'Cyberpirates launch mass attacks, especially on small- and medium-sized businesses because many don’t take the necessary steps to protect themselves'. (Getty Images/Sarinya Pinngam/EyeEm)
The fallout from a cyberattack is difficult to quantify. “It can lead to a vast array of consequences, including a complete shutdown, a demand for ransom or damage to your company’s reputation,” says Simon Fontaine, president of cybersecurity firm ARS Solutions.
The average cost of cybercrime surged 29 per cent in the U.S. between 2017 and 2018, reaching US$27.4 million per organization, according to an Accenture Security and Ponemon Institute study, which was based on interviews with more 2,600 senior security professionals at 355 companies in 11 countries (including Canada). Here in Canada, the average annual cost was US$9.25 million in 2018, compared to an average of US$13 million among all respondents.
One thing is certain: the threat is growing. “Cyberpirates launch mass attacks, especially on small- and medium-sized businesses because many don’t take the necessary steps to protect themselves,” Fontaine says. Canada has close to 1.17 million SMEs. “The most vulnerable are the first to go down, and they don’t recover,” he adds.
NO ONE IS SAFE
In 2019, companies and cities in the U.S. were hit one after the other. According to Coveware, a security consulting firm, in the last quarter of 2019, the average ransom payment reached US$84,116, double that of the previous quarter. In December, this amount peaked at US$190,946, with many organizations facing seven-figure payouts.
Back in 2016, the average cost was $15,000 per incident for Canadian businesses. But in 2019, ransom demands were between $64,989,540 and $259,958,160 (for a total of 4,689 submissions). Some organizations try to negotiate with hackers. However, the RCMP advises against paying ransoms since there is no guarantee the hackers will restore data.
“The longer the negotiations, the more hackers realize how much leverage they have. So companies need to move fast,” says Fontaine. “Some organizations think their insurance will cover the costs, but there’s no such guarantee.”
Pharmaceutical giant Merck found this out the hard way. In 2017, when the ransomware dubbed NotPetya attacked the company, Merck expected total compensation of US$1.3 billion. Unfortunately, certain insurers refused to pay, claiming the attack was an act of war because the United States had put the blame, at least in part, on Russia.
“Every business should carry out a threat and risk assessment to identify what’s essential to the company’s survival and how to protect it,” says Steve Waterhouse, a cybersecurity specialist and former Information Systems Security Officer with the Department of National Defence in Canada.
“Unfortunately, most small-, medium-sized and even large businesses have not classified their data and try to take a one-size-fits-all approach, but if a security breach occurs at the most basic level, the whole company could be jeopardized.”
Both Fontaine and Waterhouse point to Desjardins as an example, where a marketing employee was easily able to steal more than six million Canadians’ sensitive data.
A January 2020 survey by IT solutions firm Novipro and Léger Marketing confirms that data security and protection is still not a priority for numerous Canadian companies. In fact, fewer than one in two (48 per cent) of the companies reviewed their data protection practices in 2019. And this, despite the fact that 37 per cent of respondents said they were attacked in the past year, compared with 28 per cent the year before.
A SLOW SHIFT IN ATTITUDES
This doesn’t come as a surprise to Fontaine, who believes that cybersecurity is management’s responsibility.
“Companies need to see it as an investment in risk management, one with a huge return,” he says. “Management also needs to raise employees’ awareness, and employment contracts need to spell out what’s permitted and what isn’t, as well as the possible disciplinary measures.”
Waterhouse agrees: “Employees are the weakest link in the security chain. They’re often unaware of the most effective protective measures.” But, he adds, with whom does the blame lie? For example, some large companies are still using Windows 7, which Microsoft no longer supports. And while password managers should be the norm in 2020, not many are in the habit of using them.
“Companies still don’t have a standard process for approving cybersecurity budgets,” notes Waterhouse. “It often depends on one person, like the IT security manager, who reports to someone else, such as the vice-president of finance or operations, and so on. And yet, cybersecurity should be a priority—the entire company depends on it.”
So what’s the solution? “Plan a budget for cybersecurity, even a small one at first,” recommends Fontaine. “Keep it separate from the overall IT budget and increase it annually. That would be the bare minimum, given the risks involved.”
Waterhouse, who teaches information security prevention at Université de Sherbrooke in Quebec, advises that IT employees should also receive training on best practices—even though it is expensive. “It costs nothing compared to the losses from an attack,” he says. “Employers who choose to train IT personnel with $500 online videos instead of sending them to $5,000 in-class courses are taking a major risk.”
SANCTIONS ON THE HORIZON?
Both experts stress that companies rarely have the necessary equipment, skills and experience in-house to keep pace with hackers. In addition, they point out that Canada doesn’t yet have legislation like the European Union’s General Data Protection Regulation (GDPR).
“Certain provinces are working on their own bills, like Quebec, British Columbia and Saskatchewan, but there’s nothing at the federal level,” explains Waterhouse. “We’re 20 to 30 years behind.” The maximum fine is still $100,000, a far cry from the millions imposed elsewhere. For example, last year, the US Federal Trade Commission ordered Facebook to pay a fine of US$5 billion.
Canada adopted a Digital Charter in May 2019, however, it doesn’t clearly set out any penalties. In December, Daniel Therrien, Privacy Commissioner of Canada, roundly criticized the measure, calling it unsuited to protect Canadians’ privacy. And yet, the matter is urgent: the Office of the Privacy Commissioner reported that a data breach affected more than 28 million Canadians in 2019.
The goal, insists Waterhouse, is not to “financially penalize affected companies, but to push entrepreneurial culture to evolve. People no longer have a choice but to share personal information, so companies need to do better to protect it.”
“If Canada had legislation like the GDPR,” says Waterhouse, “Desjardins Group, based on operating income of $16,576 million in 2018, could have been slapped with a fine of more than $600 million after its massive data breach in 2019. Instead, it only paid $10,000.” (In Quebec, the law provides for fines ranging from $10,000 to $50,000, depending on the violation, which are doubled in the event of a second offence.)
LifeLabs, also a Canadian company, is in hot water since a data breach exposed the personal information of 15 million of its customers. Three class-action lawsuits have already been launched, in British Columbia, Yukon and Ontario, with the biggest seeking $1.13 billion in damages. This case clearly supports Waterhouse’s concern: as he points out, this is the second time LifeLabs has “lost data” in six years—in 2013, a hard drive containing the medical results of 16,000 patients disappeared. “The company doesn’t seem to be addressing its poor practices, and it’s not the only one,” he says.
According to the Novipro/Léger survey, 61 per cent of the Canadian companies surveyed hold sensitive data on their customers, but less than half consider whether they are well protected against data loss (46 per cent), intrusion (44 per cent) and viruses (45 per cent). Even worse, just 38 per cent of respondents said they would communicate with their customers in the event of a cyberattack, a significant decrease compared with 2018 (49 per cent).
In the meantime, Fontaine reminds us that many individuals are paying the price. “The data on Desjardins’ members will be sold and resold countless times on the dark web, until it’s no longer worth anything. Some financial institutions are even turning away these customers, because their profile is so risky.
“This only goes to show that an ounce of prevention is worth a pound of cure,” Fontaine says.
BE IN THE KNOW
When a company doesn’t protect its data, the consequences can be dire. All the more reason to watch out for certain scams that are making the rounds in 2020.