As Covid-19 enveloped the world in early 2020, Royal Bank of Canada (RBC), one of the world’s top banks by market capitalization, joined organizations around the world in becoming a remote workplace. In less than a week, 85 percent of RBC’s global workforce – almost 86,000 employees – were reconfiguring dining rooms into home offices and brushing up on videoconferencing software. Simultaneously, the bank’s 17 million clients, some of whom had never used a digital platform, enrolled in online banking, switched to contactless payments and got comfortable e-signing personal documents.
Larger organizations with fortress-strength cyber security protocols and hundreds of cyber security employees can still be impacted by attacks on one of the thousands of vendors and partners in their supply chains.
RBC had been making steady strategic investments in digital transformation long before the global pandemic, but the goal posts shifted rapidly in a short time and catapulted the bank’s strategy forward about 24 months. In fact, RBC is now seeing about 55 million digital banking transactions in a typical month.
The world’s rapid embrace of digital was a massive shift in consumer behaviour born out of necessity when it was impossible to transact in person. But there’s reason to believe that many of those consumers who hadn’t used digital channels before will continue using them post-pandemic.
And all of this digital acceleration comes at a price, in the form of a significant increase in the scale and frequency of cyber threats. Globally, ransomware attacks increased by more than 400 percent in 2020 as millions of businesses and individuals shared more information online. And a high success rate and profit margins in the high nineties have emboldened cybercriminals to set their sights on bigger targets.
1. Ransomware as a Service – a cybercrime ecosystem
We tend to think of cyber threats in terms of specific threat categories, but an emerging concern is the rise of Ransomware as a Service (RaaS) providers. Ransomware is malicious software that locks all the files on your computer, preventing you from accessing them unless you pay a fee to have them released back to you. Much like how a new legitimate business category creates a network of accessory and satellite providers, Ransomware as a Service has cropped up to support ransomware. Aspiring cyber criminals can rent an attack infrastructure, borrow cloud access, and even call a 24/7 help desk if they need assistance launching an attack. This makes it easier for would-be criminals to enter the industry and the RAAS vendors get a percentage of any ransom paid in a successful attack.
A recent example is the 2021 Colonial Pipeline ransomware attack which U.S. government officials have attributed to the Darksite RAAS. In this attack on the largest refined oil pipeline in the U.S., the group successfully attacked the pipeline’s computer infrastructure system. And while the company was able to mitigate the impact, its system was down for several days causing massive disruption in the distribution of gasoline. Colonial Pipeline eventually paid a $4.4 million ransom ($5.3 million CAD) to restore service.
2. Exploiting cracks in the supply chain
Larger organizations with fortress-strength cyber security protocols and hundreds of cyber security employees can still be impacted by attacks on one of the thousands of vendors and partners in their supply chains. Ambitious cyber criminals know that large organizations constantly test and buttress their systems making them difficult to penetrate. So they set their sights on a smaller, more vulnerable organization that is connected to it in the hopes of finding an open door leading to the client organization somewhere in the infrastructure. Once they have successfully hacked the vendor, they can use it as a jumping-off point for a larger-scale attack.
In late 2019, for example, hackers breached the U.S. IT company SolarWinds and compromised a software product that was part of the supply chain of more than 30,000 large companies, as well as the federal government. This backdoor access gave the hackers access to sensitive data and the ability to “spy” on some larger companies they could not have reached otherwise.
3. Lack of cyber readiness is a constant threat
While most cyber threats come from external sources, general lack of preparedness is one of the largest cyber threats for any organization, regardless of size. This became apparent in the pandemic, as many brick-and-mortar businesses scrambled to move to online commerce and were not prepared for cybercriminals looking to exploit the situation.
A recent RBC survey on small business cyber readiness revealed that only 24 percent of small business owners in Canada feel ‘very’ knowledgeable in regard to cyber security threats. That number rises slightly to 27 percent among those who have experienced a previous cyber security incident. But when asked if they feel prepared for a potential cyber attack, only 16 percent said they feel very prepared.
Small and medium-sized businesses may not have deep pockets but they might be surprised to know that a few basic tools and protocols can successfully mitigate 99 percent of cyber attacks. All organizations should take time to inventory their meaningful information assets – such as intellectual property or a client base – and put adequate protection measures in place to protect them. Management should also discuss in advance how they will mobilize and maintain business continuity in the event of a cyber attack. RBC’s Be Cyber Aware Hub has tips and resources to assist small and medium businesses with cyber preparedness, including a Crisis Management Template which can help with preparing a plan.
Larger organizations that already have a cyber security infrastructure in place need to evolve and grow along with the emerging threats. Building a strong cyber workforce and leveraging insights-driven security capabilities like artificial intelligence and machine learning are key to ongoing success, and today’s cyber security professionals are well-served to add risk, compliance, regulatory, and privacy capabilities to their skillset.
Building a Cyber Ready Team
Regardless of size and scale, all companies should regularly educate their employees and clients on cyber awareness of new and continuing risks, and how they can help prevent, detect, and address digital threats. And it’s important to note that even the largest organizations can’t do it alone. It takes a village – of industry peers, government, law enforcement and academia to successfully fend off attacks.
RBC is proud founder and sponsor of the Rogers Cybersecure Catalyst at Toronto Metropolitan University (formerly Ryerson), a national centre for innovation and collaboration in cybersecurity. This is just one of many partnerships that helps foster collaboration and creates opportunities for discussions on cybersecurity.
Learn more about Tech @ RBC or check out our latest job opportunities here.
Feature image courtesy Unsplash.