On a global scale, Canada ranked second as the most affected country for ransomware attacks in 2016 [i]. Accenture, an international consulting firm performed a survey that included 124 Canadian security practitioners and found that, “most Canadian companies do not have effective technologies in place to monitor for cyber attacks and are focused on risks and outcomes that have not kept pace with the threat.” [ii]
On February 3, 2019, Exempt Edge Inc. was indirectly subject to a ransomware cyber attack via malware used on Exempt Edge’s parent corporation, Olympia Financial Group Inc. After an extensive investigation, no evidence was found that customers’ personal information was compromised. Exempt Edge’s system was live to all users again by February 8, just 5 business days after the attack.
Countless start-ups both in Canada and abroad are subjected to ransomware attacks every day – it’s becoming the norm. But while Exempt Edge was able to leverage the resources and technological infrastructure of its larger parent company, most small businesses either end up paying the hackers off (a temporary fix that almost always backfires) or they have their having clients’ personal information compromised.
Without proper protocols and security put in place (items that are often wishes but not in the budget of many small businesses) a cyber attack can result in turning the lights out for a business. We spoke to a former EMD Executive, who discussed his devastating experience dealing with a cyber attack last year,
“Imagine this: You wake up Monday morning to learn that your back-office systems have been compromised and are inaccessible. You call in your IT people to get a briefing and they inform you it may take 60 days and could cost $200,000 to get things back online. The $200,000 is a lot to swallow, but it’s the 60 days that’s the existential threat. Your phone lines will light up with concerned clients and your advisors will begin to examine their options for another Dealership home. Asking advisors to go 60 days (or more) without paychecks is a deal breaker for most. This scenario is more than just plausible. It has happened, and it will likely happen again.”
No matter an organization’s size, cyber attacks are becoming a “when”, not an “if”. Even large organizations that have access to in-house cyber security teams have been unable to keep pace with sophisticated hackers. Take for example the University of Calgary, who in 2017 paid hackers $20,000 to decrypt their computer networks. [iii]
Another risky assumption for start-ups is to assume they are too small for hackers to target them. According to the Netcetera article, ‘Why Cybercriminals Target Canadian Small and Mid-Size Businesses’ hackers spend a huge chunk of their time targeting multiple small businesses daily asking for smaller ransom amounts that are “reasonable” to owners. This sum adds up quickly,“Hackers are serious about collecting ransom money. Whether the ransom demand is small or large, the amount paid in bitcoin, (a digital currency) is pure profit, untraceable and easy enough to get from a small business owner anxious to retrieve valuable data and keep functioning” [iv].
The first step in preparing you and your business for a ransomware cyber attack is either ensuring your business has a highly competent cyber security team in-house, or utilizing a third-party platform’s resources, like Exempt Edge to do the work for you. The most significant problem for small companies is the financial burden of a having cyber security team in-house, resulting in a lot of companies taking the risk of going without one. This perilous decision has resulted in many companies falling to an attack and going under.
The bottom line is, ransomware cyber attacks in Canada are clearly not going anywhere. Is your business prepared?
[i] Symantec, “Ransomware and Businesses 2016”, at pp.6-7 (“Symantec Report”).