Canucks play fast and loose with ransomware

Hello, world. Meet the two-headed Canadians.

On the one hand, we Canadians seem to be very risk averse people, at least when it comes to business. Craig Alexander spelled it out in a recent interview, right after being named the Conference Board of Canada’s new chief economist.

“Economists don’t have a good explanation as to why Canada does so poorly in productivity,” he told Wealth Professional. “It’s like a good murder mystery — there are many suspects. Canadian businesses do not invest as much in machinery and equipment per worker as the U.S. Also, they are slower to adopt new technology and often want to see it tested in the U.S. first.”

So on the business and entrepreneurial front, Canadians are not the biggest risk takers in the world. In terms of cyber risk, however, we seem to be much more laid back. A new study from Malwarebytes concludes that “Canadians have a false sense of security,” specifically toward ransomware threats.

According to the survey of 540 senior IT managers at enterprises in Canada, Germany, the U.S. and U.K.:

• 51 per cent of Canadians are “fairly confident” in their ability to stop ransomware
• yet Canada suffered the highest ransomware penetration rate of the four countries, with 42 per cent of attacks affecting 26 per cent or more of the victims’ corporate networks
• more than a third of surveyed Canadian companies have been hit with ransomware in the past year, the second highest rate among the four countries
• study researchers said the cost of ransomware attacks in Canada “is much higher than in the U.S.,” with nearly 65 per cent of attacks costing between $1,000 and $50,000
• Canadian companies are the most likely to cede to ransom demands, with 75 per cent willing to pay up

Why are Canadians — so wary of taking risks in business endeavors — playing so fast and loose with risks surrounding ransomware? Are we too cheap to invest in appropriate preventive measures? Do we just naively believe it’ll never happen to us? I don’t know the answer. I’d love to hear some ideas and experiences, so please post your comments.

Another key question on this issue: should victims ever pay ransom to hackers? Although more data is now available on the number of companies being hit by ransomware, there’s still little, if any, research about what happens after they pay off these attackers. How many of the victims who pony up payments get targeted again in repeat attacks?

No More Ransom, a new public/private initiative set up to fight ransomware in Europe, advises victims not to pay the ransom: “By making the payment you will be supporting the cybercriminals’ business. Plus, there is no guarantee that paying the fine will give you back the access to the encrypted data.”

That’s exactly what happened to Kansas Heart Hospital in May. Although the facility paid an undisclosed amount of ransom to regain access to its files, the bad guys only gave them partial access and demanded even more money. The hospital refused to pay the second ransom demand and has remained mum on the incident ever since.

As mentioned, the Malwarebytes survey suggests Canadian firms are more likely to pay ransom than those in other countries. Apparently, we prefer to deal swiftly with ransomware after the fact instead of early at the preventative stage. With ransomware increasing, that attitude clearly has to change.

Nathan Scott of Malwarebytes told me in an interview that hackers are put off by companies that openly talk about tackling ransomware. Since cybercriminals want to make a buck as quickly as possible, they skip past targets who seem like they’ll hold off on paying ransom.

“I’ve noticed there’s a lot more talk in the U.S. (than in Canada) of people wanting to stop ransomware. If there’s a little bit less (talk) in another area then there might be more ransomware there,” said Scott, technical project manager at Malwarebytes.

Scott is politely saying Canadians are too polite about ransomware. If we’re worried about seeming loud and cocky, this is one case where it’s worth the risk.

Image: iStock