Ransomware and more ransomware, that’s what appears to be top of mind for many IT leaders as the Cybersecurity Awareness Month campaign begins today.
It’s a month when cyber experts, governments and news media urge public and private leaders, as well as individuals, to be more careful about what they do online, and to do more to protect sensitive information.
However, 16 years after the first observance of Cybersecurity Awareness Month, it might seem the thousands of words of advice that have poured out aren’t doing very much.
Cybercriminals love following trends, and combining ransomware extortion with data theft blackmail in the last 10 months has proved to be lucrative.
Organizations face a conundrum: Refuse to pay, and stolen data gets released, perhaps fatally damaging their reputation. And their encrypted data stays scrambled.
According to a report in August by McAfee, the Netwalker ransomware gang earned US$25 million in five months this year. One gang called REvil that runs a ransomware-as-a-service operation for criminals has reportedly set aside US$1 million to attract new hacker partners.
Aside from ransomware, organizations are still worrying about other attack vectors that are also increasingly being exploited: Unpatched software, configuration errors, users clicking on malicious links, users falling for business email compromises, insider data theft and more.
Up-to-date cybercrime statistics in Canada aren’t easy to come by. The incident reporting system for the RCMP’s new National Cyber Crime Coordination Unit (NC3) won’t be running for another two years.
The Canadian Anti-Fraud Centre said that for cyber fraud alone, it received 12,676 reports from 6,930 victims totalling $30.2 million in losses. By comparison, for all of 2019, there were 16,242 reports of cyber fraud involving 8,241 victims totalling $55.4 million in losses.
The federal Office of the Privacy Commissioner said so far this year it has received 516 reports from organizations of breaches of security controls among the private sector firms obliged to report incidents where there is a real risk of serious harm to individuals. That would be the same pace as the number of breach reports for 2019 when the office was notified of 722 breaches.
Certainly, no expert believes cybercrime is going down.
In Canada, some of the more publicized incidents this year included:
- The hack of 11,000 government of Canada accounts, including 5,600 at the Canada Revenue Agency;
- The data theft and ransomware attack on the government of PEI;
- A hack at Telus’ Koodo wireless division;
- A ransomware attack of a Toronto accounting firm;
- A subscriber database left open by a Canadian-based e-learning provider;
- The data theft from the Royal Military College;
- A hack at developer Brookfield Residential Properties.
Failure to follow cyber basics
There was no shortage of vendor reports this year, again reminding the C-suite and infosec pros that stolen or compromised credentials and cloud misconfigurations were the most common causes of malicious breaches.
For example, the annual Cost of a Data Breach report by the Ponemon Institute and IBM found these factors represented nearly 40 per cent of malicious incidents investigated in the 12 month period ending in April 2020. Among them, cloud misconfigurations were involved in nearly 20 per cent of breaches, making it the third most expensive initial infection vector examined in the report.
Meanwhile, in a report this week, Microsoft said enabling multi-factor authentication to logins would have prevented the vast majority of successful attacks it studied.
“In many cases, while we’re seeing some improvements in cybersecurity we’re still seeing [lack of] basic hygiene being responsible for the vast majority of incidents,” Scott Jones, director of the federal government’s Canadian Centre for Cyber Security, said in an interview.
Often at the core of a compromise is an unpatched piece of software, he added. “It’s not that it was a sophisticated, unknown vulnerability that was exploited,” he said. Often the patches were issued 12 or 18 months before the breach. “That’s where the basics really matter: Updating your systems is a great way of improving your defence.”
Asked why many organizations still don’t meet basic cybersecurity recommendations, Jones said one problem is installing patches can mean taking systems offline, particularly for small businesses. The technology industry needs to make patching easier and more automatic for these businesses, he said.
Following the cybersecurity basics as outlined by the centre’s Baseline Security Controls for SMBs is a good start for organizations that are unsure where to begin, Jones said. Figure out “which ones of these can I start to invest in to raise my security bar. That just increases the survivability of an SMB so it can face the threats that are out there.
“Look at where small investments can make a big difference.”
‘Still have work to do’
“One of the things I always say is any business that suffers some kind of malicious cyber activity is one too many, so in that sense we still have work to do, and businesses have work to do. We are seeing some improvement, though,” Jones said. “We are seeing more businesses pick up the tips and guidance we put out. We’re seeing more conversations around cybersecurity awareness and what you can do to proactively protect yourself.
“A lot of the emphasis before was people talking about recovery from an incident. That’s now what can you do to make yourself less susceptible to one. And that’s really what the guidance is about. So, yes we’re seeing progress.”
When asked about the Canada Revenue Agency hack and whether or not that stained Canada’s reputation, Jones said it doesn’t.
“We say everybody can fall victim in cybersecurity,” he replied. “The thing is how do you recover, how do you respond to it, how do face up to it. We will face cyber incidents, and we want to demonstrate here’s how when you’re the victim you face it.
“It’s going to happen. There are only two types of organizations in the world: Those who are victims of cyber incidents and know it, and those who have been victims but don’t know it yet … it’s all about how you recover, how you respond and how you make yourself more resilient.”
Looking ahead, no matter how much an organization has invested in cybersecurity it still has to maintain vigilance, Jones said. Many have been forced into work-from-home strategies, which has meant adopting technology to maintain cybersecurity maturity. “It’s about what does the new world look like,” he said. “What threats does the organization face, what information do we have that’s valuable and then responding. Not with cybersecurity steps that look good on paper but that actually address the threats you face.
“Everything needs to be tailored to face the risks you face, not some general way of feeling good. There’s no one size fits all.”