Head of national centre for cybersecurity training and policy says smaller organizations and institutions, like Huron-Superior Catholic District School Board, are becoming more vulnerable to cybersecurity breaches
An expert at Toronto Metropolitan University’s national centre for cybersecurity training and innovation isn’t exactly shocked by the ransomware attack at Huron-Superior District School Board that crippled its communication systems and pushed ransom notes out of photocopiers at its board offices and several of its schools Dec. 15.
The English Catholic school board is back online, but has since warned employees that their personal information — including social insurance numbers and banking information — was breached in the attack using Royal, a relatively new form of ransomware, to hold school board systems hostage for a “modest royalty.”
So far, Huron-Superior Catholic District School Board has not disclosed whether or not it has paid its attackers a ransom, citing “security concerns.”
“It is absolutely not a surprise, and it’s really important that smaller communities recognize that they are vulnerable to cybersecurity attacks,” said Charles Finlay, founder and executive director of Rogers Cybersecure Catalyst in Brampton, Ont. “One of the dynamics here is that larger communities, larger public sector organizations, larger institutions often have more resources to put in place to protect themselves from cybersecurity attacks or to mitigate their risks.
“Ransomware attackers and cybersecurity attackers often target smaller organizations because they can be more vulnerable. So in some ways, I’m not surprised at all — in fact, it’s one of the key dynamics that we’re seeing, which is smaller communities, smaller public sector institutions, smaller school boards, smaller hospitals, smaller businesses are being impacted just as seriously, if not more seriously, than the larger entities.”
Finlay says the impacts can be severe for smaller entities, as hackers generally seek out “extremely large sums of money” from victims.
“It can be devastating and very difficult for smaller entities, smaller communities, to meet these demands,” he said.
The head of the university-led cybersecurity organization says there have been significant increases in ransomware attacks on critical infrastructure in “all aspects of our society and economy,” as the form of hacking has grown into a sophisticated, multibillion-dollar criminal enterprise run by well-funded gangs which are “often based in countries that provide them with essentially immunity from prosecution from western authorities” such as Russia, Iran and North Korea.
Ransomware attackers look for “vulnerability and leverage” in determining their targets, Finlay adds, and attackers essentially found the “perfect storm” during the COVID-19 pandemic.
“The pandemic opened new vulnerabilities — people were working remotely, [the] business process was interrupted,” he said. “People were working from home using insecure technologies. There was a general sense of anxiety and uncertainty, and all of this created opportunities for ransomware attackers to penetrate systems — and through that, to leverage ransom from impacted organizations.”
Finlay says all public and private sector organizations and firms of all sizes need to determine the level of risk and undertake a detailed risk assessment. After that, it’s a matter of investing in “people, processes and technologies” in order to mitigate the risk of falling prey to a cyberattack.
Part of that strategy, Finlay says, is to educate employees and create protocols around cybersecurity in the workplace.
“Employees need to be properly aware of how they can mitigate cybersecurity risks by not clicking on links that they don’t recognize and not answering emails that they’re uncertain about, having multi-factor authentication and having proper password protocols in place,” he said.
Huron-Superior Catholic District School Board says the hackers have deleted the stolen information, but will continue to investigate the impacts of the mid-December attack.