A cybersecurity update for CPAs

By Michelle McRae
Sep 21, 2023
Photo credit: da-kuk/iStock/Getty Images

Staying informed about cybersecurity can be a daunting task for busy professionals, particularly as the threat landscape is continually expanding. But whether you’re a sole practitioner, the designated chief information security officer (CISO) for your organization, or the de facto CISO by virtue of your role in leadership, you need to stay current to mitigate risk.

While the increased digitization and expansion of remote capabilities catalyzed by the COVID-19 pandemic have created a new, more flexible way of working, they have also expanded the cyber threat landscape, exposing individuals and organizations to many new risks. And this landscape is only expected to get more complex as Canadians increase their use of online services, the systems that facilitate digital business become more connected, “off the shelf” tools for cybercrime become increasingly available, and artificial intelligence and other disruptive technologies create new vulnerabilities.

With this in mind, and recognizing that October is Cyber Security Awareness Month in Canada, here’s a look at some developments and trends identified by the Canadian Centre for Cyber Security, PwC, CrowdStrike (a cybersecurity technology company), and Gartner (an IT research and consulting firm). Additionally, you’ll find a Q&A with Alvin Madar, a partner in cybersecurity and privacy for PwC Canada below.

Canada’s three most targeted industries in 2022

In its 2023 Canadian Cyber Threat Intelligence Annual Report, PwC names the services sector as the most targeted sector in Canada in 2022, accounting for over 19% of all known cyberattacks across the country. The manufacturing sector came in second with almost 16%, followed by the public sector at just over 10%.1 Within the services sector, education was the primary target, with money as the primary motivator and ransomware the primary method.2

Interestingly, CrowdStrike notes in its 2023 Global Threat Report that academia was the sector most targeted by access brokers advertising their services in 2022.3 As the name implies, “access brokers” gain access to organizations and then provide or sell this access to others, and CrowdStrike says advertising for their services increased by 112% in 2022 compared to 2021.4

PwC found that financial gain was by far the primary motivation for cyberattacks in Canada in 2022 (at 67.08%), followed by espionage (23.48%), sociopolitical and geopolitical motivations (7.31%), hacktivism (1.98%), political advantage (0.07%), and insider threats (0.07%).5

Cyber threats

Ransomware

In its National Cyber Threat Assessment 2023-2024 report, the Canadian Centre for Cyber Security (CCCS) describes ransomware as “almost certainly the most disruptive form of cybercrime facing Canadians.” The CCCS warns that ransomware operators have created a sophisticated and thriving “cybercrime ecosystem” that enables them to move beyond encryption and data theft to more complex methods.6

These complex methods include distributed denial of service attacks, which increased by 60% in the first half of 2022, according to PwC. The firm says another surge happened in Q4.7

The increasing availability of ransomware-as-a-service (RaaS) schemes is a significant contributing factor to the problem, as these schemes are making it cheaper and easier for even unsophisticated threat actors to mount successful cyberattacks against organizations of any size.8,9 PwC warns that Canada’s manufacturing, services, construction, and information and technology sectors are increasingly being targeted.10

“Ransomware campaigns are expected to increase significantly in the coming years, as technology advances continue to make ransomware attacks a very inexpensive way for threat actors to target different organizations.”

— PwC Canada, Canadian Cyber Threat Intelligence Annual Report (8)

State-sponsored threats

The CCCS says state-sponsored cybercrime activity is an ongoing threat to Canadian individuals and organizations “whether they are the intended targets or not.” The organization identifies China, Russia, Iran, and North Korea as the nations whose cyber programs currently pose the greatest threats to Canada.11

The motivations for state-sponsored attacks range from business disruption to espionage to destabilization, with nations often using “zero-day” vulnerabilities (flaws unknown to the software vendor, for which no patch yet exists) in commonly used software platforms to maximize the reach and impact of their campaigns.12

Public trust is also a target of state-sponsored attacks, and the CCCS predicts that geopolitical interests will continue to drive misinformation and disinformation campaigns in Canada over the next two years, facilitated by machine learning, algorithms, and “synthetic content.”13 Critical infrastructure is another target, in part because the threat of widespread disruption increases the potential for larger ransom payouts.14,15

Although the CCCS believes that Canada’s critical infrastructure will likely be safe “in the absence of direct hostilities,” it warns that the increasing interconnectedness of operational technology (OT) and IT is making our critical infrastructure increasingly vulnerable, with the use of both OT- and IT-targeted malware on the rise.16

“As Canada adopts smart systems and becomes more digitally transformed, more sectors and services will become vulnerable to cyber threat activity. This includes espionage, fraud, extortion and sabotage.”

— CCCS, National Cyber Threat Assessment 2023-2024 (2)

Supply chain attacks

Critical infrastructure providers are particularly vulnerable to supply chain attacks because of their reliance “on their vendors and suppliers for expertise and equipment as they operate, maintain, and modernize their OT processes,” says the CCCS.17 The increased digitization of supply chains during the pandemic compounded the problem by exposing new vulnerabilities, and PwC reports that there was an “exponential surge in supply chain attacks” between 2022 and 2023.18

Simply put, supply chains are only as secure as their weakest links, and the more access a vendor or supplier has to the network, the greater the risk. The CCCS warns that this potentially problematic interconnectedness is increasing “as cloud-based software, infrastructure, and platform ‘as-a-service’ models proliferate.”19 Given this, and given the global nature of business, it’s unsurprising that PwC expects these supply chain attacks to continue.20

Many businesses also ramped up their migration to the cloud during the pandemic, and in doing so revealed what CrowdStrike calls “a tsunami of unknown exposed assets.” In fact, CrowdStrike says the number of observed cyberattacks targeting the cloud grew by 95% between 2021 and 2022, and “cases involving cloud-conscious actors nearly tripled.”21 

Similarly, PwC found that the number of attacks against cloud service providers and IT infrastructure companies increased in 2022.22 With businesses unlikely to abandon cloud services in the near future, cyberattacks targeted at cloud solutions are expected to continue.23

Disruptive technologies and social engineering

Email compromise attacks and phishing attacks also increased in 2022, both in number and complexity, according to PwC, which identified two main trends: the “TOAD” technique, or “telephone-oriented attack delivery,” in which a lure (typically an email) persuades the victim to call an attacker-controlled phone number, where they are talked into installing malware on their device; and “AiTM” or “adversary-in-the-middle” phishing sites, which proxy the real sign-in page, capture the password and the resulting session cookie, and thereby let the attacker take over the authenticated session and bypass multi-factor authentication.24 A practical caveat: one-time codes and push approvals can be relayed through such a proxy, so only phishing-resistant factors that bind the credential to the genuine site’s address (FIDO2 security keys and passkeys) defeat AiTM.
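
The following is an added illustration, not code from the article or from PwC, of why an AiTM proxy can relay a one-time code but not an origin-bound credential. It is a simplified model: an HMAC tag stands in for the WebAuthn signature, a shared credential key stands in for the public-key pair, and the two site names are constructed. The check that matters is the relying party comparing the origin written by the victim's browser against its own.

```python
"""Simplified model (added example): one-time codes relay through an
adversary-in-the-middle proxy, origin-bound assertions do not."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.test"         # constructed: genuine site
PHISH_ORIGIN = "https://login.example-phish.test"  # constructed: attacker's proxy


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the kind of code a victim can be tricked into typing."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RelyingParty:
    """The genuine service: holds the user's OTP seed and credential key."""

    def __init__(self, otp_seed: bytes, cred_key: bytes):
        self.otp_seed, self.cred_key = otp_seed, cred_key
        self.counter = 0
        self.pending = set()  # challenges issued but not yet answered

    def verify_otp(self, code: str) -> bool:
        ok = hmac.compare_digest(code, hotp(self.otp_seed, self.counter))
        if ok:
            self.counter += 1
        return ok

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify_assertion(self, assertion: dict) -> bool:
        data = json.loads(assertion["client_data"])
        if data.get("challenge") not in self.pending:
            return False  # replayed or unknown challenge
        if data.get("origin") != REAL_ORIGIN:
            return False  # origin binding: the proxy's domain is not ours
        expected = hmac.new(self.cred_key, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["tag"]):
            return False
        self.pending.discard(data["challenge"])
        return True


class UserDevice:
    """Victim's authenticator app plus browser. The browser, not the user,
    records the origin it is actually talking to in the signed client data."""

    def __init__(self, otp_seed: bytes, cred_key: bytes):
        self.otp_seed, self.cred_key = otp_seed, cred_key
        self.counter = 0

    def next_otp(self) -> str:
        code = hotp(self.otp_seed, self.counter)
        self.counter += 1
        return code

    def sign(self, challenge: str, browser_origin: str) -> dict:
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin},
                                 sort_keys=True)
        tag = hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "tag": tag}


def enrol():
    """Registration: both sides end up with the same OTP seed and credential key."""
    otp_seed, cred_key = secrets.token_bytes(20), secrets.token_bytes(32)
    return RelyingParty(otp_seed, cred_key), UserDevice(otp_seed, cred_key)


def aitm_relays_otp(rp: RelyingParty, dev: UserDevice) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it
    unchanged and receives the real session cookie. MFA is satisfied."""
    return rp.verify_otp(dev.next_otp())


def aitm_relays_assertion(rp: RelyingParty, dev: UserDevice) -> bool:
    """Proxy fetches a genuine challenge, but the victim's browser is on the
    phishing domain, so that origin is bound into the signed data."""
    return rp.verify_assertion(dev.sign(rp.new_challenge(), PHISH_ORIGIN))


def direct_assertion(rp: RelyingParty, dev: UserDevice) -> bool:
    """Legitimate sign-in from the real site succeeds."""
    return rp.verify_assertion(dev.sign(rp.new_challenge(), REAL_ORIGIN))


if __name__ == "__main__":
    rp, dev = enrol()
    print("OTP relayed through proxy accepted:", aitm_relays_otp(rp, dev))
    print("origin-bound assertion via proxy accepted:", aitm_relays_assertion(rp, dev))
    print("origin-bound assertion from real site accepted:", direct_assertion(rp, dev))
```

Running the script shows the first check succeeding and the second failing: the attacker obtains nothing usable from the origin-bound flow, because the signed client data names the phishing domain. Real WebAuthn additionally hashes the relying-party ID into the authenticator data and uses a public-key signature; the model above keeps only the origin check that defeats the proxy.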

CrowdStrike says the number of threat actors who conducted data theft and extortion campaigns without using ransomware increased by 20% in 2022,25 and it also found “an increase in social engineering using human interaction… to successfully download malware or circumvent multifactor authentication.”26 Social engineering, notes PwC, enables threat actors to gain access without using malware—making their efforts potentially harder to detect.27

According to the CCCS, threat actors have already found ways to manipulate machine learning and target cryptocurrencies. The CCCS cites quantum computing as another area of concern because of its potential to break modern cryptography and says devices powerful enough to do so could be available as early as the 2030s.28 The practical implication is that encrypted data captured by an adversary today could be decrypted once such a machine exists, which makes planning a migration to quantum-resistant cryptography a present concern rather than a future one.

PwC found that “there were rapid developments in AI-driven cyberattacks during 2022,”29 including through the use of OpenAI’s ChatGPT, and it warns that increased interest in tools like ChatGPT “raised awareness of the value of AI both for cyberattacks and cybersecurity.”30

As Gartner explains in Predicts 2023: Cybersecurity Industry Focuses on the Human Deal, publicly available tools such as ChatGPT and the “consumerization of AI-enabled fraud” are making it increasingly cheap and easy for even the most novice threat actors to create a “counterfeit reality” (e.g., deepfakes) that many organizations aren’t ready to combat. It predicts that many organizations will start to outsource their trust function by 2025 and notes that some are already using digital risk protection services that use “deep machine learning, computer vision and continuous reputation monitoring” to combat the threat of AI and disruptive technology.31

“As global enterprises make changes to thwart eCrime operators, adversaries will likely extend their reach using novel techniques such as increased social engineering and direct engagement with the victim, as seen in 2022.”

— CrowdStrike, 2023 Global Threat Report (32)

Looking forward

Recognizing the human factor

The overarching focus of Gartner’s report is a “human-centric” approach to cybersecurity design that factors in human behaviour and the user experience. It urges organizations to earmark some of their cybersecurity budget for “the human element,” noting that human—not machine—vulnerabilities are the entry points for most cyberattacks. In fact, Gartner predicts that “lack of talent or human failure will be responsible for over half of significant cyber incidents” by 2025. The company lists several reasons for this, including burnout and high turnover among cybersecurity teams, a lack of buy-in at the top, insufficient resources and training, and ineffective communication.32

“The best cybersecurity programs can’t protect an enterprise when human actors unintentionally or maliciously compromise the enterprise.”

— Gartner, Predicts 2023: Cybersecurity Industry Focuses on the Human Deal

The CCCS, too, emphasizes the importance of factoring human psychology and behaviour into cybersecurity strategies, saying: “Cyber threats and influence operations continue to succeed today because they exploit deeply rooted human behaviours and social patterns, not merely technological vulnerabilities. Defending Canada against cyber threats and related influence operations requires addressing both the technical and social elements of cyber threat activity.”33

Embedding cybersecurity in the culture

The goal of human-centric design, says Gartner, is to initiate “a virtuous cycle of risk-aware decision making between cybersecurity professionals, operators and developers of IT systems, and the business users driving requirements, as each team increases awareness and sensitivity to each other’s design considerations.”34 Leaders, too, need to be engaged in this virtuous cycle, and Gartner urges them to weave cybersecurity into the very fabric of organizational culture and ideology.

This philosophy echoes PwC’s recommendation that CEOs embed cybersecurity into their organization’s culture “by setting the tone at the top.”35 The firm advises that cybersecurity—or “cyber resilience”—must start in the C-suite.

This means learning not just about outside risks but also about risks from inside the organization. Notably, Gartner found that “90% of employees who admitted undertaking a range of unsecure actions during their work activities” knew they were compromising their organization’s cybersecurity. Their top reasons for doing so anyway? Speed and convenience and the belief that perceived benefits outweighed perceived risks.36

Clearly, leaders need to make sure they aren’t inadvertently incentivizing employees to cut cybersecurity corners. They also need to learn where the sticking points are for end users—which Gartner refers to collectively as “cybersecurity-induced friction.” In fact, the company predicts that “50% of large enterprise CISOs will have adopted human-centric security design practices to minimize cybersecurity-induced friction and maximize control adoption” by 2027.37

Gartner also stresses the need for a “focused insider risk management program” that factors in human behaviour.38 Similarly, PwC recommends prioritizing cyber risk management by implementing a proactive plan that includes crisis communications and continuous checks.39

Should “zero trust”—where implicit trust is removed and explicit trust is granted based on identity and context—be part of this program or plan? Perhaps. Gartner predicts that “over 60% of organizations will embrace zero trust as a starting place for security” by 2025. However, it also predicts that over 50% won’t realize the benefits of zero trust because they’ll neglect the human element, fail to get executive buy-in, and/or fail to communicate what zero trust really means.40

Accordingly, Gartner stresses the importance of explaining that zero trust is not a punitive concept, despite how it sounds: “Leaders should stress the philosophy is to trust to the amount needed and no more…. Your primary goal is to protect employees and the organization from any mistakes or oversights that might occur due to excessive trust…. Be prepared to explain not just the technical aspects but also how zero trust can provide a more resilient environment, allow for more flexible access and, importantly, enable new business approaches.”41
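
The following is an added illustration of the zero-trust idea described above, not code from the article, Gartner, or any vendor’s product. It contrasts a perimeter (“castle-and-moat”) decision, which trusts anything inside the corporate network, with a per-request decision that looks at authentication strength, device state, and how sensitive the requested resource is. The resource tiers, the policy rules, and the sample requests are all constructed for the example.

```python
"""Added example: perimeter trust versus per-request (zero-trust) evaluation.
Policy, resource tiers and requests are constructed, not from any product."""
from dataclasses import dataclass

# constructed sensitivity tiers: 1 = low, 2 = internal, 3 = highly sensitive
RESOURCE_TIER = {"intranet-wiki": 1, "client-files": 2, "payroll": 3}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa: str                # "none", "otp" or "phishing_resistant"
    device_managed: bool    # enrolled in the organization's device management
    device_compliant: bool  # patched, disk encrypted, endpoint agent running
    network: str            # "corporate" or "internet"
    resource: str


def perimeter_decision(req: AccessRequest) -> bool:
    """Castle-and-moat: anything inside the corporate network is trusted."""
    return req.network == "corporate"


def zero_trust_decision(req: AccessRequest):
    """Every request is evaluated on its own merits; network location is not
    a factor. Returns (allowed, reason) so the reason can be logged and
    explained to the user, which is the communication point Gartner raises."""
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return False, "unknown resource: default deny"
    if req.mfa == "none":
        return False, "multi-factor authentication required"
    if tier >= 2 and not req.device_managed:
        return False, "managed device required for internal data"
    if tier >= 2 and not req.device_compliant:
        return False, "device out of compliance: access paused until remediated"
    if tier >= 3 and req.mfa != "phishing_resistant":
        return False, "phishing-resistant MFA required for highly sensitive data"
    return True, "allowed: trust granted only to the amount needed"


def compare(requests):
    """Run both models side by side.
    Each row is (request, perimeter_allows, zero_trust_allows, reason)."""
    return [(r, perimeter_decision(r), *zero_trust_decision(r)) for r in requests]


# constructed sample requests
SAMPLE_REQUESTS = [
    # contractor plugged into an office network port on an unmanaged laptop
    AccessRequest("contractor", "otp", False, False, "corporate", "payroll"),
    # finance lead working from home on a compliant, managed laptop
    AccessRequest("finance-lead", "phishing_resistant", True, True, "internet", "payroll"),
    # same person, but the laptop has fallen out of compliance
    AccessRequest("finance-lead", "phishing_resistant", True, False, "internet", "client-files"),
    # new hire with basic MFA reading the low-sensitivity wiki from home
    AccessRequest("new-hire", "otp", False, True, "internet", "intranet-wiki"),
]

if __name__ == "__main__":
    for req, perimeter_ok, zt_ok, reason in compare(SAMPLE_REQUESTS):
        print(f"{req.user:13} {req.resource:14} perimeter={perimeter_ok!s:5} "
              f"zero_trust={zt_ok!s:5} ({reason})")
```

The first row is the point: the perimeter model lets an unmanaged contractor laptop reach payroll simply because it is on the office network, while the per-request model denies it and says why. The third row shows the flip side that the “human element” discussion warns about: access is withdrawn when a device drifts out of compliance, so users need to be told what happened and how to fix it, or the control reads as punitive.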

A call to action

Amid all the acronyms and unknowns, the encouraging news is that there are still measures we can take to protect ourselves. As Sami Khoury, head of the CCCS, says, “the vast majority of cyber incidents can be prevented by basic cyber security measures.”42 The challenge will be keeping pace with cyber threat actors as they continue to adapt their methods and exploit new technologies.

Key terms

Distributed Denial-of-Service attack: An attack in which many compromised systems (often a “botnet”) flood a single target with traffic or requests. The flood exhausts the target’s bandwidth, connections, or processing capacity so that it can no longer respond to legitimate users.

Malware: Malicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware.

Ransomware: A type of malware that denies a user’s access to a system or data until a sum of money is paid.

Quantum computing: A quantum computer works with quantum bits (qubits) that can exist in “superpositions” of one and zero, rather than only the ones and zeros of a classical computer, which lets certain algorithms explore many possibilities at once. Some problems that are impractical for classical computers could be solved efficiently by a sufficiently large quantum computer; for cryptography, the important ones are integer factoring and discrete logarithms, the problems on which RSA and elliptic-curve public-key cryptography rest.

Social engineering: The practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or internet to trick people into revealing sensitive information. For example, phishing is a type of social engineering.

Zero trust: The philosophy of zero trust, according to Gartner, is “to trust to the amount needed and no more.”

Source: Canadian Centre for Cyber Security

A Q&A with Alvin Madar, Partner, Cybersecurity and Privacy, PwC Canada

In its 2023 Canadian Cyber Threat Intelligence Annual Report, PwC Canada identifies five cyber threats to watch for*:

  1. Artificial intelligence (AI) and its ability to reshape the cyber threat landscape;
  2. The increasing sophistication of ransomware operators;
  3. Data breaches—particularly third-party breaches;
  4. Geopolitical tensions driving additional cyber threat activity; and
  5. More threats focused on industrial smart devices and operational technology.

CPABC in Focus reached out to cybersecurity expert Alvin Madar, one of the report’s authors, to gain more insight on the evolving threat landscape.

Will cybersecurity be able to keep up with AI? Or will the risks of AI outweigh the rewards?

Bad actors are definitely using AI to help launch their attacks. But in return, many cyber tools are leveraging AI to help with faster and more accurate detection and response. It will be a continuous game of cat and mouse.

Even though AI does have risks, organizations will have to leverage AI in their cyber arsenals to keep up with perpetrators. At the same time, they will also have to manage the risk of using AI by publishing AI usage standards and incorporating these standards into their organizational policies.

When it comes to ransomware, what is the most threatening development you’ve observed?

A more recent development such as triple extortion is certainly adding complexity to the use of ransomware. For those who are not familiar with the concept, a triple-extortion attack is when a malicious actor accesses data from an initial target and then seeks ransom not only from this target but also from anyone who would be affected by the disclosure of the accessed data.

Another potentially threatening development in ransomware is how initial phishing attempts are created—with the advancements of large language models, it’s getting a lot easier and quicker for attackers to create sophisticated spear phishing emails.* The possibility of ransomware attacks being made through the use of deep fakes is also a newer potential threat.

Emerging threats like these are why it’s so important for organizations to not only have security education programs, but also keep these programs current.

With third-party data breaches on the rise, what can organizations do to find—and fix—their weakest links?

Organizations will need to ensure that cybersecurity standards are embedded into the framework of their third-party risk management program. Before engaging a third party, organizations should conduct a third-party cybersecurity assessment. Third parties should also be monitored on a regular basis. This can be done through processes, tools, or services.

Additionally, organizations should make sure that the third parties they’re engaging with also have robust third-party risk management programs that take cybersecurity into account. Of course, all of this should be done using a risk-based approach that enables organizations to balance costs versus risks.

What trends should every professional be aware of, regardless of their role?

Everyone, including non-cyber professionals, should be aware of how perpetrators try to trick people into clicking on malicious links and of the impact of such actions. This is why security awareness training is so important and should be a high priority for all organizations.

What about professionals whose roles include oversight of cybersecurity or technology?

Cybersecurity and technology are both changing so quickly. It’s important for every cybersecurity professional to stay up to speed with the latest breaches and attacks that are happening in the industry. They must read the news, listen to cyber podcasts, get on cyber forums, and/or subscribe to threat intelligence feeds.

In addition, fundamentals will always be important, so every cyber professional should understand the foundational elements that are required for an organization’s cybersecurity program to be effective. Cybersecurity professionals also need to understand the cybersecurity frameworks that their organizations have adopted. That way, every member of the cyber team will be able to focus their efforts accordingly.

How can small businesses protect themselves against an ever-evolving cybercrime ecosystem?

All organizations, especially small businesses, should adopt a risk-based approach when it comes to cybersecurity—all organizations need to understand their risk landscapes so they can figure out where to focus their cybersecurity efforts. Once the high-risk areas have been identified, organizations should focus on implementing the proper controls.

At the end of the day, though, no cybersecurity program is 100% secure. Therefore, organizations should determine their risk tolerance and invest in cybersecurity accordingly.

Gartner predicts that “over 60% of organizations will embrace zero trust as a starting place for security by 2025.”* Do you agree?

Zero trust is currently a big buzzword in the industry, and it’s gaining momentum as a concept. I think it’s definitely the way to go, as organizations are moving away from traditional security perimeters and accelerating their cloud adoption journey.

Gartner also predicts that most of these same organizations will fail to realize the benefits. Thoughts?

One of the reasons for this prediction is that there’s a general lack of understanding about what “zero trust” means. There are lots of products that market themselves as zero trust tools, for example, and many people assume that just by purchasing and implementing those tools, they will realize the benefits. But that’s not how zero trust works. Zero trust is a concept and an approach, so there’s no single silver bullet that will get an organization to zero trust.

Again, this is why security awareness training is so important.

*  PwC, Canadian Cyber Threat Intelligence Annual Report (58-64).


Michelle McRae is the managing editor of CPABC in Focus. She thanks Anthony Green, CPABC’s manager of IT security operations and compliance, for his assistance with this Q&A. This article was originally published in the September/October 2023 issue of CPABC in Focus.

Footnotes

1 PwC Canada, Canadian Cyber Threat Intelligence Annual Report (41).

2 Ibid (42).

3 CrowdStrike, 2023 Global Threat Report (9).

4 Ibid (5).

5 PwC (28).

6 Canadian Centre for Cyber Security, National Cyber Threat Assessment 2023-2024 (iv, 3, 8).

7 PwC (23).

8 Ibid (6).

9 CCCS (7).

10 PwC (2).

11 CCCS (12).

12 Ibid (iv, 13).

13 Ibid (iv, 16-17).

14 Ibid (iv, 9).

15 PwC (9).

16 CCCS (9-10).

17 Ibid (10).

18 PwC (15).

19 CCCS (3).

20 PwC (17).

21 CrowdStrike (14).

22 PwC (44).

23 Ibid (22); CrowdStrike (16).

24 PwC (18-19).

25 CrowdStrike (12).

26 Ibid (5).

27 PwC (34).

28 CCCS (21).

29 PwC (58).

30 Ibid (44).

31 Gartner: Deepti Gopal, Leigh McMullen, Andrew Walls, Richard Addiscott, Paul Furtado, Craig Porter, Oscar Isaka, and Charlie Winckless, Predicts 2023: Cybersecurity Industry Focuses on the Human Deal, January 25, 2023.

32 Ibid.

33 CCCS (22).

34 Gartner.

35 PwC (66).

36 Gartner.

37 Ibid.

38 Ibid.

39 PwC (66-67, 71).

40 Gartner.

41 Ibid.

42 CCCS (iii).
