serdjophoto/iStockPhoto / Getty Images
Imagine a roving gang of thieves lurk through your neighbourhood each night. They jiggle every knob to see if the door is unlocked and test every window to see if any are left ajar. If the thieves find an opening, they slide in and ransack the place.
Some of your neighbours respond by buying alarm systems or upgrading their locks. None call the police if they are hit, or try to work together to deter the gangs. “Why bother?” they think as they huddle in their homes, afraid to draw attention. “I just pray it won’t happen to me.”
Sound like an effective way to deal with danger? Not really. Canadians wouldn’t accept such a response to a threat of real-world crime. Yet we continue to treat digital risks this way.
As cyber threats escalate, companies and institutions need to be more pro-active about defending themselves and much more open about disclosing the threats they face so we can all fight back more effectively.
It’s hard to get an accurate picture of the damage dealt by cybercrime, for reasons we will get to shortly. The Canadian Anti-Fraud Centre, a government agency, reported a total of $530-million in victim losses in 2022, a 40-per-cent increase over 2021, which was itself a record.
And this is, of course, a global phenomenon: U.S. researchers Cybersecurity Ventures estimated the total cost of cybercrimes, including scams, will hit US$8-trillion this year. The NCC Group, which tracks ransomware attacks, reported 502 incidents in July, up 153 per cent from the year before.
Cybercrime is now a sizable industry. The old image of a lone, hoodie-clad hacker eating Doritos and typing furiously on a laptop in his mother’s basement is a thing of the past. Hackers now work in offices with org charts, salaries and summer vacation. They are professionals and, in some cases, sponsored by hostile governments.
Do these numbers even capture the full extent of the damage cybercrime has inflicted? No. According to the Canadian Anti-Fraud Centre, the increase in financial loss is not because of an increase in reporting. They estimate that only between 5 and 10 per cent of victims come to authorities when they’ve been hit.
This is the first thing that needs to change: corporations and institutions hit by cybercriminals need to come forward to authorities. It’s not good enough to sweep incidents under the rug and only report in the case of major failures that can’t be hidden, such as the attack in February that crippled bookseller Indigo. Sobeys was notably tight-lipped about an incident last year that cost it $32-million. Police need a better picture of criminal activity to understand and investigate it.
Likewise, publicly traded companies should be required to be more forthcoming about their cybersecurity investments and hacking incidents. It is critical information for investors to understand the risks associated with each company. The U.S. Securities and Exchange Commission recently introduced new rules that mandate more disclosure. Canadian securities regulators should follow suit.
Corporations balk at greater disclosure because they fear it will hurt their brand or make them greater targets for criminals. But, frankly, they will get targeted either way. Lack of transparency just creates cover for the chronic underinvestment in cybersecurity to continue.
The federal government should include robust investment in cyberdefence as part of its defence policy review. It could also help those in the private sector who are vulnerable and need the assistance: the Canadian Chamber of Commerce suggested in this year’s budget consultations that a $500-million fund could help small- and medium-sized businesses with their cybersecurity needs.
Ottawa should also get moving on Bill C-26, which was introduced more than a year ago. It gives the government more authority to protect critical infrastructure in federally regulated sectors, such as telecommunications and banking. It also requires companies in those industries to have a cybersecurity plan and to monitor and report any incidents that come up. The House of Commons unanimously approved the bill on second reading last March and sent to committee, where it has since sat undisturbed. MPs should rouse the bill from its rest this fall so regulators and companies can get moving on implementing the new rules.
Cyber-burglars have not used that time to doze. Every day they develop new tools. And their next break-in target may be you.