Cyberattacks have existed since the dawn of the modern-day internet, when hackers unleashed viruses and worms as pranks or experiments. While cyberattacks have become more sophisticated and nefarious over the years, the COVID-19 pandemic ushered in a new era of cybercrime, as adoption of digital technology accelerated, workplaces went remote and costly cyberattacks surged.
Ransomware attacks – one of the top threats today – increased by 151 per cent globally in the first half of 2021 compared with 2020, according to the Government of Canada’s Communications Security Establishment (CSE). In a ransomware attack, malicious software blocks access to a computer or network, or encrypts its data. Cybercriminals then demand ransom money in exchange for releasing the data, resulting in financial losses and business disruption.
In Canada, the estimated average cost of a data breach, which includes but is not limited to ransomware, is $6.35-million, according to CSE, which recently warned that ransomware operators are set to become increasingly aggressive. According to research firm Cybersecurity Ventures, cyberattacks globally resulted in US$6-trillion in damages in 2021 alone. The World Economic Forum has identified cyber risk, which includes the financial loss, business disruption or reputational damage caused by a failure to protect a computer system, as one of the greatest risks facing the world in the next 10 years.
“From ransomware attacks on companies to entire healthcare systems getting hit, nobody is immune to this issue,” says Greg Markell, FCIP, president and chief executive officer of Ridge Canada Cyber Solutions Inc. “As Canada is losing billions of hard-earned dollars, cyberthreats are a major problem we can no longer ignore.”
While high-profile attacks typically make the headlines, criminals aren’t just targeting large organizations that have valuable data.
“Every individual and organization has a certain level of cyber risk,” says Angela Feudo, FCIP, an Insurance Institute of Canada instructor. Feudo teaches the institute’s C20: Cyber Risk course as part of its Chartered Insurance Professional (CIP) program. “As Canadians spend more time online and become more connected, this threat increases. The challenge is that threat actors are discovering new ways to breach computer systems and to use social engineering to convince individuals to give them their financial information or send them money.”
For example, Feudo notes that, at the beginning of the pandemic, cybercriminals created new phishing scams related to the global crisis. In emails and texts, the perpetrators claimed to be health or government organizations that were providing Canadians COVID-19 testing information, offering relief funds or soliciting donations.
“Threat actors will continue to engage in social engineering, which exploits the human element of cybersecurity. They will just change the premise to what is currently relevant,” Feudo says. “So, it is important for Canadians to stay vigilant. As remote work becomes more common for companies, threat actors will continue to take advantage of less secure home devices and networks.”
How to mitigate cyber risks
While the sophistication and severity of threats continue to evolve, it is possible for organizations to prevent and protect against cyberattacks. As part of a comprehensive cybersecurity strategy, here are some key steps in cybersecurity hygiene that organizations should take:
Determine cyber risk: The first step is to identify your assets, look at how you’re protecting them and determine the impact of potential lost or inaccessible assets. Assets can include hardware, systems, laptops, data and intellectual property.
“Identification of cyberthreats and analyzing the controls that are in place are crucial steps to help combat threats,” Feudo says. “If you find gaps, you can then prioritize implementing the controls by criticality.”
Markell adds that cyber risk isn’t just an IT issue; it is governance based. “You need buy-in from all levels of the organization and you need to create a culture where people aren’t afraid of raising their hands when they notice something is wrong,” he says.
Train employees: Employee awareness training is vital to safeguarding an organization’s systems. “When people aren’t trained on what to look out for, that creates vulnerabilities,” Markell says.
Employees should be made aware of the different types of cyberattacks and be trained on how to detect them. They should also be trained on what to do if they think they opened a suspicious link or attachment, or visited a compromised website.
Shore up security: There are a number of cybersecurity measures and best practices you can implement to protect your networks and data. These include using multifactor authentication; ensuring your systems are up to date with the latest patches and security features; understanding what type of information you collect and where it’s stored; encrypting sensitive information; and maintaining data backups.
Any security measure should take into account new and emerging threats. For example, Markell notes that even backups are being targeted now, so it’s important for organizations to have multiple copies of backups in various locations.
Consider cyberinsurance: Another line of defence can be cyberinsurance, which may cover such costs as damages related to security breaches. Carefully weigh what’s available to you in your market. Feudo says that cyberinsurance has also helped to create more awareness about cybersecurity among organizations.
“As the number of breaches has increased in recent years, insurance companies have spent more resources training and educating companies, seeking outside vendor support and setting minimum security standards,” she says. “Just like a property insurer requires you to have smoke detectors in your building in case of a fire, cyberinsurers require minimum security standards to provide insurance coverage. Helping to educate insurance consumers in best cyber practices will hopefully result in Canadians being more cybersecure.”