Study finds more than half of victims of malware pay a ransom
Cybersecurity incidents at Canadian businesses are growing at an alarming rate, according to a new study by Blake, Cassels & Graydon LLP. The first annual Blakes Canadian Cybersecurity Trends Study found that both public and private sector businesses are generally ill-prepared to cope with rising numbers of cyber breaches. Such attacks can result in financial loss, operational disruption and reputational harm, so taking action to prepare is key.
“Don’t assume this isn’t going to happen tomorrow. There are two kinds of companies: those that are being breached and those that don’t know they are being breached,” says Sunny Handa, a partner at Blakes who was instrumental in launching the study.
Ransomware and business email compromise were the top two threats in 2019, the study found, with more sophisticated ransomware variants emerging at an accelerated rate. Financial, health and professional services were recognized as the most likely industries to be targeted by hackers due to the quantity of sensitive information they hold, including personal information on employees and customers.
The study also found that 53 per cent of victims of a ransomware attack opted to pay a ransom demanded by hackers, while 31 per cent reported the incident to law enforcement and 29 per cent followed a cybersecurity incident response plan. More than half of organizations called external counsel when a breach occurred, which Handa believes is an important step to deal quickly with privilege issues, lawsuits and potential liability. In most instances, organizations reached out to specialized cybersecurity firms to assist them in containing the incident, remediating and conducting a forensic investigation.
In-house counsel should be wary of assuming data breaches are simply an IT issue, in Handa’s opinion.
“What I would tell in-house counsel is to address it at an enterprise level,” he says. “This is a governance issue for the C-suite and the board of directors. This means putting training programs in place and an incident response plan in place so if something bad happens, you know what to do.” Speaking to an insurer is also recommended, as Handa says general liability coverage may not protect your company from a cyberattack. In fact, the study found that only a little over 10 per cent of publicly listed companies have standalone cyber insurance in place.
Since the COVID-19 crisis forced many businesses to adapt to a remote work environment, the risk of cyberattacks has risen.
“Because of remote working there is more risk at play. People are sometimes sloppy, using personal email accounts to save a step here and there, but if your account is compromised, you’ve put the business at risk,” says Handa. However, Handa does not believe that the increased risk accounts for the spike that we are seeing in cyber breaches, which has been a growing concern for many years.
“I think the spike is coming because we are in the midst of reaching a tipping point where things are really taking off in a big way,” he says. “Our team is growing every week because we are getting more and more breach response work.”
Blakes plans to repeat the study next year and add features such as details about the types of malware for which companies are paying a ransom.
The study took place from January 2019 to October 2019 and was based on a survey of cybersecurity forensic firms that responded to more than 250 incidents across Canada. It also made use of publicly released data by the federal, Alberta and British Columbia privacy commissioners’ offices and a review of various public disclosure documents.