Steve Weeks, president of Netcetera, says protecting computer systems is like fortifying a castle, where a moat, drawbridge and patrolling soldiers form layers of defence in front of a wall.Darryl Dyck/The Globe and Mail
John Cantafio is not an IT professional. Nor does he pretend to be.
As president and chief executive officer of Joseph S. Chow Ltd., a Surrey, B.C.-based trucking business, the 57-year-old has enough on his plate managing his 45 employees without worrying about things such as computer viruses.
There are other dangers out there, too, and they're evolving. While the spectre of malicious software programs has been around for quite some time, ransomware, a type of computer malware that holds a victim's data hostage for the purposes of extracting a ransom, is a more recent threat.
For peace of mind in that area, Mr. Cantafio employs North Vancouver, B.C.'s Netcetera to take care of that side of his business. As a proprietor who is mindful of both the cost of his business going down for any length of time, as well as having employees relying on him for their livelihoods, he considers it prudent.
"If you're a single operator and you're the only one who depends on your business, then go ahead and fill your boots and take the risk," says Mr. Cantafio, who has used Netcetera since 2001 and hasn't been victimized. "But when you have more than yourself, whether it's one employee, or 20, or 5,000, you need to be thinking about it, it needs to be part of your business strategy."
As anyone who has fallen victim to ransomware knows, the risk is real. According to Joseph Noonan, vice-president of product marketing at Unitrends, a Burlington, Mass.-based business continuity and disaster recovery company, up to 60 per cent of businesses in North America were attacked by ransomware last year. Of those that were hit, 63 per cent of them were down for more than one day, with the cost of downtime across the continent adding up to $700-billion (U.S.).
The threat of ransomware and other types of malware isn't likely to diminish any time soon, either. Mr. Noonan says that those kinds of threats are expected to double every year until 2019.
"Ransomware is a billion-dollar industry at this point and they [criminals] launch 4,000 new attacks every single day," he says. "It's tough for a security vendor to stay in front of that."
Small and medium-sized businesses are often easier targets than their larger brethren for ransomware criminals. Without the sophisticated, big-budget IT teams of multinational corporations, smaller-scale operations without clear defences and anti-hacking policies in place can inadvertently put themselves in the line of fire. In some cases, ransomware could look as innocent as a simple PDF file.
"Someone could be sitting in a small law office searching for a cruise vacation, come across one of these dodgy sites, and download what they think to be a brochure about the cruise ship and the vacation packages," says Mark McArdle, chief technology officer at eSentire Inc., a cybersecurity firm in Cambridge, Ont.
"In fact it's a ransomware-loaded piece of malware."
Mr. McArdle says that once the malware has been downloaded, it looks for sensitive, important files to encrypt. Once it has those, it throws a message to the victims to say that they have so many hours to pay a certain ransom in Bitcoin. In return the hackers will release the data, a promise that they deliver on most of the time – "They want you to be a 'happy customer,'" he says.
He adds it's a particular threat to small and medium-sized businesses, most of whom can't be expected to have a high competency in cybersecurity. One of the problems is that many of these organizations have employees clicking on suspicious e-mail links and doing Internet searches that take them to dangerous places. But in many ways that's just the tip of the iceberg when it comes to exposing weak spots in an organization.
"The freedom [for employees] to install software without any IT involvement is a pretty bad practice," Mr. McArdle says. "A lot of more sophisticated organizations that we work with recognize that not everyone needs to have administrator rights on their machine, and that gets to be harder to do when it's 10 people and they all want to treat their machine [as] half personal and half business."
Training staff to be alert for possible threats is a good starting point for any small business looking to minimize ransomware threats to their network. On top of that, finding a trusted, local partner to put reasonable cybersecurity measures in place is another worthwhile step.
Steve Weeks, president of Netcetera, says companies should follow these measures: Educate end users, build policies around things such as money transfers, create an after-infection plan, install commercial-grade firewall and antivirus software, and finally create a backup and recovery solution.
He compares it to building a castle, complete with a moat, drawbridge and a cavalry on patrol outside the castle walls. Without those kinds of securities, he says that eventually someone will tunnel under the walls or parachute in and wreak havoc on your fortress.
"It's the same in security," he says. "You can't say, 'Oh, I'm putting a firewall in so I'm protected or I'm putting antivirus in so I'm protected.' You need all these layers and each of these layers is going to give you some level of protection."
For those who do get hit by ransomware, the choice of whether to pay the ransom can be based on each situation. The University of Calgary and Cambrian College in Sudbury recently faced the dilemma after important, time-sensitive data and information was exploited. (Calgary paid, Cambrian did not.)
The advice from experts about paying is generally not to, mainly because doing so allows the criminals to invest more resources into developing better malware to attack more companies.
A 2016 International Business Machines Corp. survey found that seven out of 10 executives at attacked U.S. companies ended up paying the ransom to get their data or files returned. Half of the paying companies turned over at least $10,000, and 20 per cent paid more than $40,000.
"I think that typically what happens when companies end up paying criminals is they did not have current backups – or maybe they didn't test their backups and they tried to restore and it didn't work for whatever reason – and sometimes they weigh up the cost of having paid up and maybe the operational cost is going to be higher," says Limor Kessem, executive security advisor for IBM.
Much like buying house insurance in case of a fire or a flood, minimizing the risk before a ransomware attack takes place won't necessarily completely eliminate the possibility, but it might make it easier to sleep at night.
Alex Ricardo, director or breach response services at Beazley Group, a global insurance company, says that ransomware is the No. 1 incident being reported on its cyberinsurance policies, with a 400-per-cent increase in incidents in the small and medium-sized markets from 2015 to 2016.
It's certainly not going away, in part because of its efficiency, he explains. Unlike other cybersecurity threats, which required the criminals to not only hack into a company, but also to then exfiltrate the data undetected and then find a market to monetize it, ransomware simplifies that process considerably.
"With ransomware, if you envision it, you just have to hack in, it's the once single hurdle you have to overcome," he says. "Once you're in, locking up data, you immediately have the option to monetize it right there and then."
Paul Attfield