Proactive measures to avoid and respond to cybercrime attacks: Kathy Macdonald Q&A Part II

Rogers Business

One of Canada’s leading cybercrime gurus provides advice on password hygiene, how to deal with social engineering, and steps to enact an efficient attack recovery

Man with headphones looking at computer

The first part of our chat with cybercrime expert Kathy Macdonald provided an overview of the increasing threat that ransomware poses to Canadian small- and medium businesses (SMBs).

In the second half of our interview Kathy provides useful advice for SMB owners and managers interested in taking proactive steps to prevent attacks, as well as guidance for companies that need to recover from one, including a 12-step response plan. She also explains the impact that the COVID-19 pandemic has had on cybercrime over the last couple of years.

When we last spoke to you in 2019, you talked about the importance of education and training to help companies avoid cybercrime. What else should SMBs be doing?

One of the best proactive measures is simply good password hygiene. Create policy that ensures employees are using two-factor authentication and multifactor authentication if available. Companies need to enforce password policy around critical applications, encouraging non-guessable passwords and not reusing passwords they have already used for other websites and applications. I also strongly recommend signing up to receive notifications from haveibeenpwned.com, a service that lets you know when data breaches have compromised your user IDs.

Next, learn more about the rise of social engineering through security awareness training. Social engineering targets human emotions and is essentially human hacking. These are scams that target and lure overly-trusting users to install malware, clip on web-links, provide access to sensitive systems, or share data. Get to know the names of ransomware attacks, and teach users how to spot rogue URLs – malicious sites that mimic legitimate sites.

And, of course, install your security system updates. The more up to date your system is, the better it will protect you.

Your book, Cybercrime: Awareness, Prevention, and Response, looks at how cybercrime affects police, individuals and businesses. How can these stakeholders work together to address cybersecurity threats?

Communication is critical. IT and cybersecurity professionals should speak directly with employees that report suspicious activity within the workplace or that have received unusual emails, texts or unexpected phone calls. This may be a clue that hackers are checking the security profile of the company or possibly are already inside the network.

You should also encourage trusted information sharing relationships within volunteer organizations to learn more about cybersecurity. It's such a broad field with so much expertise. Police and businesses may network in associations that focus on security and privacy like ASIS International (the American Society for Industrial Security), the High Technology Crime Investigation Association, Certified Fraud Examiners or other such organizations.

Remember: The general rule is that if it's against the law in the real world, it's against the law in the virtual world.

As part of your pre-planning you should also understand what constitutes a criminal matter, when you should call the police and whether you should contact the municipal police, RCMP or possibly to the Canadian Centre for Cyber Security (CCCS). Remember: The general rule is that if it's against the law in the real world, it's against the law in the virtual world. It is important to report cybercrime so that police are able to recognize how big the problem is and where to focus their resources. The CCCS provides a variety of resources that might support SMB's, as well as the private sector, public institutions and Canada’s critical infrastructure.

Have you noticed trends in threats targeted at SMBs?

During the COVID-19 pandemic there's been an exponential increase in cybercrime as well as the role that social engineering is playing in digital attacks.

When targets of fraud are in a highly emotional state – such as during this pandemic – there is a greater likelihood that they will fall victim to scams that target their emotions. Social engineering attacks use tactics, techniques and procedures that give rise to people doing things against their sense of better judgement.

Fear, for example, is a powerful emotion. Fear will trick people into clicking on scams and entering their credit card information to buy personal protective equipment (PPE), or motivate parents to click on links in an email that talk about school safety. Phishing and spear-phishing emails containing malware related to the pandemic are plentiful and have directly led to an increase in ransomware schemes. Another threat are involve watering hole attacks whereby a user may be directed to a website that has been infected with malware.

Cybercriminals seem to thrive in chaos, distraction and disruption, which has made the past couple of years a breeding ground for malicious digital attacks.

This is opportunistic social engineering during a very difficult time. Cybercriminals seem to thrive in chaos, distraction and disruption, which has made the past couple of years a breeding ground for malicious digital attacks.

While cybercrime in general and ransomware in particular may be on the rise, Kathy is confident that, with a little forethought and planning, Canadian SMBs can mount a successful defense against the malware and online scams targeting their operations.

She strongly recommends business owners and managers take time to visit stopthinkconnect.org, a non-profit security organization that provides free resources in multiple languages. Kathy serves as a volunteer ambassador for them.

She also provided us with a straightforward 12-step response plan for any company currently dealing with an attack.

Activate your policy, crisis communication, and incident response plans
Halt system access
Determine if any unauthorized access still exists
Identify and consider demands, if they exist
Confirm that the threat is gone
Work with cybersecurity experts to determine the root cause of the compromise
Assess if any Real Risk of Significant Harm (RROSH) data was accessed
Notify critical stakeholders, including legal, insurance, and affected individuals
Proceed with indirect notification – likely via the media – if warranted
Notify - i.e. law enforcement, CCCS, privacy commissioner, and any relevant financial institutions (such as credit payment card companies) of the incident
Restore the online environment with new hardware
Implement changes to data security protocols and security awareness training to prevent a similar incident occurring again