‘It’s getting kind of crazy out there’

Hey there, time traveller!
This article was published 23/10/2024 (319 days ago), so information in it may no longer be current.

Canadian businesses have doubled their spending on cyberattack recovery in recent years as the financial stakes become “more severe,” a new Statistics Canada report finds — and Manitoba is not immune.

Companies across Canada spent $1.2 billion recovering from cybersecurity incidents in 2023, the data show. The number doubles the roughly $600 million spent in 2021.

Meanwhile, the number of victimized businesses has been decreasing — 18 per cent were impacted in 2021, down from 21 per cent in 2019. StatCan pointed to victimized firms paying more money as a potential reason recovery spending has grown.

Neither StatCan nor the Canadian Centre for Cyber Security track cybersecurity incidents by province.

Manitoba businesses are tested often, said Jason Kolaski, owner of computer support company Constant C Technology Group.

“If it’s your day, then you just happen to be the person that gets hit,” he said.

His company gets calls from distressed businesses who’ve been scammed and those who want to increase their protection after a scare.

Artificial intelligence is making scammers more sophisticated, Kolaski explained: for example, criminals can use AI to impersonate a chief executive’s voice on the phone and ask for money to be transferred.

One of the top cyber crimes affecting leadership involves signing false documents online. It might happen during tax filing season or a period where “the executive is always in a rush,” Kolaski said.

An employee enters their Microsoft Office username and password without realizing the file isn’t from their accounting partner, legal firm or other trusted entity. Scammers then have the username and password for their own purposes, Kolaski relayed.

In some instances, hackers have gotten into organizations and sent emails to that organization’s vendors stating they’ve changed their banking information, offering up the criminal’s account.

“It’s getting kind of crazy out there,” Kolaski said.

Nationally, businesses increasingly faced identity theft, ransomware attacks, scams and fraud when comparing 2023 to 2021. Scams and fraud remained the most common crime, StatCan said.

The upticks follow a rise in online shopping. Canadians spent more than $84 billion online in 2020, a COVID-19 pandemic-era jump from 2018’s $57 billion.

“Just the volume that we’re seeing of retail trade going on online, I think it makes sense that the dollar amount lost is … going up,” said Brianna Solberg, Canadian Federation of Independent Business director of legislative affairs, Prairies and northern Canada.

Nearly half of Manitoba small businesses the CFIB surveyed in 2022 had experienced a random cyberattack; 27 per cent reported a targeted attack.

Victimized Manitoba enterprises lost an average $13,000, including time and resources to recover, Solberg said.

Tessa De Sousa and her staff now backup every spreadsheet and file.

Years ago, a service technician opened a virus email at Underworld Scuba and Sport. The company’s customer order sheet was quickly blocked; hackers asked the Winnipeg retailer for upwards of $25,000 to get the information back.

“As a small business, you just don’t have that type of revenue stream,” De Sousa said. “We ended up just dealing with the loss of the (spreadsheets).”

It meant many lost sales, De Sousa recalled.

Financial fallout and a diminished reputation are among the risks attached to cyber crime against business, noted Chuck Davidson, president of the Manitoba Chambers of Commerce.

In some cases, customers are put at risk, he added. He’s seen a “huge increase” in businesses upping their cybersecurity measures. It prompted the chambers to offer grants for tech assessments through its Digital Manitoba initiative.

The largest cybersecurity cost for businesses last year was employee salaries related to prevention and detection, StatCan found.

Computer science pupils studying cybersecurity are “very popular choices” for employers, said Kathy Knight, director of the James W. Burns Executive Education Centre at the University of Manitoba’s Asper School of Business.

Asper plans to launch a cybersecurity program for non-tech leaders in 2025. The curriculum will include how to create a “cybersecurity mindset” within organizations, Knight outlined.

“All (employees) have a role to play in cybersecurity,” she said. “It is the human factor that is the biggest risk.”

Many small- and medium-sized businesses fold within six months of being hit by a cyberattack, she added.

“They only need to be right once,” Kolaski said of hackers, noting the money is life-changing. “If you’re on the IT side, you’ve got to be right every single day.”

The Canadian Centre for Cyber Security responded to 2,192 incidents — successful or not — in its 2023-24 fiscal year. It’s a slight uptick from the year prior.

Such incidents are “significantly under-reported,” spokesperson Nayeli Sosa wrote in a statement.

Marc Perreault, senior manager of security risk at Mozilla, has watched cyberattacks become “commoditized,” affecting individuals and businesses alike.

Using strong passwords, multi-factor authentication and secure data storage online are among the Canadian Centre for Cyber Security’s recommendations to prevent scams. It emphasizes being on guard for phishing messages.

The number of cybersecurity professionals is growing, but more are still needed, Perreault said.

gabrielle.piche@winnipegfreepress.com