Ransomware’s a bigger threat — to business and beyond — than many understand

One of the most under-reported — and harmful — phenomena in Canada is ransomware attacks.

Recent high-profile ransomware attempts, the most common form of cyberattack, have obscured how pervasive the problem is, and how urgent the need to better guard against it.

It is estimated that in Canada this year there will be such an attack every 11 seconds. Most of them go unreported to law enforcement, and the problem will get worse if that continues.

A ransomware attack occurs when cybercriminals install malware in your computer network that encrypts your data so that you no longer have access to it. They then demand a ransom, usually payable in Bitcoin or another cryptocurrency, to “unlock” it.

Until recently, almost all ransomware victims in Canada were small and medium-sized businesses (SME). In fact, a 2019 survey of Canadian SMEs found that every one of them had faced a cyber threat, and 58 per cent reported that their data systems had been breached. (Some leading SME protections against ransomware appear near the end of this article.)

Three major shifts in ransomware activity are now underway.

First, cyber-thieves are raising their sights. They’re targeting bigger enterprises — in the public, private and non-profit sectors — and average ransom demands have skyrocketed, from an average of $5,000 in 2019 to the $82-million ransom paid in 2020 by attack victim United Health Services Inc., one of America’s largest hospital chains.

Second, ransomware attackers are no longer merely encrypting data, but stealing it as well. That way, if the victim refuses to pay the ransom, the attacker can threaten to sell your data on the black market or post it all over the internet.

That, in turn, opens the door to regulatory censure and class-action lawsuits against the victim over its failure to protect sensitive data on customers, suppliers, financial institutions and others with whom it does business. The victim’s data in the wrong hands is not only a problem for the victim, but for countless third parties whose own data, in the victim’s care, has also been compromised.

And third, information technology (IT) systems and operational technology (OT), once segregated, have…