Ransomware attacks represent almost 70 percent of all incidents
At first blush, readers of Blake, Cassels & Graydon LLP’s Canadian Cybersecurity Trends Study 2023 might take heart in discovering that 2022 did not see steady growth in the number of cyberattacks.
“The number of attacks in 2022 were roughly the same to slightly less than in 2021,” says Sunny Handa, a Montreal-based member of Blakes’ cybersecurity practice who leads the firm’s national technology and communications group.
But, perused more critically, the news isn’t really all that good.
“Growth paused because there were periods of successive months in 2022 where there were very few attacks being perpetrated,” Handa said. “The likely reason for disruption in the smooth growth trend experience over the previous years, however, was the war in Ukraine. Towards the end of 2022, things seemed to get back on track and the ‘volatility’ noticed in 2022 seems to have reduced to a relatively indiscernible level.”
Indeed, there’s little basis for optimism at this point.
“Things are getting worse and more complex,” Handa says.
Here are some of the concerning details:
- Ransomware attacks represent almost 70 percent of all incidents;
- Attackers accessed data in 77 percent of cases, up from 69 percent in 2021 and 52 percent in 2020;
- Attackers exfiltrated data in 68 percent of cases, up from 51 percent last year;
- Two-thirds of target organizations paid a ransom, up from 56 percent last year;
- The median ransom is up 170 percent in the last two years, to C$546,000; and
- Software vulnerabilities are to blame for 45 percent of incidents.
The top six target sectors were manufacturing (19 percent); banking and financial services (14); food, beverage, tobacco and cannabis (14); energy and natural resources (11); non-profit and education (11); and the public sector (9).
David Craig, formerly a partner in PwC’s cybersecurity and privacy practice and now a Toronto-based consultant who serves as an interim chief information security officer and head of security for companies bridging their CISOs including CN Rail, BDC Bank, Suncor Energy, OLG and Celestica, finds the sector statistics somewhat surprising.
“I thought financial services would have had a higher incidence, but I’m not surprised that manufacturing is a common target. Manufacturers are known globally for their vulnerability to cybersecurity attacks because they are thin margin businesses who tend to be protected by small budgets and a known overwhelming willingness to pay ransom by way of avoiding downtime for their facilities.”
Defending against these threats, according to Handa, isn’t getting any easier for anyone.
“The criminal community has realized that cyberattacks are a viable, remunerative business. They’re getting craftier and smarter, and the ways in which they get into systems is constantly evolving and amazing to watch in real time.”
Handa likens the cybersecurity environment to an “arms race.”
“There’s stuff happening that we don’t know anything about so we have no idea how to deal with it.”
So much so that organizations previously hit, who likely mended the vulnerabilities the initial attacks exposed, are now experiencing further attacks.
“It’s naive to believe that you won’t get hit again,” Handa says. “And the chances are good that you will.”
While Handa is no advocate of paying ransom, the consequences can be grave.
“In one case, the attackers sent chunks of data to a reporter,” Handa explains. “They may also spread the word to people whose personal data was taken in the hope of creating panic.”
The operational and reputational damage can be enormous, as Indigo discovered recently when it refused to pay ransom.
Some optimism does emanate from Blakes’ finding that cooperation with law enforcement is increasing.
“For many years, targets would not contact law enforcement on the theory that the fewer people who knew about an attack the better,” Craig says. “There was also a common view that the criminals involved were not in a jurisdiction where contacting the police would be of help. I think that’s changing, especially in terms of police assistance for small and medium businesses.”
From a regulatory perspective, however, the landscape remains a difficult and ever-changing patchwork.
“There are a whole lot of regulated industries, from health care to transportation to securities, and each of the regulators are left to their own devices to come up with a cybersecurity reporting regime,” Handa says.
While no preventative measures are foolproof, Handa recommends that companies look beyond their internal parameters.
“Hackers, for example, are getting into financial institutions by attacking the industry’s vendors. And not enough companies are monitoring their vendors or getting deep enough into their business.”
Organizations are also making things more difficult for themselves by holding onto information they really don’t need.
“Everyone wants to keep everything, like the records of employees who left 20 years ago,” Handa says. “Well, if those records are breached, the employer then has to find those people in order to satisfy its obligation to notify them.”
Otherwise, Handa recommends that companies segment their networks, perhaps keeping operational data and administrative data on separate systems, review their organization’s policies, provide regular cyber-awareness training, and investigate insurance coverage.
Pre-breach preparation is also critical.
“You’ve got to make sure that you have well-prepared management and recovery teams who know what they’re doing, perhaps by role-playing in advance instead of learning on the fly,” Handa says. “This will limit the amount of damage, keep the costs down, and may even make an attack less likely because hackers prefer the low-hanging fruit.”
Unfortunately, internal politics can aggravate the consequences of a breach.
“You’ve got the CEO, the CFO, the security head and others, all with interests to protect, as well as an IT team that’s likely to be defensive because the breach happened on their watch,” Handa says. “So it’s important to embed a culture that is good for the enterprise, especially taking experts’ advice, because not listening to them can pull you down.”
Even more dangerously myopic is believing that cybersecurity is primarily an IT issue.
“That’s missing the point because this is an enterprise risk that must be a management priority – the next thing after COVID,” Handa says. “This is not a far-fetched risk but something that a prudent director needs be concerned about. If you have an electronic footprint, and everyone does, start thinking about it now.”
Reading the study, it turns out, could be a good way to start.
“This is one of the most informative reports on cybersecurity insights that I’ve read this year, and the emphasis on Canadian data is particularly detailed and helpful,” Craig says. “So are the sections on privacy law, litigation trends and incident preparation trends."