Increased risks of ransomware and extortion-driven attacks as well as the rise of the Internet of Things (IoT) are challenging Canadian organizations in new ways, according to a recent report from audit, tax and advisory services firm KPMG LLP.
KPMG identified five key cybersecurity trends impacting Canadian businesses in its Cyber Watch Report, released last week. These security risks are putting heightened pressure on organizations to protect, detect and respond to new adversaries and threat tactics, while preserving their trust and reputation with customers, KPMG said in a statement.
The first trend affecting Canadian organizations is the increase in extortion-driven and ransomware incidents. Cyber criminals will deploy ransomware to infiltrate and encrypt files, devices and networks, then demand payment for their release or threaten to steal data if payments are not made, the firm noted. “Incidents of ransomware and extortion-driven attacks are expected to increase in Canada, particularly within the public, legal and financial services sectors given the private and sensitive nature of the information these organizations hold,” KPMG said in the statement.
Other forms of attack include “shameware”: viruses that use laptop cameras and microphones to record behaviour, with perpetrators hoping to find details that can be used for blackmail. “Companies must protect their assets, operations and reputation by employing a back-up strategy and conducting regular employee awareness campaigns,” KPMG said in the report. “Most ransomware spreads via emails with contagious attachments or bad hyperlinks, so it is imperative to educate employees. A dedicated clean machine should be used to periodically check backups.”
Another trend impacting Canadian firms is mandatory breach notification. Consumers, governments, privacy commissioners and courts will increasingly pressure Canadian organizations to be more transparent about their cybersecurity readiness, responsiveness and breach notification protocol. KPMG anticipates an increase in breach management and notification costs in 2016 due to the Digital Privacy Act’s mandatory breach notification requirement. This act will require organizations to notify affected consumers about security breaches that pose a risk of significant harm.
The third trend is increased risk with use of mobile devices and the growing pervasiveness of IoT. As more players, service providers and third-party suppliers become part of the mobile and IoT ecosystem, these parties may not have completed sufficient security testing, KPMG warned in the report. “In the absence of generally accepted security standards for these devices, Canadians will start to demand assurances that all suppliers have suitable security and privacy policies and safeguards in place,” KPMG said. “Retrofitting systems for security typically costs 20 to 35 times more than the cost if security had been built in from the start.”
Yet another trend affecting Canadian organizations is the greater use of real-time intelligence tools to monitor live attacks. “It is imperative businesses detect threats as early as possible, and disarm them proactively,” KPMG said in the statement. “Real-time intelligence solutions give organizations visibility into global cyber threats as they happen to help block attacks, uncover hidden breaches and track emerging threats. Because speed is of the essence, KPMG believes Canadian organizations will make increasing use of real-time intelligence tools.”
The final trend revolves around a greater focus on risks posed by third-party vendors and suppliers. There is no longer a clear delineation between “internal” and “external” threats, KPMG noted, and as Canadians begin to demand security, privacy and trust assurances, organizations will need guarantees that their third-party suppliers have suitable policies and safeguards in place to prevent cyber incidents.
“In 2016, we expect boards, audit committees, executives and public officials to ask more pointed questions to ascertain whether their organization is in a defensible position,” KPMG concluded. “Oversight is a key component of a defensible position, so proper metrics and oversight should be in place for audit committees and boards. To become cyber resilient, companies need to get a clear view of their specific cyber security risks and probable impacts, assess and prioritize enterprise improvement activities, and ensure current risk assessments, budgets and IT initiatives are appropriate.”