Kathy Macdonald Q&A Part I: What Canadian SMBs need to know about ransomware
One of Canada's foremost cybersecurity thinkers talks to Rogers about this quickly growing threat to SMBs and what can be done to mitigate risks
A couple of years ago, former Calgary police officer-turned-cybercrime author Kathy Macdonald published a handbook on how cybercrime affects the police, individuals, businesses, governments, institutions and organizations. The respected author and speaker chatted with Rogers for Business about the impact of cybercrime on Canadian businesses, discussing the consequences not only for companies, but also for the individual workers who fall victim to attacks.
Since then, the cybersecurity situation for small- and medium-sized businesses (SMBs) has only become more pressing. In 2020, more than half of known email scams targeted SMBs, according to an in-depth study conducted by TUCU. That same report suggests Canadian companies have become high-profile targets for hackers because they're more likely to pay ransoms – perhaps with good reason, since last year Canada ranked second only to the U.S. among countries where stolen business data was published on the web.
We decided to circle back with Kathy to get a sense of how she views the current cybercrime landscape in Canada. We've broken our interview into two parts, starting with a focus on ransomware, one of the most common and debilitating digital attacks SMBs are currently facing.
Let's talk about ransomware. What concerns you the most?
Probably that many organizations will just pay the ransom demand so as not to disclose the breach, experience downtime, rattle shareholder trust or perhaps lose their customers.
The problem is that when demands are paid it encourages future ransomware attacks. Meanwhile, criminals may have corrupted files and deleted backups. And even if the ransom is paid, the decryption key they provide may not work.
I'm also very concerned about social engineering in spear-phishing attacks. The tactics and techniques being used are disturbing, to say the least. They prey on chaos and disruption and emotions like fear and urgency, while using events happening within a company or something in the news cycle as a starting point. They do reconnaissance in social media to learn about the people they are targeting and they impersonate people.
The sophistication of these attacks is distressing. They are very patient and very persistent.
What sort of ransomware trends are you seeing within SMBs?
Many SMBs are finding it challenging to protect against ransomware because some employees' jobs inescapably involve clicking on links, opening attachments, and responding to emails. Security teams – or perhaps business owners and managers – need to figure out how to allow employees to do their work both safely and efficiently.
Part of the solution is awareness. Training workers with jobs that make them a high-risk target for social engineering attacks is critical. Users need to understand the tactics, techniques and procedures hackers use. They need to be taught about spear-phishing, business email compromise (BEC) and ransomware.
Complementary to robust employee policy is a strong incident response plan. When an event occurs – and it probably will – having a plan ready to effectively deal with it is half the battle.
On that subject, what do SMBs need to know in regards to a cyber breach or attack?
It's imperative that you know what to do the moment you realize a hacker has made contact in a social engineering scheme or when an attack takes place. What steps do you take according to your incident response plan? Do you have a working real-time redundancy system, and can it be accessed offline?
The longer a business takes to decide what to do, the longer their downtime and the costlier the attack. Some companies have never conducted a test to see if their backup and restoration systems actually work, and the middle of a crisis is not the time to do this. The clock is ticking, so many organizations make the decision to pay the ransom and bypass police.
Here's my advice: Develop rules for online engagements, including common policies and procedures around privacy, information security and acceptable use of social media within the network.
Next, do an inventory of the data your company collects and where it resides. This includes human resources personnel files with personal data such as applicant names, addresses, phone numbers, email addresses, dates of birth, self-reported incomes, social insurance numbers, health data and information relating to workers' compensation and mediation. You'll also want to note where you keep information on suppliers, vendors, contractors and customers. And, of course, you need to know where your company's vital digital assets are, including photographs, social media IDs, intellectual property, logos and website files, as well as legal and corporate data, forecast prices and costs, property rights, land descriptions, board of directors' data, court documents, RFPs and statement of reserves data.
It might seem daunting, but any assets you don't make an effort to protect will be among the first data stolen and held for ransom by hackers targeting your company.
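Kathy's point above about never having tested whether backups actually restore is the one SMBs most often get wrong, so here is a worked restore drill. This is an added example written for this page, not code from the interview, from Rogers or from any product mentioned here; it uses only the Python standard library, builds its own constructed sample files (the personnel record and SIN are placeholders), and the function and file names are ours. At backup time it records a SHA-256 manifest of every file; at drill time it restores the archive to a scratch directory and compares the result to the manifest, so a corrupted or deleted backup is reported instead of discovered mid-incident.

```python
"""Backup restore drill: archive a directory, restore it elsewhere and verify
every file against a SHA-256 manifest taken at backup time.
Added example with constructed sample data; runs offline on the stdlib only."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` and write its manifest beside the archive. The manifest is
    what every later restore is checked against, so keep a copy on offline media."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def extract_backup(archive: Path, dest: Path) -> None:
    """Extract the archive, refusing any member that would land outside `dest`
    (a tampered archive with '../' entries must not be able to write elsewhere)."""
    dest = dest.resolve()
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing unsafe archive member: {member.name}")
        tar.extractall(str(dest))


def verify_restore(manifest: dict[str, str], restored: Path) -> list[str]:
    """Compare a restored tree to the manifest. Empty list = byte-for-byte success."""
    actual = build_manifest(restored)
    problems = [f"missing: {name}" for name in manifest if name not in actual]
    problems += [f"unexpected: {name}" for name in actual if name not in manifest]
    problems += [
        f"hash mismatch: {name}"
        for name in manifest
        if name in actual and actual[name] != manifest[name]
    ]
    return sorted(problems)


def restore_drill(fault: str | None = None) -> list[str]:
    """Run the whole drill on constructed sample data and return the problem list.
    fault="corrupt" overwrites a restored file and fault="missing" deletes one,
    to show that a bad restore is caught rather than silently trusted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "hr").mkdir(parents=True)
        # Constructed placeholder records, not real data.
        (source / "hr" / "personnel.csv").write_text("name,sin\nA. Person,000-000-000\n")
        (source / "contracts.txt").write_text("vendor agreement v3\n")

        archive = root / "backup.tar.gz"
        manifest = create_backup(source, archive)

        restored = root / "restore"
        restored.mkdir()
        extract_backup(archive, restored)

        if fault == "corrupt":
            (restored / "hr" / "personnel.csv").write_text("name,sin\nA. Person,999-999-999\n")
        elif fault == "missing":
            (restored / "contracts.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for fault in (None, "corrupt", "missing"):
        print(fault or "clean", "->", restore_drill(fault) or "restore verified")
```

In practice you would point `create_backup` at the real data locations from the inventory step above, store the manifest somewhere an intruder who has deleted the backups cannot also reach, and schedule `extract_backup` plus `verify_restore` against a scratch host so that a silently corrupted or missing backup shows up on a quiet day rather than while the ransom clock is ticking.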
What should organizations know when confronting an active ransomware event?
Know that ransomware perpetrators are clever. These criminals have likely been inside your network for a few days, a few weeks, or possibly even longer. They probably know whether you have insurance, what your incident response plan entails and how much the company is capable of paying. They will not try to destroy your business. Rather, they'll demand an amount that they know you can pay.
And it can get even more expensive. Demands are typically made in Bitcoin, and most companies have no idea how to purchase or deal in Bitcoin. Often companies will end up hiring a negotiator or a third party to pay the demand on their behalf.
It also pays to research and stay up to date on trending ransomware attacks, and even know them by name, if you can. For example, there's one called Mirror Blast that's currently targeting financial services organizations. It's delivered in a phishing email and it basically weaponizes an Excel document. If you're already aware of this particular piece of ransomware when your company is attacked you might have a better chance to mitigate the damage and get back to normal operations much more quickly, potentially saving a lot of downtime and money.
The second half of our chat with Kathy Macdonald digs into the effect that the pandemic has had on cybercrime, and provides practical advice and guidance that Canadian SMB owners and managers can use right now to protect their businesses, including a 12-step attack response plan.
Further cybersecurity reading
Wondering how to ensure digital security in a remote workforce? Read about how secure remote work starts at home.
Worried about the safety of your Microsoft 365 documents? Learn how to back up all your Microsoft 365 data safely and cost-effectively.
Want to learn the fundamentals of cybersecurity to better protect your business? Learn how to protect your SMB with Simply Secure.