Steep rise in cybersecurity risks challenges Canadian organizations
Canada has a cybersecurity problem
Who are the possible targets? Everyone.
“The cybersecurity threat level has been on the rise for many years and today it’s probably higher than ever,” says John Hewie, national security officer for Microsoft Canada. “This was compounded when the pandemic hit. Many companies weren’t set up to allow remote work for the majority of their workforce. They had to deploy solutions quickly, often contributing to gaps in cybersecurity posture. Attackers are typically opportunistic and look to exploit the weak spots in defences.”
These vulnerabilities have a broader implication than just damage to select organizations. Nation-state actors have seized on the opportunity to pursue much larger objectives.
For example, the destructive cyberattacks that Russia launched this year against Ukrainian targets, including critical infrastructure, have put Canada and other countries on heightened alert. This year’s threat bulletin that the Canadian Centre for Cyber Security directed toward Canadian critical infrastructure operators was at a level we haven’t seen before, Mr. Hewie says.
Microsoft’s 2022 Digital Defense Report lays out the threats around everything from supply chain to devices and infrastructure.
As the report notes, today’s cybercrime industry has developed into an ecosystem of professionally run organizations, which pull massive profits from their targets through numerous schemes and scams. The most common data breaches result from phishing emails, which trick the user into entering credentials on a phony web login site.
Canadian individuals, businesses and governments are all at increasing risk, says Sami Khoury, head of the Canadian Centre for Cyber Security.
“Criminals and other malicious cyber threat actors take advantage of security gaps, low cybersecurity awareness, and technological flaws to compromise IT systems,” Mr. Khoury says. “Canada remains one of the countries most targeted by ransomware and cybercriminal groups. Even though we have continued to raise our nation’s cybersecurity baseline, we are still vulnerable to compromise.”
“These cyber threat actors are continuously improving their capabilities and their attacks are relentless,” Mr. Hewie adds. “Our Microsoft 365 defence infrastructure, called Defender for Office 365, blocked 35.5 billion phishing emails just last year.”
An organization's infrastructure, finances and reputation cannot afford to be impaired by cybercrime events. To defend themselves, Mr. Hewie says companies of all sizes should remain focused on the cybersecurity fundamentals. “Doing the basics matters more than ever,” he says.
That includes keeping systems updated and enabling multifactor authentication in addition to using strong and unique passwords on your important accounts.
Mr. Hewie also advises embracing a Zero Trust security model: assume all activity – even by trusted users – could be an attempted breach. It may seem extreme, but it’s a necessary step in a complex modern environment that includes the hybrid workplace, to protect people, devices, apps and data wherever they’re located.
“Firewalls and VPNs alone aren’t good enough anymore. With so much information being digital these days, protecting data from unauthorized access is paramount and Zero Trust is an important and modern way to achieve that,” Mr. Hewie says.
In a world filled with threats, “It is no longer a question of whether you will suffer a cyber incident, but rather when and to what degree,” Mr. Khoury says.
Professional cyber attackers will not let up. Fostering a broad culture of cybersecurity is essential. “Security can only be successful when it’s everyone’s responsibility,” says Mr. Hewie.
Beware of common cyber attacks
A deceptive email designed to trick an individual into installing malicious software or sharing sensitive information, such as usernames and passwords. Often used as the first step in an attack.
Malicious applications and code that can damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords and other information, and lock you out of your system.
These can be legitimate sites that have been compromised (to enable criminals to host malicious content), or fraudulent sites set up for the commission of a crime. A malicious domain is often used as a destination to which phishing targets are directed.
A threat actor deploys malware that encrypts a victim’s files and removes sensitive data. The attacker then requests a ransom in exchange for the decryption key and return of data, often demanding payment in cryptocurrency.
Business email compromise
A type of phishing attack that targets organizations with a view to stealing money or sensitive information. The attacker attempts to dupe an employee into believing that they are interacting with a trusted entity (such as a supplier or senior manager). Once the employee is deceived, the attacker proceeds to convince them to share valuable information or redirect a payment.
Could you be a target for a ransomware attack?
According to the Canadian Centre for Cyber Security’s Ransomware Playbook, organizations are more likely to be targeted if they:
- Have access to sensitive data that can be directly exploited, e.g. social insurance numbers, credit card numbers, or other financial information
- Have access to personal information that individuals wouldn’t want exposed, e.g. medical or religious information
- Hold valuable client data, or intellectual property, e.g. trade secrets
- Take part in critical infrastructure, e.g. vital medical services
- Connect to another company that meets one of these criteria
- Have data that’s so crucial that a disruption to their systems would halt their entire business
Do you practice good cyber hygiene?
Microsoft reports that even basic security precautions can help your organization prepare for and mitigate most modern cyber threats. In case of a breach, these four practices can also help security teams to locate the most sensitive data and determine whether it was exposed to attackers.
1. Enable multifactor authentication (MFA)
Without access to the additional factor, an attacker can’t access the account or protected resource. Enable MFA on all accounts that support it, in a way that’s easy for all users. Do not approve an MFA request unless you’re trying to log in or access a system, i.e. don’t automatically click to approve any pop-up that you receive.
2. Apply least privilege access and secure the most sensitive and privileged credentials
When attackers initially breach an organization, they look for privileged credentials to gain access to sensitive information and systems. Use dedicated, hardened workstations for privileged accounts and to perform privileged or administrative tasks. Use separate accounts for privileged access and for general Internet and email access.
3. Keep devices up to date
Use endpoint management software to ensure the correct configuration settings are deployed and that systems are running the latest software. For devices missing critical patches, restrict them from accessing sensitive resources. Take the same approach to cloud services.
4. Adopt a Zero Trust approach to secure hybrid work
The guiding principles:
- Verify explicitly: always authenticate and authorize access requests based on all available data points.
- Use least privilege access: limit access whenever possible and implement risk-based adaptive policies.
- Assume breach: minimize damage scope with micro-segmentation, continuous monitoring and automated threat detection and response.