small-business data security

Paladion’s John Daniele, at his firm’s cybersecurity monitoring centre in Oakville, Ont., says Canadian companies tend to lag their U.S. counterparts in spending on data security. J.P. Moczulski/The Globe and Mail

That message from an Eastern European stranger who would like to make your acquaintance is obviously bogus.

So is that random PayPal notice. Yet the e-mail from a manager at your company, authorizing a money transfer, could just as easily be the work of criminals, too.

E-mail is still, and could very well remain, one of the most porous entry points for cybersecurity breaches, as evidenced in last week's massive phishing hack targeting Gmail accounts. (Phishing is an attempt to gain sensitive information, such as passwords and credit card numbers, usually through e-mail inquiries.) Against a rat-a-tat machine-gun fire of constant hacking attempts, a defence that depends merely on employee vigilance not to open or act upon any seemingly questionable e-mail can seem hopelessly fallible.

"Just recently, I was dealing with a client who had about $200,000 transferred out of their account due to some criminal entity that was exploiting their business process," said John Daniele, chief analyst of cyberintelligence and digital forensics at cybersecurity firm Paladion in Oakville, Ont.

The criminals had studied the business closely, determining which part of the process was vulnerable, "and they used a very sophisticated spear-phishing attack to exploit that," he said. Spear phishing is a more targeted version of an e-mail ploy.

The problem is not only tricking a victim into clicking a link or giving personal information. A hack can also be planted in a business process in which it is acted upon nearly automatically, faster than it can be confirmed.

"With the pace of business, that's not always so easy. You may not be able to pick up a phone every single time and delay a business process that may be happening 100 times a day," Mr. Daniele said. So, ideally, companies and organizations need to build a defence very specific to their unique operation.

Yet, he added, threats are so constant that "breaches are, in my view, inevitable, and many companies simply operate in a continuous state of breach." Like wildfire, some breaches are simply left to burn.

"Some companies know that they are breached and decide not even to take the extra step to hunt for the attackers who are live on their network," he said. It can be too costly, and Canadian businesses often spend less on cybersecurity than U.S. counterparts.

U.S. firms tend to set aside 2.5 to 5 per cent of their information technology budgets for security, "and I continuously see Canadian companies well under the 2.5 per cent," Mr. Daniele said.

For many institutions, e-mail filters and training users to detect suspicious messages are their main defences. Yet, there are obvious limitations. Rather than just making the text of an e-mail look official, hackers are getting better at spoofing an e-mail's point of origin, said Daniel Tobok, chief executive officer of Cytelligence in Toronto. Scammers can make an e-mail address look like it is legitimately from a vendor.

"The problem is that you can't stop it fully because the bad guys are relying on the human factor. You're dealing with psychology," Mr. Tobok said.

Also, employees may wait to fess up whenever they think they might have clicked on something nefarious, but an immediate response is crucial. "Those five, 10, 30 minutes are critical to potentially contain whatever they clicked on," Mr. Tobok said.

Phishing through e-mail is still the most pervasive way to breach a computer network, say security experts. Sometimes phishing may also lurk on websites, fooling users and implanting all manner of dangerous code from spyware to ransomware, but predominantly e-mail remains the main phishing spot.

There are automated processes, though, that institutions can apply. For instance, a system can be created to send any message to a sandbox, a location (usually remote servers, a.k.a. in the cloud) where a link or an attached file is automatically opened up to see if there's anything wrong. Or it may test the link or file before the receiver even gets the e-mail, explained Danny Timmins, national cybersecurity leader at MNP in Mississauga.

This verification process can happen in seconds. Yet, it also needs to provide a safe way for users accessing the network from outside.

Training also can be more targeted. With clients, Mr. Timmins's firm can simulate a focused phishing attack, trying hard to deceive users. If a few dozen users are fooled enough to click on a link, and some even provide their passwords or other personal information, the firm can then go back and provide more targeted education.

In particular, this can mean picking apart a company's business process to find its weak links. "That's often how wire frauds happen. Somebody has already phished them. They are already watching inside the network," and then exploit how the company moves money or commercial data, Mr. Timmins said.

However, relying solely on education isn't enough, experts warn.

"We've seen some very convincing e-mails which would even potentially fool a professional security consultant," said Mr. Daniele at Paladion, noting that this also applies to websites hiding that they are controlled by dubious hosts. Detecting these dangers goes far beyond merely locating a secure site icon at the top of a Googled Web page.

"There is so much nuance involved that it's a bit of an unrealistic expectation I think for security professionals to say, well, this is just a user problem, and a user simply needs to be better educated," Mr. Daniele said.

"Security education and awareness is vitally important … but beyond that, there is a role for vendors [computer software and service companies] to produce secure software to ensure that they are doing right by their clients and consumers who are relying on the safety of that application," he said.
