Pretty Ugly

Everyone likes to feel attractive; everyone enjoys having a “clean” reputation.

However, being viewed as attractive because one’s unsullied reputation (so far) makes one an easy target for cyber crime can take some bounce out of the step.

That is where Canada now finds itself, at least if a report card from IT security company Websense reflects the bigger picture. It seems that Canada is becoming tantalizingly attractive as a welcome spot for cyber criminals. Apparently, the country’s clean reputation has insulated it from businesses avoiding having their computers communicating with an IP address in Canada. But, perhaps, those days are over.

Websense cites a 25% hike in sites hosting malware since 2012, and an 83% increase of command and control servers, through which hackers direct malware what data to look for. One explanation for the rise is large-scale compromises of Canadian sites built on vulnerable content management platforms.

Worse still is the fact that more foreign cyber criminals are setting up virtual bases in the country to co-ordinate corporate attacks. Last year, “Canada hosted the third largest volume of servers communication with the type of highly sophisticated malware responsible for stealing valuable corporate data,” notes the report, putting the country “ahead of Korea, Germany, Russia and even China.”

These can be expensive matters, so preparedness is critically important. Unfortunately, preparedness against cyber crime among Canadian businesses is wanting, the International Cyber Security Protection Alliance (ICSPA) notes in a report released in May. “Across business communities, there is a general lack of strategy, procedures and trained personnel to combat cyber crime.”

Citing results from the survey of 520 small, medium and large Canadian businesses, ICSPA notes that 69% reported some kind of attack within a 12-month period.

Malware and virus attacks were cited by 51% of surveyed businesses, while phishing and social engineering was reported by 18%. “The distribution of application-based malware for mobile devices using cloud-based services for both personal and business use will become a new threat vector of the future.”

The reported cyber crime attacks over the past 12 months resulted in financial losses of $5.3 million on average, with financial fraud accounting for approximately $1.9 million, theft of devices containing company information for around $850,000, malware and virus attacks for about $772,000; and sabotage of data and networks for approximately $584,000.

Beyond costs was a number of other disconcerting findings. In all, only 22% of surveyed business employed risk assessment processes, and about seven in 10 organizations do not have formal procedures in place to follow in the event of a cyber crime.

Willis North America noted in June that more than half of Fortune 500 companies in the United States reported that their firms would face “serious harm” or be “adversely impacted” by a cyber attack. Among their top risks, respondents identified loss or theft of confidential information, loss of reputation and direct loss from malicious attacks.

Although some companies are actively taking steps to assess and mitigate cyber risk, others continue to overlook critical exposures.

In all, only 6% of companies reported they had purchased insurance to cover cyber risks.

A.M Best notes in a recent report that pricing strategies and the evolving nature of cyber risk make effective underwriting a challenge.

Projecting the cost of losses is difficult, as exposures evolve quickly, there is a short claims history around losses and there is not much data reported for cyber risk-related losses, the report states.

Failing to be prepared, however, will not do.

Notes Websense, “As countries come under scrutiny for known malicious attacks, the bad guys are simply shifting criminal activities to countries like Canada that have strong infrastructure and traditionally have had better cyber reputations.”