In the past two years, cybercriminals proved how vulnerable critical infrastructure is, even in the most secure nations. Their efforts brought the US Colonial Pipeline to a standstill for six days and compromised the personal information of 10 million customers of Australian communications company Optus. Canada has not been immune: A breach brought Newfoundland’s healthcare system offline and forced thousands to reschedule medical appointments.
Governments have taken notice and introduced legislation requiring such organizations to report cyber attacks. In Canada, Bill C-26 will require companies in the telecommunications, banking, energy and transportation sectors to do the same if it passes.
Every other Canadian business, however, will have no such legal duty. This should be of concern to Canadians as only 10 per cent of businesses actually reported cyber attacks in 2021. Unless victimized businesses begin to understand there is an imperative for them to report attacks, Canada cannot begin to address its soaring cybercrime rates in a meaningful way.
It’s been difficult to grasp the true magnitude of the cybercrime challenge in Canada. Statistics Canada reports that only 18 per cent of Canadian businesses suffered cyber attacks when the real number could be close to five times greater, according to the CyberEdge Group.
There are a host of reasons why a business may choose not to report a cyber incident. Brand reputation is often cited as a top concern. Customers, partners and investors may all re-evaluate their trust in a business if they learn of a cyber incident.
Australian insurer Medibank is currently dealing with blowback after cybercriminals accessed 10 million records and began leaking healthcare information. The company’s stock has fallen around 20 per cent since the attack was made public.
Business leaders also fear that reporting an incident will lead to a rise in already expensive cyber insurance premiums. Cyber insurers aggressively raised the cost of coverage due to the increasing volume of cybercrime and associated damages. Between 2020 and 2021, premiums surged by 92 per cent, according to the National Association of Insurance Commissioners.
Some businesses that have experienced breaches or are considered higher risk are even seeing their policy renewals declined. Meanwhile, general insurance providers are considering reducing coverage or vacating the cyber-insurance space altogether.
Given these challenges, businesses face a dual economic threat to their prosperity: they’re either being extorted by cybercriminals or burdened by cyber insurance premiums. Canadian businesses cannot be eternal victims, but on their current path they will be.
Declining to report cyber attacks will leave them at the mercy of cybercriminals who are continuously escalating and evolving their attacks. Ransomware gangs, for example, are now encrypting data, leaking it online, shutting down their victims’ websites and contacting the media and partners of the business to inform them of the attack.
Reporting cyber attacks is a crucial first step to altering the status quo. As a first step, governments, business associations and insurance companies should come together to understand the perceived and actual concerns of businesses in reporting cybercrime and update policies to address them.
With more data from increased reporting, public safety agencies can develop a better understanding of the current cyber threat landscape and, in turn, help to proactively protect businesses.
The intelligence gathered from these reports could help alert businesses to everything from a new strain of malware to a ransomware gang turning its sights on Canada. With enough warning, Canadian businesses can alter their cybersecurity strategies to deal with new cyber threats.
At the federal level, increasing reporting wouldn’t just serve to shape Canada’s defensive postures and investigative strategies, it would also propel us to pressure foreign governments to act on cybercriminals preying on Canadians.
Increased reporting could also guide legislation and funding decisions. In its most recent budget, the federal government set aside $893 million over five years for cybersecurity, continuing to underspend its allies in the US, the UK and Australia.
We have yet to see proportional funding for cybersecurity and it’s left police agencies in Canada under-resourced to respond to cybercrime. They have neither the training nor the tools required to take action on all cybercrime, especially where the victims are small and medium enterprises and citizens. Our municipal police agencies could become first responders to cybercrime and help respond to data breaches with the proper resources.
This approach could even serve to encourage further reporting from victimized businesses. If the work of police agencies leads to a valuable outcome for business leaders, they may begin to trust that the benefits of self-reporting outweigh the potential risks. to become a part of the routine cost of doing business today. With Bill C-26, the Canadian government has wisely decided to hold critical infrastructure operators to a higher standard to protect Canadians. It’s now up to every other Canadian business leader to consider meeting that new bar.
Jad Saliba is founder and chief technology officer at cyber-investigation firm Magnet Forensics Inc.