Commentary: It’s Time for Atlantic Canadian Businesses to Think About Cybersecurity
Huddle publishes commentaries from groups and individuals on important business issues facing the Maritimes. These commentaries do not necessarily reflect the opinion of Huddle.
By David Shipley
Firms of all sizes throughout Atlantic Canada are woefully unaware and unprepared to deal with one of the fastest growing threats to their organizations.
The global cost of cybercrime and cyber conflict hit $400 billion US in 2015, with businesses around the world reeling from financial and productivity losses as a result of data breaches, extortion attacks, fraud and theft of intellectual property or commercial secrets.
And it’s only going to get worse, with one security firm predicting that global losses from cybercrime and cyber conflict will rise to $2.1 trillion by 2020.
That’s roughly the entire value of all goods and services produced in Canada last year.
The costs to each business affected by a cybersecurity incident are significant.
In Canada, the average per-capita cost of a data breach in 2015 was $250, with the average total cost per organization rising to $5.32 million.
Understanding the top risks
The first step in fixing your organization’s cybersecurity posture is recognizing that you are a target for cybercriminals and that it’s a matter of when, not if, you’ll be attacked. Once attacked, it’s also a matter of how prepared you are to react, repair and resume business.
Ransomware
For professional services organizations in Atlantic Canada such as law firms, accounting firms, consultancies and others, one of the single largest risks comes from a rising class of malicious software called ransomware.
Ransomware works by encrypting or scrambling your firm’s vital digital files with an unbreakable code that can only be opened with a key your firm will have to pay for via a ransom. The criminals behind this scam collect the ransom in the form of digital currency such as Bitcoin, making it impossible for police to catch them (even if they could sort out the international jurisdictional nightmare). Ransomware attacks have caused havoc for firms of all sizes around the world, with the criminal group behind the widespread CryptoWall ransomware netting an estimated $325 million USD or more from victims in the past year.
Ransomware can be installed on your firm’s devices through a variety of means, such as malicious e-mail attachments or phishing scams, as well as by your employees visiting websites that have been infected with malicious code. Infecting websites with malicious code, often via ads (so-called malvertising), is an increasingly common attack, with sites such as CBC, the Globe and Mail and Forbes all falling victim in the past few years. These attacks take advantage of outdated software such as Adobe Reader and Flash, whose browser plug-ins can be exploited when an infected website is accessed.
Defending against ransomware and other malware requires a robust and audited plan by your IT support staff for patching your computers and mobile devices as well as deploying adequate defensive software.
Fraud
Businesses throughout North America have lost more than $1.2 billion in recent years to e-mail based scams in which criminals impersonate CEOs, CFOs and other executives and convince staff to wire money for a supposed payment. These attacks have become so common and have netted criminals so much money that they’ve earned the nickname whaling attacks (because they go after the biggest targets in your organization).
One European aerospace firm lost 50 million euros in a recent cybercrime attack.
Defending against these attacks takes both improved financial controls as well as increased employee security awareness.
Denial-of-Service Extortion
Businesses in Atlantic Canada that rely on their online presence to sustain, run or grow their enterprises are highly susceptible to a new class of extortion crime. So-called denial-of-service extortion involves overwhelming your online presence with malicious traffic, preventing legitimate customers, employees and others from accessing your sites. These attacks can cripple even the largest firms: both Microsoft and Sony suffered crippling denial-of-service attacks on their gaming services during the key Christmas period. It can cost 10 to 100 times more to defend against a denial-of-service attack than to launch one, making giving in to extortion demands an all-too-tempting choice.
Defending against DDoS extortion requires planning and discussion with your hosting and online service providers, your IT teams and firms that specialize in protection from such attacks. You may not need to actively defend against an attack, but if your business depends on being online, you definitely need a plan.
Data breaches
Every business has sensitive information, whether it’s customer information, payment card information, health information, commercially confidential business plans and secrets or intellectual property, and all of that data has a price on the black market.
The thriving trade in stolen data will only grow in 2016, and businesses need to spend time wrestling with the largely ignored non-technical problems, such as privacy policy, data retention and governance policy, and incident response plans.
According to Deloitte, only half of Canadian firms have documented incident response procedures that are followed and tested.
Critical infrastructure and control networks
Whether you’re a manufacturing plant with specialized assembly line equipment, a farm with an automated system for controlling the feeding of your animals or a commercial landlord with systems for regulating heating and ventilation, the risks to your business are increasing.
Many of these systems were never designed to be secure, yet they are increasingly exposed to the Internet, either intentionally to improve productivity or convenience, or accidentally due to poor auditing practices. Defending your business’s critical infrastructure takes patience, well-documented procedures for regular security testing, careful selection of products and regular auditing.
It all adds up
Securing your business or organization from cyber threats isn’t cheap. It’s also not about running out and buying a bunch of security technologies that claim to be a silver bullet that’ll completely remove your risk. It’s about investing the time and money in the people, processes, policies and technology you need to be safe.
Companies that fail to invest in security will continue to lose customers, face costly lawsuits and forthcoming fines from the federal government as well as lost productivity.
Organizations that invest in security will create resilient, sustainable enterprises that have a competitive advantage over many of their peers who are not investing properly in security.
David Shipley is the Director of Strategic Initiatives at the University of New Brunswick. He is part of its Cybersecurity team and responsible for security awareness and strategy. He has spoken at higher education conferences and IT security conferences across North America. He also teaches about cybersecurity strategy through UNB’s College of Extended Learning.