When Imran Ahmad got the results of his law firm’s recently-commissioned corporate cyber incidents report he was surprised.
Data showed just over half of Canadian organizations hit by ransomware last year paid cyber criminals to get decryption keys for restoring scrambled data.
The surprise? Ahmad, a partner in the cyber and privacy practice of national law firm of Blake, Cassels & Graydon, is sure more are paying.
“We believe that number [of Canadian firms paying ransom] has gone up materially since COVID-19 happened,” he said in an interview. “I thought the number would have been higher even before COVID because of the number of cases where clients call us and say, ‘We’re ready to pay. What do we do now?'”
One reason he thinks firms recently are giving in is that with more employees working from home more computers that connect remotely to the network are getting infected with malware. Consequently, some organizations believe the restoration of data will be “extremely difficult” even though they have good backups. Paying for decryption keys, management believes, will get operations back to normal faster.
Ahmad also suspects the number of ransomware incidents will increase after the pandemic crisis eases and staff return to their offices and plug their laptops back into the network.
The law firm launched the study to get more current information about cybersecurity incidents — defined as a breach of security controls — than is available now. In addition, Ahmad said, clients want answers to questions like should they pay a ransom, should they call police if they suffer a cyber incident and should they buy cyber insurance.
(Not unless they have to, yes and yes, said Ahmad — although when buying cyber insurance pay attention to the terms.)
The report is broken into three parts: A survey of cybersecurity forensic firms that responded to more than 250 cybersecurity incidents across Canada from January to October 15, 2019; a review of publicly released data by the federal, Alberta and British Columbia privacy commissioners’ offices up to November 1, 2019; and a review of various public-disclosure documents (including annual reports, annual information form, management discussion and analysis, management information circular and final long-form prospectus) of the 790 corporate issuers listed on the Toronto Stock Exchange (TSX) for cybersecurity-related disclosure statements.
Among the findings:
- 33 per cent of organizations that suffered a cyber incident had their operations disrupted.
- 25 per cent suffered primarily a financial loss.
- 21 per cent suffered an impact on their relationships with partners.
- Approximately half of organizations took over two weeks to recover from a cybersecurity incident. Almost a quarter needed more than a month.
- Only 31 per cent reported incidents to police.
Another finding that surprised Ahmad was that only 29 per cent of organizations that suffered a cyber incident had an effective incident response plan that they followed. “I thought it would be a higher number,” Ahmad said. “Aside from the fact that few had a plan, what surprised us was that among organizations that did have a cyber plan they did not have one that was really practical or user friendly. They would have very complex ones.
“You want a simple flexible plan — maybe no more than a dozen pages or so — with all the key contacts so you can deal with a situation in real-time. What we saw was organizations that had a ‘brick-type’ of response plan where everything that is possible is contemplated, and nobody consulted it because it’s so complicated — and it wasn’t tested.”
There’s a link to the full report here. Registration required.