Ontario’s cybersecurity advisory panel believes the threat of ransomware is so serious it wants the province’s broader public sector – including hospitals, utilities, Children’s Aid Societies, school boards and municipalities – to take it more seriously.
“The game has changed,” Robert Wong, chair of the Ontario Cybersecurity Expert Panel for the Broader Public Sector (BPS) said in an interview on Tuesday, “so we wanted to put a call for action out there to BPS organizations to really look at this threat from a different lens and be proactive and try to manage and mitigate and prevent this risk from manifesting, and have plans in place to deal with it.”
Several weeks ago, the panel sent a letter asking Government and Consumer Services Minister Ross Romano to give direction to organizations in the broader public sector on ransomware, Wong added.
So far, to Wong’s knowledge, the minister has not yet done so.
When ITWorldCanada.com asked Romano’s office for comment on what happened with the request for action by the panel, a spokesperson didn’t directly answer. Instead, in an email, the spokesperson said the government “is making great strides in protecting Ontarians’ privacy and security online, while advancing a bold agenda to improve digital access to more services. We are committed to safeguarding the data of the people and businesses of Ontario and enhancing our current cyber practices, including to better protect us from the threat of ransomware. We continue to work closely with our partners in the broader public sector (BPS), such as the hospital and education sectors, on ensuring that we strengthen cyber resiliency and secure Ontario public services and programs for the people of Ontario.”
“Minister Romano works closely with the Expert Panel to advance initiatives that enable Ontarians to be safe and secure in the current, digital, modern economy and looks forward to reviewing the final report.”
Wong, the former CIO of Toronto Hydro, was interviewed after giving an online presentation to the annual conference of the Ontario chapter of the Municipal Information Systems Association (MISA). Its members are infosec pros in towns, counties and municipalities across the province.
The 10-person expert panel, created just over a year ago, is expected to issue a final report in March, 2022. That report will make recommendations for improving the cybersecurity posture of the broader public sector, which, in addition to the expected organizations, includes any agency that gets more than $10 million a year from the province – including the provincial Liquor Control Board (LCBO) and the provincial lottery and gaming commission.
The ransomware letter was the second alert sent to the province.
Expert panel interim recommendations
After five months of consultations and interviews with just some of the sector, the panel was so concerned about the lack of readiness of some BPS providers that in April it issued an interim report.
It urged the government to immediately tell BPS members to:
–start standardizing their approach to managing cybersecurity by following the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework;
–step up cybersecurity education and awareness training among employees.
The latter was meant to deliver a “quick win,” Wong explained.
The report was approved by the government and is available only to BPS organizations.
Awareness training “is relatively inexpensive,” he said, but vital particularly in management.
“In my mind it’s even more critical that the key decision-makers in the organization are aware of this risk, that cybersecurity risk is real and it’s critical and affects every organization.”
There has to be “a concerted effort from the top down to make it clear in the organization this is a priority and we need to act on it and be aware of it and take steps,” he said.
But, he added, there are worries. “I learned more intimately [so far] how the very small organizations lack the capabilities and resources to be effective. More disappointing is I find many of the larger BPS organizations in some ways are still lagging from what I would have expected. Even some of the larger organizations are not as advanced as you would expect them to be.”
“For many organizations it [cybersecurity] doesn’t become a priority until they get hacked … That’s not the right approach. You need to be proactive about it, you need to get ahead of it and be prepared for it.”
Among the solutions the panel is looking at is recommending organizations share resources where possible, he said. This could include sharing a security operations centre, group cyber insurance coverage, security audits, penetration tests, threat intelligence sharing and technical support.
Wong didn’t mention it, but one model could be the Ontario Cybersecurity Higher Education Consortium, a group of universities that share a CISO.
The goal is to help the BPS understand how to create controls to reduce cyber risk and to increase resilience.
He agreed it will take significant government funding to help the BPS improve their cybersecurity maturity. “Based on the current funding levels I don’t think we can assume [the sector] can absorb these costs … We’re going to propose the most cost-effective way of addressing this.”