Cyber Risks – Understanding Ransomware Attacks

Cyber Risks – Understanding Ransomware Attacks

Studies and Tips for Businesses

It is critical that cybersecurity be a top priority for businesses as the threat landscape continues to evolve. A cyber strategy includes regular security assessments, certifications that put security controls front and centre, effective security policies and training, as well as cyber risk coverage. The Blakes, Cassels & Graydon Canadian Cybersecurity Trends Study 2021 is an excellent resource if ammunition is needed in Canada for convincing senior management to invest in reducing security risks. The study, based on an aggregation of data from forensic firms that responded to cybersecurity incidents across Canada, found that manufacturing, public service and the professional services industry were targeted to a greater degree in 2020.

There has been a general fallacy that ransomware threats have remained the same throughout the years and that attacks are starting to dwindle. But this is not the case. In fact, the technology and tactics attackers use increase in sophistication every year.

Some key findings of the Blakes study include:

  • 67% of cyber incidents in 2020 were ransomware attaches (up from 35% in 2019);
  • 52% of these ransomware attacks involved unauthorized access to data as opposed to merely encrypting the data for a simple ransomware attack;
  • In over half of ransomware attacks (54%), the victim opted to pay the ransom. And if paid, in 91% of cases the threat actor provided functional decryption keys and/or evidence of data deletion;
  • Ransomware attacks are clearly becoming more costly. Threat actors are demanding much more than what the 2019 study indicated (approximately 60% of the ransom payments that were made were greater than US$100,000). This has had a knock-on effect on cyber insurance becoming both more sophisticated and expensive; and
  • Almost half of attacks (46%) were the result of an open remote desktop protocol which allows employees to connect to their organization’s network and continue their jobs remotely as normally as possible. During the pandemic, threat actors clearly exploited the work-at-home environment.

Taking a more global perspective for a moment, a Bitdefender analysis of the cybersecurity threat landscape found that ransomware attacks surged 485 percent from 2019 to 2020. So why are ransomware attacks so successful? Useful studies published by Statista indicate that according to managed service providers, the most common delivery methods and cybersecurity vulnerabilities that caused ransomware infections in 2020 were via spam/phishing e-mails (54%). Employee gullibility (social engineering attacks) and weak passwords/access management) are other key weaknesses leading to cyber attacks.

This highlights once again how the human error factor plays such a significant role when it comes to security incidents. If our clients have not implemented security awareness training, we direct them to security firms such as KnowBe4 or Infosec Institute to get such a program off the ground. These programs are comprehensive and offer excellent options for SMBs. Studies conducted by KnowBe4 found that organizations conducting regular anti-phishing exercises can lower their risk by more than 80 percent over the course of a year.

When it comes to compliance with data protection laws and keeping up-to-date on moving privacy targets, I also recommend privacy officers get certified – this is an important step in demonstrating a strong commitment to privacy and data security. PRIVATECH is a training partner with the International Association of Privacy Professionals and will be hosting in-depth training to prepare individuals for the Canadian Certified Information Privacy Professional designation in the Fall. The CIPP/C training will be held October 27-29th, 2021. Contact us for more information or to ensure you are notified as soon as registration is open in September! Training will be delivered via Zoom. Class size will be limited to 15 people.


Note that PRIVATECH’s blog has been selected by Feedspot as one of the top 35 privacy law blogs on the Internet. Our objective is always to provide you with practical tips on privacy and data security best practice.