On average, Canadian organizations experienced three ransomware incidents in a 12-month period.istock.com
In March 2021, tech firm Acer was faced with paying one of the largest ransomware demands known to date: a price tag of US$50 million for the return of the global computer manufacturer’s stolen data.
The dramatic extortion by cybercriminals captured headlines. But ransomware attacks happen every day to every size of company.
In fact, 83 per cent of Canadian businesses reported attempted ransomware attacks and 67 per cent have experienced one, according to the 2022 TELUS Canadian Ransomware Study. Businesses have to protect themselves because cyberattacks are increasing in frequency and severity.
“As the study shows, Canadian companies can no longer avoid the threat of ransomware,” says Leita Ouellette, General Manager of Cybersecurity at TELUS. “Unfortunately, it’s no longer a question of if, but when you’ll experience an attack.”
Ransomware is a type of malware that cybercriminals use to deny access to an organization’s data or files. It happens through data encryption or removal. A ransom is then demanded to get all or some of the information back.
To get a sense of the threat and response, the TELUS Cybersecurity team partnered with International Data Corporation (IDC) Canada to survey more than 450 Canadian organizations.
According to the findings, the average ransom paid by Canadian organizations is $140,000. However, the real cost of a ransomware breach can be much higher.
“The data shows that while the ransom payment often gets a lot of attention, it accounts for only 16 per cent of the direct costs of an attack,” Ms. Ouellette says. “The total costs can exceed $1 million, which includes downtime for the company, the cost of mitigation and recovery, and regulatory fines.”
Even that doesn’t paint the entire picture of damage.
To see it, organizations need to consider multiple layers, like the impact on those whose data may have been compromised, and indirect costs that depend on the nature of the organization.
“An attacked organization whose brand is built on trust and security – for instance, a financial services company or a healthcare institution – would suffer more significant, long-term financial impacts from a breach,” says Ms. Ouellette.
Bad publicity, lost contracts and reputational damage are costly repercussions of ransomware attacks. The desire to avoid that fallout is one reason why 22 per cent of organizations, TELUS found, don’t report these attacks to government or the authorities.
That’s no guarantee that a ransomware attack will remain under the radar. The TELUS survey revealed that 31 per cent of such attacks are first reported or detected by a company’s customer or a partner.
“That’s not something any organization would want,” says Ms. Ouellette.
Paying up can be painful
More than 60 per cent of the companies TELUS surveyed said they would resist ransomware demands, but that’s easier said than done.
“Generally, for organizations who’ve yet to experience an incident, the feeling is ‘we won’t pay’. But the data shows that when a breach happens, organizations are much more likely to pay the ransom,” says Ms. Ouellette.
However, doing so doesn’t always get what you want. Of those that paid the ransom, only 42 per cent told the TELUS survey that they had their data fully restored. Even if it is, it can be tough to trust it.
There’s also the continued threat of multiple extortion attempts, even if the ransom was paid the first time. For example, Acer had another ransomware attack last October, just a few months after the first one. TELUS reports that 15 per cent of Canadian organizations that suffered a ransomware incident were reinfected by the same ransomware after recovery.
So, is there anything that Canadian organizations can do to protect themselves from cybercriminals?
Endpoint devices, on-premise IT systems and cloud-based systems can all bear the brunt of ransomware attacks. While there’s “no silver bullet” to prevent threat actors from breaching your systems, says Ms. Ouellette, organizations can leverage prudent and proactive strategies. These include cybersecurity defences that can be coupled with 24/7 monitoring, to detect threats that might bypass security controls.
The ransomware study includes best practices from the TELUS Cyber Defence Centre, a hub for the teams that work collaboratively to protect customers as well as TELUS data and systems.
Every company, from small businesses to multinationals, needs an up-to-date incident response playbook, says Ms. Ouellette. Yet only half of Canadian organizations have planned ahead. Even among those who have an incident response plan, says TELUS, only 57 per cent test and update it regularly.
“The tactics of threat actors are becoming more sophisticated, making it easier for them to trick unsuspecting users into opening a malicious email,” Ms. Ouellette says. “For this reason, building a culture of security and providing cybersecurity education is of huge importance. This is no longer only a problem for large organizations; it’s now everybody’s problem.”
Advertising feature produced by Globe Content Studio with TELUS Cybersecurity. The Globe’s editorial department was not involved.