Cybersecurity experts say a new poll suggesting that nearly 70 per cent of the Canadian organizations that faced a ransomware attack last year paid the demands is evidence that such payments should be made illegal.
Of the businesses surveyed, 17 per cent said they faced such attacks, according to the Canadian Internet Registration Authority’s (CIRA) annual cybersecurity survey.
Well over half of businesses, or 64 per cent, supported legislation that would prohibit making payments to ransomware attackers.
“I’m surprised. I’d think organizations would want the choice, depending on the business, the exposure they’re facing, the financial losses, that it would be up to them whether they pay or not,” said Mark Gaudet, CIRA general manager for cybersecurity and DNS services.
Ransomware is a form of malicious software attack in which a user’s or company’s data is encrypted, locking the owner out. The attacker will only release the decryption key after being paid a ransom.
Gaudet said experts typically advise against paying.
“Why it’s recommended not to pay is because organizations that are hit with ransomware typically get hit again.”
Charles Finlay, executive director of The Catalyst, Ryerson University’s cybersecurity centre, said he was shocked by the high number of businesses paying ransomware attackers, and said legislation was needed to stop a lucrative cycle in the hacking industry.
“I think it’s a wake-up call for Canadian businesses and law enforcement,” said Finlay, who said legislation to prevent such payouts for ransomware attackers is one way to fight the problem.
“It has to be understood that ransomware is a multi-billion dollar industry, and to defeat ransomware as an industry we have to disrupt its business model, which relies on people paying ransoms.”
However, both Finlay and Gaudet said such legislation could further expose businesses in certain cases.
Canada has faced some high-profile ransomware attacks affecting hospitals, RCMP detachments and pipelines.
The CIRA survey found that Canadian organizations that paid their attackers did so to avoid downtime, reputational damage and other costs.
More than one-third (36 per cent) of organizations said they have introduced new security measures to meet increased pressure from hackers. Network security matters more than ever, with 29 per cent of companies saying more people are working remotely than a year ago.
Nearly all of the 510 security professionals surveyed (95 per cent) said at least some of the new protections will remain permanent.
The study also found 59 per cent of businesses have cybersecurity insurance as part of their business insurance, with many companies saying their premiums have increased and that insurers are asking for more proof of the cybersecurity measures they have in place.
The online survey of organizations with 50 to 999 employees was conducted in July and August and was released ahead of the MapleSEC cybersecurity conference, which starts Tuesday.
“It feels like the pandemic forced 10 years of cybersecurity adoption to happen in about 10 weeks,” said Gaudet.
“The pivot to work-from-home and employees using their own devices really increased the number of security threats facing organizations, and the bad guys did everything they could to take advantage of the situation.”
The polling industry’s professional body, the Canadian Research Insights Council, says online surveys cannot be assigned a margin of error because they do not randomly sample the population.