
Israel G. Vargas/The Globe and Mail

It’s estimated that between 80% and 90% of data breaches are caused by human error. Take Sony Pictures: Back in 2014, hackers managed to trick executives into clicking on malicious emails, allowing the bad guys to plunder 100 terabytes of its data. As if that prospect weren’t frightening enough, Canadian organizations will soon face hefty fines for putting customers’ information at risk. The Digital Privacy Act comes into effect on Nov. 1. It’s just one part of Ottawa’s cybersecurity plan, which includes a new cyber centre with $155 million in funding over five years. More attention to the issue can’t come too soon for David Masson, the head of Canada for the global cyberdefence firm Darktrace. “We’re in a cyber arms race, and it’s going to get more and more complex—with AI, attacks are moving at machine speed,” he says. “So it’s not a matter of when you’ll get attacked. You’ve already been attacked.” Here’s a roundup of practical advice, easy wins and terrifying statistics that should inspire you to lock down your company (and hack-proof your employees).

Some of the biggest hacks caused by human error

  • Equifax: 146 million
  • JP Morgan Chase: 83 million
  • eBay: 145 million
  • Anthem, owner of Blue Cross and Blue Shield: 145 million
  • Uber: 57 million
  • Deep Root Analytics: 198 million

How to avoid a legal nightmare

Picture this: An absent-minded employee leaves a laptop containing unencrypted health information of 33,000 patients in his car. The laptop is stolen (this actually happened to a Northwest Territories health official in May). While the employee might be tempted to keep mum, starting this November, that could cost you up to $100,000. The Digital Privacy Act is an amendment to the Personal Information Protection and Electronic Documents Act, which governs how private organizations handle Canadians’ personal information. And it requires companies to immediately report any unauthorized breach involving personal information to the Privacy Commissioner of Canada and to the affected individuals.

“It’s a vast improvement on what we’ve got now,” says David Masson, head of Canada for the global cyberdefence firm Darktrace. “We have stringent privacy laws, but no real protections when it comes to reporting cyber breaches.” However, there are gaps in the new regulations, which relate solely to the privacy of personal information. “If you’ve lost $90 million to a bad guy but no personal information has been revealed, you don’t have to report it,” says Masson. And for a breach to be deemed reportable, the divulged personal information must pose a “real risk of significant harm,” such as humiliation, damage to reputation or relationships, or identity theft, says Wendy Mee, a partner at the Toronto law firm Blakes who specializes in privacy issues.


The act does require organizations to maintain a record of all privacy-related breaches—even those that don’t meet the standard for disclosure. That paper trail, says Mee, “is going to be the first thing litigation counsel asks for if you have a mega breach down the road.”

The new digital privacy rules bring Canada into line with Europe’s General Data Protection Regulation, which has applied to Canadian companies with European clients since it came into force last May. In 2010, Alberta became the first province to pass similar legislation, and its Privacy Commissioner revealed a record 162 breaches in 2017. Many cases involved hacking and malware. Other typical security failures relate to reusing hacked or common passwords, phishing scams and employees sharing personal information with unauthorized parties.

How to avoid getting reeled in by phishing scams


The first mention of the term “phishing” came in January 1996, in a Usenet group called AOHell. More than two decades later, phishing scams—messages that entice recipients to click on links or attachments, thereby downloading malicious software—have become infinitely more sophisticated. Classic phishing scams are scattershot—say, an email purportedly from Apple asking you to reset your password (“just click the link!”). In a spearphishing scam, the perpetrator includes specific information about you or your organization. For instance, you could get an email supposedly from your boss asking you to wire $125,000 to an overseas client. “People fall for those regularly,” says Robin Fowler, a certified forensic examiner at TCS Forensics in Richmond, B.C. “You were late getting in, you don’t want the boss to be pissed at you, and it’s not uncommon for you to be asked to do something like this. You just don’t want to rock the boat.” In another variation on spearphishing, TCS recently worked with a high-level executive who received an email saying his webcam had been hacked and he’d been recorded watching porn; if he didn’t pay up, the footage would be released. “This man was an inch away from either sending the money or resigning from his job,” says Fowler. “It’s a pretty popular scam—if you have a guilty conscience, you’ll fall victim to it.” Luckily, the man swallowed his pride and sought TCS’s services. It turns out he hadn’t actually been hacked.

The executive was one of the lucky ones. Four per cent of people will fall for any given phishing campaign. And since hackers need just one victim to gain access to your organization’s network, these scams are the source of 93% of all data breaches, according to Verizon’s latest annual Data Breach Investigations Report (which analyzed 53,000-plus incidents and 2,216 breaches over the course of one year).

Even cyber experts aren’t immune to today’s phishing scams. “We have an ongoing phishing test we do across our own employees, trying to get them to click on it,” says Eldon Sprickerhoff, founder and chief security strategist of eSentire, a cybersecurity firm based in Cambridge, Ontario. “We think of it as inoculating with skepticism. You have to do it on a regular basis.”

How does spearphishing work?

  • The hacker gathers information about an individual, often from social media.
  • The hacker sends a personalized email to the victim, posing as a trusted entity, like a bank.
  • Route one: the email invites the victim to open an attachment or download a document. The attachment contains malware that infects the computer and infiltrates the broader network to harvest confidential information, or to encrypt it and demand ransom payments.
  • Route two: the email invites the victim to click on a link to a spoofed website. The victim logs in to the spoofed website, providing a password, account number, PINs or access codes. The hacker either drains the bank account, or logs in to the real website and harvests the victim’s sensitive information, creating a mirror identity to apply for bank accounts, loans, etc.
  • Either way: existential dread.

The evolution of ransomware: from floppy disks to organized crime

In 1989, at the height of the AIDS epidemic, evolutionary biologist Joseph Popp distributed 20,000 floppy disks to fellow scientists containing a survey that could help determine a patient’s likelihood of contracting the virus. The disks also contained malware that eventually froze the computers and demanded either $189 or $379 (U.S.) to be paid via a cashier’s cheque or money order to release them.

Fast-forward to 2018, when WannaCry ransomware infected 230,000 computers in 150 countries within a day, demanding $300 (U.S.) in bitcoin to unlock infected computers. It targeted machines running an older version of the Windows OS through an unpatched vulnerability in the software. Estimates of the damage caused range from the hundreds of millions to $4 billion.


These days, most “bad guys” are even building custom ransomware. Hackers have operationalized the process. For, say, 150 euros a month, they’ll give nefarious organizations access to 200,000 email addresses to target. “You no longer have to know anything about tech,” says Eldon Sprickerhoff of eSentire. The Ontario town of Wasaga Beach had its computers locked down for seven weeks by hackers this past spring and ended up paying $35,000 to recover its data, plus more than $50,000 for consultants to help decrypt it. It’s estimated the hack cost another $160,000 in lost productivity.


How to choose a secure password

Hint: Don’t. Low password security is a major vector (cyberspeak for how a hacker gets into a system) for data breaches. In other words, it’s all those people who use the same password across multiple sites or plain old easy-to-crack codes and companies that allow employees to keep the same passwords for years. “Treat passwords like your underwear,” says Kemar Wilks, a forensics examiner with cybersecurity consultancy TCS Forensics in Richmond, B.C. “Change them regularly, and never share them with anyone.”

But remembering 20-odd passwords along the lines of “h5&bTo7%19” is virtually impossible (and no, it’s not a good idea to write them down). Talk to any remotely savvy IT person, and they’ll recommend using a password manager—a plug-in or app that generates a strong, unique password for each protected site you visit and stores them all in an encrypted database accessible through a master password. “It takes passwords to the next level,” says Wilks.

Here are two password managers to try:

LastPass: Users create a master “passphrase” of 20 to 30 characters—a combination of words or phrases that makes sense to you but is tough to crack (think “mysonsfirstword-doggie”). Individual From $2 (U.S.)/month | Enterprise $4 (U.S.)/user/month

1Password: This Canadian-made app also allows users to store credit card data, banking information and financial documents using their master password. Individual $2.99 (U.S.)/month | Enterprise $7.99 (U.S.)/user/month


How long will it take to hack your password?

  • 8 characters, all lowercase: 7 hours
  • 8 characters, lower and uppercase: 83 days
  • 16 characters, all lowercase: 189 million years
  • 16 characters, lower and uppercase: 12 trillion years
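The arithmetic behind that table, as an added example that is not from the article or the firms it quotes: the guess rate is an assumption backed out from the table’s own “7 hours for 8 lowercase characters” row, so the other rows come out at the same order of magnitude as the table rather than matching it exactly. It also makes the table’s real point explicit: adding eight characters multiplies an attacker’s work far more than adding uppercase letters does.

```python
# Added example (not the article's own): brute-force work estimate behind the
# "How long will it take to hack your password?" table. The guess rate is an
# ASSUMPTION, calibrated so that 8 lowercase characters take the table's 7 hours;
# the other rows then land at the same order of magnitude as the table.
LOWER = 26            # a-z
MIXED = 52            # a-z plus A-Z
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for a random password."""
    return alphabet_size ** length

def guesses_per_second_from_figure(hours_for_8_lower: float = 7.0) -> float:
    """Back out the guess rate implied by the table's first row."""
    return keyspace(LOWER, 8) / (hours_for_8_lower * SECONDS_PER_HOUR)

def crack_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate

def humanize(seconds: float) -> str:
    """Render a duration in the units the table uses."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_HOUR:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.0f} days"
    years = seconds / SECONDS_PER_YEAR
    if years < 1e6:
        return f"{years:.0f} years"
    if years < 1e12:
        return f"{years / 1e6:.0f} million years"
    return f"{years / 1e12:.0f} trillion years"

def table(rate: float) -> dict:
    """The four rows of the article's table, recomputed at the given rate."""
    rows = {
        "8 characters, all lowercase": (LOWER, 8),
        "8 characters, lower and uppercase": (MIXED, 8),
        "16 characters, all lowercase": (LOWER, 16),
        "16 characters, lower and uppercase": (MIXED, 16),
    }
    return {name: humanize(crack_seconds(a, n, rate)) for name, (a, n) in rows.items()}

def growth_factors() -> tuple:
    """Work multiplier: adding uppercase to 8 chars vs. adding 8 more lowercase chars."""
    return keyspace(MIXED, 8) // keyspace(LOWER, 8), keyspace(LOWER, 16) // keyspace(LOWER, 8)

if __name__ == "__main__":
    rate = guesses_per_second_from_figure()
    for name, when in table(rate).items():
        print(f"{name:36s} {when}")
    print("uppercase x%d, double length x%d" % growth_factors())
```

These figures assume a truly random password and an exhaustive search; a reused or dictionary-based password falls in a tiny fraction of the time regardless of length.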

How to not be dumb about smart devices

The Internet of Things promises to make our lives more convenient, thanks to networked appliances, vehicles and other devices. But anything that connects to the Internet is a target. Does your office really need a WiFi-enabled coffee pot or fish tank? A casino in Europe was hacked via the WiFi-enabled thermometer in its lobby aquarium, and hackers gained access to five Russian banks’ networks through unsecured CCTV cameras. In 2016, a European manufacturing company restricted access to its plant by installing biometric thumbprint scanners. Unfortunately, the scanners were poorly configured, says David Masson, the Canadian head of Darktrace. “Bad guys were constantly scanning the network, looking for open ports. In addition to accessing the network, they found a thumbprint reader and loaded up their own prints in preparation for a massive burglary.” Darktrace’s AI, which scans networks in real time for anomalies, spotted the irregular activity and managed to shut down the operation.

How to protect your company’s data

  • Create secure backups of all your company’s data—if you fall victim to a ransomware attack, you’ll have copies. And keep the most sensitive information “air-gapped”—that is, off the Internet or any networked computers.
  • Make sure you segment your company’s data so only critical people have access to sensitive info.
  • Ensure every computer goes to sleep when the user steps away and requires a password to log back in.
  • Ban USB flash drives and external hard drives unless they can be password protected.
  • Use multifactor authentication, where two or more credentials are required to log on to the system—for instance, a passcode sent to your mobile device or generated by an app like RSA. 

It’s not you—it’s your third-party suppliers

Back in 2014, Target announced that the personal and financial information of approximately 110 million shoppers had been compromised in a data breach. But hackers didn’t gain access directly to the retailer’s system. Instead, they targeted one of its subcontractors—Fazio Mechanical Services, an HVAC company based in Sharpsburg, Pennsylvania—that had worked at several Target locations. One of Fazio’s employees fell prey to a phishing scam. The lesson: Your company can be locked down tighter than the NSA, but you might as well invite the bad guys in if your third-party suppliers aren’t similarly cybersavvy. “We’ve seen financial institutions starting to spend a lot of time on third-party due diligence,” says Eldon Sprickerhoff of eSentire. Similarly, law firms, particularly in Canada, are ramping up cybersecurity protocols in the wake of the Panama and Paradise papers leaks. “Clients are demanding it, and partner companies are being deeply vetted,” says Sprickerhoff.

Who’s doing the hacking?

  • 4% involved partners
  • 12% perpetrated by nation states or state-affiliated groups
  • 28% involved internal actors (such as employees)
  • 50% perpetrated by organized crime
