Cybercrime is bigger in Canada than we know — and that’s a problem


Unless business leaders report attacks we can’t fight them

Article content

In the past two years, cybercriminals proved how vulnerable critical infrastructure is to them in even the most secure nations. Their efforts brought the U.S. Colonial Pipeline to a standstill for six days and compromised personal information of 10 million customers of Australian telecommunications provider Optus. Canada has not been immune: A breach brought Newfoundland’s healthcare system offline and forced thousands to reschedule medical appointments.

Advertisement 2

Article content

Governments have taken notice and introduced legislation mandating such organizations to report cyber attacks. In Canada, Bill C-26 will require companies in the telecommunications, banking, energy and transportation sectors to do the same if it passes.

Article content

Only 10 per cent of businesses actually reported cyber attacks in 2021

Every other Canadian business, however, will have no such legal duty. This should be of concern to Canadians as only 10 per cent of businesses actually reported cyber attacks in 2021. Unless victimized businesses begin to understand there is an imperative for them to report cyber attacks, Canada cannot begin to address its soaring cybercrime rates in a meaningful way.

It’s been difficult to grasp the true magnitude of the cybercrime challenge in Canada. Statistics Canada reports that only 18 per cent of Canadian businesses suffered cyber attacks when the real number could be closer to five times greater, according to the CyberEdge Group.

Advertisement 3

Article content

There are a host of reasons why a business may choose to not report a cyber incident. Brand reputation is often cited as top concern. Customers, partners and investors may all revaluate their trust in a business if they learn of a cyber incident.

Australian insurer Medibank is currently dealing with blowback after cybercriminals accessed 10 million records and began leaking healthcare information. The company’s stock has fallen around 20 per cent since the attack was made public.

Business leaders also fear that reporting an incident will lead to a rise in already expensive cyber insurance premiums. Cyber insurers aggressively raised the cost of coverage due to the increasing volume of cybercrime and associated damages. Between 2020 and 2021, premiums collected by U.S. cyber insurers surged by 92 per cent, according to the National Association of Insurance Commissioners.

Advertisement 4

Article content

Some businesses that have experienced breaches or are considered higher risk are even seeing their policy renewals declined. Meanwhile, general insurance providers are considering reducing coverage or vacating the cyber-insurance space altogether.

Given these challenges, businesses face a dual economic threat to their prosperity: they’re either being extorted by cybercriminals or burdened by cyber insurance premiums. Canadian businesses cannot be eternal victims, but on their current path they will be.

Declining to report cyber attacks will leave them at the mercy of cybercriminals who are continuously escalating and evolving their attacks. Ransomware gangs, for example, are now encrypting data, leaking it online, shutting down their victims’ websites and contacting business partners and the media to inform them of the attack.

Advertisement 5

Article content

Reporting cyber attacks is a crucial first step to altering the status quo. As a first step, governments, business associations and insurance companies should come together to understand the perceived and actual concerns of businesses in reporting cybercrime and update policies to address them.

With more data from increased reporting, public safety agencies can develop a better understanding of the current cyber threat landscape and, in turn, help to proactively protect businesses.

The intelligence gathered from these reports could help alert businesses of everything from a new strain of malware to a ransomware gang turning its sights on Canada. With enough warning, Canadian businesses can alter their cybersecurity strategies to deal with new cyber threats.

Advertisement 6

Article content

At the federal level, increasing reporting wouldn’t just serve to shape Canada’s defensive postures and investigative strategies, it would also propel us to pressure foreign governments to act on cybercriminals preying on Canadians.

Increased reporting could also guide legislation and funding decisions. In its most recent budget, the federal government set aside $893 million over five years for cybersecurity, continuing to underspend its allies in the U.S., the U.K. and Australia.

Advertisement 7

Article content

We have yet to see proportional funding for cybersecurity and it’s left police agencies in Canada under-resourced to respond to cybercrime. They neither have the training, nor the tools required to take action on all cybercrime, especially those victimizing small and medium enterprises and ordinary citizens. Our municipal police agencies could become first responders to cybercrime and help respond to data breaches with the proper resources.

This approach could even serve to encourage further reporting from victimized businesses. If the work of police agencies leads to a valuable outcome for business leaders, they may begin to trust that the benefits of self-reporting outweigh the potential risks. Cyber attacks do not need to become a part of the routine cost of doing business today. With Bill C-26, the Canadian government has wisely decided to hold critical infrastructure operators to a higher standard to protect Canadians. It’s now up to every other Canadian business leader to consider meeting that new bar.

Jad Saliba is founder and chief technology officer at cyber-investigation firm Magnet Forensics Inc.



Postmedia is committed to maintaining a lively but civil forum for discussion and encourage all readers to share their views on our articles. Comments may take up to an hour for moderation before appearing on the site. We ask you to keep your comments relevant and respectful. We have enabled email notifications—you will now receive an email if you receive a reply to your comment, there is an update to a comment thread you follow or if a user you follow comments. Visit our Community Guidelines for more information and details on how to adjust your email settings.


Source link

Comments are closed.