In the first half of this year, there were 17.8 billion attempted cyberattacks in Canada, according to FortiGuard Labs.
One of those attacks succeeded in hacking into three websites operated by the Health Employers Association of BC between May and June, though the attacks were not detected until July 13. These websites contain personal information of health care professionals using services like Locums for Rural BC.
This was the third such major hacking of an organization in the health-care field in B.C. in the last four years.
As BIV has previously reported, ransomware hackers broke into the Vancouver Coastal Health Employee and Family Assistance Program system in 2020, and in 2019, diagnostics contractor LifeLabs was targeted by ransomware.
Cybercriminals can make money from hacking websites that contain personal information by blackmailing a company or organization to pay a ransom to have the information released back to them, even though there’s no guarantee the criminals won’t still sell the information on the dark web after they are paid.
“Sometimes companies will pay that ransom and take that risk,” said Jake Munro, lead cybersecurity instructor at Lighthouse Labs, which teaches cybersecurity.
Personal information sold on the dark web can be used by other criminals for identity theft.
Over a four-year period, the number of cybercrimes reported to the police in Canada more than doubled, from 33,893 in 2018 to 74,073 in 2022, according to Statistics Canada.
FortiGuard – the cybersecurity research arm of Fortinet (Nasdaq:FTNT) – notes in a recent threat assessment that ransomware “detections” were actually down in the first half of 2023, though it notes a trend of increasing “unique exploits.” These are attacks that are tailor-made to specific targets. The company also notes the increased use of Ransomware as a Service (RaaS).
“RaaS programs are unique in eliminating the need for attackers to write their own malicious code,” Fortinet explains. “This allows even inexperienced cybercriminals to successfully target people, businesses and other organizations for a quick payday.”
Another worrisome trend is the increased use of wiper malware tied to the Russian-Ukrainian war.
“FortiGuard Labs continues to observe wipers being used by nation state actors, although the adoption of this type of malware by cybercriminals continues to grow as they target organizations in technology, manufacturing, government, telecommunications and health-care sectors,” FortiGuard’s recent threat assessment notes.
Unlike ransomware, where the aim is to extort money from victims, wiper malware has no profit motive. It is malicious code designed to cause damage by erasing information – the virtual-world equivalent of indiscriminate vandalism.
Businesses and organizations can reduce the risk of getting hacked by keeping their cybersecurity systems and their employees up to date. For example, many businesses and organizations have moved to multi-factor authentication for corporate or organizational emails and websites.
This can reduce penetration risks by 80 to 90 per cent, according to U.S. technology experts advising the White House on cybersecurity in 2021.
But cybercriminals have proven remarkably adept at responding to tighter security and finding new ways of penetrating firewalls. Some are already using artificial intelligence, for instance.
“There’s actually been AI that I’ve been reading about that’s been developed that will create malware for you and create phishing scams for you, for malicious intent,” Munro said. “These attackers are already leveraging AI.
“On the other hand, anti-virus solutions and end-point detection and protection solutions are implementing AI to better find malware or phishing scams. So, it’s kind of being used on both ends already.”
No matter how robust one’s cybersecurity system is, all it takes is one employee clicking on a link or document in a phishing email to open a digital door and let the enemy inside the gates.
Phishing scams and weak passwords are among the most effective hacking tools in the cybercriminals’ toolbelt because both rely on human error or complacency.
“Around 95 per cent of cyber-attacks are usually caused by some sort of human error,” Munro said.
That’s why it’s important for employers to ensure all employees are trained in cybersecurity awareness, he said.
“The reason why a lot of companies may not train their employees is it’s costly,” Munro said. “So they’ll put minimal training into them and say, ‘Here’s how to be safe,’ but it might not be good enough.
“Organizations should continuously train their employees. With the cybersecurity world, it’s rapidly changing.”