This week’s letter from federal cabinet ministers urging Canadian firms and governments to take ransomware more seriously highlights a serious problem in IT departments: Many still aren’t implementing the basics of cybersecurity that experts have been urging them to use for years.
Asked why Canadian firms fail to protect themselves against cyberattacks in general and ransomware in particular, Sami Khoury, head of the federal government’s Canadian Centre for Cyber Security (CCCS), said, “I think cyber hygiene isn’t part of our day-to-day activities, yet.”
“There are businesses that are very well prepared, but for the rest, the [Ransomware] Playbook [released Monday] is meant to help them go through a process of whether they are prepared or not. We are seeing that ransomware is getting more sophisticated and that threat actors are constantly raising the bar in terms of their capabilities, so we update our bulletins and playbooks fairly regularly. But the point of the campaign launching today is to sensitize Canadians and Canadian businesses that the threat is real and we need to take it seriously.”
In addition to heading the Cyber Centre, a resource centre for the public and private sectors and individuals on cybersecurity, Khoury is also deputy chief of the Communications Security Establishment (CSE), the country’s electronic spy agency.
What’s being done
U.S. President Joe Biden has been talking up awareness about ransomware since the Colonial Pipeline attack last summer, including issuing a National Security Memorandum ordering government departments to create cybersecurity performance goals for critical infrastructure organizations like banks and utilities.
Khoury said that “behind the scenes” the Cyber Centre has been talking with Canadian industry about raising the bar on cybersecurity to tackle ransomware. “We have had a number of engagements with critical sectors where the topic of conversation has been all about ransomware and how do we provide advice and guidance to them. The public message might have been lined up for today, but behind the scenes there have been a number of conversations that I and others from the Cyber Centre have been involved in with key industry players.”
“This is part of our standard engagement, whether with the health sector, the energy sector, telecommunications. Whenever we meet with them we highlight the importance of getting ready for a ransomware incident.”
Asked why the government isn’t launching a more visible campaign with provincial and territorial leaders, or holding webinars or conferences, Khoury said that “we are talking every day to the provincial and territorial colleagues. We are also talking to small and medium businesses, to the critical infrastructure sector. So we’re anchoring a lot of these refreshed conversations in what we are releasing today. It’s going to be a sustained effort, because we see the impact of ransomware on Canadian businesses and the economy, and we want to make sure it will be a sustained effort that would last a number of weeks and months.”
It will take a “sustained campaign of awareness” to get Canadian organizations to pay more attention to basic cyber hygiene, he said. “It’s simple sometimes: Make sure your passwords are complex, enable multifactor authentication, update the apps on your phone, install the latest patches, do you have backups, do you have a cybersecurity [response] plan?
“Some of these are basic things we need to hammer home and say, ‘Please pay attention to those details.’”