(c) Chartered Professional Accountants of Canada. Contact CPA Canada for permission to reproduce this article.

Be prepared

Considering the number of ransomware attacks each year, why don’t organizations devote more resources to protecting themselves from these debilitating intrusions?

By David Malamed

In mid-July “a major Canadian company was forced to pay $425,000 in bitcoin to restore its computer systems after suffering a crippling ransomware attack that not only encrypted its production databases but also the backups,” ITworldcanada.com reported. The company did not want to be identified, for reasons of confidentiality. It is believed the ransomware payment was the largest in Canada as of that date.

A few weeks earlier, a South Korean web-hosting company, Nayana, had reportedly paid US$1 million in bitcoin after hackers encrypted data affecting approximately 3,500 of its customers. That amount is believed to be the largest known ransomware payment in the world.

On a smaller, but still significant scale, in 2016 the University of Calgary paid $20,000 one week after its computer systems had been encrypted. The university decided to pay the ransom “because we do world-class research here,” Linda Dalgetty, vice-president of finances and services, said. “We did not want to be in a position where we had exhausted the option to get people’s potential life work back in the future if they came today and said, ‘I’m encrypted, I can’t get my files.’ We did that solely so we could protect the quality and the nature of the information we generate at the university.”

All three incidents received news coverage but nothing compared to the worldwide attention garnered by the WannaCry ransomware attack of early May. That attack, which targeted computers running the Microsoft Windows operating system, reportedly infected more than 300,000 computers in 150 countries, especially Russia, Taiwan, Ukraine and India, The Telegraph reported. The UK, however, suffered a serious blow when the hackers paralyzed the country’s National Health Service. Spain was also targeted, with Telefónica, a leading telecommunications giant, on the receiving end of an attack.

Although Canada was largely spared, it was “nothing more than a fluke,” Atty Mashatan, a professor at Ryerson University’s School of Information Technology Management, told The Globe and Mail. “This time around we were lucky,” she said. “There’s so many people who are emailing one another within the UK, whereas the traffic between the UK and Canada is not as much.” Canada’s luck continued to hold when a second international attack occurred in late June. Known as NotPetya, it crippled thousands of computers in Ukraine, Russia and other countries, but not Canada. Unlike WannaCry, however, it seems the purpose of this attack was to destroy data, not hold companies hostage for payment.

Ransomware attacks on the rise

Ransomware attacks are incredibly commonplace, according to the FBI. “On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016,” the bureau reported recently. “This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015.”

Most ransomware attacks occur because someone at a company or organization opens an attachment sent out by the hackers en masse. Once the hackers gain access to a company’s computer network, they can lie in wait until they decide to strike. If the hackers are sophisticated, they will likely use malware that encrypts a victim’s files, making it impossible for the files to be accessed. With WannaCry, the attackers demanded between $300 and $600 to unlock each infected computer, to be paid in bitcoin, the digital currency.

Not long after the WannaCry demands had been made, a UK security expert discovered a “kill switch” in the malware that basically disabled WannaCry. As a result, the hackers received only about US$50,000 in total, according to CNBC.

Despite the publicity the ransomware attacks generated, many Canadian companies, especially small and medium-sized ones, remain vulnerable to future intrusions. According to a 2017 security report by consulting firm Accenture, “most Canadian companies do not have effective technology in place to monitor for cyberattacks and are focused on risks and outcomes that have not kept pace with the threat.” Of 125 anonymous Canadian organizations that participated in its global ransomware survey this year, Accenture said 72% reported being the victim of a cyberattack in the previous 12 months, and of those, 35% were identified as ransomware attacks.

A laissez-faire attitude toward cybersecurity attacks also seems to be prevalent in the US, which was the most affected region in the world for ransomware attacks over the past year, netcetera.ca reported. Canada ranked a close second. A survey by the National Cyber Security Alliance and Symantec found that “small business owners or operators have a false sense of cyber-security as more than three-fourths say their company is safe from cyber threats such as hackers, viruses, malware or a cyber-security breach, yet 83% have no formal cybersecurity plan.”

Risk reduction

Considering the number of ransomware attacks each year, and the scope of WannaCry and NotPetya, it is hard to understand why so many companies and organizations don’t devote more resources to protecting themselves, as best as possible, from these debilitating, and often devastating, intrusions.

Risk reduction starts with backing up regularly and making sure your backup is disconnected from your system so that you don’t have to even contemplate paying the ransom.

“First task to ensure you can respond appropriately is to identify critical information and systems that support your organization’s primary business functions,” says Sunil G. Chand, director of cybersecurity and national practice lead at Grant Thornton LLP Canada.

Next, companies should prepare for the possibility of a ransomware or other cybersecurity attack. With the former, time is critical, as the hackers often demand payment within 24 to 72 hours. If a company only begins formulating its response once its systems have been compromised, that window may be too short to make the best decisions.

An initial step would be to understand what risks exist; this can be accomplished by conducting a cybersecurity posture review. Typically this would require the assistance of outside experts. Many, if not all, of the necessary resources could be obtained from any of the large accounting firms.

An increasing number of firms are engaging “ethical hackers” to conduct “white-hat” scenarios, where they attempt to infiltrate a company’s systems to see how easy or difficult it is to penetrate them. These are often done in parallel with tabletop exercises, in which a company’s cybersecurity response plan can be tested and evaluated through the use of scenario gameplay.

At the same time, a company needs to have a cybersecurity team in place, composed of internal and external experts. It’s best to have an IT person trained in cybersecurity on the team, rather than an IT employee who has responsibility for a myriad of operations within a firm. The IT expert would be responsible for evaluating the technological standards of the security defences as well as ensuring that the most effective and up-to-date firewalls are in place and constantly upgraded.

If an attack does occur, forensic specialists will need to assess and assist in the response a company decides to make. These experts should be retained ahead of time so they are familiar with the company’s systems and available when needed.

The team should also include in-house and external counsel, and they should have brainstormed strategies beforehand with each other and any pertinent PR or communications personnel, as their agendas are often at odds.

To pay or not to pay?

The question of whether to pay or ignore a ransom demand should be explored by key players in advance. It will not be an easy call to make. In some scenarios, paying the ransom will be preferable to a lengthy period during which a company’s ability to conduct business would be hijacked. But it’s a risk as the hackers might take the money and not unlock the files. Or they might come back for more. There’s no certainty about what will transpire but it is almost a sure thing that the best decision will be reached if the possible scenarios have been examined and determined without a ransom clock ticking in the background.

Also, every company needs to educate its employees on an ongoing basis about the various ways sophisticated hackers get them to open files or divulge passwords through phishing or social engineering tactics.

It’s human nature for people to click on what seems to be one more innocuous link to an engaging video, free game, online contest, adult content or other lure hackers use to gain access to a company’s computer systems. The education component can’t be done just once, such as when a person is hired, and never repeated. It must be revisited and updated constantly. All employees need to know and be reminded of the dangers of visiting a website with unpatched third-party applications.

If employees doubt that hackers would attack them, they should read futurist Thomas Koulopoulos in May’s Inc. magazine. He writes, “Almost 50% of small businesses have experienced a cyberattack. More than 70% of attacks target small businesses. As much as 60% of hacked small and medium-sized businesses go out of business after six months.”

This article was originally published in the October 2017 issue of CPA Magazine.