Cyber-criminals are wreaking havoc in Atlantic Canada. You need to protect yourself (and your clients)
Picture this: you arrive at your office on an otherwise unremarkable morning. But your computer doesn’t work. Your co-worker’s doesn’t either. In fact, no one in the company can log in. Rebooting the server—or individual computers—results in a big brazen message across the screen: YOUR FILES HAVE BEEN ENCRYPTED.
Last May, the employees at Tony’s Meats in Antigonish, N.S. faced exactly that situation: all accounting, customer and ordering information from across North America was locked up. Whoever was responsible demanded payment for the return of the information. The ransom? About $14,000 Canadian.
A similar thing happened to the owners of Birdhouse Garden Market in Happy Valley-Goose Bay: their modest network of five computers was abruptly hijacked. They were given five days to pay $3,000 ransom or their data—accounts, payroll information, everything—would be deleted.
In both cases, the businesses were able to get their data back, but not without incurring significant costs. Birdhouse Garden Market hired IT experts to get them out of the jam. Tony’s Meats paid the ransom.
Not every business is so lucky. Between recovery fees, liability, and loss of customer trust, a cyberattack can be fatal to a business. “Ransomware has become an epidemic in the past couple of years,” says David Shipley, CEO of Fredericton-based Beauceron Security. “It’s drowning our private sector. It’s wreaking havoc in the private sector.
“Small and medium-sized businesses in Atlantic Canada cannot ignore the threat. I’ve seen numerous cases where these businesses have ground to a halt because they can suddenly no longer access their client information, cannot deliver businesses and services.”
Statistics roll off Shipley’s tongue, and they are staggering: cyberattacks inflicted $2.1 trillion in direct and indirect damage to the global economy this year alone; 43 per cent of cyberattacks in Canada are targeted at small and medium-sized businesses.
According to Statistics Canada, Nova Scotia has the highest rate of cybercrime, per capita, in the country. Halifax is a particular hotspot for the crimes, including fraud, phishing and extortion.
The true scale of the issue, however, is not known: it’s estimated that only one in 15 cybercrimes is properly reported to the police. Fewer still are talked about in public.
Silence is your enemy
In 2012, Shipley was working in the IT department at the University of New Brunswick when the university experienced a large data breach at the hands of a global hacktivist group. “I helped lead that incident response and then went down the rabbit hole of cybersecurity,” he says. He and some colleagues at the university developed the technology that became Beauceron.
Beauceron has since developed training programs and a cloud-based platform that helps organizations around the world measure, monitor and manage their cyber-risks. Shipley’s goal is to help businesses recognize and mitigate those risks.
Awareness and education are key, he says. “The easiest way to hack an organization has nothing to do with technology. It’s taking advantage of employees through phishing emails and phone calls.
“If you don’t actually teach your employees to recognize [cybercrime attempts] and regularly test that knowledge, you’re subject to the single biggest risk to having ransomware or data stolen or even money stolen out of bank accounts.”
You need a security plan
To improve their cybersecurity profiles and resilience, Shipley encourages all businesses to first get a handle on their data. “You need to recognize where your data is stored: is it on your laptop? On a server in your offices? Or is it stored in the cloud? And ‘the cloud’ is just a fancy way of saying someone else’s server.
“Next, why do you have this data? Do you have the proper consent to hold this data for a business purpose and when you no longer need the data, do you get rid of it? Because the easiest data to protect is the stuff you don’t have any more. Get rid of it.”
Most businesses, Shipley says, hold on to more data than they need. He calls it “data hoarding” and it only increases the likelihood of having that data exposed. “If you have no idea how much data you have, and all of it is ‘valuable,’ then none of it is valuable,” he says. “And your costs to protect it, process it, and store it only get higher.”
Next, focus on protecting the data you have to maintain—for tax reasons, for long-term customer relations, for ongoing analytics. Backups are crucial, he says, but in-house storage is not enough. “Attackers have become increasingly sophisticated,” he says. “And they can often encrypt backups as well.”
He encourages businesses of all sizes to consider getting rid of their servers and in-house data storage and instead consider one of the leading cloud-based services: Microsoft Azure, Amazon Web Services (AWS), or Google’s cloud platform.
“It can feel very uncomfortable to let another organization secure your data,” he acknowledged. “But the reality is this is more affordable, more robust, and more secure than storing on premises.”
It comes down to business resiliency, Shipley says. Beauceron opted to use Azure. “[Beauceron] does not have any servers but we serve more than a quarter million users around the world. And if our office in Fredericton was flooded, we could work from a secondary location, from home, with no disruption to business.”
Operating outside the law
Most cybercrime is committed by people outside of Canada; political borders are meaningless and finding the perpetrators is next to impossible. “In the virtual world the police are vastly outnumbered and out-resourced and unable to proactively protect us against these crimes,” Shipley says. “It’s a bit like the wild west—you have to defend yourself.”
To that end, cyber liability insurance is worth considering, says Shipley. “I am in favour of policies that help you with funding the response to a breach. That might fund a breach coach, for example, and help you get your business back on track.”
Basil Crosbie, president of Newfoundland and Labrador’s Crosbie Job Insurance, says he’s seeing a slow but steady uptake in cyber insurance by businesses. Policies cover a number of potential costs, including business losses, data breach repair, liability costs, crisis management and even paying ransoms in the case of a ransomware attack (“that’s never the first option, but it may be an option,” he says). Businesses can buy a full policy or opt for a smaller add-on to an existing policy.
Given the amount of personal data Crosbie Job holds, Crosbie says he makes sure his agency is well covered. He also runs regular cybersecurity awareness training sessions.
“At least talk to your broker about your cybersecurity situation,” he says. “There are all sorts of things you can do to help prevent an attack. You have to be vigilant. The reality is these people who want to steal your data or lock up your data are ahead of the game.”
On that, Shipley agrees. “The biggest lie we tell ourselves is that this isn’t something we need to worry about,” says Shipley. “It happens to more businesses in this region than anybody realizes. And that’s not to oversell the fear. It’s reality.
“People are online to specifically target your region, your business, and your industry. And they don’t care what they burn down to get what they want. If you’re not prepared for that, and you’re not resilient to that, it can be the end of your business.”