A Cyberattack is Almost a Certainty. Are you Prepared?

We have all been exposed to personal online scams – notifications that your package has been delayed and you need to fix the address, or Revenue Canada has a refund for you, maybe your bank card has been frozen and you need to reset the password, or there’s an opportunity to invest in a fail-safe investment. Perhaps you’re seeing the latest trend of a random text appearing on your phone, asking some innocuous question to engage in conversation or that a relative is in trouble overseas and needs money right away.

The list of sinister ways of engagement has no end.  According to the U.S.Federal Trade Commission, consumers reported losing more than $10 billion to fraud in 2023, a 14% increase over reported losses in 2022. The Canadian Anti-Fraud Centre received fraud and cybercrime reports totalling a $530 million in victim losses in 2021, nearly a 40% increase from the unprecedented $380 million in losses in 2021.

These personal scams operate by casting a wide net and with fingers crossed, hopefully a small percentage of recipients will take the bait.  But the real hackers know the big money is in corporate espionage and capitalizing on the holes left open by a lack of cybersecurity preparedness in both the private and public sectors of Canadian business.

Illustration: FTC

October is Cybersecurity awareness month and data recently disclosed by CIRA, the governing body that operates the Canadian Internet Registry (.ca), comes with a dire warning that it’s not if, but when will your organization be hit by a cyberattack?

The CIRA Cybersecurity Survey asked Canadian cybersecurity decisionmakers to share their views and experiences throughout all stages of a cyber incident – from risk assessments to resources and preparedness to recovery. The survey was conducted by The Strategic Counsel in August of 2024 and collected 500 online responses from cybersecurity decision-makers across Canada.

According to Jon Ferguson, Vice President Cyber and DNS at CIRA, “this year’s survey finds that organizations in every sector are acutely aware of the risks associated with different forms of cybercrime. The top three perceived risks identified by cybersecurity professionals are malicious software (50 per cent), scams and fraud (45 per cent), and manipulation or theft of data (43 per cent).”

“Among the assortment of bad actors out there” adds Ferguson, “profit-motivated cyber criminals are most likely to be perceived as the biggest potential threat (60 per cent), followed by cyber criminals motivated by nationalist beliefs (33 per cent) and foreign state actors (32 per cent).”

The CIRA report found that ransomware remains a top threat for Canadian organizations with more than a quarter (28%) saying they’ve been the victim of a successful ransomware attack in the last 12 months, up from 17% just in one year. That’s close to one in three businesses disclosing that they have been a successful target of an attack.

Almost three quarters (73%) of those that experienced a ransomware attack say that their data was compromised. While the common mantra has been not to negotiate with hackers, a shocking 79% of Canadian organizations attacked opted to pay the attackers ransom demands. Almost 8 in ten organizations (79%) that experienced a ransomware attack paid the attackers’ ransom demands, up from 70% in the 2023 survey. For organizations that chose to pay up, the typical cost was at least $25,000.

CIRA expects the number for ransom demands targeting Canadian organizations to continue to rise, partly because many large institutions are insured for such payouts so the decision to pay is viewed as the easiest fix and the quickest way to minimize reputational damage. When Ticketmaster or Caesar’s Entertainment for example, are compromised and send out mailed letters informing customers that their personal data has been stolen, the trust in those organizations declines. CIRA’s states reputational damage to organizations has quadrupled in the past six years from disclosures from attacks.

Remember the good old days when spotting a scam was fairly easy? Words that were spelled incorrectly or a clunky sentence structure or implausible URL’s where you knew that this couldn’t possibly have come from the Royal Bank of Canada? Those tell tail signs have become far more polished in the past decade and their sophistication is only going to improve through generative AI tools.

Byron Holland President and CEO CIRA on how to save the Internet on the TEDx stage

CIRA finds that seven in 10 organizations are worried about potential cyber threats from generative AI. Organizations are most concerned about data gathered by AI tools (61%) and improved phishing emails and texts (56%). More than half (57%) say their organization has integrated AI tools into its workflow and operations, up from 44% in 2023. Among those worried about generative AI threats, AI-powered cyberattacks (52%), privacy breaches (45%) and data poisoning (43%) tend to be of greatest concern.

So how do hackers make money outside the obvious of holding your company ransom until you pay to receive a “key” to release your network? And those ransoms, while often denied by the organization can cost tens of millions.  According to Infosecurity Europe, German-headquartered electronics giant MediaMarkt suffered a ransomware attack in 2021 with a demand for $240 million that was reportedly negotiated down to $50 million, an amount the company has never admitted to paying. 

Now think of the information that we all regularly provide to hospitals, schools, local governments and corporations: your birthday, home address, emails, phone numbers, banking and tax information, social insurance numbers, credit card numbers, the list goes on. That information becomes a second-tier revenue source for hackers. According to a dark web price list published by Private Affairs, a single hacked Canadian credit card number (including CVV) currently goes for $30 USD, while an email database of 2.4 million Canadian email addresses will net its seller $100 USD. Online banking login credentials at certain banks can fetch upwards of $4,000 USD, and while estimates vary, a single medical record can be worth up to $1,000 USD on the dark web. When attackers gain access to thousands or even millions of data records, the payoff can be massive.

The message from CIRA is it’s only a matter of time before your organization is targeted. But there are still tools that can be adopted to decrease the risk. Human error is responsible for the majority of successful cyber breaches. While criminals are using AI tools to aid in their phishing, corporations too can use AI tools to sniff out suspicious communications and other threats to minimize human error.

Even the most sophisticated organizations can be disrupted. Earlier this year cybersecurity company CrowdStrike issued a faulty software update impacting 8.5 million computers that grounded airlines and impacted hospitals. Not only did this outage emphasize our reliance to computer networks but it also showed the speed in which cybercriminals operate to capitalize on disruption with many sending emails to impacted organizations known as hacker trickery, disguised as coming from CrowdStrike with the “patch” needed to fix the outage, only for the unsuspecting recipient (human error) clicking on a malicious ransomware program or handing over the keys to their network and disclosing personal information.

Aging technology is another factor that can significantly raise the cyber threat level for Canadian organizations and cybercriminals know that in certain IT environments, such as those found in the power distribution industry, critical operational systems and infrastructure, computer systems often cannot be altered, updated, or even rebooted because the costs of downtime are too great. If your operational systems cannot be replaced, adding a layer of security such as a DNS firewall that monitors incoming and outgoing traffic for known malicious threats, adds an important outer layer of security to even the most aged IT environments.

The greatest takeaway from the CIRA reporting is for organizations to create a strong culture of cyber awareness. The philosophy of “that won’t happen to us” is all but guaranteeing that your organization will be next.