The media recently reported disconcerting results from a survey of Canadian employees about the protection of personal information and cybersecurity.
The report at issue indicates that about 1/3 of Canadian employees do not think data theft is really an issue they should be concerned with, or that they are likely to be targeted by cybercriminals while at work. Even with everything that has happened in the past couple of years, including almost daily announcements of computer intrusions and ransomware attacks (including in Canada), your typical employee does not seem all that worried.
In Québec, 3/4 of employees who answered the survey indicated they did not think the protection of personal information had anything to do with them, thinking instead that this is an issue IT is responsible for. Heck, the same proportion of respondents even admitted they had received NO training whatsoever at work about cybersecurity. None. Yikes.
Yeah, it seems, even today, with everything being published and privacy laws being adopted, your typical Canadian business may not be all that concerned about protecting data, whether it be personal or otherwise. Given that even some SME officers and business owners often still basically choose to ignore the issue, it is not all that surprising that a lot of employees do too. The Vietnamese have a good saying that may apply here: A house leaks from the roof on down.
Our job educating businesses and employees about this may not be quite done, it seems.
I attended the MAPLE-SEC conference this week, which I thought did a good job of providing an overview of the state of cybersecurity and cybercrime in Canada in 2021.
One thing we learned during the conference was that a majority of businesses faced with a ransomware incident during the last year ended up paying the criminals to get their data back and/or to avoid its disclosure to third parties. Not too surprisingly, this type of crime is pretty consistently on the rise, as the typical victim ends up capitulating and rewarding criminals by paying some sort of ransom.
We also learned recently that a 2021 report by cybersecurity firm Sophos revealed that about a third of businesses were the victim of some sort of ransomware attack during the last year. That makes for A LOT of businesses and data!
With stats like these, it’s not surprising that insurers offering cyber-insurance products are now feeling the pinch. Cyber-insurers are now apparently losing considerable money on this type of policy. Because of this, an expert in insurance law who spoke at the MAPLE-SEC conference warned everyone that cyber-risk insurance coverage is about to get substantially more expensive for businesses everywhere. His advice was to get the best cyber-insurance you can afford, right now.
Recent stats clearly show ransomware is unfortunately here to stay, as we’re now seemingly paying the price for collectively minimizing the importance of cyber-security for so long.
Faced with a seemingly endless series of cyberattacks through ransomware, some businesses are now turning to insurers to make sure they are in a position to pay eventual ransoms. Insurers indeed realized a while back that some companies would pay to insure against the risk of facing cyberextortion and having to pay to recover their own data. Once insured with such coverage, a business can essentially have the insurer pay the ransom that cybercriminals are requesting once the business falls victim to ransomware that encrypts its data.
Recently, the European insurer AXA decided to stop offering this type of coverage in France, in part because of comments from French authorities to the effect that this type of coverage is essentially counterproductive and, as such, may be something France will soon prohibit. Indeed, according to many (including the FBI), the existence of insurance coverage of this type in fact encourages the ransomware industry, because it increases the odds of convincing the typical victim of such a cyberattack to pay a ransom.
In what may be a clue that not offering this type of coverage does play into the hands of criminals, shortly after its announcement AXA’s Web servers were the object of a DDoS attack from criminals, in what may be seen as retaliation. It seems criminals do want insurers to keep paying ransoms, which may be a reason to rethink allowing it in the future, if you ask me.
Even though forbidding payments by insurers is not likely to stop ransomware, many are now calling for a global strategy that may allow us to collectively fight the problem, including by no longer throwing oil on the fire, so to speak. Sure, insuring against this risk is convenient, but is it the right thing to do in the grand scheme of things? The question stands.