Why cybercrime is the new organized crime in Canada

Cybercrime is the new organized crime

One quick thought about organized crime and you’re likely to start thinking about the New York Mafia. This is no longer the case for businesses as cybercrime is rapidly overtaking conventional crime in reality. In the past, Canadian businesses typically sought after offices in the best neighbourhoods hoping it would keep criminals away. Back then, it was safe to leave your windows open all night and return the following day without any incidents.

This mindset overtime has forged an attitude that security isn’t a major concern. The business world has however changed rapidly and having such a mindset can be very costly nowadays. The business frontline has shifted online and so has the crime. Since the internet connects everyone together, cybercriminals can easily launch attacks at any business at will.

Regardless of origins, every type of crime eventually becomes organized and cybercrime is no different. The following shows how cybercrime against small businesses has shifted online and is now more organized and targeted than ever.

The impact of cybercrime on Canadian businesses in recent times.

In 2017, Canadian businesses officially spent around $14 billion in preventing, detecting and recovering from cybersecurity incidents. On average, businesses spent between $46,000 to over $900,000 depending on their size and nature of business. 

With 88% of Canadian businesses admitting that they experienced a data breach in 2019, the cybercrime challenge is huge. It’s fair to say its impact has been far-reaching. Although many of these breaches may have gone unreported, they haven’t gone unnoticed. They definitely influence your decisions and actions as a small business owner. For instance, 95% of Canadian businesses already have some form of basic cybersecurity protection in place. However, advanced measures like intrusion detection, firewalls, and even anti-malware are more prominent in larger organizations.

What does this really mean for your small business and how does cybercrime really affect you?

Without beating around, it now affects your small business in every single way. From how you secure your website to how you store data, there’s no limit to the influence that cybercrime has on your business policies. The overall consequence of the different breaches that have occurred in the past decade is that businesses now have to think about protecting their data and systems at every given moment.

The following are some cybersecurity stats you should be aware of as a small business owner in Canada.

  • 60% of small businesses will most likely shut down within 6 months of experiencing a cyber attack.
  • Only 13% of businesses have a written policy in place for managing and reporting cybersecurity incidents. However, organizations in the banking and transportation sectors averaged over 50%.
  • Only 10% of Canadian businesses that experienced a cyber attack went on to report to the Police.
  • Canadian businesses are already losing over $3 billion annually.
  • SMEs make up 98% of Canadian businesses.

How big is the cybersecurity challenge in Canada today?

The cybersecurity challenge is so huge that not even government institutions are left out. According to Accenture, the average cost of a cyber attack in Canada is just over $9 million. From elections and military operations to business email compromise, cybersecurity challenges can be felt in all corners. So much that many already believe it’s a bigger concern than even terrorism.

The increasing frequency of cyberattacks in Canada today consequently means that you or your CISO will need to do more. You’ll need to do more to proactively protect the business from potential attacks. As more businesses continue to go digital, so will cybercriminals who continue to find ways to breach your data.

Top cybersecurity threats affecting Canadian businesses

Here are the top cyber threats that are most likely to affect your Canadian business in 2020. 

Malware and Ransomware

Ransomware attacks are widely considered as the biggest cyber threat facing businesses today. Attackers would usually use software or malware to prevent victims from accessing the files on their systems. Since the WannaCry attacks of 2017 that affected businesses worldwide, there’s hardly any week without new attacks. 

In November 2019 for instance, the Nunavut government in Canada experienced a ransomware attack. Its security systems were not trained to detect hacks like this, forcing them to shut down parts of their network. In 2019, ransomware attacks reportedly resulted in damages of over $11 billion.

DDoS attacks

Distributed Denial of Service (DDoS) attacks are also very common nowadays. It can be especially problematic without the right tools and measures. DDoS attackers typically flood their victims’ websites or services with so much traffic until it becomes overwhelmed and crashes. Alternatively, cybercriminals may also use this type of attack to redirect your web visitors to other websites.

Endpoint attacks

As more businesses move to the cloud, they’ll need to grand third-parties privileged access. These additional data endpoints, however, come with associated risks. A breach in any of their systems will most likely leave your data exposed without the right tools in place. An example of this is the Marriot attack which was the result of a booking system breach. 

With so many businesses shutting down because of ransomware attacks, it’s important to understand the true extent of their impact. For instance, The Heritage Company in the US had to shut down in December 2019. The business had failed to sufficiently respond to a ransomware attack it experienced two months earlier. This closure meant that around 300 staff were suddenly without a job.

Business email compromise fraud

If you’re a Canadian business decision-maker, you can automatically expect that you’re a target for business email compromise fraud. This threat relies on gaining unauthorized access to a business email and intercepting financial transaction communications. According to the Canadian Anti-Fraud Centre (CAFC), businesses globally (including Canada) lose over $5 billion to this fraud.

One example to remember is the City of Burlington which fell victim after hackers posing as a trusted vendor sent new payment instructions. The City had already sent over $500,000 before it realized it was a scam.

Phishing attacks are becoming more targeted

Phishing remains the cheapest method for compromising business credentials and is the topmost cyberattack vector for hackers. It typically appears as an email with links that either deliver malware to a victim’s computer or network. Hackers can also use phishing attacks to lure you into giving them your credentials.

5 reasons why you need a Managed Security Services Provider (MSSP) to tackle cybercrime

With 43% of cyber attacks now aimed at small businesses, you should need no further incentives to protect your business. Managed Security Service Providers (MSSPs) offer unparalleled benefits when it comes to securing your IT infrastructure from cybercriminals. The following highlights the top five reasons why you need an MSSP for your small business.

Cost savings

The costs associated with deploying the relevant technologies and tools required for combatting cybercrime can quickly add up especially for small businesses. However, MSSPs ensure that you do not have to break the bank by getting all these tools on your own. Similarly, hiring a complete IT team may be unthinkable for a business that’s just starting out but MSSPs ensure that you can remain protected regardless of your size or budget.

Unrivalled expertise

The exposure that comes with providing protection for a wide range of clients means that you will ultimately benefit more from using MSSPs than an in-house IT team. Nevertheless, MSSPs are also known for being an extension of your IT team so if you have one already, they can seamlessly work closely together.

Reliable support and training

From providing technical support to organizing training for your staff or in-house IT department, MSSPs can be at your beck and call when you need them.

Improved cybersecurity insights

As your business continues to generate relevant data about its security, MSSPs can help you use SIEM to analyze the data gathered from a single point of view.

Customized security solutions

Rather than getting numerous disparate cybersecurity tools that may or may not be fully relevant to your enterprise, MSSPs generally ensure that you get a fully customized security solution that meets your specific security needs.

What’s the Future of Cybercrime?

As the threat landscape continues to evolve, so will hacker sophistication. You can expect that hackers will continue to adapt to newer technologies or innovations as they come up. For instance, as the adoption of machine learning and artificial intelligence become more universal, you can expect a shift. You should also fully expect cybercriminals to swiftly adapt and become even more organized and targeted in their approach.

Closing thoughts

As cybercrime continues to be even more organized, SMEs and all businesses at large must respond decisively. A good start is by being preemptive and calculative in your approach towards preventing, detecting and responding to these threats. Over the past decade, MSSPs have proven to be reliable allies for Canadian SMEs in the fight against cybercrime. Contact Abrisuite today to experience how our suite of solutions can help your business stay one step ahead of cybercriminals.

Don’t Get Hooked By a Whaling Attack

The executives of your company are the big fish in your sea. Yet cybercriminals think of them as whales. In fact, whaling is a new cybersecurity threat targeting the C-suite level.

You’ve likely heard of phishing attacks. Phishers use scam emails or spoofed websites to obtain user credentials or financial information. This might be an email that looks like it is from your bank asking you to log in and update your details, or a supposed tax alert needing immediate action.

A vishing attack is another fraudulent attempt to steal protected data, but the cybercriminals are going to use the phone to make contact. They might pretend to be a vendor needing to confirm account details for bill payment.

There’s also spear phishing. In these cases, the attackers do their homework first and target a specific company. They scour directories and employee social media to gather information to gain credibility.

Now, there are whaling attacks, too. The high-value target is a senior-level employee. The fraudster typically also impersonates one of the target’s C-suite counterparts.

What You Need to Know About Whaling

A whaling attack uses the same methods as phishing but focuses on top-level targets. The goal is to get “whales” to reveal sensitive information or transfer money to fraudsters’ accounts.

Whale attacks are intentional. Phishing can see attackers baiting hundreds of hooks to get nibbles. In whaling, information gathered in advance adds credibility to the social engineering. The target has higher value, so it’s worth their time to appear knowledgeable and make a request to and from someone important.

The sender’s email address will look convincing (e.g. from [email protected] instead of [email protected]). The messages will have corporate logos and legitimate links to the company site. Because humans want to help, the communications typically involve an urgent matter.

Whaling attacks are on the rise. In 2016, Snapchat admitted compromising employee data after receiving an email, seemingly from its CEO, asking for payroll information.

In another high-profile example, Mattel nearly transferred $3 million to a Chinese account. Company policy required two signatures, but the attackers (taking advantage of a recent shakeup) faked the new CEO’s signature. The second executive went ahead and added a signature. The only thing that saved the company was that it was a Chinese bank holiday.

Protecting Against Whale Attacks

As with phishing or vishing, the primary way to protect against whaling attacks is to question everything. Train your key staff members to guard what they share on social media. Encourage them to question any unsolicited request. If they weren’t expecting an attachment or link, they should follow up. If a request is unusual, they should trust their spidey-sense and proceed with caution.

It’s also a good idea to develop a policy for handling requests for money or personal information. By requiring that two people must always weigh in, you’re more likely to catch a scam before it’s too late.

Also, train all your employees to look carefully at email addresses and sender names. They should also know to hover over links (without clicking on them) to reveal the full URL.

Security awareness is crucial. It’s also a good idea to test your employees with mock phishing emails.

Need help training employees or testing social engineering? Contact our experts today, call us!

Island Hopping: Not Always a Good Thing

Island Hopping: Not Always a Good Thing

The phrase “island hopping” conjures up positive images. You might think of cruising beautiful sandy beaches on a tour of tropical islands. Too bad cybercriminals have given the term a new, less pleasant spin.

Island hopping is an increasingly popular method of attacking businesses. In this approach, the cybercriminal targets a business indirectly. The bad actors first go after the target’s smaller strategic partners. So, vendors or affiliates, who might not have the same level of cybersecurity, become stepping stones to hop.

Attackers might hack into smaller businesses handling the target’s HR, payroll, accounting, healthcare, or marketing. Then, they take advantage of the pre-existing relationship to access the final destination.

Humans are trusting. Cybercriminals exploit that. With island hopping, attackers leverage the trust established between strategic partners.

It’s quite simple: attackers gain access to Company A and send a counterfeit business communication to Company B. Company B, knowing the sender, is less likely to question a download link or opening an attachment.

After all, it’s not coming from a stranger; it’s a message from perfectly pleasant Jenny at Company A. You may have in the past already shared logins to various sites/portals, or passwords to unlock zip files.

The Rise of Island Hopping

This is not a brand-new form of attack. In fact, it’s named after a military strategy which the United States used in World War II to establish a stronghold in the Pacific Islands.

Perhaps the best-known island-hopping cyberattack was seen in the United States in 2013. Retail giant Target was the aptly named target of a point-of-sale system breach. Hackers stole payment information from 40 million customers. The first “island” in the planned attack was Fazio Mechanical Services. The heating and refrigeration firm suffered a malware attack shortly before Target’s breach. Fazio’s hackers stole email credentials needed to access the retailer’s networks.

As enterprises continue to strengthen their cybersecurity, it’s predicted that island hopping will gain momentum. According to Accenture’s Technology Vision 2019 report, less than a third of businesses globally know how strategic partners secure their networks. A majority (56%) rely on trust that business partners would uphold security standards.

Preventing Island Hopping

You may be one of the islands to hop or the attackers’ final destination. It depends on your business size and industry. Either way, your business is vulnerable to malware attack, infected systems, or a data breach. Plus, if you’re the stepping stone, you’re likely to lose the target company’s business, too.

How do you prevent island hopping? First, secure your own networks and systems:

  • Follow best practices to detect and identify vulnerabilities and reduce risk.
  • Educate your employees about the dangers of business communication scams.
  • Raise awareness of phishing schemes and social engineering.
  • Require two-factor user authentication.
  • Change all default, generic, or predictable passwords.
  • Keep security up to date (patching and system upgrades are mandatory).
  • Control who can access your networks and servers.
  • Protect all endpoints (including employee devices in a Bring Your Own Device workplace).

When it comes to cyber island hopping, your business doesn’t want to be a layover or the final destination. Keep your cybersecurity borders tight to avoid unwanted visitors.

Want to make your business inhospitable to island hoppers? Work with a managed service provider. They can help assess cybersecurity, provide a plan to reduce risk, and upgrade technology. Let us support your efforts to fend off unwanted tourists.

Don’t Get Hooked by Spear Phishing Attacks

Don’t Get Hooked by Spear Phishing Attacks

Phishing attacks have been around for a long time in IT.  Designed to steal your credentials or trick you into installing malicious software, they have persisted in the IT world precisely because they have been so devastatingly simple and effective.  Today, a more modern and more effective version of the same attack is commonly used.

A typical phishing attack involves an attacker sending out a malicious email to hundreds of thousands, if not millions of users.  The attacker’s email is designed to look like it comes from a bank, financial service, or even the tax office. Often aiming to trick you into logging in to a fake online service, a phishing attack captures the login details you enter so an attacker may use them to enter the genuine service later.

By sending out tens of thousands of emails at a time, attackers can guarantee that even if only one half of one percent of people fall for it, there is a lot of profit to be made by draining accounts.  Spear phishing is a more modern, more sophisticated, and far more dangerous form of the attack.  It’s typically targeted at businesses and their staff.

A Convincing, Dangerous Attack

While a traditional phishing attack throws out a broad net in the hope of capturing as many credentials as possible, spear phishing is targeted and precise.  The attack is aimed towards convincing a single business, department, or individual that a fraudulent email or website is genuine.

The attacker focuses on building a relationship and establishing trust with the target.  By building trust and convincing the target that they are who they are pretending to be, the user is more likely to open attachments, follow links, or provide sensitive details.

Consider how many times you have followed a link or opened an attachment just because it has come from a contact you have trusted before.

A Trusted E-mail

The malicious email can appear to come from a vendor you deal with regularly.  It may even look like an invoice you are expecting to receive.  Often attackers can simply substitute the vendors’ banking details for their own, hoping the target will not notice the difference.

Such an attack is very difficult to detect.  It takes a keen eye, strong working knowledge, and constant awareness to keep your company protected.  Even a single small mistake by an unaware member of staff can compromise your business accounts.

Defending Your Business

The key to stopping a spear phishing attack is education.  Learning attack techniques, and how to protect against them is the single biggest thing you can do to enhance business security.

Whenever you deal with a vendor in a business transaction, you should always consider important questions before proceeding.  Are you expecting this email?  Is the vendor attempting to rush you into a quick decision or transaction?  Have you checked all the details are correct and as you expected?  Sometimes a simple query to the vendor can protect you against worst-case scenarios.

In many cases, a phishing attack can be halted in its tracks with a strong IT security package.  Web filtering prevents malicious emails and links from entering the network, shutting attacks down before any damage can be done.

Good Security Practice

As with many types of IT threat, good security practices help mitigate damage.  Locking down security to ensure employees only access the systems they need helps to prevent damage spreading across the network.

Enforcing unique and strong passwords prevents leaked credentials from affecting systems related to the one that has been compromised.  Getting employees set up with a password manager and good security policies can do the world of good to boost your security to the level it needs to be.

Give us a call to audit your security practices.  It could be the difference that secures your firm against sophisticated spear phishing attacks.

What Hackers Target In Small Business

What Hackers Target In Small Businesses

Hackers today have many ways to attack small businesses and business owners. Many attempt to use technology to send malware, viruses, or phishing attacks; or use information to con owners and employees into handing over more information than they should.  

One or more of these techniques can be combined with gaining physical access to steal from vulnerable firms. Identifying precisely how criminals target businesses and what they deem most valuable can help to protect from the most devastating attacks out there.  

Remaining vigilant and informed is one of the most vital things you can do as a business owner to protect your assets and reputation.

Extortion

Different types of attacks tend to rise and fall in popularity. Fifteen years ago, computer worms were the most common attack that businesses faced. Security software wasn’t as advanced or as widely used at it is today. Computer worms were, at the time, an exceptionally low-cost and efficient way to inflict the maximum amount of damage for minimum cost.

Today ransomware has seen an unfortunate boom in popularity. This technology aims to encrypt the target’s files on their personal computer. This technique denies the victim access and charges a large fee in exchange for the key to retrieve the victim’s own data.

The attack has worked so often because it requires minimal effort and can be used again and again. Many businesses have no option but to pay because the data is worth far more than the ransom demand the hackers have made.

The best defense against ransomware attacks, in addition to strong online security, is an up-to-date offsite backup — one that is tested to work reliably.

Targeting Customer Records

One of the most important things for your firm to take care of is your customer data records. Records which include names, dates of birth, and other personally identifying details. These details are extremely valuable to hackers or criminals who, either use them personally or sell them on to someone who will.

Many regions have strict laws and guidelines about how this information must be stored, accessed and protected. Failing to follow these can result in severe penalties that could devastate any company.

Targeting Financial Information

Like personal information, a small business must take extreme care when storing customer financial information. Sensitive details such as credit card or banking information are a key target for hackers looking to steal money fast.

The impact on your business reputation following a breach of financial data will be severe and devastating. Even a simple mistake can require years of advertising and great PR to repair. Many firms have failed to recover after losing the trust of their customers.  

Social Engineering

Most firms today run good IT security packages to protect against online attacks and other forms of malware. Attackers often know to take their methods offline to achieve the best results.

Whether posing as a supplier, customer, or interested party; attackers can seek to gain information that you may be less than willing to hand over to a stranger. Small businesses can often be used to gather information on vendors and suppliers they do business with in order to attack them too.

Be particularly cautious of the information you provide when discussing business with individuals you haven’t spoken to before. 

Keeping Small Business Safe

Each of these targets and attacks are just some of the most popular and hard-hitting attacks out there now. The list is forever changing, and the methods we use to protect against them always needs to change too.

Some can be defended against with great security, backups, and software. Others, such as social engineering, need you and your staff to stay up-to-date and remain vigilant about the major attacks affecting small business today.

If you need help tightening your business’s security, give us a call.

5 Red Flags Of Phishing Emails: Think Before You Click

5 Red Flags of Phishing Emails: Think Before You Click

A single click can be the difference between maintaining data security and suffering massive financial losses. From the moment just one employee takes the bait in a phishing email, your business is vulnerable to data breaches and extensive downtime.

Quickly spot the red flags and put phishing emails where they belong:

1. Poor spelling and grammar

While occasional typos happen to even the best of us, an email filled with errors is a clear warning sign. Most companies push their campaigns through multiple review stages where errors are blitzed and language is refined. Unlikely errors throughout the entire message indicate that the same level of care was not taken, and therefore the message is likely fraudulent.

2. An offer too good to be true

Free items or a lottery win sure sound great, but when the offer comes out of nowhere and with no catch? There’s definitely cause for concern. Take care not to get carried away and click without investigating deeper.

3. Random sender who knows too much

Phishing has advanced in recent years to include ‘spear phishing’, which is an email or offer designed especially for your business. Culprits take details from your public channels, such as a recent function or award, and then use it against you. The only clues? The sender is unknown – they weren’t at the event or involved in any way. Take a moment to see if their story checks out.

4. The URL or email address is not quite right

One of the most effective techniques used in phishing emails is to use domains which sound almost right. For example, [microsoft.info.com] or [pay-pal.com]

Hover over the link with your mouse and review where it will take you. If it doesn’t look right, or is completely different from the link text, send that email to the bin.

5. It asks for personal, financial or business details

Alarm bells should ring when a message contains a request for personal, business or financial information.  If you believe there may be a genuine issue, you can initiate a check using established, trusted channels.

While education is the best way to ensure phishing emails are unsuccessful, a robust spam filter and solid anti-virus system provide peace of mind that your business has the best protection available.

Give us a call to discuss how we can secure your system against costly phishing attacks.