Cybersecurity: Are Canadians Ready?

Picture this: the power goes out in your house. It’s 11:00 at night, so it’s dark. You look outside, and you see that every other house is dark too. There’s light coming from the odd solar powered porch light, but the streetlamps and everything else are out. You pull out your phone to make a call – no signal – no cell coverage. You’re on your own. It’s at this moment that you think to yourself, “hmmm…how ready am I for this?”

In Canada, we take a lot of our essential services and technology for granted because they are generally so reliable. Because danger does not stare us directly in the face, we become complacent and even confident that any period of crisis will be resolved soon. In the case of a widespread power outage, it would only take a few hours for peoples’ optimism to transform into fear, especially if the blackout was vast and all-encompassing.

Human beings are not very good at being proactive. Whether you place it in the context of blackout survival or cybersecurity, the act of taking steps to prevent or mitigate future problems is not easy to undertake. It represents extra effort and extra cost to prevent something that might not even happen. Humans are far better at reacting to things than they are at preparing in advance, which is why so few of us have a long-term blackout survival kit, and similarly why our approach to cybersecurity, as individuals and as companies, remains an issue of serious concern.

Are We Worried Enough?

In 2018, ESET published its ESET Cybersecurity Barometer, a collection of poll results designed to assess peoples’ attitudes towards cybercrime. The report was based on a sampling of 1,000 respondents and is available for download here. Its author, Stephen Cobb, points out that “more than 80 percent of Canadians surveyed believe that the risk of becoming a victim of cybercrime is increasing,” and “nine out of ten Canadians now identify cybercrime as a serious challenge to the country’s security, bigger than terrorism, corruption, and other criminal activity.”¹

For a clearer vision of this problem and our responses to it, we spoke directly with Stephen and asked him for some specifics from the study. He pointed out that 40 percent of Canadians now:

• Restrict themselves to only using their own computer
• Only visit websites they know and trust
• Only open emails from people they know
• Use and maintain security and antivirus software
• Are less likely to give out personal information online

This means that statistically, Canadians are becoming more cautious and internet-savvy, but 40 percent is not a majority. It’s a mark of progress, but it also means there’s a long way to go in a race that continues to pick up speed.

A related note, Stephen points out, is that this might not be great news for those who rely on websites for sales, marketing, and communication – companies, non-profits, and government agencies. The lack of trust through concerns about security and privacy may be eroding the full potential of the technology. To re-build trust on the internet, Stephen says, “You have to hit companies over the head with the need to do better.”

He mentions though, that Canada already enjoys a leadership role in the global cybersecurity space. Canadian privacy regulations and laws have evolved differently and somewhat better than in the U.S., and in fact, the concept of privacy by design, which became the backbone of Europe’s GDPR, was designed by Canadian privacy expert Dr. Ann Cavoukian.

Security Needs a Change of Mindset along with Swift Justice

On a regulatory level, in terms of the Federal government stepping in to assist in privacy and cybersecurity issues, Stephen admits that as with other countries, Canadian leaders have a lot of other things to worry about and establishing security policies is a complicated undertaking.

He suggests that at this level, a change of mindset may have to come about, especially regarding existing policies toward crime and justice. “The biggest deterrent to a crime like stealing,” he says, “is swift justice. A burglar will not stop burgling just because you double the penalty and sentencing rates. Most criminals don’t think they’re going to get caught. And in truth, there’s a whole lot of cybercrime where the chances of getting caught today are very low.”

He suggests that focused international efforts can create results, and he offers kudos to organizations like the RCMP who are already doing this. “International cooperation is vital,” he says. “We must identify cybercriminals and indict them quickly. He offers this example:

“There is a concern that an indictment in a different country is meaningless because a national authority like the RCMP generally cannot easily arrest and extradite such offenders from their own soil. But that fear is unfounded because, for example, if a criminal lives in Russia and gets indicted by the U.S., that still has impact. Because if they leave Russia, they will set off alarms with INTERPOL. That’s how several hackers have already been caught – they go on vacation to a warmer country and get arrested.”

He adds, however, that most countries’ law enforcement agencies lack the resources to fully stay on top of cybercrime and suggests there is a societal and commercial dividend to decreasing the amount of cybercrime so more people can trust the internet and make full use of it. In other words, it is to the advantage of companies to work harder at collectively solving the problem since they themselves will benefit financially from consumers’ increased confidence in the system.

The Pressing Need for Situational Awareness

Most significantly perhaps, Stephen emphasizes the need for situational awareness for anyone who uses internet-connected devices, which is, of course, almost everyone. “Any internet-connected toy or camera becomes an attack vector,” he says. “We must fight the attitude of ‘I don’t put anything useful on it,’ because that’s not the point. An internet-connected device will actively look for useful things to do such as recording your voice even when you are not aware of it. This can lead to problems since Internet connectivity is two-way.”

As an example, he says, look at apps that ask permission to access your device’s camera. It asks permission, but it is up to the user to know how to say, “Yes it’s OK for this one event.” Most people simply say “yes” and then forget about what they have just done. “We need to make sure we only share the things we want to share,” he says, “and only with the people we choose to share with. That means understanding and adjusting our security settings, our privacy settings, and then refraining from connecting anything we don’t fully understand. Sadly, this takes work and effort, but right now that is part of the hidden cost of technology that we need to bear in order to gain its benefits safely and without unpleasant side effects.”

The Bad Guys Are Always Looking for the Next Easy Take

As a compelling closing takeaway, Stephen shares a current example of why Canadians – and others – should always remain vigilant. It was discovered recently that a bug within a certain brand of smartphone allowed thieves to steal a user’s cryptocurrency wallet number. NOTE: This lesson applies not just to the crypto enthusiast but to anyone who keeps account numbers (like banking, credit cards, and even loyalty cards) on their phone.

Since most people copy and paste long strings of account numbers and passwords, the bug had been instructed to read what had been copied to the phone’s clipboard, and in the case of the crypto theft, modify it to point the deposit to one of the thieves’ own accounts.

The point being, there will always be a constant level of deviousness and creativity in crime. Someone will always be looking to abuse it for money. To that end, readiness is not a goal for Canadians to attain, but a state of being that must be consistently maintained.

In case you want to know more right now, ESET offers free cybersecurity awareness training for companies and individuals. For information click here.

1. ESET Cybersecurity Barometer, 2018