The cyberattack that took down Canadian medical-testing company LifeLabs last October was close to a worst-case scenario for any company: hackers accessed data on 15 million customers, demanded a sum (which the company paid, but has not disclosed) and were ultimately able to walk off scot-free. LifeLabs, meanwhile, now faces a class-action lawsuit seeking more than $1 billion from customers whose data was compromised. All because of one overlooked security flaw.
In some ways, it could have been much worse. Take the disaster that befell a medical practice in Michigan last year, which became the first clinic ever to close due to a cyberattack that wiped out billing information, patient data and other records.
Today, as COVID-19 surges around the world, opportunities for these kinds of attacks — already growing in recent years — are set to explode. The millions of employees who this past month have begun logging into work remotely are creating untold new entry points for cybercriminals: poorly secured internet connections, vulnerable personal devices and unprotected cloud storage setups.
This is a prime circumstance for increased cyberattacks, says Tyler Moffitt, security analyst at Webroot, an OpenText company and leader in cyber resilience.
Authorities have already reported dramatic increases in cybercrime in the past several weeks, much of it opportunistically preying on fears around the virus itself. The Canadian Centre for Cyber Security has issued a warning on the topic, and U.S. and U.K. government agencies recently issued a joint statement to the same effect. Some Canadians have received text messages claiming to be from government authorities, offering emergency benefits and requesting personal information in exchange. Scammers have even created a counterfeit version of Johns Hopkins University’s widely used coronavirus tracking map — the fake version, once downloaded, installs password-stealing malware on the user’s computer.
Ali Ghorbani, director of the Canadian Institute for Cybersecurity at the University of New Brunswick, says cybercriminals are seeking to exploit three elements: the human, the technological and the broader environment (i.e., the globe-spanning viral outbreak). “People are under more stress, they’re more scared, and in that situation the human element is weaker,” says Ghorbani. “So, cybercriminals have found a new target.”
And with many employees using their own personal devices at home, rather than company-issued machines, the human and technological risks are amplified. For companies already struggling in a tough economic climate, the added costs of dealing with a data breach could be especially crippling. Last year, a report by cybersecurity provider Datto found that among small- and medium-sized businesses globally, Canada’s suffered the world’s highest ransoms, and highest costs to recover from ransomware attacks, at nearly $9,000 and $65,000 respectively.
Fortunately, even SMEs with modest resources can take quick steps to dramatically reduce their vulnerability on those fronts, fortifying their technology and educating employees.
Now is the time to make sure employees have all the basics covered, says Nicholas Johnston, professor of cybersecurity at Oakville’s Sheridan College. Make it company policy for employees to enable two-factor authentication on all logins (both work-related and personal), install password managers (ditto), update antivirus and anti-malware software and use encryption products such as Microsoft BitLocker.
For companies on limited budgets, a number of security vendors have started offering free or inexpensive product trials for the next several months.
“Phishing explodes every year,” says Moffitt. In fact, last year, a study at Webroot found a 600 percent increase over 2018. “Now with criminals capitalizing on COVID-19,” he says, “it’s getting that much worse.” If employees are using personal devices, the risk is even greater, with those devices more exposed to personal email and social media.
Moffitt says that according to Webroot’s data, 37 percent of employees click on phishing emails, even with annual anti-phishing training. But that drops to 13 percent with twice-monthly anti-phishing training, which involves simulating phishing emails. (Webroot offers one as part of its Security Awareness Training product.) “See who falls for it,” says Moffitt, “implement more training for those employees to make sure their likelihood of clicking decreases over time.”
And don’t leave out the C-suite: Some cybersecurity experts are also warning of an increase in so-called “whale phishing,” targeting senior staff who are suddenly just as vulnerable at home as any rank-and-file employee.
In the best-case scenario, employees will use company-issued devices, imaged and encrypted by company IT. But if employees have to use their own machines, they should ensure they’re not exposed to an entire household. As much as possible, says Johnston, turn your personal device into a de facto company device. No matter how careful you are, other household members’ less-than-scrupulous browsing habits may unwittingly expose devices to viruses, malware and other threats.
As well, adds Johnston, it doesn’t hurt to set up two different Wi-Fi networks, with separate passwords. Put work on one, and everything else — the kids’ gaming machines, grandma’s iPad, TVs — on the other. “Every little bit of isolation helps,” he says.
It makes perfect sense: you’re stuck at home and looking for the quickest, easiest way to start collaborating with co-workers. Personal cloud-storage solutions — the OneDrive and Dropbox accounts where company documents will end up sitting alongside last year’s family-vacation photo — are convenient. But using them is one of the quickest ways to magnify what security experts call the “attack surface”: the entry points would-be attackers can use to gain access to company data, hold it for ransom or wipe it out.
Instead, says Johnston, companies should swiftly move to prohibit personal cloud storage and move all employees over to a secure solution. Most cloud-storage providers offer business options, which include more robust security and file backup and recovery options. Upgrading could be the best investment your company ever makes.
Home networks are likely less secure than the enterprise-grade networks found in most workplaces, which include monitoring, tools and dedicated IT staff. The go-to solution for more secure remote access is a VPN (virtual private network), which encrypts web activity in transit, protecting it from interception. Setting up a corporate VPN can be cumbersome and time-consuming, but it’s well worth it, says Johnston. He adds that companies looking to avoid some of the administrative and cost barriers associated with configuring a VPN can look at a service like Cloudflare Access, which funnels web-browsing activity through a secure portal.
If you’ve ever given some unseen IT employee remote access to your machine, you know what this is all about. It’s handy in the office, where remote control is usually exposed to internal IP addresses only. But when exposed to the open Internet, it can be a major security hole — especially for companies using Microsoft’s popular remote desktop tools. Hackers can scan the web for machines being operated remotely, and use brute-force tools to crack passwords. If remote access is a necessity, make sure your passwords are strong and you’re operating behind a VPN. Otherwise, skip it.
Because no amount of precaution can reduce risk to zero, making a recovery plan is critical, even for the best-prepared enterprises.
“Backup and recovery are critical components within any cyber resilience strategy,” says Hope Swancy-Haslam, senior director of product marketing at OpenText, a Waterloo-based company that develops information management and security software. “The likelihood of an incident,” she explains, “is more a ‘when’ than an ‘if.’ ”
Last December, OpenText acquired Webroot, along with cloud-backup provider Carbonite. In the past few months, the company has used the newly expanded security portfolio to package together some new cyber-resilience offerings, to help companies manage the new work-from-home reality. It includes real-time threat monitoring, endpoint security and data backup and recovery, for protection against ransomware and other threats.
Moffitt also recommends an actual physical backup of mission-critical files, or what’s called an “air gap” backup — literally an external drive, including recent versions of the files you’ll need to get back up and running in a worst-case scenario. (Just make sure to keep it disconnected from any internet-connected machine, except when it’s actively backing up files.)
According to Ghorbani, creating a more cyber-secure work culture may be one of the few bright spots of the current crisis. “This is a very good example of a situation that pushes both governments, industry and academia to come together to improve Canadian digital hygiene,” he says. “What will be important is for companies to keep communication open with employees, adapt to new threats and listen to employees’ concerns.”
And, he adds, it’s crucial to stay vigilant throughout this ‘new normal’ and beyond.