Canada: Locked Out And Out-Of-Luck: The Impact Of Ransomware On Smes

Recent high-profile data breaches have emphasized the importance of protecting client, company, and personal information by governments and businesses.  In May 2017, the WannaCry ransomware attack rapidly struck many high-profile public and private targets worldwide. WannaCry effectively "locked" companies out of their data and demanded a "ransom" or payment in exchange for the data's release.¹

Cyber-attacks such as WannaCry have resulted in many large corporations increasing investments and dedicating company resources to safeguard against breaches. Given the costs that can result from a data breach, it should come as no surprise.  In 2016, the average cost per compromised record in Canada was $211, while the average cost per Canadian data breach was almost $5 million. Additionally, lost goodwill may significantly impact a company's bottom line if customers lose confidence in the competency and security of the business.²

However, studies show that small and medium-sized enterprises (SMEs) need to do more to strengthen their cybersecurity plans. According to a 2017 Canadian Chamber of Commerce report, SMEs lag behind large businesses in deploying cybersecurity measures. In fact, most attacks now target SMEs specifically.  The Chamber report also indicated that 71% of data breaches happen to small businesses.³  In addition, nearly half of all small businesses in the US have been victim to a cyber-attack; rates are estimated to be a similar in Canada.

Experts believe that SMEs have become the focus of cyber criminals because these businesses are less prepared to prevent and respond to attacks. As a result, ransomware attacks can disproportionately impact SMEs.  If the targeted data is extremely valuable (e.g., helps to maintain the business' operations), the likelihood of the ransom payment being paid will increase. This was the case in a 2015 attack on a Calgary wine store. The hackers made the Kensington Wine Market's database inaccessible through a ransomware attack.  They demanded a ransom of $500 in bitcoins for the data to be released.  While the data itself was not extremely profitable to the hackers, it was critical to the wine store's operations. The wine store could not open email, review inventory, or process sales during the busy holiday season. Ultimately, the store paid the ransom because it was estimated that paying a software company to resolve the issue would cost 10 times more than the ransom.⁴

In 2016, the University of Calgary fell victim to a ransomware attack that encrypted staff and faculty emails.  The university paid $20,000 to regain access to their data, which was seen as a bargain given the university faculty consisted of more than 1,800 members. Even at minimum wage, an hour of time for each member represented a sum of more than $20,000.⁵

Whether to pay the ransom or seek the expertise of a cybersecurity specialist will depend on the objectives of the SME and the circumstances at the time of the attack.  Regardless, companies ought to spend time considering, drafting, and implementing a policy that outlines the risk assessment and response process required for a ransomware attack well before it happens.  This will allow for and improve employees' understanding of the issues at play (and highlight what to do if they face such an incident that impacts their day-to-day operations).  

It is also important to keep in mind that once the recently published and proposed Regulations of the Digital Privacy Act come into force, SMEs governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to notify affected Canadians (and the Privacy Commissioner of Canada) as soon as feasible in circumstances where:

• Personal information has been lost;
• Stolen; and
• The individuals are at a risk of suffering harm.

These discussions may also assist in streamlining internal protocols and external communications in the event the attack becomes public knowledge.

Although media outlets might not always report on SMEs being attacked, these businesses are increasingly becoming a target of cyber criminals. Here are some strategies that SMEs might consider in order to combat cyber-attacks:

• It is important for SMEs to take measures to protect their systems against the constant probing of hackers. Ongoing monitoring of system security can raise awareness of impending attacks before serious damage is done.
• Many cyber criminals check for well-known points of entry due to old patches and systems. Make sure systems, software, and applications are updated frequently.
• Train employees to conduct themselves in a manner that does not open the company up to a potential data breach. Raising the awareness of employees of cybersecurity risks can improve prevention, reduce system gaps, and hopefully lead to an overall faster response in the event of a breach.

For a business that is just now taking stock of the cybersecurity threats it may face (and any related data privacy obligations it may have), these issues may seem daunting.  However, the team at Cox & Palmer is here to help.  Should you have any questions, please do not hesitate to contact us.

We will be holding a complimentary Breakfast Seminar on Privacy and Cybersecurity in Halifax on Tuesday, September 26, 2017. If you are interested in attending, please follow this link to RSVP.

Footnotes

^{1 Christina Mercer, "What is WannaCry? How does WannaCry ransomware work?" (15 May 2017), Techworld, online: http://www.techworld.com/security/what-is-wannacry-how-does-wannacry-ransomware-work-3659064/.}

^{2 Larry Ponemon, "2016 Cost of Data Breach Study: Global Analysis" (15 June 2016), online: https://securityintelligence.com/cost-of-a-data-breach-2016/.}

^{3 Canadian Chamber of Commerce, "Cyber Security in Canada: Practical Solutions to a Growing Problem" (31 March 2017), online: http://www.chamber.ca/media/blog/170403-cyber-security-in-canada-practical-solutions-to-a-growing-problem/, at 25.}

^{4 CBC News, "Bitcoin ransom demanded by hackers of Calgary wine store" (10 December 2015), online: http://www.cbc.ca/news/canada/calgary/kensington-wine-market-bitcoin-ransom-1.3359427.}

^{5 Dave Dormer and Stephanie Wiebe, "U of C ransom payout better than battling hackers, expert says" (8 June 2016), CBC News, online: http://www.cbc.ca/news/canada/calgary/university-of-calgary-cyberattack-part-of-increasing-problem-1.3621505.}

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.