Cybersecurity Statistics 2019: A Comprehensive Overview

The cyberworld has been in a constant metamorphosis ever since its emergence, pushing forward the boundaries of our comprehension. When it comes to online businesses and other similar actors, cyber threats are an ever-increasing problem that has slowly seeped into every industry.

For this reason, the topic of cybersecurity deserves much more attention and credit than it’s been given so far. Thus, we have compiled a number of pertinent cybersecurity statistics related to the repercussions of cybercrime on various markets and online industries.

To start with, do you know which countries have reported the highest share of geopolitical cyber attacks on an all-time basis? We have them right here:

  • Bangladesh – 35.91% in terms of mobile malware infections
  • Algeria – 32.14% in terms of computer infections
  • Uzbekistan – 14.23% in terms of security threats related to cryptocurrency
  • Germany – 3% in terms of cyberattacks related to financial industries

On the opposite side of the spectrum, Japan, Denmark, and Ukraine scored the lowest in the above-mentioned cyberthreat statistics.

These statistics relate to the total number of global attacks of each type. For instance, out of all the mobile-related malware infections in the world, 35.91% of them took place in Bangladesh.

Secondly, there’s been a clear improvement in cybersecurity awareness lately. The following industries have shown a keen interest in allocating more money to cybersecurity:

  • State and local governments – an increase of 11.9% in terms of cybersecurity spending
  • Telecommunications – this industry has seen an 11.9% spike in cybersecurity spending
  • Resource industries – these guys put 11% more of their money into security improvements
  • Banking – 10.4% increase, though you’d expect financial institutions to take first place in this ranking
  • Federal and central governments – only a 9.9% increase

However, these are only informational tidbits that are less important compared to what’s coming. Read on to get a better perspective on the evolution of cybercrime, and how it affects the market.

Cybercrime Eagle-Eye view

The more technologically adept people become and the faster technology evolves, the more cybercriminals will roam about. In the 21st century world, felony and crime have taken on a whole other meaning. Criminals have gotten smarter, they’ve started using smarter tools, and they’ve started plying their trade on another medium – the cyberworld.

Various cybersecurity experts confirm that cybercrime has recently become the fastest evolving type of crime in the world. This is nothing if not foreseeable, given the rate at which new technologies and innovative uses for them emerge constantly.

The statistics below will paint a clear picture of the looming threat that cybercrime is becoming:

  • Contrary to common sense, out of all worldwide cybercrime incidents, only about 10-12% of them get reported to the relevant authorities
  • Cybercrime has officially been coined as a more profitable undertaking than drug trafficking
  • The FBI has included on its Most Wanted List 63 individuals known to have perpetrated severe cyberattacks
  • The most recent US elections were manipulated by Russian actors who used ad campaigns to favor one candidate

On a more in-depth analysis of how specific industries were targeted, we see a pattern emerging. By far, the healthcare industry became the biggest target of them all when it comes to cybercrime. In fact, Cybersecurity Ventures found that healthcare institutions suffered double or even triple the number of attacks in 2019 when compared to other domains.

This might also be caused by the fact that the healthcare industry (the US one) ranked 15th out of 18 industries when it comes to overall security. That’s a pretty bad score any way you look at it.

The incentives aren’t anything to scoff at either – compared to personal information, any medical data is 50 times more valuable when sold by hackers on any black market.

As for the rest of the industries, malicious email tactics are extremely notorious, with 1 out of every 302 emails sent to users being malicious. Moreover, in the UK, 48% of all manufacturers (this includes everything from clothes to cars and basketballs) have been the target of cyberattacks.

Looking at the greater picture, it has become a necessary requirement for companies and online actors to spend more on better cybersecurity standards.

Cybersecurity market statistics

The Achilles’ heel of cybercrime lies with cybersecurity, the branch of security that deals with online threats. With the rise in cybercrime complexity and severity, cybersecurity has had to up the ante as well.

The following are global statistics gathered from all around the world:

Next, we’ll talk about the country-specific statistics:

  • Cybersecurity awareness is outmatched by the constant surge in cybercrime (approximately 68% of the businesses established in the US don’t have any form of data-breach coverage)

The data shows the exact trends of most companies when it comes to vigilance toward cybercrime. The conclusion is quite worrisome – many companies have inadequate cybersecurity budgets.

Cyberattacks statistics

Next up, we’re going to talk about specific events that, when put together, illustrate a statistical truth. Looking at the types of cyberattacks that took place in the past, their targets, and the severity of the events, we can sum up a pertinent conclusion.

Based on the attack type, we know of:

  • Zero-day attacks, which studies say will be a daily occurrence in a few years
  • The EAC tactic (Email Account Compromise) led to substantial losses suffered by businesses when making wire transfers (approximately $12.5 billion)

Depending on specific targets, we can tell you about:

  • The largest cryptocurrency scams of all time – Mt. Gox, Poloniex, BitFloor, Bitfinex, and BitStamp
  • Other expansive cyberwarfare targets have been: MySpace, Marriott (over 500 million accounts compromised over a period of 4 years), Under Armour, LinkedIn (more than 100 million accounts), eBay, Target, Equifax, Heartland Payment Systems, and Adult FriendFinder

The conclusion is simple – no one is safe from cyberattacks, not even the giant corporations out there.

Cybersecurity employment statistics

With such a pressing problem to deal with, cybersecurity has become a bustling professional opportunity for many. The world needs innovative and revolutionary solutions to past and future cyberwarfare problems.

We’ll have a look at how the cybersecurity workforce plays out in the US and around the world:

The staffing gap in the cybersecurity domain is rather alarming, at least looking ahead. Apparently, by 2021, more than 3.4 million jobs will remain vacant with no one to fill them.

However, it’s still good to see that the cybersecurity market will expand its quotas exponentially in the near future.

Ransomware, formjacking & cryptojacking statistics

Ransomware has seen the biggest increase in severity and potential losses for the end-user across time. In fact, compared to its severity now, by 2021, most cybersecurity experts estimate it will be 57 times more dangerous.

Here’s a rundown of how dangerous and overarching ransomware truly is:

  • In 2015, worldwide damages totaled $325 million. Two years later, it skyrocketed to $5 billion, only to reach $11.5 billion in 2019. Most experts estimate the damages will reach $20 billion in 2021. If this doesn’t illustrate the boundless destructive potential of ransomware, I don’t know what does
  • In 2016, a business was hit by a ransomware attack every 40 seconds. That figure fell to 14 seconds in 2019, and is estimated to reach 11 seconds in 2021. It’s a mind-blowing idea to think about, indeed

Cryptojacking and formjacking, on the other hand, haven’t been around as long as ransomware. However, don’t mistake this for a lack of latent or demonstrated danger to individuals and businesses alike. They have their own bloody history, which we’ll unfold right now:

  • In 2018, the statistics said that 25% of the world’s businesses had met face to face with cryptojackers and lost. That same year, the cryptocurrency prices were plummeting without any sign of stopping, and that was a result of overwhelming cryptojacking events (an increase of 459% all around the world)
  • Thanks to the high-tech tools they use, cryptojackers commit invisible attacks 50% of the time. This means half of the time, the victims don’t even realize they’ve been attacked

What should we take away from all this?

The statistics clarify a few things – namely that cybercrime will continue to expand in scope, breadth, and sophistication. At the same time, cybersecurity will follow suit, extending the relevant workforce as well.

Essentially, as long as the Internet exists, people will find ways to exploit its vulnerabilities and commit fraud and felonies. It is our job to seek a perfected cybersecurity solution to prevent such events from befalling us.

 

Why Spam and Robocalls are on the Rise

We’ve all been receiving these types of calls, pre-recorded messages that are relentless, annoying and almost always, downright illegal. It’s become an absolute epidemic.

According to North American statistics, spam calls or robocalls are at an all-time high and it only appears to be increasing each and every single month. Just this past October 2019, US citizens received a record-breaking amount of them… to the tune of 5.6 billion calls. That’s BILLION.

Here in Canada, we’re also likely setting new records each month and our telecom industry is facing a massive challenge from a deluge of these unsolicited and unwanted phone calls.

So why are these types of spam and robocalls on the rise? Simply put, scammers can easily and anonymously victimize consumers for millions and millions of dollars, from anywhere in the world, with little chance of getting caught and prosecuted.

It’s simply a numbers game. Make billions of calls, get thousands of people to answer, and it trickles down to dozens of victims every day.

Technology has made possible a rapid increase in fraudulent or nuisance calls. One reason is that phone systems using voice over internet protocol (VoIP) can be used for legitimate or criminal purposes alike. VoIP allows a technique known as Caller ID spoofing, which has been available to people with a specialized digital connection to the phone company.

There are legitimate reasons why a caller ID’s information is altered, such as when medical staff call patients but want to direct them to call back on a hospital’s general number. This makes spoofing so difficult to stop because it is so easy for scammers to change the information to anything they want to make it appear it’s coming from legitimate businesses or phone numbers.

One of the most common scams has been spoofing the number of the Canada Revenue Agency (CRA), in which callers posing as officials have defrauded Canadians of over $16 million since 2014.

Another common scam is known as ‘neighbouring’, where they trick you into answering the call by altering the caller ID to appear to match the first 6 digits of your phone number so it looks like a local call.

So how are scammers actually making these illegal calls?

Basically, they buy a big list of leads, put them all into the phone system, set up a call center, blast out calls with pre-recorded messages and voila! The risk is almost zero, while the rewards are millions every single year.

But how do they get your phone numbers?

Every time you sign up for a free service, whether it’s from the phone company or an app, or you give your phone number to a retail store to get coupons or points, we’re the ones giving out that information. It’s up to us as consumers to ask what they are doing with that information. Do they sell it to a third party?

These are serious questions to ask when companies ask for your personal information. Even if they don’t sell off your information, countless big security breaches have occurred where cyber-criminals have collected a massive amount of personal data to be used in illegal schemes. Something seemingly as innocuous as giving out your phone number to established brands might have put you on lists where you end up being spammed relentlessly on a daily basis.

And oftentimes, scammers use systems just to dial randomly on a mass scale until someone picks up.

There is a whole criminal enterprise that exists to create lists of phone numbers that are active. Have you ever received a call from an unknown number and you answered but there is nobody there? That could be one of these services that check if your phone is active and being used. You are then added to a list and sold.

And these calls appear in ever more creative ways. In October, the most popular phone scams in the US involved the health-related industry, interest rates, student loans, social security and warranties.

When it comes to who falls for scams, it’s interesting to note that in a report from the Better Business Bureau, people in the 18-24 age range were more than twice as susceptible to robocalls as those who are over 65. But the people in the 65 and over age range lost four times the amount of money. That’s a simple answer to why these calls are on the rise. Criminals are making millions.

The problem is so big, the US government and all 4 major US carriers (Sprint, AT&T, T-Mobile, Verizon) are trying to do something about it to combat the issue.

The industry regulator here at home, the Canadian Radio-television and Telecommunications Commission (CRTC), has given telecom companies until December 19th to start introducing preliminary measures that block or filter out some illegal calls. But it has also informed service providers that they have to do more to address the situation.

As one of the first steps, Bell and Rogers are adding Universal Call Blocking and applying it to their systems at the network level to stop malformed and blatantly spoofed numbers. However, Universal Call Blocking is less effective at stopping nuisance calls. As an alternative, Telus will put in place a filtering system that blocks most robocalls. Their system aligns with the CRTC’s best practices for filtering services.

All of Canada’s major carriers have pledged to work with industry partners to fully address the problem but say that it is complex and will require multiple advanced solutions. For instance, the CRTC wants telecom carriers to eventually put a traceback system in place for tracing the origin of spam calls, which would be a vital tool for enforcing Canada’s laws and regulations.

But even then, there will always be a challenge to find permanent solutions as many of these calls are outside of North American jurisdiction.

So how do we stop (or at least reduce) telemarketing and other unwanted calls?

First, you can register your home, mobile, fax or VoIP number on Canada’s National Do Not Call list.

Next, use your device’s built-in settings to block spam calls.

In iOS devices, there is an embedded feature called ‘Silence Unknown Callers’ to help prevent spam phone calls. However, if you’ve previously texted a number or had the phone number sent via email, then that call will still get through.

Once the feature is enabled, these unknown callers will be silenced and sent straight to your voicemail. For example, if you haven’t saved a number from your doctor’s office, they can still leave a message and you will see the call appear in your recent calls list.

In Android devices, there is a ‘Caller ID & spam’ feature that is typically configured to be on by default. To turn on the feature, open up “Settings” and select ‘Caller ID & spam’ to toggle it on.

To add an additional layer of protection from spam calls, add a third-party app like Truecaller (iOS and Android) or Call Blocker (Android) that helps you identify spam calls and text messages and automatically blocks them. Both apps are free to download, but also offer paid subscriptions to remove the ads and give you access to a larger spammer blacklist.

At the end of the day, even with all of these initiatives and measures in place, you will not be able to completely block all of the spam or robocalls from trickling in, but you should be able to greatly reduce the amount you receive. Spammers will always find ways and loopholes and game the system for profit.

But most importantly, remember the most basic rules when dealing with annoying and infuriating spam and robocalls:

Just don’t respond to them!

Don’t interact with them. Don’t call them back. Don’t ask to be removed from their list.

As previously mentioned, if you don’t recognize the number, don’t even bother picking it up because it tells the scammers or people searching for valid numbers to sell to robocallers, that your number works and is active.

The Difference Between Vulnerability Assessment and Penetration Testing

Over the years, we have had many businesses inquire about vulnerability assessment and penetration testing services. Quite often, these business owners, upper-level executives and other important decision-makers ask for one service when they actually require the other.

This confusion is quite common, as many people and even providers in the industry sometimes use both these terms interchangeably. Because of this, companies are often misinformed about the difference between a vulnerability assessment and a penetration test (or pen test).

In this article, we will explain the differences in scope between these two security services to assist you and your organization to understand what makes the most sense for your needs and requirements.

Vulnerability Assessment

A vulnerability assessment is a procedure used to identify or discover threats and vulnerabilities in a network environment. Furthermore, it can diagnose other potential weaknesses and provides measures to mitigate or remove these risks.

This process will generally involve using automated network security scanning tools, but may also include a range of tests with manual tools to verify the discoveries by the scanners or to further evaluate the security of the network or applications.

Penetration Testing

In comparison, a penetration test is a manual process that involves not only identifying vulnerabilities in the network but attempting to exploit them.

The objective is to penetrate the system by gaining unauthorized access (hacking) through the identified weakness, which is used to emulate the malicious intents of cyber criminals.

Using advanced tools and techniques, a pen tester (also referred to as an ethical hacker) will attempt to attack the network or security system by installing malware, taking down servers, etc.

Vulnerability Assessment vs Penetration Testing

Both of these methods have their own function and approach, but the key difference in scope between these two services is that a vulnerability assessment focuses on finding as many security weaknesses on your network as possible, whereas a penetration test focuses on determining whether or not the network security defences are hack-proof.

The second difference is the extent of testing automation used. Vulnerability assessments are usually automated (without disruption to your network or system), used to discover as many potential issues as they can. Penetration testing is usually a combination of both automated and manual techniques to dive deeper into each discovered flaw in the system.

Because of the automated nature of a vulnerability assessment, larger companies with bigger security budgets can sometimes have an in-house IT or security department perform their own assessments.

However, they may not have the specific, required skills or training to find all the vulnerabilities or know which ones are patch-able. Or they may be unable to see from an external perspective, being so familiar with their own system that tunnel-vision sets in. In this case, a third-party cyber forensics investigator or team may help discover additional flaws and offer solutions they may not be aware of.

On the flip side, penetration testing requires more manual work that isn’t easily automated. Even though some of the same vulnerability scans may take place initially, the next steps involve exploring and poking at the network to find holes to attempt exploits on. Depending on the size of the network and the reporting that is required, a test could be very labor-intensive and time-consuming to perform and takes a tremendous amount of knowledge, skill and precision for the job to be done properly.

There are currently some automated pen testing frameworks available, but they have not proven to be as effective or successful as a highly-trained white-hat or ethical hacker. Having a team of pen testers at your disposal is a much better option as the human element, approaching testing with curiosity, ingenuity and problem-solving (or in this case, problem-creating) cannot be matched by automation tools.

Vulnerability Assessments:

  • Creates a report of all of your network or system assets and resources
  • Comprehensive analysis and review of the system environment, including operating systems and applications, websites & web applications, e-commerce solutions, physical security (access points, cameras, alarms, etc.) and security policies & enforcement and monitoring
  • Creates a comprehensive list of identified vulnerabilities
  • Helps to mitigate or eliminate the potential vulnerabilities found in the system

Penetration Testing:

  • Identifies and determines the scope and risk of exploitable weaknesses
  • Tests your important and sensitive collection of data
  • Creates a complete list of vulnerabilities and emerging threats
  • Concise descriptions of how deficiencies were exploited to infiltrate the system
  • Step-by-step remediation for addressing each vulnerability

When to Use Each Option?

Timing, frequency and objectives should be a factor when considering whether to have a vulnerability assessment compared to a penetration test performed on your network. Both are of vital importance to be implemented somewhat regularly to ensure your network security is safeguarded from the numerous cyber threats that organizations face today.

Vulnerability Assessments are a more proactive approach to discover possible vulnerabilities and they should be performed more frequently and continually to monitor and identify new weaknesses that might be exploited in a cyber attack.

Oftentimes, new assessments are made whenever a new exploit is released, a network or application change is made within the organization, as part of an internal vulnerability management program that runs on a monthly, quarterly or annual basis, or after a data breach has occurred.

An organization may initiate a penetration test for many reasons, but most often they only run one after a security breach from a targeted attack. However, there are many scenarios where a company may run a penetration test on their system.

This includes some of the same reasons why one would perform a vulnerability assessment, such as a network or application update, or an internal vulnerability management program. But there are also other reasons, such as when a new application is launched or there are certain regulations that an organization has to meet to become or to stay compliant.

So, how often should your organization perform each service?

It is recommended for companies with highly sensitive data to have a vulnerability assessment monthly or at least quarterly, plus additional testing whenever there is a major change to the network.

For penetration testing, companies should have one at least once per year.

In Conclusion

Vulnerability assessments and penetration testing are different components of network security services, but both are vitally important to implement regularly to keep your organizational network and systems cyber-secured.

In a nutshell, a vulnerability assessment is good for the maintenance of your organization’s network security, while a penetration test helps discover real security weaknesses in your system and helps prevent targeted cyber threats before they become serious data breaches.

Now that you have a solid understanding of the differences between these two services, you can make an informed decision at the right time and better determine the scope of the engagement.

TCS Forensics is a high-quality provider of both vulnerability assessment and penetration testing. Give us a call at (604) 370-4336 or book a consultation with us to find out more about these or our other forensic services.

Canada Post Resets Passwords For All Online Customer Accounts

If you have a Canada Post account or an epost account to manage your bills online, you may have received an automated email from them stating that starting on October 16, 2019, they are resetting all of their customer account passwords. Included in the email will be instructions and guidelines for the account holder to create new, stronger passwords.

According to the message in the email and on the Canada Post website, they are investigating a report that some customer information may have been compromised in 2017. However, the compromised accounts were not from any cyberattacks on the Canada Post network.

They have determined that the login and password credentials were stolen in external privacy breaches unrelated to their network and were used to access individual Canada Post accounts. They don’t believe that their users’ information has been compromised, but are requiring that account holders create new passwords.

“We are resetting passwords for online Canada Post customer accounts. Customers will receive an email with instructions. We apologize for any inconvenience. For more info, visit

These types of events are only possible because users re-use their login credentials on more than one website, whether it is for convenience or to avoid having to remember different passwords for each of their online accounts. We recently wrote about the 13 Most Common Cyber Security Mistakes to Avoid for Individuals and addressed why you should never re-use your passwords across multiple websites.

Once a hacker has obtained your password, they can attempt to gain access to your other accounts via a method known as Credential Stuffing. This is essentially a type of cyber attack that uses lists of username/email address and password combinations stolen from data breaches to break into other websites or web applications through large-scale automated login requests.
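The large-scale automated login pattern described above is something a defender can look for in authentication logs. The following is an added example, not code from TCS Forensics or Canada Post: it parses a constructed log format (timestamp, ip=, user=, result=), flags source addresses that try many distinct accounts with mostly failures, and lists any accounts that did log in from such an address so they can be reset. The log format, the sample lines and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). One source address
# cycles through many accounts with mostly failures; another is a single user
# who mistypes twice and then logs in, which should not be flagged.
SAMPLE_LOG = """\
2019-10-16T08:00:01 ip=203.0.113.5 user=alice@example.com result=fail
2019-10-16T08:00:02 ip=203.0.113.5 user=bob@example.com result=fail
2019-10-16T08:00:02 ip=203.0.113.5 user=carol@example.com result=fail
2019-10-16T08:00:03 ip=203.0.113.5 user=dave@example.com result=ok
2019-10-16T08:00:03 ip=203.0.113.5 user=erin@example.com result=fail
2019-10-16T08:00:04 ip=203.0.113.5 user=frank@example.com result=fail
2019-10-16T08:01:10 ip=198.51.100.7 user=alice@example.com result=fail
2019-10-16T08:01:15 ip=198.51.100.7 user=alice@example.com result=fail
2019-10-16T08:01:20 ip=198.51.100.7 user=alice@example.com result=ok
"""

# Assumed line layout: "<timestamp> ip=<addr> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_failure_ratio=0.6):
    """Flag source IPs that look like credential stuffing.

    A stuffing run tries many different accounts and fails most of the time,
    whereas a legitimate user who forgets a password retries a single account.
    Returns {ip: summary} for flagged addresses; the summary includes the
    accounts that successfully logged in from that address (candidates for a
    forced password reset).
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["failures"] += 1
        else:
            s["successes"].append(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        failure_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and failure_ratio >= min_failure_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "accounts_to_reset": sorted(set(s["successes"])),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

In production the counts would be kept per time window (for example, five minutes) rather than over the whole file, and the "accounts_to_reset" list is exactly the kind of evidence that justifies a reset like the one Canada Post carried out, since a success inside a stuffing run means that password was already exposed somewhere else.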

In our blog post, we also recommended the use of a password management software that can help you generate, manage and remember your strong passwords as well as implementing two-factor authentication wherever possible.

Canada Post has also said that they are contacting their customers directly if their account information has been compromised by this recent activity.

“While this is not a breach of the Canada Post network, we understand our obligation to our customers and all Canadians to keep their information safe. We will be reviewing our policies and procedures to determine how we can continue to improve the security of our online platforms.”

What to do if you have a Canada Post or an epost account:

  • Click on the Reset Password button at the end of the email and follow the steps to create a new and stronger password with these requirements:
    • Use both small and capital letters, a number and a special character such as !, # or %
  • If you didn’t receive the email, you can visit canadapost.ca and click on Sign in (located at the top-right of the website’s navigation) and then click on Forgot Password
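The password requirements above (lowercase and uppercase letters, a number, and a special character such as !, # or %) are easy to check before a new password is accepted. The following is an added example, not code from Canada Post or TCS Forensics: it reports every unmet requirement, and additionally rejects passwords found in a small constructed stand-in for a breach list, which ties the rules back to the re-use problem. The breach list, the extra special characters beyond !, # and %, and the wording of the messages are assumptions made for the example.

```python
# Constructed stand-in for passwords exposed in earlier breaches (not real data);
# a real deployment would query a breach corpus rather than embed one.
KNOWN_BREACHED = {"Password1!", "Welcome2019#", "Summer19%"}

# '!', '#' and '%' are the page's examples; the remaining characters are an assumption.
SPECIAL_CHARS = set("!#%$&*?@^-_+=")


def check_password(password, breached=KNOWN_BREACHED):
    """Return the list of unmet requirements; an empty list means the password is acceptable."""
    problems = []
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("needs a special character such as !, # or %")
    # A password that satisfies every rule is still unsafe if it has already
    # leaked elsewhere, because credential stuffing reuses leaked pairs directly.
    if password in breached:
        problems.append("appears in a known breach list; choose one you have never used elsewhere")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Tr0ub4dor#x"):
        print(repr(candidate), check_password(candidate) or "ok")
```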

Following their investigation, Canada Post has taken responsibility for informing its customers and has taken measures to quickly reset all of its customers’ passwords.

When data breaches occur and personal information is compromised, it not only affects those businesses and their users, but it may also affect other businesses and their users down the road, due to the fact that password re-use is still such a prevalent practice.

October is International Cyber Security Awareness Month

Cyber Security Awareness Month October 2019

With all of the recent news and reports of high-profile data breaches, it’s not surprising that most Canadians are feeling more and more vulnerable to cyber threats online.

These days, simply opening an email from an unknown source or visiting a sketchy website can leave one open to a malware or virus attack, leading to loss of personal information or finances.

The cyber threat landscape is constantly evolving in our technology-filled world, which makes protecting your personal data and staying safe online absolutely crucial. It may seem that the list of potential threats is endless, and many of the latest cyber attacks are hitting closer to home than ever before. Nowadays, everyone is at risk.

That is why in 2004, National Cyber Security Awareness Month (NCSAM) was developed in the US as a way for people to stay secure online. It was quickly adopted as Cyber Security Awareness Month (CSAM) in Canada, and as European Cyber Security Month (ECSM) in many countries in the European Union.

The primary goal of Cyber Security Awareness month is to educate people and get them to think about the importance of online security, how their online activities and practices can impact themselves and others. The secondary goal is to provide advice and effective measures that users can implement to protect themselves from harm, such as financial loss or identity theft.

In support of CSAM, the Canadian government has published their list of 10 security best-practices for you to review. It is listed below and the full article can be found here.

1. Protect Your Identity

Never re-use passwords. Create new usernames (if possible) and passwords for every account. Make sure they’re strong and difficult to guess by using numbers, case-sensitive letters and characters. Change your passwords regularly.

2. Turn on Your Firewall

This is your first line of defence. Find out if your computer operating system has a built-in firewall and activate it. Firewalls can block connections to unknown or phishing sites and can prevent access to your computer.

3. Use an Anti-virus Software

This is a no-brainer. Purchase and install an anti-virus and/or anti-malware software to keep your computer from infections. Configure it to automatically receive new virus definition updates and schedule a weekly scan of your drives.

4. Block Spyware Attacks

Adding anti-spyware software will prevent spyware from installing on your computer and monitoring your online activities. Spyware is a form of malware that can log your keystrokes, such as when you are entering your login credentials. Oftentimes, it is used to gather your personal information and send it to advertisers, data firms or other external users.

5. Install the Latest Operating System Updates

Always make sure your operating system and applications are up-to-date with the latest patches. Configure your system to automatically download and install them or at least notify you when they are available so that you can manually install them.

6. Back up Your Files

Protect all of your important files regularly by backing them up on external drives or removable media. Store them in a safe place in a different location if possible.

7. Protect Your Wireless Network

Configure your Wi-Fi network using the highest security and encryption available on your wireless router. If you’re unsure how to do this, ask for expert advice from where you purchased the hardware.

8. Delete Emails From Unknown Senders

If you don’t know the sender, it’s best not to open emails from them. Never open any attachments or follow any links included in the email body. Just delete the emails.

9. Surf the Web Safely

If you must enter personal information such as your name, address, phone number or financial information, only do so from your secured home network. Never do your online banking or shop from untrusted, insecure networks like your local coffee shop, etc.

Whenever you do need to enter personal or financial information online, make certain that the website is legitimate and secure (served over HTTPS with a valid SSL/TLS certificate).

10. Get Expert Help

If you suspect or discover a computer crime, identity theft or a phishing scam, etc., call your local authorities to report it.

(The above tips are courtesy of Public Safety Canada)

Since 2009, CSAM has included a different theme for each year, and beginning in 2011, weekly themes were introduced.

This year, the federal government and a coalition of security agencies and organizations have launched a new campaign with a toolkit, themes and shareable resources to promote cyber security.

As with previous years, a different weekly theme highlighting the various aspects of cyber security has been organized. Here are this year’s campaign themes:

Week 1: How Cyber Threats Work

(October 1-6, 2019)

What is a cyber threat? It is simply an activity that is intended to compromise the security of an information system such as an organization’s computer network, website or social media. The goal of these types of cyber attacks is to alter the availability, integrity or confidentiality of a system and its information.

Understanding how cyber threats work, who the cyber threat actors are and their motivations is the first step in protecting yourself and your organization.

Week 2: How Cyber Threats Affect You

(October 7-13, 2019)

As more and more people put their personal information online, they become increasingly vulnerable to cyber threats and attacks. The more internet-connected devices you have (computers, TVs, home appliances, etc.), the higher your exposure to possible threats.

Even though the available tools and techniques for hackers and cyber criminals continue to increase, the tools and techniques at the disposal of organizations, businesses and individuals allow them to protect against such attempts.

Week 3: How to Protect Yourself Online

(October 14-20, 2019)

It is a common misconception that you need to have expertise and highly advanced tools to protect yourself from cyber threats. The truth is, everyone can exercise simple and common sense practices to stay secure from many of these threats.

Simple behavioural changes to your online practices, when implemented, can be very effective at protecting yourself online.

Week 4: How to Protect Your Small Business

(October 21-27, 2019)

The Internet is an indispensable tool for most small and medium businesses to succeed in today’s digital economy. Being online lets you reach new and current customers and allows your business to grow.

You may think that cyber criminals only target larger businesses and well-known corporations, but in reality, they are now actively targeting smaller businesses because hackers believe their computer systems are easier to access and more vulnerable.

Whether your business is small, medium or large, you owe it to yourself and your customers to make cyber security a top priority.

Week 5: How We Can Work Together

(October 28-31, 2019)

Cyber defence is a shared responsibility. Government, institutions, the private and public sectors, businesses in all industries and individuals must all work together to strengthen Canada’s cyber security.

Our systems hold valuable information that is critical to our health, economy and society. They are targeted by hackers and cyber criminals every day. The security of these systems must be prioritized.


13 Common Cyber Security Mistakes to Avoid For Individuals

Living in these modern times, the internet has become a ubiquitous part of our lives. We do everything online now, from shopping to paying bills to socializing with friends and family. Thanks to small, powerful and portable devices such as smartphones and tablets, we can do anything from anywhere, at any time.

Even when we aren’t in front of a device, we might still be permanently logged into our email or social media accounts. By being connected to the digital world 24×7, we leave ourselves exposed to a variety of cyber security threats, which can create catastrophic results in our real world.

Though we only usually hear about high-profile cyber-attacks on large corporations, high-end brands or well-known web platforms because it gets the most headlines, cyber-criminals also target businesses and organizations of all types and sizes… and they target you, the private individual. Why? Because your personal information is valuable and can be sold.

This can result in personal, financial and data loss, identity theft, your reputation being tarnished and even legal troubles. You can put the blame on the skill and ingenuity or morals of the cyber-attackers, but much of it is on the failure of private citizens to take the necessary precautions to protect themselves.

There are still a vast number of people who are leaving themselves wide-open to an attack, simply because they make the same common cybersecurity mistakes that are easily exploited. Here is a rundown of the top mistakes that you can avoid to keep yourself safe.

1. Thinking it Won’t Happen to You

The first and the most important step to prevent yourself from being a victim of cybercrime is to shift your mindset. Despite hearing about breaches of big businesses and compromised personal data in the news regularly, many of us think that “it won’t happen to me”.

When it comes to securing our lives online, that attitude is our biggest downfall. It isn’t a matter of IF a cyber-attempt will be made on you, but a matter of WHEN.

According to Statistics Canada, the number of reported cybercrimes has seen alarming growth each and every year, and most of the cases remain unsolved. Data compiled by law enforcement from across the country showed that there were 32,968 cyber-related violations in 2018. The violations committed could involve email, text messages or social media platforms.

2. Poor Judgment, Lack of Awareness, and Lax Attitude Towards Cybersecurity Practices

It’s often said that the weakest link in the system is the humans who use it. When people aren’t aware of or fail to recognize the warning signs and ignore basic cyber security best practices, they are willingly exposing themselves as targets to cyber-criminals, who are more than happy to oblige.

Despite their lax attitude towards online security, many people say that a personal data breach would be worse than a physical home break-in. Physical goods can be easily replaced, but the theft of your identity, damage to your reputation or credit score, or financial loss might be more difficult to recover from.

Secure yourself with knowledge and training. Get access to information regarding cyber-threats and learn how to implement best practices to remain safe online. Be vigilant about your security.

3. Weak Passwords and Re-using Passwords Without Two-factor Authentication

If one were to interview any of the cyber security experts in the industry and ask them what the biggest mistake that users make when it comes to protecting their online assets, every one of them would have passwords at the top or near the top of their list.

Referencing the 2017 Verizon Data Breach Investigations Report, it was estimated that about 80% of all breaches are the result of weak password security. When your passwords aren’t strong and complex enough, you expose yourself to brute force attacks. Using special software, it has also been estimated that a skilled hacker can break two-thirds of all passwords in existence today in only a few minutes.

This is why you should use strong and complex passwords, randomized with a combination of case-sensitive letters, numbers, and symbols. After evaluating over 5 million passwords leaked on the internet in various data breaches, it was found that nearly 10% of people still used passwords from the list of the most common and worst passwords.

Even if your passwords are strong, you should never re-use the same passwords for multiple accounts. All it takes for an attacker is to crack your password and gain access to your other accounts, such as your online banking and bill payment.

It’s akin to a thief having a single key to enter your house, steal your car and open your safe. The internet is like a bad neighbourhood known for high incidents of cyber break-ins and data theft. You need to have a more vigilant mindset and focus on security rather than convenience.

Manage Your Passwords and Add an Extra Level of Security

Use a good password manager to help you remember your strong and unique passwords for each of your accounts. There are many available for randomly generating, managing and storing your passwords – and they can remind you to change them at frequent intervals, which security experts also advise.

Lastly, enabling two-factor authentication wherever possible is always recommended. Two-factor authentication is where a website or web service requires a password followed by a second form of authentication, such as a one-time security code sent to your phone.
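To show what a one-time code actually is behind the scenes, here is an added example (not code from the original article or from any authenticator product) that implements the standard counter-based and time-based one-time codes, HOTP (RFC 4226) and TOTP (RFC 6238), which is the mechanism authenticator apps use; the article's "code sent to your phone" by SMS is a different delivery channel but the same idea of a short-lived second factor. The verifier side is written the way a service should check the code: a small tolerance window for clock drift, a constant-time comparison, and a refusal to accept a counter that has already been used, so a code someone captured once cannot be replayed. The secret is the published RFC test key, not a real credential, and the base32 helper assumes the app exchanges the secret in RFC 4648 base32.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example: HOTP/TOTP one-time code generator and verifier (RFC 4226 / RFC 6238).
# The secret below is the shared test key published in those RFCs, not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """Counter-based code: HMAC(secret, counter), dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                            # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based code: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify_totp(secret, submitted, for_time=None, step=30, digits=6, window=1, last_used=-1):
    """Return the time-step counter the submitted code matched, or None if it is invalid.

    A window of +-1 step tolerates clock drift between the phone and the server.
    Counters at or below `last_used` (the counter of the last accepted code) are refused,
    so a code captured once cannot be replayed, and the comparison is constant-time so
    response timing does not reveal how many digits were right.
    """
    if for_time is None:
        for_time = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = for_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def secret_from_base32(encoded):
    """Decode a secret as authenticator apps display it (assumed: RFC 4648 base32, spaces allowed)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                   # restore stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    matched = verify_totp(RFC_TEST_SECRET, code, now)
    print("current code:", code, "verified at time step:", matched)
```

A real service would store `last_used` per user and the shared secret encrypted at rest; the code a user types is only as secret as the channel it travels over, which is why the article's advice to enable a second factor still matters even when the password is strong.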

4. Not Installing Software Patches or Updates Right Away

When you get a system message to download the latest security patch and restart your computer or mobile device, do you drag your feet and think, “Ah, I’ll do it later. I’m in the middle of <insert activity>”? Bad idea.

Not installing the necessary updates or patches for your Windows or Mac operating system, Android or iOS, Java, Adobe Flash, web browsers, or anti-virus, anti-malware and Microsoft Office program, etc. is a giant invitation for cyber-criminals to gain access.

Often, security updates or patches for popular programs are released immediately after a new cyber-threat has been identified in the wild, wreaking havoc. Even with anti-virus or anti-malware running in the background, you may still be vulnerable because you may not have the very latest definition files needed to identify and neutralize the new virus or malware threat.

Always find out more information about why an update or patch was released (an update could address several vulnerabilities), then download and install it… or risk a potential data breach.

Also, set your system notifications to automatically download and install system updates or at the very least, set it to notify you so you can manually download and install the system updates.

5. Replying to Unsolicited or Phishing Emails

We all think we’re intelligent and tech-savvy enough not to fall for solicitations from Nigerian princes or a multitude of other phishing scams, but according to the government’s own Get Cyber Safe website, 80,000 people take the bait and get “phished” every day by sharing their personal info.

So the next time you receive a phishing email that says you won a lottery or a prize, to click here to avoid paying fines from tax authorities, a warning from your financial institution because there is something wrong with your account, some bogus job offer or to watch a video that will shock you, delete it immediately.

Even with spam filters set up to catch these kinds of messages, many still make it through to your inbox. Never click on any attachments or links from unsolicited emails. You should only click on email links from trusted contacts IF you’re expecting a message from them. But even so, always check the sender’s info for both the name and email address that you recognize and contact them to confirm they sent it.

If you’re unsure about whether it’s really your bank, credit card company or the CRA that sent you the message, you can always contact them in person or directly over the phone.
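The advice above to check both the sender's name and the sender's address can be partly automated. The following is an added example, not code from the original article or from the Get Cyber Safe site, that reads a raw message with Python's standard `email` module and reports the tell-tale mismatches: a display name that shows one address while the real address is another, a Reply-To or Return-Path that sends your answer to a different domain, and a domain that borrows the name of a bank or agency you trust without actually belonging to it. The trusted-domain list and the two sample messages are constructed for the example (they use the reserved `.example` TLD), and the checks are heuristics to prompt a phone call, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the reader trusts; constructed values for this example (a user would maintain their own).
TRUSTED_DOMAINS = {"examplebank.example"}

# Constructed sample messages: one legitimate, one impersonating the bank.
LEGIT_MESSAGE = """From: Example Bank Alerts <alerts@examplebank.example>
To: customer@mail.example
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

PHISH_MESSAGE = """From: "alerts@examplebank.example" <noreply@examplebank-secure.example>
Reply-To: verify@mailbox-free.example
To: customer@mail.example
Subject: Urgent: confirm your account

Your account will be suspended unless you confirm your details.
"""


def domain_of(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def belongs_to(domain, trusted):
    """True for the trusted domain itself and any of its subdomains (mail.examplebank.example)."""
    return domain == trusted or domain.endswith("." + trusted)


def check_sender(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        return ["From header carries no usable address"]

    # 1. Display name that embeds a different address than the one actually used.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append(
            f"display name shows {embedded.group(1).lower()} but the real address is at {from_domain}"
        )

    # 2. Reply-To / Return-Path pointing replies or bounces at another domain.
    for header in ("Reply-To", "Return-Path"):
        _, other_addr = parseaddr(msg.get(header, ""))
        other_domain = domain_of(other_addr)
        if other_domain and other_domain != from_domain:
            findings.append(f"{header} domain {other_domain} differs from From domain {from_domain}")

    # 3. Lookalike: the brand word of a trusted domain appears, but the message is not from it.
    if not any(belongs_to(from_domain, t) for t in trusted_domains):
        for trusted in trusted_domains:
            brand = trusted.split(".")[0]
            if brand in from_domain or brand in display_name.lower():
                findings.append(f"{from_addr} uses the name of trusted domain {trusted} but is not from it")

    return findings


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_MESSAGE), ("suspicious", PHISH_MESSAGE)):
        print(label, "->", check_sender(raw) or ["no findings"])
```

None of these checks proves a message is genuine (a compromised real account passes all of them, which is the point made under mistake 6 below), so a clean result still leaves the article's rule in force: if it asks for money or credentials, confirm by phone.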

6. Downloading Unverified Email Attachments, Apps or Unsolicited Software

If you receive an unsolicited email from someone you don’t know, and that message asks you to download an attachment or to install an app you’ve never heard of, you know by now that it’s a good idea to delete the message right away.

But what if the message is from someone you know? If you’ve ever received what looks like spam from a friend, acquaintance or family member in your Gmail, Yahoo or another webmail account, the sender’s account could have been compromised.

It’s best to make it a habit never to open any attachments from anyone unless you were expecting that person to send it and have confirmed it beforehand, for example in communications with a business partner or a client. Even then, there are other ways to share documents online like Google Drive, Dropbox, and other cloud-based platforms.

Everyone has probably encountered the annoying pop-up warning that your computer will be at risk unless you download their anti-virus software immediately. Or maybe it’s some cool app or game you should download and play.

How do they know you don’t already have anti-virus or anti-malware installed? It’s a well-known ploy to get you to install their virus or spyware posing as software to protect you. Make sure you actually have legitimate, up-to-date anti-virus and anti-malware installed with a pop-up blocker to keep these cyber-attempts from being displayed on your screen.

7. Browsing Questionable Websites

That’s an interesting cat website full of funny cat photos and videos. Despite all those ads and pop-ups, it seems pretty innocuous, right? How about this music download site you just stumbled upon? Can you even legally download this music for free?

Maybe it’s nothing, but untrusted websites could be full of spyware and any links you click on could install malware onto your system, which could compromise your banking information, credit cards or worse.

If you want to stay safe, it’s probably best to surf on reputable sites from known brands. Usually, the safest and most secure sites will appear at the top of the Google search results. But if you’re in doubt, it’s best to get out (without touching anything first).

8. Clicking on Shortened URLs

You’ve probably seen many shortened links and even clicked on a few of them, but did you really know where you were being redirected to before you clicked?

Long, ugly URLs are often shortened to a few random characters to make them look prettier. For example, a bit.ly or a TinyURL link. You’ll also see this with Facebook updates or Tweets. Using a short link essentially hides the real website URL and if you click on one, you could be clicking on malware.

To avoid this, use the built-in link preview that most of the popular link shortening services will have by default. You just have to alter the shortened URL to preview it.

TinyURL example (these are not real URLs):

i.e. https://tinyurl.com/abc123 to https://preview.tinyurl.com/abc123

Each link shortening service will have its own different parameters you need to add to preview its shortened links.

If you don’t want to memorize all the different preview parameters, you can also use an online service like GetLinkInfo.com or download a link preview Chrome extension or Firefox add-on for those browsers.

9. Sharing Too Much Personal Information Online

One of the biggest mistakes people make online is not thinking about what the consequences would be if their personal data is taken out of their control and released into every nook and cranny of the internet to be used and abused by nefarious parties.

These days, people reveal way too much of their personal information online, without even a second thought about the possible implications. They do that in their social profiles, in their social posts, on forums and websites everywhere. They think there is privacy protection on these various platforms, but once those platforms have been breached and compromised, their information is out of their hands and in those of people who would use it for their own gain or use it against them.

It is critical that you stop and think clearly before you post anything online, especially anything too personal and revealing. Once it’s posted, it is on the internet forever and you won’t be able to do much about it after the fact.

10. Not Using Anti-malware or Anti-virus Software on Your Computers and Devices

Why should someone use an anti-virus or anti-malware software? Is that even a serious question?

First, what is the difference between a virus and malware?

Generally speaking, a virus is a piece of code that can replicate itself to infect your computer and corrupt your system or destroy your data. Malware is an umbrella term that covers a variety of malicious software, including trojans, worms, adware, spyware, ransomware and also, viruses.

No matter how smart you are or how carefully you browse on the internet, there are just too many cyber-threats out there these days and security software is important to have as your second line of defence… right behind your good judgment, awareness and vigilant attitude towards cyber security best practices.

11. Using Public Wi-Fi or an Unknown Internet Connection

When we are out in public or traveling, we often just use whatever Wi-Fi or internet connection that is available. Sometimes it’s because we’re out of data or just don’t want to use our own data plan.

But because these public Wi-Fi networks are not secure, you should never use these types of untrusted connections to access personal information, make online payments or purchases, etc. They are much more vulnerable to online breaches.

Even worse, cyber-criminals know users who go to a local cafe for a drink, often like to use the Wi-Fi to work or to browse the internet. Some of these hackers will sniff the coffee shop’s network to capture data or some will create an access point with malware and try to lure you into their trap. As soon as you join their network, they could be stealing your passwords and other personal data.

If you want to pay your bills, check your financial statements or do some online shopping, do it from home where you know your network is safe and secure.

However, when you are traveling abroad, it might be difficult or impossible to find secure public Wi-Fi networks to access. This is why you should use a VPN for travel.

What is a VPN? In a nutshell, a Virtual Private Network is a connection method that is used to add security and privacy to public networks like Wi-Fi hotspots. A VPN will hide and change your IP address, mask your location and encrypt data transfers. VPNs use advanced encryption protocols and secure tunneling to encapsulate online data transfers.

In fact, you should always use a personal VPN on every public Wi-Fi network other than your home network.

12. Using Unknown Devices Such as USB Flash Drives

Sometimes you want to move files from one device to another and sometimes you want to back up your important files quickly. But you should always be careful when inserting someone else’s USB drive into your computer.

You’d never think to pick up something dirty that’s just lying around and insert it into your ear, would you? So, you should never just insert a random thumb drive that you found into your computer. If you don’t know the origins of the flash drive or it isn’t brand new out of the package, then it could potentially have a virus or malware on it.

Remember, one tiny, little infected drive can take down an entire corporate-sized network.

13. Leaving Your Webcam Vulnerable to Attack

Webcam hacks can be a very scary violation of one’s privacy. You should be familiar with whether your webcam is active or not and know how to disable it. Just covering it up with tape will not stop your webcam from recording audio. Once a hacker has control of your webcam remotely, they can spy on you and secretly record you for personal or financial gain.

Final Thoughts

So there you are, 13 of the most common mistakes people make online and now you have the awareness and knowledge to avoid them and keep yourself safe and secure.

Federal Government Announces New Certification Program to Enhance Cyber Security

The CyberSecure Canada Certification Program

Earlier this month, Bill Morneau, Canada’s Minister of Finance, launched the CyberSecure Canada certification program, which aims to achieve an increased baseline level of cyber security controls among SMEs (small to medium enterprises).

As more businesses and consumers embrace the use of digital technologies to conduct business online, cyber attacks and data breaches are becoming a serious and more frequent issue to both business owners and consumers alike.

The objective of this voluntary program is to protect small and medium-sized businesses from cyber threats and increase consumer confidence in using Canada’s digital and data platforms.

By offering this certification to SMEs, the government’s goal is to make it safer and more secure online for all businesses and consumers by preventing financial loss, protecting our privacy and safeguarding intellectual property.


Quote from the Government of Canada news release:

“There’s so much Canadians can do online—from connecting with friends and family, to personal shopping, to building a business. This online activity is good for our economy and helps create good, well-paying jobs. At the same time, it’s critical that Canadians feel confident about the security of their interactions and information. Today’s announcement is an investment in skills, in businesses and in the future of our economy.”
– The Honourable Bill Morneau, Minister of Finance

Certification Program Details

Currently, the CyberSecure program is in the pilot phase and will continue until the National Standard of Canada (NSC) is fully established.

Although the program is targeted at SMEs (with a maximum of 499 employees), large and even enterprise businesses are also eligible for the program, including for-profit and non-profit organizations.

In order to become certified, organizations must demonstrate that they have implemented all of the specific baseline cyber security controls as developed and established by the Canadian Centre for Cyber Security.

Security controls are a detailed outline that lists what companies and organizations must do to protect their digital environments, such as their physical networks, computers, mobile devices, websites, web applications, cloud storage, social media accounts and more.

Quote from the Government of Canada news release:

“As the Government of Canada’s authority on cyber security, and as part of the Communications Security Establishment, the Canadian Centre for Cyber Security has over 70 years of experience protecting Canada’s most sensitive information and networks. Canadian businesses are being, and will continue to be, targeted by cyber threat actors. Many of the most common cyber threats can be mitigated through awareness and best practices. CyberSecure Canada will help raise the cyber security bar for small and medium organizations across Canada and build confidence in our digital economy.”
– Scott Jones, Head, Canadian Centre for Cyber Security

A few of the basic security controls to minimize cyber threats to your business include:

  • Developing a plan for responding to incidents
  • Updating and patching your computer operating systems and applications
  • Installing and configuring anti-virus, anti-malware, company firewalls, etc.
  • Using strong user authentication (implementing two-factor authentication, password length and re-use, changing passwords frequently, etc.)
  • Having a data backup and encryption policy

For the complete list of baseline controls, visit the security controls for SMEs page to download the PDF.

Once a business is enrolled in the program, federal government accredited certification bodies will evaluate the implementation of the security controls using an audit checklist defined by a strict set of criteria.

Certification bodies (CBs) are public and private-sector businesses which have met all of the requirements and have been fully accredited by the Standards Council of Canada (SCC).

Authorized and accredited certification bodies include:

After certification, a unique CyberSecure Canada identifier for your company website will be given to you to let your customers know that you have taken the necessary measures to implement security controls to ensure that your business meets the latest cyber security standards and best practices.

The certification is valid for two years. Upon expiration, you will be required to follow a re-certification process to maintain certification status.

The cost for certification is individually set by each of the particular certification bodies. However, some CBs may choose not to charge for the certification if your business uses their products or services that meet the security requirements. Other CBs may charge from hundreds to thousands of dollars depending on the complexity of your organization and its structures.

Why Certification Matters For Your Business

Cyber attacks and cyber threats can have catastrophic effects that directly impact you as a business owner, including:

  • Financial loss caused by cyber fraud or other means
  • Damage to business reputation
  • Lawsuits
  • Loss of business

As of now, certification is not mandatory and completely voluntary. However, having the CyberSecure designation will give your customers, partners and suppliers extra assurance and trust that their valuable information (personal and/or confidential, credit card and/or financial, etc.) will be secure and that as a business, you have decreased their risk of cyber threats.

With the CyberSecure Canada certification mark, your business will have the official recognition by the federal government for demonstrating compliance with their baseline security controls.


Once your business has been CyberSecure Canada certified, it can display a government-issued certification seal to be used in digital and print formats.

How to Become CyberSecure Canada Certified

You can find more information and apply for enrolment into the program by going to the Get Certified page. Follow the step-by-step process on how to get started to make your business cyber secure.

Start Taking Proactive Measures With Your Security

The federal government has created this program, focusing on a foundation of security best practices, with methods and strategies to help SMEs guard against the threat of cyber attacks. But it is important to recognize that, while it is a great initiative, this is just the minimum standards approach to cyber security.

As a business owner, you should understand that these minimum standards, audited by the various accredited certification bodies, only give you a basic level of security.

Quote from the Government of Canada website:

“Certification does not guarantee complete protection from cyber threats. However, the processes and best practices learned as you make your way through the certification process, will provide business owners, managers and employees with the tools and abilities to improve your level of cyber risk and to better deal with breaches, if they occur.”

Unfortunately, many organizations only take an interest in their security after their digital space has been compromised by cyber attacks and the damage has already been done. With our many years of experience in the cyber security industry, we recommend that you be proactive in your approach when it comes to your organization’s security.

You can only truly evaluate the strengths or weaknesses of your security structure and policies by hiring a qualified expert to test your organization’s network defences. Call or contact us to schedule a free consultation today.