On December 6, 2021, with global ransomware attacks at an all-time high, the federal government published an open letter to Canadian organizations urging them to adopt updated cyber security best practices to reduce the rising threat of ransomware attacks. The federal government also issued additional guidance on preventing and responding to ransomware attacks, including a new Ransomware Playbook. Below, we summarize the federal government's recent guidance, what it means for Canadian organizations, and how we can help your organization prevent and respond to ransomware attacks and other cyber security threats.

The Threat of Ransomware Is on the Rise

As most readers will already know, ransomware is a type of malware (malicious software) that denies a user's access to a system or data until a sum is paid. Ransomware is a serious and evolving threat to organizations of all kinds. Over the past two years, as more and more people have been working from home and doing business online, we have seen a sharp increase in ransomware attacks. Between the first half of 2020 and the first half of 2021, global ransomware attacks increased by 151%.¹ These attacks have become increasingly sophisticated, targeted, and complex, with threat actors adjusting their tactics to minimize the risk of detection and maximize the potential ransom payment. These tactics have included:

  • high-impact targeting, such as attacks on organizations involved in the supply of critical infrastructure, including governments and businesses in the communications, energy, financial services, health care, and transportation sectors;
  • use of Ransomware-as-a-Service ("RaaS"), by which developers sell or lease ransomware to other cybercriminals;
  • covert reconnaissance to identify critical systems and high-value data;
  • demands for payment in the form of cryptocurrency;
  • threats to release stolen data publicly; and
  • active monitoring of communications and planned recovery actions to undermine response efforts and further infiltrate networks and connected devices.²

Ransomware attacks can have severe and far-reaching impacts, including business downtime, permanent data loss, intellectual property theft, privacy breaches (which can spawn class-action lawsuits), reputational damage, and recovery costs.³ While average ransom payments stabilized at around $200,000 in 2021, the global average total costs of a ransomware attack more than doubled, increasing from $970,722 in 2020 to $2.3 million in 2021.⁴ The recent ransomware attack against Colonial Pipeline, which halted the U.S. oil pipeline's operations for days and led to a spike in gasoline prices and localized fuel shortages, illustrates just how widespread and severe the impacts of a ransomware attack can be.⁵

For more on recent trends in ransomware attacks, see our recent blog post titled "Emerging Developments in Ransomware".

The Federal Government's Open Letter

To reduce the threat of ransomware attacks, the federal government's recent open letter urges Canadian organizations to adopt updated cyber security best practices. The letter states that "[b]asic but appropriate cyber security practices" can help prevent "the vast majority" of ransomware attacks, and "taking basic steps to ensure your organization's cyber security will pay swift dividends".⁶ To help organizations take these steps, the Canadian Centre for Cyber Security (the "Cyber Centre") recently issued a range of guidance materials, including "Baseline Cyber Security Controls for Small and Medium Organizations", "Top 10 IT Security Actions to Protect Internet Connected Networks and Information", "Ransomware: How to Prevent and Recover", and a Ransomware Playbook (described below).

New Ransomware Playbook

The Cyber Centre's new Ransomware Playbook provides guidance on how organizations can protect themselves against the threat of ransomware attacks and recover from an attack. Key recommended best practices include the following:

Prevention

  • Adopt a multi-layer prevention strategy. Organizations should adopt a multi-layer strategy to protect themselves against cyber threats. This strategy should include several layers of defence with several mitigation measures or security controls at each layer.
  • Have a backup plan. Organizations should have a backup plan detailing how the organization will restore backup data and systems in the event of an incident. Organizations should store their backups offline, have a secondary backup in the cloud, encrypt their backups, and conduct the backup process regularly.
  • Have an incident response plan. Organizations should have an incident response plan detailing how the organization will detect and respond to cyber incidents. Elements of this plan may include a risk assessment, a policies and procedures assessment, a cyber incident response team, training, stakeholder identification, and a communications plan.
  • Have a recovery plan. Organizations should have a recovery plan detailing how they will recover from a cyber incident. This plan should identify what is to be recovered, by whom, when, and where.
  • Establish cyber security controls. Organizations should establish cyber security controls, which may include: tailored cyber security training; strong password or passphrase requirements; multi-factor authentication ("MFA") for the organization's devices; hardware, software, and operating system scanning for vulnerabilities; patches and updates to address vulnerabilities; segmenting networks to protect sensitive and high-value information; monitoring and logging functionality; and disabling macros.

Recovery

  • Immediate response actions. In the event of a cyber incident, organizations should take immediate steps to respond. These steps should include engaging professional assistance, assembling a cyber incident response team, determining what data and systems have been affected, containing the issue, and reporting as appropriate.
  • Recovery actions. Once an organization has completed its immediate response, it should begin the recovery process. This should include remediating the point of entry, implementing the organization's backup plan, restoring systems, informing stakeholders, and performing a post-incident analysis.

Footnotes

1 Canadian Centre for Cyber Security, "Cyber Threat Bulletin: The Ransomware Threat in 2021" (November 2021) ["Cyber Threat Bulletin"], at 2.

2 Canadian Centre for Cyber Security, Ransomware Playbook (November 2021) [Ransomware Playbook], at 3; "Cyber Threat Bulletin", at 2-5.

3 Canadian Centre for Cyber Security, "Ransomware" (6 December 2021).

4 "Cyber Threat Bulletin", at 3.

5 See Stephanie Kelly & Jessica Resnick-ault, "One Password Allowed Hackers to Disrupt Colonial Pipeline, CEO Tells Senators", Reuters (8 June 2021).

6 The Honourable Anita Anand et al., "Open Letter to Canadian Organizations About Ransomware" ["Open Letter"].
