The internet. It has completely changed how we operate as a nation, as a society and as individual businesses. It lets the smallest venture connect with people around the world in an instant, often with little more than a smartphone. But for all the connectivity it affords businesses, the modern web also leaves companies vulnerable to scams, data breaches and, in many cases, loss of revenue.
An estimated one in five businesses in Canada were hit with cyberattacks in 2017, according to the Canadian Survey of Cyber Security and Cybercrime, a report released by Statistics Canada. Even this high of a number, according to Jesse Hill at Edmonton’s Tier 3 I.T. Solutions, is probably inaccurate. The real figures are likely much, much higher.
“Numbers like that are only the reported incidents,” Hill warns, “and those numbers will likely go up now that mandatory incident reporting is in effect and people will have to talk about it.”
These unreported incidents, in many ways, lie at the heart of cybersecurity issues in Canada. Up until recently, many companies would rather not make their incidents public and simply not talk about it. Such silence breeds vulnerability and misinformation on how to protect a business. The silence is also representative of how little companies understand what is in their data banks.
“I think most businesses do not grasp the value and scope of their information,” Hill says. “A small engineering firm, for example, has proprietary information, designs, contracts, patents and other valuable data. That gets trickier for any company that handles personal information.”
The truth is that every business is sitting on valuable information. Most also do not know what they do not know, from how networks are set up to the many vulnerabilities that can leave them exposed to security breaches. They are also unlikely to know what is most valuable to people targeting them, and attacks are getting in. This all contributes to Canada’s unusually high number of cyberattack incidents, especially compared to the rest of the world and our country’s relative GDP.
Rishi Patel, partner of client relations at Keeran Networks, also points out that each industry will have different data that’s valuable. “I think every industry or sector is going to have their own unique security risks,” he explains. “A retail shop would be most concerned about PCI compliance, like the processing and storing credit cards securely, or how their customer data is protected. Alternatively, an accounting firm might be most concerned about exposing client data or getting ransomware.”
Ransomware is just one of the ways in which a company’s data is being used against them and is still prevalent today. In times past, data stolen from networks was sold to the highest bidder online, especially login information and passwords. Ransomware, however, cuts out the auctioning out of stolen data and instead heads straight to the original victim, locking them out and demanding money. If you do not comply, valuable data gets deleted or sold.
Hill says he is seeing less ransomware attacks today but that the methods and processes are getting more difficult to counter.
Patel points out that the actual technology for breaching networks is also getting more user friendly, leading to other issues. “The tools used to penetrate networks have become significantly better and much easier to use,” he says. “For example, there are sites on the internet that you can pay a small fee and they will hack someone’s network for you. Worse, if users recycle their email address and password combination on multiple sites, when one of those sites is compromised, those credentials are now available on the dark web for anyone to try to use to gain access into your network.”
Dan Wadsworth, director of operations at Helix IT Inc. points out that the mass email is still one of the most popular and effective forms of cyberattack. “Currently a lot of business are receiving targeted mass email exploits, most of which are phishing in nature and try to convince someone into clicking on an infected link or file,” he explains. “I believe there will be more and more of these, and the sophistication will rise significantly.”
Of the types of cyberattacks that we can expect to gain popularity in the future, Patel warns particularly against spear phishing. Unlike phishing, where mass emails are sent out to people in the hopes that someone will open them and grant access, spear phishing is more personalized. The emails in these schemes appear to be from trusted people or contacts, meaning they are much more difficult to discern as possible attacks.
Staying on top of the latest cybersecurity issues is often far too complex and ever-changing for the average business owner, but there are best practices that can help every business of every size stay more protected. “It’s best to take a multi-layered approach,” Patel says. “One, protect your network traffic with a commercial grade firewall with intrusion detection services that is updated daily, like Cisco. Two, protect the workstations with a top-rated anti-virus program like Webroot. Three, protect the users with a service like Cisco Umbrella that ensures they are visiting verified sites.”
Taking it a few steps further, Patel also recommends educating your employees and users about social engineering attacks and malware, and having a security expert perform monthly vulnerability assessment scans.
Wadsworth agrees, “Adequate and proactive antivirus and malware protection is the biggest [best practice],” he says. “Additional items include active gateway level intrusion prevention and appropriate IT policies to limit unneeded advanced access levels.”
Hill recommends that all employees get educated as well. He regularly hosts lunch-and-learns for his clients to teach their staff about the various security best practices they can employ. He also recommends that companies start treating their hardware more seriously. “When we hire someone and give them a company vehicle, we get a driver’s abstract,” he says. “If your truck gets in an accident, it’s inconvenient. It’s one vehicle off the road; but, if a computer gets ‘in an accident,’ it can take your entire fleet offline.”
“Most companies really don’t have any policies on what people can use their company computers for, which would be unheard of with a company vehicle,” Hill continues. “It’s not like you can move a friend with a company vehicle, yet we see people downloading and streaming pirated content on their work computers. It’s opening up their company to a lot of security issues.”
Hill also recommends regularly changing passwords, including the Wi-Fi password, and not giving that information out to non-employees. “Many people don’t understand that giving out their Wi-Fi password grants access to their network,” he says. “They need a security plan in place ahead of time so, for example, if an employee quits and leaves on bad terms, they can’t sit in the parking lot, access the network and manipulate, delete and destroy data.”
Of course, every expert recommends backups – more than one backup in more than one place on more than one medium.
Cybersecurity issues are growing in Canada. Unlike the international headlines, many attacks are quite mundane: a disgruntled former employee causing havoc or a current one opening infected emails or messages by accident. Many of the attacks are getting more sophisticated and more intense, leaving businesses locked out of their data and sometimes forced to pay large sums of money. Luckily, many of the solutions are quite accessible, including using the services of local experts who can protect your data, your investments and your reputation.