How vulnerable is Canada to cyberattacks, including highly disruptive and damaging ransomware? The short answer is very. The past few months paint a troubling picture.
In November 2022, a major Canadian grocer, Sobeys, was hit with ransomware. The company’s owner, Empire Company, did not confirm either the extent of the incident or its root cause, issuing just one news release at the time of the attack. But judging from publicly available reporting, it appears the incident impacted Sobeys’ business network, including its ability to fill prescriptions and process credit card payments. Almost certainly, the $25 million cost of recovering those systems will be passed on to consumers, at a time when inflation has already vastly increased the cost of living. A few weeks after the Sobeys incident, on December 18, cybercriminals struck again, hitting The Hospital for Sick Children (SickKids) in Toronto. This ransomware incident impacted several network systems, resulting in SickKids calling a Code Grey — a system failure — that lasted for weeks while the hospital rebuilt its systems. Then in January 2023, the LCBO (Liquor Control Board of Ontario) was hit with malware designed to harvest individuals’ financial information. Most recently, Canada’s largest bookstore chain, Indigo Books & Music, was breached, halting all website transactions for weeks.
Incidents such as these may seem like mild inconveniences to the average consumer. But the reality is that such attacks have a significant cost to the Canadian economy. In 2021, cyber-enabled fraud resulted in losses of $379 million. That year, there were 235 known ransomware attacks against Canadian industry, each with an average cost of $6.35 million. In 2022, the Waterloo, Ontario-based cybersecurity firm for which I work, eSentire, conducted research on what is commonly known as the “dark web,” which is accessed via software called Tor. We reviewed ransomware name-and-shame sites and identified 232 Canadian companies that had been victims of ransomware attacks; most were launched by Russia-based ransomware gangs.
And these figures only include the attacks we know about, where the company’s information ended up on the dark web. Ransomware gangs extort their victims through a variety of methods, including by sharing the breached company’s information over the dark web. Because some companies pay the ransoms to have their systems restored, the actual number of victims is not known. In fact, in a look at the impact of cybercrime in 2021, Statistics Canada estimated 90 percent of such crimes go unreported. The reputational loss organizations can suffer following an attack can also have crippling consequences.
There’s a national security aspect to this, as well. Government agencies across the country at the federal, provincial/territorial and municipal levels are struggling to protect their own networks and information technology (IT) infrastructure.
Not a New Problem
The problem is by no means new. For decades, cybersecurity has been a challenge. Important Canadian businesses have been destroyed by cyberattacks that resulted in data breaches, as happened with Nortel. It is widely believed Chinese hackers breached Nortel Networks in 2000 and went undiscovered until 2004. The hackers stole technical papers, research and development reports, business plans, employee emails and other documents. At its height, the now-defunct Canadian tech company employed 90,000 people, had a market value of about $250 billion (equivalent to $367 billion today), and accounted for more than 35 percent of Canada’s benchmark stock market index, the TSE 300.
Inadequate cybersecurity protections clearly put companies at incredible risk. Yet doing cybersecurity right also comes at a cost. For many Canadian businesses, the financial hurdle is high. But it’s not nearly as high as that of a cybersecurity incident that results in business downtime.
The human challenge is further intensified by a continuing cybersecurity skills shortage, organizations’ struggle to retain what cybersecurity skills they have, and the personnel costs of building in-house security programs. These challenges, piled onto already overburdened IT departments, mean more damaging breaches to come, unless something is done.
What Is the Answer?
There are solutions, and they are achievable for Canadian organizations. For starters, the federal government needs to look at updating the now decade-old cross-industry minimum standard for cybersecurity programs. We need a new, national policy on cybersecurity. Bill C-26, which has passed second reading in the House of Commons, is a start. But the legislation does not identify ways to support organizations that simply cannot afford to build out these programs in-house.
What should the revised standard look like? I argue that it should mandate six controls: token-based multi-factor authentication; a vulnerability management program; endpoint detection software; 24-7 monitoring of corporate networks; incident response plans; and data backups.
Token-based multi-factor authentication is the most secure multi-factor authentication available. It mitigates the risk of SIM swapping, or SIM hijacking, in which attackers take control of your mobile number. In such cases, the attacker tricks your telecommunications provider into transferring your number to their mobile device. They then use your phone number to access other online accounts that belong to you. By using token-based multi-factor authentication, you remove the ability for a hacker to intercept a two-factor authentication code sent in a phone call, email or text, because the code is generated on the token itself rather than delivered over the phone network.
A vulnerability management program searches for vulnerabilities in an organization’s network and takes steps to mitigate and patch those vulnerabilities so that threat actors have fewer opportunities to exploit your organization.
Endpoint detection software is designed to monitor for abnormal behaviour and allows cybersecurity professionals to immediately respond to intrusions, such as one that begins with an employee clicking on a phishing email. By reducing the amount of time a threat actor lurks in your network undetected, you greatly increase your chances of preventing a catastrophic outage from ransomware, or the theft of intellectual property.
Endpoint detection and response software should then be operated by a trusted third party. For defences that must scale rapidly, this is the most logical and feasible option. Very simply, hackers are working around the clock, 365 days a year. Every organization needs 24-7 managed detection and response monitoring of its corporate network to enable it to investigate and respond to cyber incidents in real time.
Finally, if the worst does happen, and all your controls fail, and bad actors get in and burn your network to the ground, you must have two things: an incident response plan and data backups. An incident response plan will help you bring your business back from the brink. Data backups will allow you to recover at least some of the information that has been destroyed.
While there are dozens more ways to reduce risk, these six controls have the greatest return on investment. They are also financially within reach of most digitally enabled businesses.
These updates would drastically improve our collective defence from malicious state and non-state threat actors and ensure this country’s data, intellectual property and businesses are better protected from increasingly aggressive adversaries. This would also better protect our sovereignty and ensure Canada is safe to conduct digital business. As mentioned, Bill C-26 is a start. But it should point to more explicit standards.