Ignorance is bliss, they say, but this is definitely not true when it comes to data protection and data security. Our daily lives revolve more and more around the online world (home office with video conferences, online banking, social media, and the list goes on). This most certainly comes with a lot of amenities. However, there is also a dark side to the cyberworld. Online, our threat surface is much bigger, giving bad actors more opportunities to exploit our data and leverage it for criminal offences.
It feels like not a day goes by without a new report on another high-profile cyberattack. Canada in particular has been hit hard by a sheer tsunami of ransomware in recent months: the Toronto Zoo, several universities, Sobeys, which is one of Canada’s largest grocery chains, and even the National Police were targeted successfully. The victims are all kinds of different businesses, as well as an array of municipalities, where city services were shut down across the board. Seemingly, there is no rhyme or reason as to why exactly those institutions were hit. Or is there?
An open Door may tempt a Saint – Or: The next Breach is just a Click away
Businesses frequently ask ‘Why did we get hit? We are just a small cog in the machine.’ But that is not the point. During the pandemic, many businesses rushed to become more digital. However, data protection was sadly not their top priority. Now we are dealing with the aftermath. This means businesses have to hurry up again – not only to become compliant with current data protection laws (if already in force), but especially to train their employees properly. Just one click on a malicious link is enough for an intruder to enter your systems and cause horrendous consequences by encrypting or even deleting valuable data right away. Especially concerning is the fact that ransomware and phishing e-mails are not only increasing, but are more sophisticated than ever with the aid of AI. Long gone are the days of e-mails with lots of grammatical mistakes or awkward phrases, which were easy to spot. Now, even fraudulent (video) calls from a superior can be generated (the so-called “deepfakes”), and frankly, they are almost impossible to detect.
Victims of cyberattacks usually all have one thing in common, though: they are targets of opportunity. What does that mean? It means that anybody may become a victim as soon as the opportunity to attack them arises, as soon as a mere weakness is spotted. An unprotected port or server, for instance, may quickly become the proverbial “open door that may even tempt a saint”. So, cyberattacks are part of our daily lives now – whether we like it or not. Here is a real-time map of attacks just to show how frequent they really are. You might be shocked!
Ransomware as a Service (RaaS) – A lucrative Business Model
Nowadays, it is easier than ever to carry out a cyberattack. It is no longer even necessary to know how to code to become a hacker. How does that work, you may ask? Well, cybergangs develop ransomware tools, not because they want to use them themselves, but rather to rent them out to other criminals. While we probably all know the term “Software as a Service”, this one is called “Ransomware as a Service” – or RaaS, which turns out to be quite a lucrative business model. These cybergangs then take a generous cut of the ransom paid. Surprisingly enough, most of the victims actually do pay the asking price, which may vary from thousands to millions of dollars. Sadly, paying is no guarantee of getting your data back. Some hackers simply vanish with the ransom and still leave your data encrypted or, even worse, delete it altogether. Why? Because they can.
Most frequent Targets
Universities are among the most frequent targets in Canada. Are you surprised? Then join the club! Or better yet – don’t, actually! Because one of the reasons for this is the universities’ student groups. Most universities will have a debate or chess club. But they might also have a Tibetan student group, a Hong Kong Democracy Activist Club, a Free Congo or Palestine group, a Democracy for North Korea Club and so on. It is their hacked membership lists that make it extremely easy to find information on dissidents and then possibly also their families and loved ones back home. This is highly sought-after information for several states where basic human rights do not exist. So, students are alarmed, to say the least.
Another great find amongst the universities’ data is intellectual property such as top-secret research results. Projects that cost billions in funding are stolen in mere seconds. Very often not nearly enough is invested in their protection. Cybersecurity is in dire need of improvement and this is true for many areas, not just in Canada. Adding insult to injury are current legal frameworks (or rather the lack thereof). Current laws, if already in force, struggle to keep up with new technologies and their extensive threats. Adversaries are very much aware of this issue and are exploiting the situation to the best of their abilities.
International Alliance on Cyber Security
Just recently, in May 2024, Canada joined an international alliance consisting of the United States, Japan, Finland, Estonia and the United Kingdom. Cybersecurity experts from each member state have come together to warn the public about the growing threats of the online world. They even published guidance that shares new details on the ways and means foreign threat actors use to launch an attack. Also included is a list of recommendations on how businesses, as well as civil society, can best protect themselves.
Fun fact: Cloudflare, IBM, and even Meta contributed to this document. It’s worth giving it a read!
Outlook
Yet again it shows that not all that glitters is gold. The cyberworld does offer a lot of advantages for our daily lives. That is undeniable. But at the same time, it should also be handled with great care! A certain awareness of data protection and data security is crucial for literally everyone these days – on a personal as well as a professional level. Continuous learning and up-to-date security measures are key in this regard, which cannot be stressed enough.
On that note, may I ask, when was your last data protection refresher?
Incidentally, mine happened to be just yesterday. It discussed the security of online conferences. I cannot recommend it highly enough!
Andrew
13 July 2024 @ 0:21
Interesting and informative! A difficult topic, presented in a most delightful way.
Johnny
4 July 2024 @ 23:09
Oh dear, I didn't even realize about this whole students being targeted as dissidents and businesses being targeted just because thing.
Thanks for pointing out!
I’ll go change some passwords now.