When I wrote last year about the risks posed by cybersecurity threats such as malware or ransomware, it was with an expectation that the situation might improve as risk awareness rose. But that hasn’t been the case. Quite the contrary, in fact. The reality is that cybersecurity risk is as great a threat to your organization’s success as ever—and likely more so.
According to the Canadian Internet Registration Authority’s 2019 cybersecurity report, some 71 per cent of organizations surveyed had been the victim of at least one cyberattack over the previous year. For most, dealing with the issue involved either paying out some form of ransom, redirecting staff to manage the fallout from the attack or devoting extensive amounts of time to its resolution. All three are costly consequences for any organization to manage.
As the report notes, “… only 41 per cent of respondents have mandatory cybersecurity awareness training for all employees,” and “… only 22 percent conducted the training monthly or better.” Thirteen per cent of organizations said their brand reputation had been impacted by a cyberattack, while 96 per cent said that cybersecurity awareness training did help to reduce incidents. But here’s the greater problem: a whopping 43 per cent said they didn’t have IT or security personnel dedicated to managing cyber incidents because they lacked financial resources.
In many cases even organizations that do have the resources aren’t prepared to spend on mitigating what they see as an existential—and unlikely—threat. That’s a decision they make at their own peril.
Just last month three Ontario hospitals—organizations that almost always have in-house IT staff with at least a reasonable level of cybersecurity awareness and training—were affected by ransomware attacks. Over the past year various municipalities have found their data held hostage by hackers who demanded sums typically in the hundreds of thousands of dollars before they were willing to release the information. This is not a phenomenon limited to this province, either. Municipalities, government organizations and mid- to enterprise-sized firms across North America have felt the sting of a cyber malfeasant’s handiwork over the past year.
This is no longer merely an IT issue. Cybersecurity is now a matter for your finance, HR, operations, sales and marketing departments to take up. In fact, it’s a conversation that should be occurring in the C-suite right now. Each department has a stake in preventing malware, ransomware or phishing attacks because hacking is very much a people problem. In other words, it affects everyone, everywhere. How?
Unlike in the past, cyber criminals can now acquire malware on the dark web cheaply and with ease. The real skill today is in planting malware on a network, observing human behaviour, tracking behavioural patterns and then pouncing when the right opportunity emerges to cripple an organization. Hackers are infiltrating even the most heavily guarded networks because employees let them in. Not wittingly, of course, but because they don’t know when not to open an email attachment, click on a link or hand over passwords, proprietary data or confidential client information to an individual (probably based offshore, but not always) phishing for an easy access point to your network.
The costs of these attacks can be staggering. As a recent CBC article noted, the Ryuk ransomware likely delivered about $3.7 million US in ill-gotten revenue to hackers in 2018. And that’s only one piece of software. Attacks typically cost companies anywhere from less than $10,000 to $1 million or more. The sum demanded usually depends on the size of the organization. Simply put, hackers are clever. The more experienced (and dare I say, ‘reasonable’) ones will request a ransom that’s congruent with a victim’s probable ability to pay.
In October, for example, a Toronto-area dentist was asked to fork over the equivalent of $165,000 in bitcoin for the release of encrypted patient files. He refused, but eventually managed to get his files back. The good news is that several non-profit organizations now offer free tools that can recover files encrypted by some ransomware families. But not everyone knows about them, and in the time it takes to become educated, a company or government agency could be completely paralyzed for a protracted period that no organization can afford.
While the specific dollar amounts in play are undeniably relevant, what’s more important is an awareness of risk levels and a willingness on the part of organizations to proactively address vulnerabilities. It’s getting so bad that it would be reasonable for companies to factor the management of cybercrime into their annual financial projections. Being hit is less a matter of if than when—and this needn’t be the case.
Maintaining a strong cybersecurity infrastructure is a company-wide challenge. Employees need to be educated, policies need to be tailored to operational realities and workplace culture, and systems need to be implemented methodically and maintained diligently over time. The days of clinging to a ‘no-one-would-bother-hacking-us’ mentality are long gone. If you have data of any kind, you are a target for a phishing or ransomware attack. More so if you handle financial or credit card information. Worse, you may have already been hit and not know it.
No business can afford to squander tens or hundreds of thousands of dollars to pay off a hacker. Invest proactively in cybersecurity and your balance sheet will benefit. Don’t, and be prepared to pay the (very hefty) price.
Jenny Lian, Partner