Moderator Andrew Milne, Chief Revenue Officer, Field Effect (top) Panel: Jacques LaTour, CTO, CIRA (centre) Dr. Atefeh (Atty) Mashatan, Director, Cyber Security, Ryerson University (right) Natalia Stakhanova, Director, The Cyber Lab, University of Saskatchewan

Published: October 7th, 2020

In the time that it takes to floss your teeth–around 40 seconds–a new cyber attack would have occurred in 2017. That number is undoubtedly higher today.

Since COVID-19 reared its head, the U.S. FBI reported a 300 per cent increase in cybercrime. And rising in parallel with their frequency is the damage they cause.

These are just a few of the alarming trends realized, and conversations surrounding cybersecurity is one that will never cease. Yet, even with innumerable examples of its importance, organizations are still unprepared.

These worrying trends are the talking points for a panel of experts at MapleSEC. Moderated by Andrew Milne, chief revenue officer of Field Effect, experts from CIRA and Canadian universities came together to advise businesses on how to navigate the security minefield.

Who are the ones in peril? Breaches against big corporations draw the eyeballs, but many cyberattacks target small to medium-sized businesses. According to Accenture, 43 per cent of cyber attacks hit small businesses. These attacks could cost them $200,000 on average. When the company lacks a robust financial safety net, it could damage them beyond recovery.

Ransomware remains a choice attack method by threat actors. With its increased proliferation into the healthcare sector during the COVID-19 pandemic, losing access to critical infrastructure can cost lives – and in at least one case, already has.

The number of users targeted by malicious email increased in 2018. Source: Symantec Internet Security Threat Report 2019. Click to enlarge.

“It’s an old trick, And yet it still works,” said Dr. Natalia Stakhanova, director of the Cyber Lab at the University of Saskatchewan, talking about ransomware. “It’s very plain and a very basic approach yet we’re all falling into the same trap.”

Organizations aren’t ignorant of this fact, and many have robust online backups to recover operations in the event of a breach. Unfortunately, many organizations are finding out that online backups alone aren’t a good defence strategy against ransomware. As Dr. Atefeh Mashatan, director of the Cybersecurity Research Lab at Ryerson University, pointed out in her presentation, online backups can become useless in the event of an attack.

A poignant example came earlier this year when the U.K.’s cybersecurity agency updated its ransomware mitigation advice to include both online and offline backups. The reason? Attackers were getting a hold of online backs and encrypting them too.

“The bad actors are moving faster than us,” noted Jacques Latour, chief security officer of CIRA. “Within an enterprise, you can have a security policy and training for employees and everything…in the near future, you know, we should be able to keep up. But at home, that’s a different story. It’s at the mercy of the enforcement. There’s no system enforcement at home. And that’s what we need to focus on.”

And there’s much work to be done, said Latour. Admins need to actively check that employees are staying up to date on patches, be trained on recognizing threats, and help dispel fake news and deep fakes. 

“If you look at these breaches in more detail, most of them were preventable–if the companies were doing their cybersecurity hygiene 101,” said Mashatan. “You will see breaches again, and they’ll be as massive not because the attackers are becoming more sophisticated, not because we’re not prepared for the sophisticated attacks or emerging threats, but because we still are not doing a good job in maintaining our cybersecurity hygiene, making sure that we’re all on top of patching the latest patches, or awareness and training for our employees.”

Although the number of total ransomware sloped downwards, Symantec noted that the enterprises saw a 12 per cent increase in attacks. Click to enlarge. Source: Symantec.

Mashatan’s sentiment is one that’s widely supported in the industry. Attuning human intelligence to spot an attack, especially social engineering attacks, is often the first and best way to thwart them. To demonstrate its effectiveness, Cofensive described how a phishing attack against a healthcare company was stopped in just 19 minutes by a sharp-eyed employee.

Training employees is to prepare for them now, but the experts agreed that the best way to start is to start them young. The technology was already an inseparable part of education at all levels prior to the pandemic, and now it’s even more so with the rise of remote learning. To create a safer digital future, it must start with future generations.

“They’re getting our new iPads and elementary schools and the first grades. So why are we not offering them basic cyber hygiene knowledge at that time?” Questioned Stakhanova. “I think it’s primarily on us to make that happen. And there are some efforts moving in a direction in Canada and across the world, but it’s still very limited. It will probably take a good decade before we come to the point where we feel comfortable with our knowledge and how to behave ourselves on the internet to be safe.”

Although the spotlight is on ransomware, other threats are equally deadly. Attackers have caught onto the work from home trend and have begun targeting vulnerable home networks. The booming IoT market has created a succulent target for attackers as well. Symantec noted that between 2016 to 2017, attacks against IoT devices rose by 600 per cent. It didn’t stop there; F-Secure estimated that attacks against IoT devices tripled in the first half of 2019 alone.

IoT devices are a tricky subject. Mashatan highlighted the “all or nothing” approaches to IoT security. They’re either large enough to contain all the security features users come to expect, or they contain almost next to nothing.

The security state is pretty much non-existent in IoT variable devices,” Stakhanova elaborated on the topic. “It’s surprising to me how much we use these IoT devices at home, how little security is actually implemented in them. If you look at the regulations that exist these days across the world, they’re very limited.”

Without a doubt, 5G will accelerate the adoption of IoT devices, which increases the urgent need for better IoT security standards and regulations. With that said, Latour mentioned that the industry still has some work to do before they can sell IoT devices by the billions.

To prevent man-in-the-middle attacks between the innumerable IoT devices and sensors, the GSMA is developing a new standard called IoT Safe. Until it’s adopted by the industry, these devices remain a security issue.

At its current stage, the “industry’s not ready to support the 5G IoT deployment,” said Latour.



Related Download
Cybersecurity Conversations with your Board Sponsor: CanadianCIO
Cybersecurity Conversations with your Board – A Survival Guide
A SURVIVAL GUIDE BY CLAUDIO SILVESTRI, VICE-PRESIDENT AND CIO, NAV CANADA
Download Now