I’m going to start this out with some statistics:
The Canadian Survey of Cyber Security and Cybercrime was conducted for the first time to measure the impact of cybercrime on Canadian businesses. This release coincides with Cyber Security Awareness Month, which is an internationally recognized campaign held each October to inform the public of the importance of cyber security.
In 2017, just over one-fifth (21%) of Canadian businesses reported that they were impacted by a cyber security incident which affected their operations. Large businesses (41%) were more than twice as likely as small businesses (19%) to have identified an impactful incident.
Canadian businesses reported spending $14 billion to prevent, detect and recover from cyber security incidents in 2017, which represented less than 1% of their total revenues. Approximately $8 billion was spent on salaries for employees, consultants and contractors who worked on cyber security, while $4 billion was invested in cyber security software and related hardware. Several other prevention and recovery measures accounted for the remaining $2 billion of the total expenditure.
Annual average expenditures on cyber security differed greatly based on size of business in 2017. Large businesses (250 employees or more) spent $948,000, medium-sized businesses (50 to 249 employees) spent $113,000 and small businesses (10 to 49 employees) spent $46,000.
Of those businesses that were impacted by a cyber security incident, 39% could not identify the motive of the attack, while 38% identified the motive as an attempt to steal money or demand a ransom payment. Just over one-quarter (26%) of businesses experienced incidents where perpetrators attempted to access unauthorized or privileged areas, while 23% faced an incident where there was an attempt to steal personal or financial information.
On July 12, 2018, the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) issued a public service announcement (PSA) regarding the continued increase of Business Email Compromise (BEC)/Email Account Compromise (EAC) scams, especially in the real estate sector. The agency updated its statistical data derived from numerous sources including international law enforcement, logging a 136 percent increase in identified global exposed losses between December 2016 and May 2018. The dramatic increase brings the total domestic and international exposed dollar losses to US$12.5 billion.
Lots of statistics, lots of scary numbers… Unfortunately, many Canadian Business owners do not take any of this seriously enough to take action. We have seen a prevalent belief among lots of Business Owners that “Oh, we’re in Canada, we’re small potatoes, those guys don’t care about us…”
Since April of this year, my Company has been involved with remediating 3 Cyber Crime incidents that seriously impacted local Canadian Businesses. I can state that it is no longer relevant how big you are, YOU ARE A TARGET.
Cyber Criminals are big business; they are no longer the disgruntled teen or strange neighbor who never comes out of the basement and, when he does, wears a hoodie covering his head and face and barely grunts at people. They are an organized business, with massive floors in undisclosed offices in offshore countries, and some are even located here in good old Maple Leaf Country.
The damage caused by these Criminals is extensive, in some cases putting the business in such financial stress they are unable to recover and end up closing their doors, placing people out of work.
In the 3 cases we have been involved in, the work effort to recover these systems was, some days, overwhelming. The cost to the organizations was not insubstantial: lost business, employees unable to work, the cost of the remediation services, the loss of goodwill with their clients, and the stress the entire organization was placed under. Not pretty…
Another spinoff from the Cyber Criminal activities are the organizations who profess to be able to take care of this for you. I’m sure they are legitimate organizations who have built a business plan around dealing with the results of Cyber Crime Attacks. Interestingly, I personally had a conversation with a few of these types of organizations, mostly based in the USA, and a couple of these entities had Canadian Branch Offices. The pricing they would charge was all over the map, from as low as $2,000.00 to as high, in one conversation, as $350,000.00 USD. One of the organizations I spoke with took the approach of “Let us take over and don’t worry, we’ll deal with the hackers, we’ll get your decryption keys and we’ll take care of paying the ransom on your behalf, we have a large pool of Bitcoins and we also have some resources who can reach into the Hacker community and help with decrypting your files”, all for a cost, of course. Most of these organizations were also offering a soft guarantee: if they could not get your files decrypted, there would be no costs other than a modest assessment fee.
A “Conspiracy Theorist” might almost believe they are in league with the hackers, but as I said, that is a conspiracy. If you have been compromised and decide to work with one of these organizations, research a few of them before deciding on who to go with.
Regardless of how prepared you are, or think you are, the risk continues to grow exponentially. Cyber Criminals are, as previously mentioned, big business. They research their targets once they find a potential vulnerability, they get a feel for the size of the organization, and they base their extortion numbers on that, asking in some cases hundreds of thousands of dollars for the decryption keys to release the data held hostage. The latest gambit is to not ask for any ransom until after you have sent back a few simple files for decryption; they build the company’s profile by using the domain name associated with the email.
A couple of tips here. Do not use your company email to communicate with them; use a public email account so you preserve the anonymity of the company. It does not always work, but it can help. The Cyber Criminals tend to use the anonymous encrypted email services out there. If you are ever compromised and do not want to deal with them, contact the abuse desk of these organizations and provide them copies of the emails, and they will shut down the accounts. However, the Criminals just open up new accounts under other anonymous email addresses with fake personal information.
When having to attempt a negotiation strategy with one such group of Cyber Criminals, it was almost like dealing with an old school car dealership: the person being communicated to would take my offer to someone else, then come back with a counter offer. In one of the cases the extortion amount started at 37 Bitcoins and was negotiated down to 2, pretty ridiculous when you think about it. But they had the client’s data encrypted and held hostage…
In all cases we were able to recover from Backup; however, as I previously stated, the work effort was enormous, causing a major outage in all cases.
So what can you do…
If you are a Business owner, regardless of size, review your security posture, review your recovery capabilities, and most of all don’t take anyone’s word that you are perfectly secure… There is no such thing! This is a war that is escalating daily.
Take the time to invest in great Data Protection devices, software and processes, and layer your Anti-Malware and Anti-Ransomware products. Ensure your Firewalls are a high-quality, commercial-grade product that has capabilities to monitor and integrate with the End Point Protection Software so that you have a comprehensive response capability. Don’t forget about your staff who work from home and access the company systems remotely: make sure their systems are secure with the same End-Point Protection Products you use at home, and rely on an SSL-encrypted VPN to connect.
Make sure the computers in your organization are properly patched and updated on a regular basis. Plus, you should also have a Vulnerability Scan conducted both internally and externally to identify areas that require remediation.
Education is a large part of successfully combating Cyber-Crime: making sure your employees know what to look for in the way of Phishing emails, and making certain they understand how social engineering can get them to reveal sensitive information. It does not hurt to instill a behaviour of always questioning anything that looks suspicious.
There are many strategies that can help you prepare; however, never think you are 100% guaranteed to be safe. The only way that could happen is if you completely take your computers off the Internet and do not allow anyone to install anything on them. Of course, that does not work in today’s connected world.
Take the attitude that “It Is When” you will be attacked, “Not If”.
OPUS Consulting Group Ltd can help organizations address many of the vulnerabilities with services to identify, remediate and educate, as well as products and solutions to add layers of protection to prevent unwanted access and, of course, Data Protection and Recovery Solutions which will allow you to recover your Data without paying extortion fees.