Cybercriminals have found an unsupervised playground in Canada to horse around in. And the complacency of many companies is allowing them to wreak havoc in our neighbourhood.
During a morning session at the SC Congress in Toronto on Tuesday, titled ‘Why being nice attracts the naughty,’ panelists discussed the reasons behind Canada’s dismal Internet security ranking in the third annual report card from security firm Websense: third place in the world for number of advanced malware command-and control-servers.
This isn’t terribly shocking. As a prosperous, highly-developed country, Canada is a target-rich environment for hackers. Still, one of the panelists, Michelle Warren, president of MW Research & Consulting, said it was troubling that we’re so close to the top — more infested with malware than even certain eastern European countries long associated with the dark underbelly of the Internet.
But leaving aside the stereotypes, she said, part of the reason for Canada’s vulnerability is the vast number of small businesses on its soil. Companies of this size lack the means to protect against concerted attacks by large groups of hackers.
“When we look at small and mid-sized companies, we don’t have — and I operate one — I don’t have an IT guy or IT woman full time, running things. I can get attacked and not even know about it. I’m going to find out about it from Google. And I’m not alone,” said Warren.
Warren estimates that the vast majority of SMBs, which represent somewhere around 97 per cent of businesses in Canada, outsource their security instead.
So, with the enemy at the gates, who should we rely on? Who does have the power to protect Canadian individuals and companies from malware?
Robert Knoblauch, director of technical security services at Scotiabank, responded to a question about whether large enterprises and Internet service providers, the only parties with the kind of resources to stop massive DDoS attacks, for example, deserve some of the blame when client systems are compromised.
Knoblauch said that ISPs can’t exactly be singled out for criticism for two reasons. First of all, over the past few years, the nature of DDoS attacks has changed considerably, from the forced conscription of thousands of workstations to knock off sites to more targeted attacks against popular Web platforms (such as WordPress) using automated kits. Meanwhile, he said, the bandwidth hackers use in the old-fashioned mass attacks is growing so exponentially that ISPs simply won’t be able to keep up.
ISPs and security firms can only do so much without the cooperation of their clients, he added. And the lack of such cooperation effectively means helping the hackers.
“What we’ve seen at Scotiabank (is) an increase in Canadian ‘attackers,’” said Knoblauch. “We don’t think it’s Canadian people being malicious — it’s people just not patching their systems and hackers breaking in and using their system as a launching point for other attacks.
Canadian companies are consistently failing to keep their security up to date, he added, with Java and Adobe in particular being “a very easily exploitable vector in your system.”
Patching systems regularly is easier said than done, Knoblauch acknowledged, and companies often run into compatibility problems that can cause major headaches for IT. Still, he said, do whatever you can.
“My advice is to prioritize. Look at your most critical systems and see what can be patched and what bandaids or other workarounds you can put in to mitigate the risk. Focus on those systems and then move down the chain to less critical systems, because you’re not going to secure everything.”
In the end, the panelists left their audience with some good news and some bad news about what the future holds.
Bad news first? Cybercriminals will always be a step ahead of IT security firms. The good news? Well, it will at least promote job creation. Many Canadians will have long and prosperous careers protecting networks against increasingly sophisticated hackers.
While we should have the utmost respect for the professionals who work to keep our systems secure, we also have to acknowledge that a thriving security industry isn’t exactly a pillar of a healthy economy. So, let’s all work together to knock Canada’s malware-friendly ranking down a few notches.
Start by assessing your organization and downloading, “Planning Security Budgets: Quantify the Financial Risk of DDoS,” today.