A few months ago Peter Mate from Planit Canada shared his story of being “duped” by a cyber scam. This story illustrated that no matter how tech-savvy you are, everyone is vulnerable these days and the scammers are getting more clever by the day. Some of you may have read a recent article about the downfall of Nortel in Ottawa, a very advanced tech company that suddenly fell apart in the ’90s, much to the surprise of its workers and shareholders. The theories of foreign cyber infiltration and access to critical research within the company present a shocking picture of how the mighty can fall.
COVID-19 has exacerbated a drive to use more technology. We have heard this from our members countless times these past few months, and with that, scammers are no doubt drooling over the possibilities. While we would all like to see justice for these people, the harsh truth is that the cyber threat industry is alive and well.
Just recently I went on to my personal CRA account and had to go through not one, but three Captchas in order to log in. A sign of just how bad things are when there is layer upon layer of security.
In my search for trends and data, I came across the Canadian Cyber Threat Exchange (www.cctx.ca), a Canadian organization created to bring cyber security discussions together into a “hub” to share experiences and best practices. Whether you’re a big tech company or a kitchen cabinet manufacturer with a team of two, this organization offers much value and advice, and it’s also why we’ve invited them to give a CKCA national discussion October 15 at 1 p.m. (EST). Watch for more details soon.
Becoming a member of CCTX gives you access to all their up-to-date advice, and no, it’s not just geared to tech people; it’s for anyone who wants to protect their business.
According to CCTX, about 70% of Canadian businesses have been victims of cyber attacks with each incident costing around $15K. I confess that I also got “duped” a few weeks ago with a rather clever email. I’ve prided myself on navigating around such things, but this email came from a member and while I even questioned the member on the validity of the email, their response was a “no it’s not spam, please go ahead” only for me to then get another email from them only 10 minutes later saying “yes it is spam.” By then it was too late; I had already inserted a password for the scammers to see. Quickly my IT guy had me change my passwords; we were fortunate. But I lost a morning of work over that one.
That’s what this really boils down to: what are you prepared to lose? I’m guessing you don’t want to lose anything, especially given the additional strains COVID-19 has placed on business. So that’s why CKCA wants to share this information with you now and why we hope you’ll join us on Oct. 15.
CKCA interviewed Bob Gordon, executive director of CCTX. Bob’s work background includes time with the RCMP and the Canadian Security Intelligence Service. Bob explains what’s happening and why companies should connect with CCTX.
What are some of the startling statistics you see these days on cyber-attacks and their impact on business?
Cyber criminals are taking advantage of the COVID-19 pandemic. Healthcare professionals are on the front lines defending us from the pandemic. At the same time, they have had to deal with a 400% growth of phishing attacks in the last two months. Reporting by VMware Carbon Black indicated that there was a 238% increase in cyber-attacks against the financial sector from February to April this year. Business email compromises are becoming very sophisticated. Attackers are now not only encrypting businesses’ data during ransomware attacks, they are taking the data and publicly releasing some of it as a way of adding pressure to make companies pay the ransom. Unfortunately, the criminals’ strategies are working – they’re making money.
Why was the Cyber Threat Exchange created and how are you addressing the threat?
The CCTX was created by the private sector to provide a collaboration mechanism for organizations to work together to mitigate the risk of cyber threats. We do this by sharing information about cyber threats and sharing best practices and ideas on how to deal with the increasing threats. Organizations realized that none of them could do this on their own. This is particularly relevant for small businesses.
The CCTX provides actionable information on cyber threats in order to assist companies in increasing their cyber resilience. We host weekly threat analyst calls to discuss current threats. Technology webinars are held where members hear from industry experts discussing the latest technologies, cyber solutions and best practices. For example, at the start of the pandemic lock-down, we ran daily calls where members discussed the challenges of employees working from home and shared the solutions they were adopting. When not in a pandemic situation, we hold in-person collaboration events.
Just how clever are these attacks becoming, i.e. who’s vulnerable?
Attackers are becoming very sophisticated. Unfortunately, quite often they don’t need to use their best attack tools because organizations haven’t deployed some of the basic cyber defence tools such as updating operating systems. One of the challenges for companies of all sizes is ransomware. In the past, if you didn’t have trade secrets or intellectual property to steal, owners felt that they were immune to cyber attackers – there wasn’t anything worth stealing. Ransomware has fundamentally changed the risk. Now, all businesses are susceptible. Attackers are no longer only focusing on stealing from you, they want to deny you access to your information. If you have something that is only of value to you, like your inventory, customer list, contract information, it’s worth someone denying you access to it. This is a significant business risk. Without access to the data you can be shut down.
Bottom line, every business, regardless of its size or type, is vulnerable to cyber-attacks.
Can you provide a few tips on how a company (small or large) should protect itself from cyber-attacks?
The government’s recently established Canadian Centre for Cyber Security (CCCS) provides excellent advice for companies of all sizes. For example, during the early days of the COVID-19 pandemic, they provided practical suggestions for companies whose employees had to work from home. They have also issued warnings to some organizations that are particularly under attack such as the healthcare sector.
I draw on the recommendations from the CCCS’s experts which include: automatically patch operating systems, backup and encrypt your data regularly to an external location, enable security software, use strong user authentication, provide employee awareness training, and develop an incident response plan. These steps are well within the technical capability of all businesses.
The complete list is available at the CCCS website: https://cyber.gc.ca/sites/default/files/publications/Baseline.Controls.SMO1_.2-e%20.pdf
As the manufacturing sector becomes more automated and dependent on automation, where do you see vulnerabilities for the kitchen cabinet manufacturing sector?
The kitchen cabinet manufacturing sector will increasingly be vulnerable to cyber-attacks. Anything connected to the Internet is a potential target. The automation tools can either be a target themselves or be used as a platform to launch an attack on other parts of the business, e.g. financial information, business information, and employee information. Frequently Internet of Things (IoT) devices are developed with little or no consideration for cyber security, or they are all manufactured with the same password. These attacks can shut down equipment or be used to gain access to the business’s information where they will launch a ransomware attack.
What kinds of considerations should a company consider when purchasing Cyber Insurance, i.e. determining if it’s worth it or not?
Cyber insurance should be considered from a couple of perspectives. Cyber insurance is increasingly becoming part of business contracts. Companies are demanding their suppliers have cyber insurance as a way to reduce their risk should a supplier suffer a cyber-attack that makes them unable to fulfill the contract. In addition, most organizations will become the victim of a cyber-attack. The Insurance Bureau of Canada reported last year that nearly one in five businesses they polled have been affected by a cyber-attack or data breach in the last two years. The question businesses need to ask themselves is when that attack occurs and they do not have cyber insurance, will they have the resources to recover?
Any final message to companies about safeguarding their business?
The cyber threat is real, it’s growing and every business is vulnerable. The consequences of a cyber-attack constitute a business risk and need to be addressed accordingly. This is a business issue and not just an IT issue.