What former police officer and cybercrime expert, Kathy Macdonald, has to say about the state of cybercrime—and cybercrime victims—in Canada today.
A Member of the Order of Merit of the Police Forces (M.O.M.) for her dedication to cybercrime prevention and awareness, Kathy Macdonald, a former police officer with the Calgary Police Service, draws from her 25 years of investigative and crime prevention experience to educate audiences on how to deal with the growing threat of cybercrime. A professional speaker, author, consultant and university instructor, Kathy highlights that, in the business world, small- to mid-sized companies are particularly vulnerable. “I think there are many more small- and medium-sized businesses in the pool of victims,” she says. “They don't have the resources; they don't have in-house security people…Oftentimes, they are disadvantaged and not even aware of the issue, and when they are hit by ransomware demands, they'll just pay the $2,000 or $3,000 as a cost of doing business.”
However, Kathy emphasizes that no business, large or small, is immune, citing the hundreds of millions of dollars large companies have had to pay for falling victim to data breaches. “It maybe takes a little bit more work to get into the large corporations, but then again, there are more people [to exploit].”
Ransomware is often the result of a phishing or spear-phishing attack. A regular phishing attack is a broadly cast scam: it typically takes the form of a seemingly innocuous email that dupes an employee into clicking a link to a malicious website, which then launches the ransomware or another type of malware. A spear-phishing attack, by contrast, targets a specific individual.
Spear-phishing is particularly predatory and can result not only in serious financial fallout for a business, but also serious personal consequences for the individual victim. “I did a talk at a law firm a couple of years ago,” recalls Kathy. “The CEO had been travelling in Europe, and cybercriminals had gotten into his email through an insecure wireless network…[Pretending to be him], they started to communicate with the executive assistant…They tricked her into wiring $250,000 to another country…[When I spoke to them], she had already been in therapy for six months; she was totally devastated…She had worked there for over 18 years, but she just felt like she had lost the trust of the executives.”
So what can businesses do? Kathy is a strong advocate for stringent company policies and employee training. “Many companies are now doing training around phishing and spear-phishing so that employees understand it and understand how hackers can get into a network,” she says. She also strongly suggests businesses have a communication plan ready in case of a breach. “Not having one can really turn into a problem at a time when everybody's in a state of disrepair, running around trying to figure out what they should do.”
However, educating and training employees to avoid cybercrime is also a legal matter. “It is really important to make that investment in education and training because if there is a data breach, that's one of the questions that's going to come up from the privacy commissioners when they investigate,” says Kathy. “[You need] to be able to say, ‘yes, we did this training this many times a year…[and this is] who was there.’”
Kathy says the same expectations are there when it comes to technology. “I think that will come up,” she says. “You can read some of the case studies or investigations that the privacy commissioners do, and they will often talk about that. And I think they will weigh that in when they decide if a company is going to be held responsible, and oftentimes that comes out in the media as well. So, yes, an investment in technology is really important.”
According to Kathy, technological investments in fighting cybercrime will become only more important as technology evolves. “Just with the Internet of Things, there are so many more devices that can be connected to the internet, so there’s a greater pool of choices and opportunities for cybercriminals to attack,” she says. However, she stresses there’s a flipside to that coin: “This kind of future also holds opportunities for police to find new methods and new efficiencies for responding to and solving cybercrimes.”
Kathy’s new book, Cybercrime: Awareness, Prevention, and Response, is the first comprehensive Canadian resource on how cybercrimes affect the police, individuals, businesses, governments, institutions, and organizations.