Written By: Jay H.
Ransomware and business email compromise are the leading cybersecurity threats to Canadian organizations, according to a new report.
In its annual Canadian Cybersecurity Trends Study, law firm Blakes notes tactics that rely on human error are on the rise.
“We have observed that more sophisticated ransomware variants are emerging at an accelerated rate,” said the report’s authors. “Interestingly, business email compromise has also emerged as a major threat to organizations.”
Hackers mainly targeted industries with access to large amounts of personal or sensitive data, including finance, health, and professional services. Alarmingly, over half (59%) of the hackers accessed sensitive corporate or personal (employee or customer) data, some of which they used to commit financial fraud.
Organizations are divided on paying the ransom hackers demand. Fifty-three percent decided to pay the ransom; forty-seven percent did not. However, the decision to pay was often related to the type of ransomware. “Ransomware attacks involving sophisticated variants such as Ryuk and Bitpaymer often resulted in organizations opting to make a ransom payment,” the report explained.
In scenarios where the ransom was paid, most payments (69%) were less than $100,000. The payments were usually made via Bitcoin, allowing the hackers to remain anonymous. In many instances, after negotiations with the hackers, organizations were able to lower the ransom.
Impacts of cybersecurity incidents on organizations
- The primary impact of cybersecurity incidents on organizations was operational disruption, meaning that firms could not carry out their day-to-day tasks. Unsurprisingly, financial loss followed, since it depends on an organization’s operational capabilities. Another major effect was the impact on B2B relationships, since the victim organization will often need to disclose the cybersecurity incident to business partners.
- Close to half of organizations affected by a cybersecurity incident took over two weeks to recover. Even worse, roughly a quarter required over a month. The biggest factors that impacted the recovery time included the need to conduct a forensic investigation, secure all affected systems, and bring systems back online in a manner that ensured network stability.
- Hackers had access to various data, namely personal (employee and customer) information and sensitive corporate data. Also, hackers often used the latter category to commit financial fraud.
- Most organizations (69%) did not report the incident to law enforcement. Furthermore, 86 percent of firms did not have standalone cyber insurance in place. This type of insurance has been growing in Canada and generally covers the cost of legal, forensics, crisis communications, and cyber extortion.
- Seventy-one percent of organizations did not rely on a Cybersecurity Incident Response Plan (CIRP) when responding to the cybersecurity incident. The absence of an effective CIRP led to undue delays, confusion, and an ineffective response to the ordeal overall.
Recommendations for Handling a Data Breach
The report gives the following recommendations for immediate actions to take in the event of a data breach:
- Activate/assemble the cyber incident response team. This group will consist of representatives from legal, business, and IT, managing the cybersecurity incident in real-time and reporting updates to the senior leadership team. This should be a small group and should surround itself with any external experts required to make informed decisions.
- Triage the incident. Internally assess the severity of the incident and determine whether external third parties need to be retained to assist with containment, remediation, and forensics. Dealing with a cybersecurity incident often requires special tools and expertise that may not be readily available within the organization.
- Notify your insurer. If you have cyber insurance, notify your insurer as soon as possible. Also, understand what costs related to the management of the incident will be covered by the insurer and whether there are any conditions in the insurance policy to be aware of (e.g. seeking prior approval from the insurer before retaining third-party experts).
- Retain third-party experts. Where required, ensure that legal counsel retains all third-party experts (e.g. digital forensics, crisis communication, etc.) to ensure that appropriate legal privilege can be asserted on work product.
- Contain, remediate, and investigate. Third-party IT experts should focus their efforts on ensuring that the IT environment is fully secure, work to bring systems back online in a secure manner, and conduct a forensic investigation to identify “patient zero”.
- Keep a record. Have legal counsel maintain a detailed record of the steps taken to deal with the cyber incident (from discovery and throughout the investigation). Also, work with finance to keep track of any costs (e.g. vendor costs, overtime, business interruption costs, etc.) related to the incident that may be subsequently submitted to insurance.
- Understand notification requirements. Depending on the type of cyber incident, the organization may have to notify business partners, customers, and regulators. It will therefore need to determine quickly who should be notified and when.
- Have a communication strategy. Prepare messages for internal and external stakeholders, who can include front-line staff and business partners. If possible, also prepare holding statements in the first 24–48 hours of the incident.
- Identify “patient zero.” Through the forensic investigation, determine how the threat actor (the “hacker”) was able to enter the organization’s environment. By identifying the point of entry, the organization mitigates the risk of hackers exploiting the same vulnerability in the future.
- Notify law enforcement. Depending on the type of cybersecurity incident, organizations should consider notifying law enforcement. This could mean notifying the digital crimes department or the local police department, the RCMP, or other law enforcement agencies.
Access the full report here. Registration required.
Work With Cybersecurity Experts
Keep your organization safe from threat actors. Work with us to keep your networks secure from hackers, malware, and viruses and to protect your invaluable data. Our services include security scanning, vulnerability testing, security policy design, and security architecture. We also provide comprehensive disaster recovery (DR) options.