attackers having seemingly unlimited financial resources (thanks to their heists) — and skill — to evade cyber defences.
Thanks to automation and the availability of tools on the dark web, one security vendor estimates the cost of developing a package of tools for an advanced persistent threat (APT) attack could be as little as US$15,000.
Experts keep repeating that the risk of data breaches can be significantly lowered by following the basics of cyber hygiene.
Verizon’s annual Data Breach Investigations Report, which looks at thousands of incidents around the world, notes that 21 per cent of data breaches last year were caused by errors. More worrying, system administrators as a source of accidental breaches are creeping up.
According to Ed Dubrovsky, managing director for cyber breach response at the Toronto-based consulting firm Cytelligence, the number of breaches in Canada is rising because threat actors are more motivated to attack than organizations are to protect themselves. “Over the last year, ransom demands have spiked by almost 300 per cent on average,” he noted in an email interview, “and in some cases (and specific industries) multi-million dollar demands are the norm. These payouts are increasing the motivation of cyber criminals to successfully attack and cripple organizations.”
Businesses are only now starting to realize that cyber security budgets should be increased and additional focus is needed, he wrote. “However, there is a disconnect between what organizations are willing to invest in security programs versus what it will take to provide minimal acceptable level of security services to protect data and jobs. Organizations of all sizes are still failing to invest strategically in their security programs. How do you introduce a fundamental shift in thinking from purely operations to allowing security and cyber-risk a seat at the table?”
He urges organizations to develop what he calls a modular approach to mitigate or reduce risks. “By modular I mean that the whole plan does not need to be thrown out the window every time there is a change. Strive for incremental improvements, this is not a sprint.”
In brief, his advice is “protect perimeters (plural), protect data, reduce permissions and manage credentials, and patch systems.”
Organizations need to understand the specific risks associated with them, not generic risks, he says. Then shift risk management processes to include these specific cyber risks. Regularly and critically assess the firm and re-evaluate risks — don’t focus on one-time products or activities.
As for security awareness training, make sure it relates to the risks the organization faces.