Today’s high-tech cybercriminals can easily trick their victims with a seemingly genuine email, or exploit a website vulnerability, to break into a business’s infrastructure and install ransomware or steal data. Ransomware attacks lock businesses out of their data, with cybercriminals demanding large ransoms to unlock it. These attacks are becoming more frequent too. According to the 2022 Verizon Data Breach Report, there was a 13% increase in ransomware breaches from the previous year, a bigger increase than in the last five years combined.
Cybercrimes can cause irreparable financial, emotional, and reputational damage — but many businesses across Canada are not implementing the proper cybersecurity tools, processes, and practices to prevent an attack. A recent CTV News article reported that the average data breach costs Canadian businesses $5.64 million, but only 39% of Canadian businesses have implemented cybersecurity protections.
Deconstructed sat down with cybersecurity expert Sai Huda, CEO of CyberCatch, to get his insights into how businesses can protect themselves from cybercrime. Huda is a globally recognized cybersecurity expert, author of the best-selling book Next Level Cybersecurity, and recently helped author Canada’s national cybersecurity standard.
Should Canadian businesses be concerned about cybercrime?
Since almost everyone uses email and has a website, it is very easy for the bad guys, primarily criminal gangs, to use spear phishing — a customized fake email — to fool you into clicking on a link or downloading an attachment containing a virus. The virus can then do damage. Simply put, it can allow the bad guys to steal data and lock everything down. Or the bad guys can scan a website and find vulnerabilities (bad code or misconfiguration) and exploit them to break into your network, find the data, extract it, install ransomware, encrypt everything, and lock access.
How bad is the situation?
CyberCatch scanned nearly 20,000 websites in the U.S. and Canada. We discovered nearly eight out of ten Canadian businesses have vulnerabilities on their websites that bad actors can easily exploit. It is pretty bad, and we’ve got to wake up and take action.
What is an example of what can happen?
Imagine ransomware encrypting all of the computers in your business so no one can access anything unless you pay a hefty ransom. Even if you pay, there is no guarantee the bad guys will give you the decryption keys. Remember, you are dealing with a criminal gang you cannot trust. If you don’t pay, how long will it take you to retrieve your data from a backup and clean the computers of the infection? What if you cannot get back on your feet for several days or weeks? Recently, an educational institution permanently shut down from a ransomware attack because it took too long to recover and money dried out. A medical practice shut down from another ransomware attack because it took too long, and patients fled since their medical records were also stolen. A call centre business shut down permanently because it took weeks to recover, the owner ran out of money to make payroll, and all employees were laid off. Cybercrime is a risk all businesses face today.
What can businesses like our members do to protect themselves?
Canada has recognized cybercrime as a national threat — particularly to small and medium businesses. They are especially vulnerable since they have limited resources and may be unable to survive a data theft and ransomware attack. To help small and medium businesses, Canada created CAN/CIOSC 104, the national cybersecurity standard. I had the honour and privilege of helping author CAN/CIOSC 104. It prescribes up to 55 cybersecurity controls for small and medium businesses to implement to stay safe from cybercrime.
What are some examples of cybersecurity controls in CAN/CIOSC 104?
One is scanning websites regularly for vulnerabilities and eliminating them quickly before attackers can find and exploit them. Another is training employees to look for red flags of fake emails. Businesses also need to have an incident response plan and test it regularly. The 55 cybersecurity controls are common sense and practical; every business should implement them to be safe.
How can our members implement cybersecurity controls without breaking the bank?
The Compliance Manager is a solution. It can quickly enable compliance with CAN/CIOSC 104 and maintain compliance and safety. It is endorsed by the Digital Governance Council (formerly CIO Strategy Council), the creator of CAN/CIOSC 104, and brought to the marketplace in partnership with CyberCatch. It is an AI-enabled continuous cyber risk mitigation solution that first helps implement all necessary cybersecurity controls, then continuously tests the controls to detect failures and helps promptly fix them. It’s an affordable solution with unlimited access to a team of cybersecurity experts for guidance and consultation at any time.
What do you say to those who don’t think they are at risk?
Would you drive a car without seat belts, thinking, “I am a safe driver and will not crash”? The answer, I am sure, would be no. I would not drive without my seat belt because I am at risk just by driving and getting on the road. The same goes for cybersecurity. Just by using email and having a website, businesses become at risk of cybercrime. Leaders must wake up and act by complying with Canada’s national cybersecurity standard.
Visit cybercatch.com to learn more about the CAN/CIOSC 104 standards and how Compliance Manager can help.
May – June 2023
Author: Deconstructed / Sai Huda