I attended the MAPLE-SEC conference this week, which I thought provided a good overview of the state of cybersecurity and cybercrime in Canada in 2021.
One thing we learned during the conference was that a majority of businesses faced with a ransomware incident during the last year ended up paying the criminals to get their data back and/or to avoid its disclosure to third parties. Not too surprisingly, this type of crime is consistently on the rise, as the typical victim ends up capitulating and rewarding the criminals by paying some sort of ransom.
We also learned recently that a 2021 report by cybersecurity firm Sophos revealed that about a third of businesses were the victim of some sort of ransomware attack during the last year. That makes for a lot of businesses and data!
With stats like these, it’s not surprising that insurers offering cyber-insurance products are now feeling the pinch. Cyber-insurers are apparently losing considerable money on this type of policy. Because of this, an expert in insurance law who spoke at the MAPLE-SEC conference warned everyone that cyber-risk insurance coverage is about to get substantially more expensive for businesses everywhere. His advice was to get the best cyber-insurance you can afford, right now.
Recent stats clearly show ransomware is unfortunately here to stay, as we’re now seemingly paying the price for collectively minimizing the importance of cyber-security for so long.
The Slaw blog had a good basic post yesterday morning on cybersecurity for law firms. It made me want to share some of their advice, to which I’d add a few points of my own, and which may apply not only to professionals but also to any type of organization.
As you may notice, a lot of this is basically common sense, as applied in the digital age:
- Start by asking yourself what type of data your organization handles, and consider what problems you would have if it fell into other hands or became unavailable;
- Inventory all devices your organization uses, in particular those that connect to its systems and/or the Internet, and make sure your personnel knows the dangers of plugging in anything new (e.g., an infected USB stick);
- Realize that anything you connect to the Internet (i.e., make accessible) may become a point of entry for hackers or infections, in particular any device that has not been fully updated (including the firmware and software running on it) – make sure all your hardware and software are regularly updated (starting with your router and computers/servers);
- Stop allowing or using weak passwords and have everyone use a solid password manager;
- Better yet, have everyone in the organization access every tool that supports it through Two-Factor Authentication (2FA);
- Acknowledge that employees require ongoing cybersecurity training and reminders, and actually schedule it so that it does happen, at least every year, covering things like:
  - The risks associated with passwords (such as weak or reused ones);
  - Problems that may be triggered by navigating one’s browser to a malicious site or clicking on a link in an email;
  - The dangers of activating, opening or clicking on attachments;
  - The concept of social engineering and its role in many attacks;
- Know in advance who you will call in case of an incident to investigate or remedy it, and make sure your personnel knows what your game plan is;
- Do not assume you are safe because no one would bother attacking you: we are all potential victims of cybersecurity incidents, and anyone can fall victim to an attack without having been specifically targeted.
With Québec’s passing of a new personal information statute, further to Bill 64, I’d say now’s a good time to brush up on your cybersecurity practices and safeguards!
The U.S. has started cranking up the heat on the cybercriminals responsible for recent major ransomware attacks on American businesses and organizations. This includes offering rewards of millions of dollars to anyone who provides specific information about the criminals behind those recent attacks.
The move is part of several initiatives by the U.S. to try to get a handle on the problem of ransomware, a problem which is fast reaching epidemic proportions. Who knows, large rewards like these may help motivate citizens and businesses to investigate recent attacks and even track down those responsible for these cyberattacks. Can’t hurt!
In addition to those rewards, it seems the U.S. is also continuing to tighten banking regulations (to squeeze those trying to cash out cryptocurrency paid as ransom) and to increase international collaboration.
It is hoped initiatives such as these may help obtain more information, in particular, as to recent sophisticated attacks which were, more than likely, sponsored by foreign States such as Russia, China and North Korea.