The findings were reported in an annual cyber safety analysis by Blake, Cassels & Graydon LLP
Increased training on cybersecurity risks and the growing use of deepfake technology by threat actors are some of the cybersecurity trends that businesses across Canada have encountered over the past year, according to a recent report by Blake, Cassels & Graydon LLP.
Since 2020, the law firm has published its “Canadian Cybersecurity Trends Study” – an annual look at how cybersecurity risk is evolving across the country.
While businesses and industry regulators have made strides in recent years in how they understand and prepare for cybersecurity threats, the sophistication of threat actors like cybercriminals has also grown. With many of these actors increasingly taking advantage of new artificial intelligence tools to expand their reach, the threat to businesses is “going to get a lot worse,” says Sunny Handa, partner and national group leader of Blakes’ technology and communications law groups.
Just about every type of company is potentially at risk. “Cybersecurity is still a number one issue facing all organizations,” Handa says. “Not just corporations, but not-for-profit corporations, partnerships, individuals… all businesses.”
Below are some of the biggest takeaways from Blakes’ report.
As large organizations grow increasingly aware of the potential for cybersecurity risks, many – particularly those in frequently targeted industries like technology and financial services – have taken steps to prevent cybersecurity incidents, according to the report.
These include training boards and senior management on handling attacks and training employees on how to mitigate risk. Many organizations are also allocating more funds to information technology departments for software and hardware updates, as well as third-party services that detect and prevent intrusions.
However, the same can’t be said for small and mid-sized organizations like hospitals, nonprofit organizations, and educational institutions, even as they face a growing number of attacks. This lag relative to larger organizations is likely due to limited resources, Handa says.
“Business is tough these days, right? Everyone is strapped. Everyone is optimized, efficient,” Handa says. “Adding another layer of cost or perceived cost is not something that businesses like to do, or that they do easily.
“But unfortunately, when they do get hit with an attack, it sort of wakes everyone up and reminds them why the cost might have been a good idea,” he says.
Over the past year, Handa has observed an uptick in data theft, business email compromise, and attempts to get employees to wire money to fraudsters. These schemes have grown increasingly successful, with a “level of sophistication [that] is probably being assisted by AI development,” Handa says.
AI tools can help threat actors develop deepfakes of voices and write convincing material, making it harder for businesses to detect fraud. Handa pointed to tools that can help threat actors get into a user’s inbox, analyze the emails they’ve sent, and generate emails in the same voice. Threat actors can similarly use tools to analyze recordings of an individual’s voice and generate deepfakes that sound convincingly like the person.
The Blakes report pointed to a recent example of this type of impersonation, where a Hong Kong multinational company was tricked into sending a threat actor the equivalent of US$25.6 million. An employee in the company’s finance department had received instructions to make the transaction over multiple videoconference calls with someone he believed was the company’s chief financial officer.
However, the videoconference calls turned out to be deepfake creations.
“Those are things that are coming down the pike and we started to see them this year, more than we ever have,” Handa says. “But it's going to get a lot worse.”
As cybersecurity attacks have increased, so too has the number of companies hit. In the mergers and acquisitions space, this means a growing number of companies being bought have been previously victimized.
“When you are buying a company now, it really is incumbent upon you to do proper due diligence on cyber with the company that you're buying, or you may end up inadvertently buying some of the risks of lawsuits or the fact that other companies might have been affected by the attack that hit you,” Handa says.
In addition to liability issues, buying a company that has been hit by a cyberattack exposes purchasers to expenses like forensic investigations, notifying hundreds of thousands of affected individuals, and managing reputational fallout, Blakes’ report said.
During the due diligence process, purchasers have grown increasingly likely to ask whether a company has experienced a cyberattack, how it dealt with it, whether it paid a ransom, and whether any data was taken, Handa says.
To date, “there's no common protocol for this,” he adds. “It's a bit like molasses in deals where we're sending in these cyber questions on behalf of a buyer, our client, and the other side isn't comfortable giving us candid answers, which, of course, provokes us to dig more.
“So sometimes cyber becomes a bit of a sticky point that slows the deal down because the communication is fractured.”