Last October, “next vehicle” screens across the TTC went dark leaving commuters wondering when their ride would show up.
The cause was a cyberattack using ransomware — a program that disables an organization’s I.T. infrastructure and demands money to restore it — which also disrupted the company’s website, and may have exposed data of thousands of employees.
Globally, these attacks are increasing at an alarming rate. In the first half of 2021, the number of attacks increased by 151 percent over the year before.
The reason for this growth is that hackers have perfected their business model. The average cost to resolve a cybersecurity incident — either by paying the ransom or restoring and remediating the affected system — came in at $2.3 million last year. So, attackers price their demands such that victims will be inclined to simply send money to restore their systems quickly and move on.
One survey found that nearly 70 percent of Canadian organizations paid up (the TTC has not said if it did or not). While that puts the matter in the rear-view mirror for them, the long-term effect is emboldened hackers with more resources than they had before.
“Stopping ransomware is not actually that difficult, because there’s only so many ways that it can do what it’s trying to do,” says Matt Holland, CEO of Field Effect, a Canadian cybersecurity company. “If you’ve got a good solution in place, you can 100 percent block it.”
And yet, the ransomware threat keeps growing with successful attacks funding more attacks. So how do we break out of this doom spiral?
Ransomware proliferates because many organizations don’t believe they’ll be a victim. They’re probably wrong. High-profile targets like banks, hospitals or critical infrastructure make headlines news, but it’s estimated that two thirds of all attacks in Canada are on small- and medium-sized organizations. But nearly half of small businesses admit they allocate zero dollars to protecting their company.
Holland believes many people are inclined to ignore the risk. “I think it’s human nature not to want bad news,” he says. “There’s a lot of people who don’t go to the doctor when they probably should.”
Isaac Straley, the University of Toronto’s chief information security officer, says workplace trends are exacerbating the problem. “In this time of rapid digital transformation and remote work, it’s very easy for any company to introduce a vulnerability.”
Last summer — shortly after hackers shut down a critical oil pipeline in the U.S. for six days — Straley’s team launched an awareness campaign aimed at staff and students called “Expect Ransomware,” pointing them to tips and tools to prevent attacks. He said it inspired more users to set up multifactor authentication sign-ins and backup their files, but he plans to send more updates and reminders in the future. “Security requires continual improvement,” says Straley. “It’s not just ‘one and done’ changes.”
To protect their systems, many organizations have employees use multifactor authentication — where you must input a code texted to you to log in — as well as a password manager, like the Toronto-based 1Password, which holds all your passwords where a hacker can’t get to them.
Detection software is also playing an increasingly important role. These products, which began as basic antivirus programs, have come a long way. Along with automated scans for potential threats, the best cybersecurity solutions use machine learning to pick up on new anomalies during attempted breaches.
Although this type of software can strengthen an organization’s defences, Holland says, it still needs an experienced team of cybersecurity professionals — whether in-house or outsourced — backing it up.
“You have to remember who your adversaries are,” he says. “They are highly-skilled, state-sponsored clandestine organizations backed by China or Russia, and their skill levels are well beyond what the average I.T. team can defend against.”
Even tools like data backup can be ineffective if not used smartly.
Mike Potter, co-founder and CEO of Rewind, an Ottawa-based company that backs up data, says organizations should have three copies of all data, two of which are stored locally but on different media, and one that is held off-site. But, he says, even companies that do this sometimes have recovery procedures that don’t work well. “They think they’re O.K., but because they haven’t tested the process of disaster recovery, they don’t know that it’s broken.”
Straley points to the recently launched Cyber Security Innovation Network as a hopeful sign for the future of his profession. A collaboration between universities, the private sector, non-profits and government, the network will promote the development of cybersecurity talent that can keep up with increasingly sophisticated attacks. They’ll have their work cut out for them — it’s estimated that 25,000 more cybersecurity professionals are needed in Canada.
According to the Canadian Centre for Cyber Security, most ransomware attacks go unreported.
Organizations can have legal reasons for withholding this information, but reputational damage is often a main motivation. This secrecy prevents the kind of intelligence sharing that can be useful to shut down future attacks.
Straley, who sits on an expert panel aimed at strengthening cybersecurity in Ontario’s broader public sector, says even he often first learns of breaches in the news. To combat this lack of information-sharing in the industry, he and cybersecurity leaders at other Canadian educational institutions have formed the Canadian Shared Security Operations Centre, which features a feed of threats that members encounter, as well as a number of other services. While the Canadian Centre for Cyber Security does put out advisories and alerts related to ransomware, Straley says he’d like to see that body increasingly become a facilitator of critical information-sharing — even anonymously — across sectors.
As well as helping organizations fight specific threats, Rewind’s Potter believes more openness would also be key to reducing some of the stigma attached to being breached.
“I think that publicity would help convince people that it’s a real thing that happens to real companies.”
MaRS believes “innovation” means advancing Canadian technology for the benefit of all people. Join our mission.