
STUDY OF THE IMPACT OF CYBER CRIME ON BUSINESSES IN CANADA

Introduction

The International Cyber Security Protection Alliance (ICSPA) www.icspa.org, has conducted a study on the impact of cyber crime on businesses in Canada.

The ICSPA is a global not-for-profit organization established to channel funding, expertise and assistance directly to assist enforcement cyber crime units in both domestic and international markets.

The ICSPA is a business-led organization comprising large national and multi-national companies who recognize the need to provide additional resourcing and support to law enforcement officers around the world, in their fight against cybercrime. The ICSPA is also supported by law enforcement partners, such as the Europol, and associated international organizations whose remit is complementary to our own.

The study was sponsored by the following ICSPA Canadian business associates:

• Above Security.
• BlackBerry.
• CGI Group Inc.
• Lockheed Martin.
• McAfee Inc.

The purpose of the study is to provide business leaders and government officials with independent and credible data relating to the impact of cyber crime on businesses in Canada.

The study is one of a series of studies planned by the ICSPA that will form a view of cyber crime in different parts of the world.

The study comprises a survey of businesses in Canada and includes commentary from the sponsors providing their perspectives on cyber criminality. The survey was conducted across 520 small, medium and large Canadian businesses in the Finance, Airline/Shipping, Telecommunications, Utilities, Aerospace & Defense and Retail sectors.

Each business was asked a series of questions to establish the:

• Prevalence of cyber crime.
• Cyber crime impact on their .
• Organizational preparedness against cyber crime.
• Involvement/Effectiveness/Expectations of the RCMP and/or other Government Agencies in relation to cyber crime.
• Awareness of the RCMP and Public Safety Canada’s roles in cyber crime education and prevention.

To complement the survey and provide independent views of cyber crime from leading Canadian businesses, sponsors of the study were asked to provide papers covering the following:

• The nature of cybercrime in Canada today including threats and their impact on Industry and Business.
• New and emerging cybercrime threats that may impact Canada over the next 5 years and those sectors most at risk.
• Effective deterrents, responses and practices in fighting cybercrime.
• Global cybercrime threats and the potential impact on Canada.
• Measures needed to combat cybercrime in Canada.

This study report consists of:

• Introduction.
• Executive Summary.
• Survey Report.
• Sponsors Contributions.
• Conclusions.

Executive Summary

The following provides a brief overview of the ICSPA Cyber Crime Study and includes the survey findings and views of sponsors on cyber crime trends. The study provides the opportunity for the reader to review both the survey findings and the sponsor contributions, so that they may form their own conclusions as to the impact of cyber crime on business in Canada and the rest of the world. The study reinforces the need for close collaboration between the public and private sector in fighting cyber crime through the pooling of knowledge and resources.

Survey Report

The survey report shows that cyber crime is fairly prevalent among Canadian businesses, with 69% reporting some kind of attack within a twelve-month period. The types and frequency of attack vary depending on the nature and size of businesses and are crafted to the crime being perpetrated.

Malware and virus attacks are shown to be the most prevalent with phishing and social engineering coming second. Certain cyber crimes, while impacting fewer organizations, occur frequently among them. These include:

• Unauthorized access or misuse of corporate websites.
• Misuse of social networks.
• Telecommunication fraud.

About a quarter (26%) of those interviewed say that attacks had a considerable impact on their business both in terms of financial loss and reputational damage with financial fraud being the biggest threat. The total cost of cyber crime increases with revenues, which is reflected in the survey findings between Large, Medium and Small businesses. The majority of respondents (64%) say that senior management takes cyber crime threats seriously. However, there are considerable gaps in Canadian businesses’ preparedness against cyber crime. Large businesses are somewhat better prepared than medium and small ones, but still much remains to be done to prevent and deal with such attacks.

The help of external agencies to assist with cyber crime incidents is reported by 44% of affected organizations, with private agencies far more likely to be engaged than those from government. This preference of private versus government involvement appears common to all businesses irrespective of size and type. Overall, few organizations (11%) ever involved the RCMP or other government agencies in relation to cyber crime and the survey shows the need for greater awareness and information to business from Government bodies.

Sponsors Contributions

Emphasizes the changes to information storage and the trend to use cloud services. They describe various threats, especially DOS and DDOS attacks and their effects. They also promote awareness and education as a key tool in the fight against cyber crime and identify the need for governments to strengthen legal and regulatory systems to address cyber crime. They also promote improved business/government collaboration.

Highlights the growing security risks to mobile users and the shift from social engineering of computer to the distribution of third party app based malware via provider app stores. They also demonstrate the need for collaboration between communications providers and cyber security companies to provide a safe and trusted environment for users.

Explains how Advanced Persistent Threats (APTs) pose a major risk to the Canadian economy through the theft of intellectual property. They describe the intelligence-driven approach they have taken to provide their analysts with the necessary information to combat the threat, through the disruption of the Cyber Kill Chain. Lockheed Martin advocates public and private sector collaboration and the sharing of information on threats and mitigation techniques.

Provides an insight into the current Canadian cyber crime landscape and the wider global threats that impact everyone. They give an insight into new and emerging cyber crime threats that will be prevalent in 2013 with an emphasis on mobile communications and the increase in malware, mobile worms and the targeting of Near Field Communications (NFC) transactions. Their contribution provides a seven point good practice list to safeguard against cyber crime attacks.

Survey Report

Table of contents

I. Objectives and Methodology
II. Executive Summary
  A. Scope of cyber crime in Canada
  B. Cyber crime and corporate responsibilities
  C. Involvement of external agencies
  D. Public Safety Canada’s / the RCMP’s roles in raising awareness of cyber crime
III. Conclusions and Recommendations
IV. Detailed Findings
  A. Security-related responsibilities
  B. IT budget allocation toward cyber crime prevention
  C. Appropriateness of current spending on IT security/What it should be
  D. Main cyber crime threats (as perceived by businesses)
  E. Incidence of cyber crime in the past 12 months
  F. Types of cyber crime attacks and their impact on businesses
  G. Financial costs / losses due to cyber crime
  H. Reputation damage as a result of cyber crime attacks
  I. Internal versus external cyber attacks
  J. Cyber crime impact on various organizational aspects
  K. Attitudes toward cyber crime incidents
  L. Steps employed to raise awareness of cyber crime
  M. Employment of risk assessment process
  N. Incidence and frequency of security
  O. Incidence of formal procedures to deal with cyber crime incidents
  P. Individuals responsible for dealing with cyber crime attacks
  Q. Familiarity with cyber crime security strategy
  R. Involvement of external agencies
  S. Involvement / Effectiveness / Expectations of the RCMP and / or other Government agencies in relation to cyber crime
  T. Awareness of Public Safety Canada’s/RCMP’s roles in raising awareness of cyber crime/ Sources of awareness

I. Objectives and Methodology

• The International Cyber Security Protection Alliance Ltd. conducted a quantitative study among Canadian businesses to measure the following characteristics:
  - Prevalence of cyber crime.
  - Cyber crime impact on organizations.
  - Organizational preparedness against cyber crime.
  - Involvement/Effectiveness/Expectations of the RCMP and/or other Government Agencies in relation to cyber crime.
  - Awareness of the RCMP and Public Safety Canada’s roles in cyber crime education and prevention.

• A total of 520 telephone surveys were obtained from businesses across Canada, and these included a set of 10 interviews conducted by senior research staff.
  - 400 surveys in English.
  - 120 surveys in French.

• No quota by industry and business size (revenues) was set, but a reasonable spread, representative of selected industries and revenues was achieved.

• The study covered the following 6 sectors and completes per sector:

| Industry | Number of completes |
|---|---|
| Financial services (in the report referred to as Financial) | n=148 |
| Airlines, shipping, transportation (Airlines/Shipping) | n=75 |
| Telecommunications Technology (Telecom) | n=73 |
| Utilities and critical infrastructure (Utilities) | n=66 |
| Aerospace and Defense (Aerospace/Defence) | n=29 |
| Retail | n=129 |

• A representative spread of businesses by revenue size was also reached:

| Revenue size | Number of completes |
|---|---|
| Under $1 Million | n=22 |
| $1 Million to under $5 Million | n=229 |
| $5 Million to under $10 Million | n=90 |
| $10 Million to under $20 Million | n=61 |
| $20 Million to under $50 Million | n=54 |
| $50 Million to under $100 Million | n=27 |
| $100 Million or more | n=37 |

• For the purposes of more meaningful analysis, the revenue sizes were combined into, and examined as, three segments:

| Revenue size | Number of completes |
|---|---|
| Small: revenues under $10 Million | n=341 |
| Medium: revenues of $10 Million to under $50 Million | n=115 |
| Large: revenues of $50 Million or more | n=64 |

• Overall, the results are accurate ±4.38% nineteen times out of twenty.

• The survey was conducted between November 15 and December 15, 2012.

• A note on differences in responses by industry and business size identified throughout the report:

• Because the sample sizes within each industry and business size are relatively small, differences of at least 9 percentage points between a particular sub-segment and the total sample responses are needed to be deemed statistically significant. The table below specifies what constitutes a statistically significant difference between each segment and the overall results. For results between small sub-segments to be statistically significant, the differences would have to be even larger than the ones indicated in the table below. All other differences should be viewed as directional.

| Industry | Number of completes | Difference from total (n=520) that is statistically significant |
|---|---|---|
| Financial | n=148 | 9 points |
| Airlines/Shipping | n=75 | 12 points |
| Telecom | n=73 | 12 points |
| Utilities | n=66 | 12 points |
| Aerospace/Defense | n=29 | 19 points |
| Retail | n=129 | 9 points |

| Revenue size | Number of completes | Difference from total (n=520) that is statistically significant |
|---|---|---|
| Small: revenues under $10 Million | n=341 | 6 points |
| Medium: revenues of $10 Million to under $50 Million | n=115 | 10 points |
| Large: revenues of $50 Million or more | n=64 | 12 points |

II. Executive Summary

A. Scope of cyber crime in Canada

• Overall, cyber crime is fairly prevalent among Canadian businesses, with 69% reporting some kind of attack within a twelve-month period. A total of 5,866 attacks were reported or 16.5 attacks per affected business.

• However, for the most part, each form of cyber crime does not have high incidence among businesses, with malware/virus attacks being an exception as they occurred among 51% of businesses (6.6 attacks per business). Phishing and social engineering attacks are a distant second, at 18%. Although reported by a relatively low number of organizations, the frequency of phishing/social engineering attacks within these organizations is very high (17.2 attacks). All other forms of attacks are reported among 15% or fewer organizations, however, it is noteworthy that certain cyber crimes, while impacting fewer organizations, occur frequently among them. These include:
  - Unauthorized access or misuse of corporate websites (13% affected, 11 attacks per organization).
  - Misuse of social networks (15% affected, 8 attacks).
  - Telecommunication fraud (8% affected, 9 attacks).

• Cyber crimes do not result in far-reaching negative consequences to organizations. Among those affected, only about a quarter (26%) say the attacks had a considerable impact (severity of 7 to 10 on a 10 point scale) on their business. They also do not significantly affect organizational reputation. On average, only 17% of cyber attacks cause between some (13%) to significant (5%) reputational damage.

• Cyber crime attacks conducted over the past 12 months resulted in total financial losses of approximately $5,328,916, or $14,844 per affected organization, on average.
  - Of this sum, financial fraud accounts for the largest portion (36%, $1,892,683, or $6,438 per attack).
  - Theft of devices containing company information is a distant second source of costs (16%, or $849,499, $4,007 per attack).
  - Because of high incidence among businesses, malware and virus attacks represent the third highest cost overall, at $771,937, but the average loss per incident is relatively low, at $454.
  - Sabotage of data and networks is 4th in terms of incurred costs, with $583,298 in losses, but the average cost per incident is 2nd highest, $5,952.
  - Total cost due to cyber crime attacks increases with revenues: on average, an incident costs large organizations $1,181, compared to $991 in medium, and $741 in small ones.

• Cyber crime attacks tend to be viewed as originating outside rather than within the organizations.
  - Over half (56%) of affected businesses say that more than 60% of incidents were external and 41% believe that 100% were external.
  - Only 21% of respondents believe that over 60% of incidents were internal, and fewer (12%) believe that 100% of incidents are attributed to internal attacks.

1 The average number of attacks (for malware and all other cyber crime types covered by the survey), was calculated by dividing the total number of reported incidents by total number of organizations that experienced them (this calculation excluded organizations that were not affected).

B. Cyber crime and corporate responsibilities

• Although a majority of respondents (64%) say that senior management takes cyber crime threats seriously, there are considerable gaps in Canadian businesses’ preparedness against cyber crime. Large businesses are somewhat better prepared than medium and small ones, but still much remains to be done to prevent and deal with such attacks.
  - A majority (64%) employs just one or two ways to raise awareness of cyber crime in organizations, mostly through emails (59%) and corporate guidelines/manuals (54%). Nearly one-in-five (19%) organizations do nothing to raise awareness of cyber crime, and this is more frequent among small organizations than medium and large ones.
  - Risk assessment processes are not common among surveyed businesses; only 22% employ them, and 77% do not. This behaviour holds across industries. Likelihood of employing such processes increases with revenues.
  - Few organizations (6%) report accreditation of IT security standards, and this percentage is equally low across industries and revenue levels.
  - Of those without accreditation, just over half (56%) say they carry out regular security audits. Regular audits also increase with revenues.
  - Most organizations (69%) do not have formal procedures in place to follow in the event of a cyber crime; only 28% do. Again, such procedures are more common in large businesses than in medium or small ones.
  - Similarly, only about a third (28%) has a trained crisis management team, and it is somewhat higher only among organizations with the largest revenues ($100 million or more), at 41%. Typically, senior management and senior/key IT security personnel (e.g., head of IT, CIO, IT director) would deal with any type of cyber crime incident. The same individuals would most likely make a decision to involve external agencies in the case of cyber crime attacks.
  - Canadian businesses have minimal awareness of the 2010 Cyber crime security strategy (7%).

C. Involvement of external agencies

• Involvement of external agencies in relation to cyber crime is reported by 44% of affected organizations, with private agencies far more likely to be engaged than government ones (63% and 21% respectively).

• In general, this preference of private versus government involvement appears to hold among all businesses: A fourth (39%) of all surveyed businesses say they would first engage a private organization and 29% would first reach to a government agency.
  - However, when asked to specify which organizations these would be, some confusion exists among businesses as to which external agencies they would be likely to contact in the event of a cyber crime attack.
  - A plurality (46%) would not know who to contact, but other more often cited top-of-mind mentions include government, not private organizations: 23% mentioned the RCMP, 20% police, and only 8% mentioned other (private) organizations.

• Overall, few organizations (11%) ever involved the RCMP or other government agencies in relation to cyber crime, and of those, two thirds (62%) felt that the organizations effectively handled the situation, while 30% were dissatisfied.

D. Public Safety Canada’s/the RCMP’s roles in raising awareness of cyber crime

• Awareness of cyber crime prevention campaigns is low, at 12% (comparatively higher among large businesses, at 19%).

• Overall, 39% of businesses are aware that at least one of the two organizations has a role in combating cyber crime, and a majority (67%) of those aware view this responsibility as relevant.

• Organizations expect the RCMP and other government agencies to primarily build awareness of cyber crime and its prevention (45%), with active prevention, investigation and prosecution at a distant second (17%).

• Media (TV, news, newspapers, internet) should be the key element in the awareness building strategy, given that it is the main driver of awareness (76%), with all other methods trailing behind (under 10% each).
  - But businesses indicate that a range of other means of educating/promotion would also be effective in raising awareness of cyber crime, with events/media coverage (69%), internet presence (62%) and publications (61%) being the top three suggestions.

III. Conclusions and Recommendations

• There are multiple gaps in cyber crime preparedness among Canadian businesses, from a lack of trained personnel to a lack of strategies and procedures that could mitigate such attacks.

• Two factors could be responsible for this situation:
  - The damage (financial or reputational) caused by cyber attacks has not been significant enough to merit shifts in attitudes and behaviour, and/or,
  - Organizations do not have enough awareness and knowledge of what strategies they should be implementing to minimize their vulnerability against such attacks.

• There is a widespread need for information and education on the subject, and Public Safety Canada and the RCMP are the appropriate organizations to fulfill this need by serving as the main sources of awareness, knowledge, and support in building awareness of cyber crime. Businesses expect these two organizations to be more visible in fulfilling these roles.

• Mainstream media appears to be an effective choice for initial awareness building; however, communication outreach to businesses should go beyond mass media, reaching them with more targeted publications and messages.

IV. Detailed Findings

A. Security-related responsibilities

• In many surveyed organizations the individuals responsible for IT security also cover a range of other roles - 74% have three or more responsibilities.

• Generally a similar pattern holds across industries and revenue sizes.

Table 1: Which of the following aspects of security are you responsible for within your organization?

| Aspect of security | % |
|---|---|
| IT related security | 79 |
| Risk assessment | 69 |
| Business continuity and resilience | 67 |
| Development of security policy | 67 |
| Physical security of personnel & property | 61 |
| Other aspects of security | 39 |
| Don’t know/refused | 4 |

B. IT budget allocation toward cyber crime prevention

• Across industries and business sizes, a majority of organizations (51%) allocate 1-5% of their IT budget to cyber crime prevention.
  - About 6% don’t apportion any amount to cyber crime prevention, 8% allocate 6%-25%, 2% apportion over 25% and a third (32%) does not know if anything is allocated for this purpose, or how much.
  - These proportions generally hold across industries and business sizes, although small businesses are slightly more likely than large and medium size businesses not to allocate any of their IT budget to cyber crime prevention (9% vs. 2% and 3% respectively).

C. Appropriateness of current spending on IT security/What it should be

• A majority of respondents (78%) find the budget allocation sufficient, and 12% disagree.
  - The response pattern is the same across all industries.
  - The only significant difference in views is among large businesses, as 28% believe that the budget allocated to cyber crime prevention is insufficient.
  - Among those who feel the allocation is inappropriate, opinions are split: 45% say it should be 5% or less, 25% believe it should be over 5%, and 29% do not know what it should be.
  - The small base size (n=42) doesn’t allow for further reliable breakdown, but there does not appear to be any underlying pattern.

Table 2/3: Do you believe this is sufficient to mitigate the threat of Cyber Crime and if not what should the percentage be? N=353

| Is it sufficient? (N=353) | % |
|---|---|
| Yes | 78 |
| No | 12 |
| Don’t know/Refused | 10 |

| What percentage should it be? (N=42) | % |
|---|---|
| 20% or more | 11 |
| 6-10% | 14 |
| 5% | 26 |
| Under 5% | 19 |
| Don’t know/Refused | 29 |

D. Main cyber crime threats (as perceived by businesses)

• Malware and virus attacks are by far the highest concern among Canadian businesses (75%), regardless of size and industry.

• Sabotage of data network is more pronounced in the Utilities (59%), Aerospace/Defense (55%), and the Financial sector (51%), than in Retail (36%) or Airlines/Shipping (43%).

Table 4: Which of the following represent the greatest Cyber Crime threats for your organization?

| Threat | % |
|---|---|
| Malware, such as Trojans, worms and virus attacks | 75 |
| Sabotage of data or networks | 47 |
| Financial fraud | 45 |
| Phishing, spear phishing, social engineering | 42 |
| Theft of laptop(s)... devices with company info | 40 |
| Unauthorized access or misuse of website | 38 |
| Misuse of social networks by employees | 34 |
| Denial of service | 30 |
| Telecommunications fraud | 29 |
| Theft of other hardware | 25 |
| Advanced Persistent Threats (APTs) | 22 |

• Concerns with financial fraud are more visible in the Retail (52%) and Financial industries (50% each) than in the Utilities (35%) or Aerospace/Defense (28%) sectors.

• As revenues increase, concerns about nearly every form of cyber crime go up, especially for large businesses, e.g. phishing/social engineering (61% vs. 42% overall), theft of devices with company info (55% vs. 40% overall), denial of service (47% vs. 30%), or Advanced Persistent Threats (36% vs. 22% overall).

E. Incidence of cyber crime in the past 12 months

• Nearly seven-in-ten organizations (69%) experienced some type of cyber attack over a 12 month period. Overall, 520 surveyed businesses reported a total of 5,866 cyber crime incidents, or on average 16.4 attacks per affected organization.

• The average number of attacks is higher in the Financial and Retail sectors (20 and 18 respectively), and lowest in Aerospace/Defense, at 11 attacks (details in Table 7a overleaf).

Table 5: Approximately how many times have any of the incidents I just read occurred in your organization in the last 12 months?

[Bar chart: percentage of organizations by number of incidents (None, 1 to 2, 3 to 5, 6 to 10, Over 10). Mean number of attacks: 16.4]

• The proportion of attacks is higher between medium and large organizations (22-23 attacks compared to 13 in small businesses).

• As Table 6 below shows, malware and virus attacks are the most common form of cyber crime. Over a 12 month period, half (51%) of organizations experienced them. This pattern holds across industries and business sizes.
  - Respondents reported 1,701 malware and virus attacks. This represents 6.6 attacks per affected business.
  - Medium and large businesses reported the highest average number of such attacks, at 11 and 9, compared to 5 attacks among small businesses. Across industries, the Financial and Telecom sectors reported the highest number of such attacks, at 8 each.
  - Phishing, Spear Phishing and Social Engineering are the second most frequently experienced types of cyber crime attacks, although among considerably fewer organizations than malware.

• Over a 12 month period, fewer than one-in-five (18%) of organizations experienced them, but they reported 1,478 such incidents, or 17.2 attacks per organization, making it the most persistent form of all measured cyber crimes.
  - Medium and small businesses were more likely to be targeted, each reporting 18 attacks on average, compared to 13 among large businesses. Across industries, the Airlines/Shipping and Financial sectors had the highest average number of such attacks, at 28 and 24 respectively.

• Other noteworthy differences by industries and business sizes include:
  - Unauthorized access or misuse of corporate websites – experienced only by 13% of organizations, but those few report a large number of such incidents: 745, or 11 per organization, on average. This form of attack is most prevalent in Retail, with 25 incidents on average, followed by the Financial industry, at 14 attacks. It is also more frequent among medium and large businesses, at 17 and 18 attacks respectively, compared to 6 in small organizations.
  - Financial fraud (at 14% incidence, 294 incidents) is more common in the Retail industry, at 7 attacks, with Telecom a distant second at 4 attacks. It is more prevalent among large businesses, at 9 attacks compared to 3 and 4 between medium and small businesses.
  - Telecommunications fraud (at 8% incidence, 414 incidents) is more common in the Financial and Retail industries, at 13 and 11 incidents respectively, and much more prevalent among large businesses, at 21 attacks compared to 7 and 8 between medium and small businesses.

2 The average number of attacks (for malware and all other cyber crime types covered by the survey), was calculated by dividing the total number of reported incidents by total number of organizations that experienced them (this calculation excluded organizations that were not affected).

Table 6: Incidence of various cyber crime attacks within the last 12 months (proportion of those who experienced each attack) and frequency of each attack

| Type of attack | % experienced | Total # of attacks |
|---|---|---|
| Malware, such as Trojans, worms and virus attacks | 51 | 1,701 |
| Phishing, Spear Phishing, Social Engineering | 18 | 1,478 |
| Misuse of social networks by employees | 15 | 578 |
| Financial fraud | 14 | 294 |
| Unauthorized access or misuse of website | 13 | 745 |
| Theft of laptop(s), smart ‘phones, tablets and other devices containing company information | 13 | 212 |
| Denial of Service | 10 | 219 |
| Telecommunications fraud | 8 | 414 |
| Sabotage of data or networks | 8 | 98 |
| Advanced Persistent Threats (APTs) | 4 | 69 |
| Theft of other hardware | 3 | 58 |

Table 7: Average number of cyber crime attacks within the last 12 months as a proportion of affected organizations (mean excl. 0) and overall (mean incl. 0)

| Type of attack | Mean (excl. 0) | Mean (incl. 0) |
|---|---|---|
| Phishing, Spear Phishing, Social Engineering | 17.2 | 2.8 |
| Unauthorized access or misuse of website | 11.1 | 1.4 |
| Telecommunications fraud | 9.4 | 0.8 |
| Misuse of social networks by employees | 7.9 | 1.1 |
| Malware, such as Trojans, Worms and Virus attacks | 6.6 | 3.3 |
| Denial of Service | 4.5 | 0.4 |
| Financial fraud | 4.3 | 0.6 |
| Advanced Persistent Threats (APTs) | 4.1 | 0.1 |
| Theft of other hardware | 3.6 | 0.1 |
| Theft of laptop(s), smart ‘phones, tablets and other devices containing company information | 3.2 | 0.4 |
| Sabotage of data or networks | 2.5 | 0.2 |

Table 7a: Average number of cyber crime attacks within the last 12 months as a proportion of affected organizations

| Industry | Average number of attacks |
|---|---|
| Financial | 20 |
| Retail | 18 |
| Airlines/Shipping | 14 |
| Telecom | 14 |
| Utilities/Critical Infrastructure | 14 |
| Aerospace/Defense | 11 |

Calculation: Total number of incidents per industry divided by total affected per industry

  - There is some fluctuation in incidence of various cyber crimes by industry, with the following showing the highest dispersion:
    - Financial fraud – more common in the Retail and Financial industries (19% and 16% respectively), and lowest in Aerospace/Defense and Utilities (5% and 3% respectively).
    - Unauthorized access to websites – more common in the Airlines/Shipping and Telecom (20% and 19% respectively), and lowest in Aerospace/Defense (7%).
    - Denial of service – more common in Telecom (19%), and lowest in Retail (5%).

F. Types of cyber crime attacks and their impact on businesses

• On average, of the 69% of organizations affected by some form of cyber crime, 46% say that the incident(s) have had at least some impact (severity of 5 or more on a 10 point scale) on their businesses.

• On average about a quarter of organizations (26%) say the attacks had a considerable impact (rated 7 or more on a 10 point scale) on their organizations. The top three such cyber crimes are relatively low incidence and frequency: financial fraud (37% considerable impact), and sabotage of data or networks and denial of service (36% each). Table 8 below provides more details.
  - By comparison, incidents of high prevalence, such as malware and virus attacks and phishing/social engineering have very negative impact on relatively fewer organizations: 23% and 22% respectively rate the impact as considerable (7-10 out of 10).

• The severity of impact of cyber crime types varies by industry (not so much by size), with the following being most affected (severity of 7-10 out of 10):
  - Sabotage of data networks – Telecom 63%.
  - Financial fraud – Airlines/Shipping 60%, Telecom 50%.
  - Advanced Persistent Threats (APTs) – Aerospace/Defense 50%, large businesses 50%.
  - Phishing/social engineering – Aerospace/Defense 50%.

Table 8: Impact of cyber crime attacks on organizations (measured on a scale of 1 to 10 where 1 means negligible impact and 10 means major impact). Values are percentages.

| Type of attack | (9-10) Major Impact | (7-8) Considerable Impact | (5-6) Some Impact | (3-4) Minor Impact | (1-2) Negligible Impact | Don’t Know/Refused |
|---|---|---|---|---|---|---|
| Financial fraud | 26 | 11 | 14 | 24 | 24 | 1 |
| Sabotage of data or networks | 18 | 18 | 15 | 5 | 40 | 5 |
| Denial of Service | 16 | 20 | 24 | 20 | 22 | |
| Advanced Persistent Threats (APTs) | 15 | 10 | 20 | 35 | 20 | |
| Telecommunications fraud | 14 | 7 | 32 | 18 | 30 | |
| Unauthorized access or misuse of website | 13 | 10 | 25 | 21 | 31 | |
| Theft of other hardware | 13 | 6 | 25 | 13 | 44 | |
| Phishing, Spear Phishing, Social Engineering | 12 | 10 | 19 | 19 | 40 | |
| Theft of devices containing company information | 11 | 12 | 20 | 20 | 36 | 2 |
| Malware, such as Trojans, Worms and Virus attacks | 11 | 12 | 16 | 24 | 37 | |
| Misuse of social networks by employees | 10 | 9 | 15 | 19 | 47 | |

G. Financial costs/losses due to cyber crime

  - Cyber crime attacks conducted over the past 12 months cost businesses a total of approximately $5,328,916. This translates to an average of $14,844 per affected business.
  - Financial fraud accounts for the largest proportion of total cost (36%), at $1,892,683. With 294 reported financial fraud attacks, the average cost per attack is $6,438.
  - Theft of devices containing company information is the second largest source of cost, at $849,499 or 16% of the total cost. Each incident cost companies $4,007 on average.
  - Because of the high incidence among businesses, malware and virus attacks account for the third highest cost overall, at $771,937, but the average loss per incident is relatively low, at $454.
  - Sabotage of data and networks is 4th in terms of incurred costs, with $583,298 in losses, but the average cost per incident is 2nd highest, $5,952.
  - More details can be found in Table 9 below.

Table 9: Costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers [4])

| Cyber crime type | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Sum Total Cost / Loss {A+B+C} | Average cost per attack* |
|---|---|---|---|---|---|
| Financial fraud | $1,162,553 | $155,030 | $575,100 | $1,892,683 | $6,438 |
| Theft of devices containing company information | $215,700 | $361,800 | $271,999 | $849,499 | $4,007 |
| Malware, such as Trojans, Worms and Virus attacks | $283,475 | $456,259 | $32,203 | $771,937 | $454 |
| Sabotage of data or networks | $347,499 | $104,300 | $131,499 | $583,298 | $5,952 |
| Telecommunications fraud | $178,200 | $169,300 | $153,000 | $500,500 | $1,209 |
| Denial of Service | $50,000 | $172,050 | $11,700 | $233,750 | $1,067 |
| Phishing, Spear Phishing and Social Engineering | $123,135 | $11,455 | $17,445 | $152,035 | $103 |
| Unauthorized access or misuse of website | $40,510 | $50,599 | $28,599 | $119,708 | $161 |
| Advanced Persistent Threats (APTs) | $ - | $100,300 | $ - | $100,300 | $1,454 |
| Misuse of social networks by employees | $39,299 | $9,999 | $16,098 | $65,396 | $113 |
| Theft of other hardware | $42,300 | $17,510 | $ - | $59,810 | $1,031 |
| Total Cost/Loss | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 | |

* Average cost per attack calculation: Total cost/loss divided by number of attacks within each cyber crime type.

• Costs incurred by cyber crime attacks are comparatively higher in the Telecom and Airline/Shipping industries (Table 10 below) with the average cost per incident also higher in these sectors: about $2,364 per incident in Telecom and $1,674 in Airline/Shipping.

• Total cost due to cyber attacks increases with revenue size: on average, an incident in large organizations costs $1,181, compared to $991 in medium size businesses and $741 in small ones.

Table 10: Total costs incurred by businesses due to cyber crime attacks (excluding $0 and outliers) by industry and revenue size.

| Industry | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Total Cost / Loss | Number of total incidents per industry | Average cost per attack |
|---|---|---|---|---|---|---|
| Telecom Technology | $943,724 | $547,299 | $391,097 | $1,882,120 | 796 | $2,364 |
| Airlines / Shipping | $492,755 | $263,410 | $524,509 | $1,280,674 | 765 | $1,674 |
| Financial | $388,437 | $257,248 | $263,642 | $909,327 | 2039 | $446 |
| Utilities / Critical Infrastructure | $154,599 | $403,349 | $11,199 | $569,147 | 625 | $911 |
| Retail | $398,556 | $70,096 | $45,396 | $514,048 | 1424 | $361 |
| Aerospace and Defense | $104,600 | $67,200 | $1,800 | $173,600 | 217 | $800 |
| Total Loss / Cost | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 | | |

| Business Size (revenues) | Financial Loss {A} | Cost of Recovery {B} | Loss of business {C} | Total Cost / Loss | Number of total incidents per industry | Average cost per attack |
|---|---|---|---|---|---|---|
| Under $10 Million | $1,140,316 | $501,842 | $432,943 | $2,075,101 | 2,800 | $741 |
| $10 Million to under $50 Million | $726,550 | $609,860 | $577,500 | $1,913,910 | 1,931 | $991 |
| $50 Million or More | $615,805 | $496,900 | $227,200 | $1,339,905 | 1,135 | $1,181 |
| Total Loss / Cost | $2,482,671 | $1,608,602 | $1,237,643 | $5,328,916 | | |

* Average cost per attack calculation: Total cost/loss divided by number of attacks within each cyber crime type

[4] Outlier is a value that is numerically distant from, or is “outside” the rest of the data (e.g., an extreme value). In larger samplings of data, a small number of extreme data points (outliers) are expected. Extreme outliers have been eliminated from the analysis in order to produce results that are not distorted.

H. Reputation damage as a result of cyber crime attacks

• Cyber crime does not significantly affect organizational reputation (Table 11). On average, 17% of cyber attacks (any form) cause some (13%) or significant (5%) reputational damage.
  - Sabotage of data and networks causes relatively more reputational harm than any other attacks, at 30% (15% significant and 15% some reputational damage).
  - Because of small base sizes, the data for individual forms of attacks cannot be analyzed by industry or revenue range.

Table 11: Reputation damage as a result of cyber attacks.

| Cyber crime type | Significant / Some (%) |
|---|---|
| Sabotage of data or networks | 15 / 15 |
| Attacks such as Denial of Service | 6 / 18 |
| Financial fraud | 6 / 15 |
| Misuse of social networks by employees | 3 / 18 |
| Unauthorized access or misuse of website | 7 / 13 |
| Advanced Persistent Threats (APTs) | 20 |
| Telecommunications fraud | 5 / 14 |
| Theft of other hardware | 13 |
| Theft of laptop(s), smart ‘phones, tablets and other devices containing company information | 3 / 8 |
| Malware, such as Trojans, worms and virus attacks | 3 / 6 |
| Attacks including Phishing, Spear Phishing and Social Engineering | 4 / 3 |

I. Internal versus external cyber attacks

• Cyber crime incidents tend to originate outside companies.

• Over half (56%) say that more than 60% of incidents were external, 10% believe that fewer than 30% were external, and 13% say that 31%-60% were external. As many as 41% believe that 100% of incidents were external.
  - Telecom reports the highest proportion of exclusively external attacks – 65% say 100% of attacks were external, followed by Aerospace/Defense – 47%, and Utilities – 44%.
  - Nearly half (48%) of small businesses say that 100% of incidents were external, while it is only the case for a third of medium and large businesses.
  - There are no other discernible patterns by business size.

• Only 21% of respondents report that over 60% of incidents were internal, 17% say fewer than 30% were internal, and 13% say that 31-60% were internal.
  - Only 12% believe that 100% of incidents are attributed to internal attacks.
  - There are no patterns in data by industry or business size.

J. Cyber crime impact on various organizational aspects

• Generally, businesses’ ability to operate is the most often mentioned concern (64%) associated with cyber crime across industries and business sizes, but other aspects closely tied to businesses’ wellbeing, such as doing business with customers, company finances and public image are not far behind in importance (52%-59%).
  - Public image and reputation are more of a concern in the Utilities, Telecom, and the Financial sectors (around 60% each), compared to about 40% for the remaining industries.

K. Attitudes toward cyber crime incidents

• Two-thirds (64%) believe that senior management treats cyber crime incidents with serious to considerable interest (scores 7 to 10 out of 10).

• The perceived level of concern about cyber crime among employees is lower, with 43% giving it 7 to 10 out of 10 on the interest scale.
  - Given that individuals in senior/management positions answered the survey, the results for the above question may be biased toward management.
  - Level of concern among senior management is roughly the same across industries, although its intensity (score 9, 10 out of 10) is higher in Telecom and Airlines/Shipping (49% and 47% respectively) than in Retail or Utilities (33% and 26% respectively).
  - Employees are viewed to be less concerned about cyber crime across industries. Slightly more concern among employees is reported in Telecom and Utilities businesses (54% and 51% respectively), and lowest in Retail (32%).

L. Steps employed to raise awareness of cyber crime

• A plurality of businesses (42%) employs only one or two approaches in raising awareness of cyber crime, and these are mostly emails (59%), and corporate guidelines and manuals (54%). A quarter (26%) employs three or four steps, and 13% use five or more. Nearly one-in-five organizations (19%) do not do anything to raise awareness of cyber threats.
  - Small organizations are more likely to provide no information to their employees (25%) than medium and large ones (7% and 8% respectively).
  - Large businesses tend to offer more opportunities for building awareness about cyber crime – 28% employ five or more methods (compared to 14% in medium-sized and 8% in small organizations; vs. 13% overall).

M. Employment of risk assessment process

• Overall only 22% employ risk assessment processes for cyber crime; 77% do not, and 1% don’t know.
  - This is true across industries. Telecom tops the list, with 33% organizations reporting such processes, and only 11% of Retail organizations do so (lowest proportion among surveyed industries).

Table 12: Steps employed to raise awareness of cyber crime

| Step | % |
|---|---|
| Send e-mails round / reminding / updating | 59 |
| Corporate guidelines / manuals | 54 |
| Information on your intranet | 31 |
| Formal activities to raise awareness | 21 |
| Formal security training courses | 19 |
| Awareness seminars | 17 |
| Posters | 10 |
| Other | 12 |
| Don’t know/refused | 19 |

  - Likelihood of employing risk assessment processes increases with revenues: 45% of large businesses do so, compared to 23% among medium, and 17% among small businesses.

• Few organizations (6%) report accreditation of IT security standards. This percentage is equally low across industries and revenue levels.
  - In this small group, 1% each is accredited to ISO27001, National IT Security Standard, International IT Security Standard, and 3% report other accreditations.

N. Incidence and frequency of security audits

• Of those not accredited to national or international IT security standards (94% of surveyed organizations), over a half (56%) say that they carry out regular security audits.
  - In all but one industry, over half conduct regular audits. It’s highest for the Utilities organizations (68%). In Retail, only 42% do so.
  - Incidence of regular security audits increases with revenues: 84% of large businesses say they conduct regular audits, compared to 66% among medium, and 49% among small organizations.
  - A plurality (38%) conduct audits at least monthly, 17% do so every three to four months, 9% every six months, 21% annually, and 7% do so at other frequency. Eight per cent do not know.

O. Incidence of formal procedures to deal with cyber crime incidents

• A majority (69%) of organizations do not have formal procedures that have to be followed when cyber crime is identified; only about a third of organizations (28%) do.
  - It is somewhat higher in the Aerospace/Defence, Telecom, and Financial industries (34%, 33% respectively), and lower in Airlines/Shipping and Retail (25%, and 24% respectively), with Utilities on par with the average, at 27%.
  - It is also higher in large businesses, at 47% (particularly those with revenues $100 Million or more: 57%), compared to 29% in medium, and 25% in small ones.

• Also only about a third of organizations (28%) have a trained crisis management team to respond to cyber crime incidents.
  - It is higher in Aerospace/Defense, Telecom, and Financial industries (38%, 36%, and 34%), and lower in Retail and Airlines/Shipping (19% and 17%), with Utilities at 27%, on par with the average.
  - Presence of trained crisis management teams is considerably higher only in the largest revenue segment ($100 Million or more), at 41%.

P. Individuals responsible for dealing with cyber crime attacks

• Senior management and individuals responsible for IT/ are the key decision-makers and response teams, regardless of industry and revenue size.

• The same individuals are also most likely to decide whether an external agency should be involved in cyber crime attacks.

Table 13: Decision-makers in cyber crime attacks

Series (values in %): Decision maker in cyber crime attacks; Decision maker re: involvement of external agencies.

CEO/Senior Management: 50 / 51
IT / IS Manager: 27 / 9
Head of IT / IT Director / CIO / CISO: 21 / 21
General Manager/Operations...: 17 / 11
Other: 7 / 16
Other Security: 3 / 2
Network Manager: 3 / 1
Financial Director Or Equivalent: 3 / 2
(no label): 2 / 1
Don’t Know: 2 / 2
Legal / Counsel: 1 / 1
Facilities / Group Manager: 1 / 1

Q. Familiarity with cyber crime security strategy

• Awareness of the 2010 Canadian Cyber security strategy is very small, at 7%, and it holds across industries and revenue sizes.
  - It is slightly higher in Aerospace/Defense (10%) and Utilities (9%) and lowest in Retail and Telecom (6% and 5% respectively).
  - It is also comparatively higher in large businesses (14%), than in medium (10%), and small ones (5%).

• Although familiarity with the strategy is minimal, higher awareness has potential to drive positive change in IT security among Canadian businesses.
  - A quarter (26%, n=10) of those aware say it influenced their company’s approach to cyber crime security: 80% increased IT security investments, 50% changed policies, and 20% introduced cyber crime awareness training.
  - Given the small base size, the results should be used with caution, for directional purposes only.

R. Involvement of external agencies

• Over half (56%) of the organizations that experienced cyber crime attacks did not involve any external agencies, and 44% did (this represents 30% of all respondents).

• Of those who did, a majority (63%) engaged private and 21% government agencies.

• In a scenario where involvement of external agencies was necessary, a plurality (39%) of all surveyed organizations say they would opt to first engage private organizations, and 29% would first turn to government organizations, with 6% saying it would depend on the type of incident, 2% would contact both, 15% wouldn’t know, 9% provided other comments.
  - Retail and Financial organizations would be more likely to first contact private agencies (47% and 45% respectively), while Aerospace/Defense, Airlines/Shipping, and Utilities would first reach to government organizations (38%, 35% and 34% respectively).
  - Business size has no influence on the type of agencies that would be contacted: all have a somewhat stronger preference for private organizations.

• While businesses initially show preference toward private agencies, when asked to specify what organizations would be contacted following a cyber crime attack, private organizations are not top-of-mind. A plurality (46%) would not know who to contact, with most other respondents citing government organizations/agencies: 23% the RCMP, 20% local/provincial police, 6% some other government organization. Only 8% would contact other organizations. These views are uniform across industries and business sizes.

S. Involvement / Effectiveness / Expectations of the RCMP and/or other Government agencies in relation to cyber crime.

• The incidence of ever involving the RCMP or other government agencies is small overall (11%, n=57).

• The RCMP and/or government agencies are primarily contacted to report an incident/crime (59%), and 24% do so as part of legal obligations.
  - The top two occurrences involved financial fraud and general fraud/theft (29% each).
  - Of the small proportion of incidents (11%), most (61%) were recent (this is a low base of n=34 or 6% of all respondents and results should be used with caution, for directional purposes only).
  - Half (53%) occurred within the current year, 29% within 1 to 5 years, and 15% earlier than that.

• Of the few businesses that had recently involved the RCMP or government agencies (6%, n=34), a majority (62%) agreed that the organizations effectively handled the situation, and 30% felt that it was not addressed effectively.

• But overall, virtually all businesses (90%) who have not dealt with the RCMP or other government agency do not know on what basis to determine the effectiveness of the RCMP or government agencies in dealing with cyber crime.
  - 3% each list general media feedback, personal experience, and success rate, with 1% mentioning speed of response.

• Building awareness of cyber crime and its prevention is by far the most often mentioned expectation from the RCMP and government agencies (45%), with prevention, investigation and prosecution at 17%. Other expectations, such as direct assistance, streamlining of resources are mentioned by 5% to 6% each.
  - Need for more prevention, investigation, and prosecution is slightly more often mentioned among large businesses (23%) and the Aerospace/Defense industry (21%).

T. Awareness of Public Safety Canada’s/RCMP’s roles in raising awareness of cyber crime/ Sources of awareness

• Awareness of cyber crime prevention campaigns is low, at 12%. It is only comparatively higher in the Utilities industry, at 18% and among large organizations, at 19%.

• Overall, 39% of businesses are aware that at least one of the two organizations has a role in combating cyber crime.
  - 22% are aware of only the RCMP’s role, 17% are aware of the roles of both organizations, but none are aware of Public Safety’s role only.
  - This pattern generally holds across industries and business sizes, with the exception of Utilities, where awareness of both organizations’ roles is higher, at 30%.

• Among those aware, two thirds (67%) view it as relevant, especially the Telecom industry (82%) and large businesses (75%).

• Media (news, TV, newspapers, internet) plays a pivotal role in building awareness of Public Safety Canada’s and RCMP’s roles in combating cyber crime: 76% of those aware say they learned about it through media. All other methods trail behind (under 10% each).
  - This holds true across industries and business sizes, with one exception: conferences are a source of awareness for 14% of large businesses, but the use of this channel is minimal in medium and small businesses (4% and 2% respectively).
  - While surveyed organizations indicate that events and media coverage would likely be the most effective form of building awareness of Public Safety Canada’s/the RCMP’s roles in combating cyber crime, a range of other communication avenues could be just as effective in educating businesses.

Table 14: Communication strategies to employ by Public Safety Canada / the RCMP to improve building awareness of their capabilities among Canadian Business

| Communication strategy | % |
|---|---|
| Events / Media coverage | 69 |
| Presence on specific web sites | 62 |
| Publications | 61 |
| Advertising in trade publications | 56 |
| Involvement in specific professional associations | 52 |
| Conferences | 51 |
| Case studies | 48 |
| Personal briefings with agency staff | 38 |
| Don’t know / Refused | 5 |

Subgroup callouts on the chart, in the order printed: Utilities / critical infrastructure - 61%; Large businesses - 66%; Aerospace - 66%; Large businesses - 67%; Telecom - 45%; Airlines/Shipping - 45%; Large businesses - 58%.

Above Security Sponsor Commentary

CEO Foreword

Worldwide communication and nearly limitless online transaction capabilities are a great benefit to society and to the way businesses function. However, these technological advancements bring about new challenges that organizations and individuals must face, the most troubling of which are the evolving and expanding risks associated with cybercrime.

As one of the world’s leading IT security service providers responsible for monitoring vast client networks on a daily basis, we see firsthand how cybercrime jeopardizes the safety of information and the normal flow of business. The harsh realization that “cyberculture is growing faster than cybersecurity, so everything that depends on cyberspace is at risk” (Deloitte, 2009: p. 2) places greater emphasis and urgency on implementing systems and procedures that protect business infrastructures, and more specifically, the most critical and sensitive IT assets that enable businesses to operate effectively.

The rise of cybercrime is more than just our raison d’être as an IT security service provider. It is a phenomenon that affects and concerns all of us every day, be it in our professional or in our personal environments. Ultimately, we must acknowledge that each and every one of us is a potential target for cybercriminals, for the simple reason that we are all connected via the Internet. The fight against cybercriminal activity through risk mitigation strategies and education is a cause that we believe in strongly and that we are proud to fully endorse within the framework of this study and beyond.

Through the following commentary, we wish to leverage the expertise we have gained from nearly 15 years in the field in order to provide meaningful perspectives on IT security and risk management. We will share our view of current cybercrime threats and their impact on industries and businesses, new and emerging threats that can be expected in the next few years and effective strategies and practices to consider for combating cybercrime in Canada and globally. We hope that our viewpoints will serve as an interesting and resourceful complement to the findings of the study.

On behalf of the entire Above Security team, I would like to express my gratitude and appreciation to the ICSPA and to everyone involved in the creation of this research project. May this study help raise awareness within the business community and garner widespread support, which will be crucial to successfully prevent the spread of cybercrime in Canada and around the world.

Ray George Chehata
President and CEO
Above Security

• Company view of cybercrime in Canada today including threats and their impact on Industry and Business.

Cybercriminal activity has increased dramatically in recent years and can now be considered an omnipresent, even global menace that will continue to affect each and every one of us. Hardly a day goes by without cyber-related incidents hitting the headlines of Canada’s most renowned newspapers, magazines and blogs. According to INTERPOL (2013), “cybercrime is one of the fastest growing areas of crime” and has adopted many carefully-crafted disguises to damage information systems. The most commonly-known threats include, but are not limited to, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, SPAM, phishing emails, penetration of online financial services, virus deployment, social engineering, identity theft and theft of intellectual property. Although all of these threats should be treated with equal importance, DDoS attacks have become especially worrisome recently due to their destructive nature and an ability to affect the networks of high-profile Canadian governmental organizations and financial institutions with relative ease.

With regards to its impact, cybercrime is known to cause both tangible and intangible damages. In its 2012 research report on The Impact of Cybercrime on Business, the Ponemon Institute found that data breaches cost on average $7.2 million per incident, with the cost per malicious attack exceeding $10 million in many cases, thus making financial losses the most severe of cybercrime’s numerous impacts. In addition, businesses that have become victims of cybercriminal activity frequently report substantial losses among previously loyal clientele, a strong decline in productivity, severe disruptions of their services and operations, massive losses of proprietary and sensitive information, as well as immeasurable damages to their brand, corporate image and reputation.

• Company view of Global cybercrime threats and the potential impact on Canada.

As recently as several years ago, the global cybercrime landscape was very clearly divided, with a great majority of cyberattacks originating from Russia, Eastern Europe, , Southeast Asia, North Korea and Brazil. As we have entered the second decade of the new millennium, cybercrime has become an increasingly pervasive threat that cannot easily be linked to only a handful of regions. As INTERPOL (2013) correctly noted, “cybercrime has no borders”. Not only have cybercriminals developed more sophisticated attack strategies, they have also learned how to blur their traces effectively and complicate the work of those seeking to track them down.

Compounding matters even more is the fact that security-related laws and regulations vary from country to country (sometimes even from province to province), and thus it comes as no surprise that regions with less strict legislation are prone to a higher degree of cybercrime. Even foreign governments are now exhibiting unethical practices, as in the recent case of the Chinese military that allegedly “engaged in ‘an extensive cyber espionage campaign’” (CNN, 2013). Regardless of the geographical origin of cybercriminal activity, each individual attack potentially threatens Canada’s national security and represents a substantial risk for the Canadian economy – a risk that needs to be acknowledged, investigated and mitigated at all costs.

• Company view of new and emerging cybercrime threats that may impact Canada over the next 5 years and those sectors most at risk.

With regards to new and emerging cybercrime threats that may impact Canada over the next 5 years, we are witnessing the evolvement of DoS and DDoS attacks into increasingly sophisticated schemes that use several attack vectors in an attempt to hide further nefarious activity. By intentionally misusing bandwidth resources in order to bring down sites, networks and applications, these attacks ultimately cause substantial business impacts such as: loss of revenues, diminished brand reputation and potentially long-term service interruptions. Another emerging trend that is already a strongly debated issue across the globe is the rise of cloud computing offerings. Although cloud computing is a much more convenient alternative to traditional data storage and handling, it provides a greater surface of attack that is much more complex to control. When it comes to the origin of threats, one of the most astonishing trends we have noticed is that businesses may even be attacked by their national competitors and not exclusively by international .

No matter how the global cybercrime landscape evolves in coming years, organizations that store large amounts of sensitive data and are required to comply with strict standards, or regulations remain the primary targets of cybercriminals. This relates mostly to governmental organizations and financial institutions, but can also extend to organizations that are often considered to be devoid of major risk, such as manufacturing companies. Especially in the manufacturing sector, the theft of intellectual property can result in colossal damages. Although certain sectors are traditionally more at risk than others, it needs to be emphasized that “no business, government, nongovernmental, or other organization of whatever size is invulnerable to cyber attacks” (British-North American Committee, 2007: p. 3).

• Company view of effective deterrents, responses and practices in fighting cybercrime + Company view of measures needed to combat cybercrime in Canada.

In a 2012 Washington Post article, Alec Ross, senior adviser for innovation at the State Department was quoted as saying “If any college student asked me what career would most assure 30 years of steady, well-paying employment,” Ross said, “I would respond, ‘cybersecurity’”. The simple reasoning behind this is the growing number of cyber-related crimes. As such, companies now need to improve the quality of protections they have in place as legislative compliance requirements increase, security environments age, resources become scarce and internal IT security costs continue to rise.

Fighting cybercrime begins with raising the awareness level of both the business community and the general public. This can be achieved by large-scale research initiatives, such as the ICSPA study, as well as through education campaigns originating from public and private organizations. In addition, everyone who connects to cyberspace, a space that is expanding at the speed of light, should learn as much as they can about the threats that they are exposed to and their potential impact. Only if individuals and organizations alike fully comprehend the extent to which cybercriminal attacks can expose information and impair business operations, can adequate measures be taken to manage and mitigate the risk associated with cybercrime (British-North American Committee, 2007).

Organizations can strengthen their defenses by employing tactics that have already proved successful, such as allocating a budget specifically to IT security, establishing clear policies and controls, performing regular IT security audits, assessing current security measures in place and, most importantly, developing a concise risk mitigation and incident response plan (CERT, 2009; Deloitte, 2009a; PricewaterhouseCoopers, 2013). Moreover, by following an organized plan for IT security and risk management that includes partnerships with cybersecurity specialists and obtaining sound recommendations from third-party experts, organizations can stay on the leading edge and ensure that their security posture remains solid and stable.

Lastly, governments and regulatory organizations must continue to prioritize, strengthen and assess cybercrime-related laws and regulations on a regular basis. Laws have barely caught up with today’s reality and must be amended to better protect corporations and individuals from the disastrous effects of cybercrime. To put it simply, it is much easier to find a remedy after a physical corporate asset such as a car or a machine has been stolen than to take action against data theft and virus deployments. Canadian businesses must adopt best practices and make information security an integral part of their corporate culture (British-North American Committee, 2007). In our opinion, Canada has already taken initiative and is in a position to be a leader in establishing legal precedents to protect organizations, which can ultimately be emulated throughout the world.

In conclusion, with continued, timely exposure to the issues and growing public awareness, organizations and individuals need to take the next step and join forces, so they can work together to wage a persistent and formidable battle against cybercrime.

Bibliography

British-North American Committee (2007) Cyber Attack: A Risk Management Primer for CEOs and Directors.

CERT (2009) Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition – Version 3.1.

CNN (2013) Report: Chinese military engaged in ‘extensive cyber espionage campaign’ [online] Available at: http://security.blogs.cnn.com/2013/02/19/report-chinese-military-engaged-in-extensive-cyber-espionage-campaign/?iref=allsearch. Accessed: 5 March 2013.

CSI (2009) 14th Annual CSI Computer Crime and Security Survey. Comprehensive Edition.

Deloitte Touche Tohmatsu (2009a) Cybersecurity: Everybody’s Imperative. Protecting our economies, governments, and citizens.

Deloitte Touche Tohmatsu (2009b) Protecting what matters. The 6th Annual Global Security Survey.

INTERPOL (2013) Tackling cyber security threats focus of INTERPOL workshop [online] Available at: http://www.interpol.int/News-and-media/News-media-releases/2011/N20110707. Accessed: 27 February 2013.

Ponemon Institute (2012) The Impact of Cybercrime on Business. Studies of IT practitioners in the United States, , Germany, and Brazil.

PricewaterhouseCoopers (2012) Changing the game. Key findings from The Global State of Information Security® Survey 2013.

The Washington Post (2012) Cybersecurity experts needed to meet growing demand. [online] Available at: http://articles.washingtonpost.com/2012-05-29/business/35458606_1_cybersecurity-college-students-visit-colleges. Accessed: 6 March 2013.

BlackBerry Sponsor Commentary

How safe is your smartphone

The BlackBerry Focus on Cyber Security.

Contents

A. An Introduction from Michael K. Brown, Vice-President, BlackBerry Security Product Management & Research
B. Executive Overview on Anti-Malware Security Approach
C. Today’s Mobile Landscape – Safeguarding Security and Privacy
D. A Significant Threat – Malware on Mobile Devices
E. Combating Mobile Malware and Privacy Implications Associated with Third-Party Apps
F. Legal notice

An Introduction from Michael K. Brown, Vice-President, BlackBerry Security Product Management and Research.

Security was built into the heart of the BlackBerry secure infrastructure from the very beginning. From the battlefield to the boardroom, our customers have come to rely upon the unique level of protection BlackBerry offers through its layered approach to security. Nothing is more secure than a BlackBerry device running on the BlackBerry platform. Over the past decade, this has evolved – from our first Mobile Device Management (MDM) controls to let administrators manage the new thing called “mobile,” to more advanced technologies like process separation, stack cookies, and ASLR. We’re very excited to keep pushing the envelope and providing an enjoyable experience along the way.

BlackBerry is committed to partnering with industry leading organizations to deepen the importance of data responsibility and secure infrastructure practices. 90% of Fortune 500 companies and countless government agencies rely on BlackBerry products and services each day because of our embedded security practices. This level of trust is something we take very seriously.

At BlackBerry, we have more security certifications than any other smartphone on the market. BlackBerry has always built security into everything we do – from silicon to software. Our industry leading encryption, networking and data security practices are recognized world-wide for their robust abilities to keep customer data safe and secure.

For more information on BlackBerry security, visit www.blackberry.com/security, and if you have a security issue you would like to discuss with us, please email us at [email protected].

Warm regards,

Michael K. Brown Vice President BlackBerry Security Product Management and Research

Executive Overview on Anti-Malware Security Approach

Maintaining a leadership position in mobile security requires deep integration of security at the product development stage, but it also requires listening to the needs of customers, and working collaboratively across the industry. At BlackBerry, these are some of the core tenets that have led to the unique level of security the BlackBerry solution delivers and that our customers depend upon. BlackBerry anti-malware strategy is built upon five core pillars that focus on our smartphone’s built-in protections, analyzing third-party applications, transparent customer communications, educating developers and having an anti-malware team embedded in the security response group. By developing an anti-malware strategy based on five, key pillars of security, we provide BlackBerry customers an unparalleled level of protection from emerging security and privacy issues.

Today’s Mobile Landscape – Safeguarding Security and Privacy

Today, mobile devices have similar capabilities and characteristics of modern desktop computers, with one exception – the amount of personal data on the device. Unlike computers, applications downloaded on mobile phones and tablets have the ability to broadcast your location, private conversations, pictures, banking information and other sensitive data, even when these mobile devices are not in use. Just as mobile customers’ expectations vary widely about privacy and security, so do the approaches that mobile vendors take in safeguarding customers’ security and privacy.

With the increased prevalence of smartphones and tablets becoming a common part of how we share information with our family, friends and co-workers, there is a growing potential for increased risks related to data security and privacy. This isn’t the first time we’ve watched the computing threat landscape evolve. Over the last decade, as more users leveraged the power of personal computers, attackers began focusing on ways to steal users’ data and take control of their computers. Their methods included using vulnerabilities in the software and creating malicious software, known as malware, which is designed to trick a user into installing these programs in order for the attacker to gain control of a user’s system. Now, as we move toward a mobile computing society, we’re seeing that same trend happening across the mobile industry.

A Significant Threat – Malware on Mobile Devices

At BlackBerry, we’re committed to protecting customers and their data, and also to providing greater transparency into the unique level of protection we offer customers. We recognize that customers want and need access to apps that do not infringe on their privacy or impact their security. With such a significant challenge facing the mobile industry, we determined adding additional layers of protection are crucial to helping protect BlackBerry customers.

One of the significant security concerns facing the mobile industry is how to address the skyrocketing amount of malware on mobile devices. This concern is especially challenging because instead of attackers trying to trick computer users to install malware, attackers have shifted their focus and tactics by offering what appear to be safe apps. They are placing their malicious apps within smartphone app stores and bypassing protections that these app store vendors may have in place to help prevent malware. While most smartphone users have heard of malware, and know about its potential to harm their devices, they don’t expect that any app downloaded from their smartphone’s app store is malicious. As a result, smartphone users may not be as careful or discerning when deciding which third-party apps to download, and these choices can lead to users being vulnerable to potential security and privacy implications associated with these apps.
In order to bolster our own internal, proprietary application analyzing system, we are incorporating Trend Micro™’s industry-leading anti-malware technology into our app vetting process. This collaboration will help ensure BlackBerry customers have access to apps that do not infringe on their privacy or impact their security.

Combating Mobile Malware and Privacy Implications Associated with Third-Party Apps

Given that both malware and privacy concerns span across the breadth of the mobile industry, it’s not practical to believe that any one company can thoroughly address these issues on their own. By working with an industry leader, such as Trend Micro, we’re establishing a unique level of protection for BlackBerry customers, and we believe the rest of the industry should also consider working collaboratively in order to address the significant increase in mobile malware and privacy implications associated with third-party apps.

As part of our comprehensive approach, BlackBerry is incorporating Trend Micro’s industry-leading anti-malware technology with our current internal, proprietary system for analyzing apps. “BlackBerry is working with Trend Micro to implement a more robust approach for addressing privacy and security concerns related to third-party applications,” said Adrian Stone, Director, BlackBerry Security Response and Threat Analysis at BlackBerry. “By incorporating Trend Micro’s advanced mobile scanning and detection capabilities with our own internal, proprietary application analyzing system, we can provide another layer of protection and assurance for BlackBerry customers. Together, BlackBerry and Trend Micro are developing an innovative and comprehensive solution for protecting BlackBerry customers against emerging mobile security concerns.”

Through this collaboration, BlackBerry will use Trend Micro’s suite of app scanning technology to help enhance anti-malware capabilities, including industry-leading app analyzing techniques and built-in permission settings on BlackBerry devices. By vetting apps against Trend Micro’s extensive library of known malicious software, we will help ensure both current and new apps submitted to the BlackBerry World storefront are scanned for potential malicious behavior.

“The volume of malicious and high-risk mobile apps are on the rise across the industry, which is why we applaud BlackBerry’s commitment to protecting their customers against these emerging mobile threats,” said Kevin Simzer, Vice President of Corporate Development and Alliances, Trend Micro. “With the speed that cybercriminals are targeting new platforms and applications, Trend Micro and BlackBerry’s strategic collaboration is natural and timely for the security of end users. Together, the two companies can further secure and enhance BlackBerry customers’ mobile experience.”

Trend Micro has scanned and evaluated over 2 million mobile applications. Mobile Application Reputation Service is Trend Micro’s next generation cloud-based technology for mobile operating systems that analyzes application code and behavior to identify risks from malware and data leaks. It also detects the abuse of battery, memory, and data resources. This service leverages the Trend Micro Smart Protection Network infrastructure to provide meaningful mobile app reputation ratings. The Smart Protection Network is built upon unique “in-the-cloud,” technologies that naturally fit with cloud-based security services like the Mobile Application Reputation Service. By checking URLs, emails, files, and applications against continuously updated and correlated threat databases, customers always have immediate access to the latest protection.

Every smartphone and tablet vendor uses a different strategy for protecting customers from both malware and privacy concerns, and customers do not typically have insight into how they may or may not be protected from these issues. BlackBerry is taking an innovative approach for enhancing third-party app security, which is recognized as one of the fastest growing security concerns for the mobile industry.

Legal Notice

©2013 Research In Motion Limited. All rights reserved. BlackBerry®, RIM®, Research In Motion®, and related trademarks, names, and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world.

All other trademarks are the property of their respective owners.

Research In Motion Limited 295 Phillip Street Waterloo, ON N2L 3W8 Canada

Research In Motion UK Limited 200 Bath Road Slough, SL1 3XE United Kingdom

Published in Canada

Lockheed Martin Sponsor Commentary

In a world that is becoming more connected by the minute, the opportunity for cybercrime increases exponentially. Canada is a prime target, where in recent years there has been a disturbing increase in cyber security events impacting not only government and private industry but also individual citizens. Complicating this is an expectation for Canadian businesses to operate securely in an era focused on mobility solutions, bring your own device (BYOD) policies, and ever expanding social media. It is critical that steps are taken to increase cyber security awareness and support an increasing uplift in capability across government and industry. Trusted partnerships, actionable intelligence and advanced tradecraft will be the key to success moving forward.

Lockheed Martin greatly appreciates the opportunity that ICSPA has provided to be a sponsor and contributor to this cybercrime study. Understanding the threats the Canadian industry is facing is a critical step to increasing the ability of all companies to not only defend themselves, but extend those security services to government and critical national infrastructure. Once these threats are better understood, forming the partnerships required to share information about emerging threats and potential mitigations becomes critical. There is no one magic answer to help businesses address the potential threat that cybercrime poses to operations and corporate reputation. It takes a coordinated and intelligent approach to addressing these challenges to ensure success against all aspects of cyber adversaries.

Global Cybercrime

As a global security company Lockheed Martin has first-hand experience defending against the most sophisticated threats facing businesses today. We have been defending the highly sensitive (and heavily attacked) networks of both Lockheed Martin and its government and commercial customers against advanced persistent threats for more than 10 years. Increasingly, the motivation behind cyber attacks is cybercrime. Whether it’s attempting to disable mission critical networks, gain access to classified information, or steal corporate intellectual property, our adversaries are becoming more agile, more persistent and more sophisticated. These are challenges we all face as our adversaries are not constrained by geographic, political or national boundaries. It is imperative that, through activities such as this cybercrime study, we find ways to share tools, techniques and best practices to build a stronger, truly global cyber defense.

Bob Eastman Vice President Lockheed Martin IS&GS-National, Global Solutions

Cyber Security Threats and Potential Impacts

Businesses today face a myriad of threats from different, and often times coordinated, actors and vectors. Beyond the external threat, companies increasingly face threats from within. Whether intentional or not, a business’ employees are both the first line of defense and the first risk companies face. Without proper education, employees can open attachments, click links and take other adverse actions that give threat actors access to corporate networks. Through education efforts, businesses can turn potential weaknesses into strengths as we have in Lockheed Martin. Our employee campaigns have increased employee reported security events significantly over the past three years; each employee has become an additional sensor in our network.

Canadian businesses are now facing the disrupting threats of hacktivists such as and Lulzsec. To combat these types of actors, businesses have to employ a combination of open source analysis and denial of service attack defenses. These activists can deface websites, cause disruptions to operations and inflict reputational damage to Canadian companies if not adequately defended against. Their use of open source/social media platforms for communications is both a challenge and a benefit for defenders. Using targeted intelligence development techniques, companies are able to anticipate attacks by using this open source information against the adversary and get ahead of the attacks.

Like many nations, the most challenging adversary facing Canadian business is what is typically referred to as advanced persistent threats or APTs. These are well educated, well-resourced adversaries whose focus on the theft of secrets including intellectual property poses significant threats to Canadian businesses. Numerous global companies have been targeted by APT attacks over the past three years causing high-visibility, high-impact cyber events for these companies. It is imperative that Canadian industry take the steps necessary to defend themselves from APT threats. This includes using the persistent nature of these actors against them to develop the intelligence required to anticipate and mitigate their attacks.

Effective deterrents, responses and practices in fighting cybercrime

Lockheed Martin is a major target for APT actors due to our global security work in the US, Canada and abroad. Lockheed Martin’s approach to countering APT uses an intelligence focused approach that we call Intelligence-Driven Defense™. This approach features implementation of advanced processes, tools and techniques aimed at increasing the situational awareness of security operators and executive decision makers by providing early actionable intelligence. Recognizing the ever-evolving and adaptive nature of APT, we found that only through better intelligence capabilities could we, in fact, move beyond a reactive Computer Network Defense (CND) capability to a more predictive one.

At each of Lockheed Martin’s three global Security Intelligence Centers, advanced techniques such as the Cyber Kill Chain (described overleaf) are employed to counter APT.

Advanced capabilities that analyze and correlate security events help to characterize APT actors and track their campaigns over time, giving our security operation predictive insight into evolving APT methods and patterns. Advanced technologies such as Open Source Intelligence tools, data analytics, and highly specialized APT network sensors provide another layer of situational awareness and “actionable” intelligence. Finally, and perhaps most importantly, this is where the Lockheed Martin cyber intelligence analysts hone their experience and tradecraft in identifying and countering APT.

Table 14: Cyber Kill Chain

Reconnaissance: Harvesting email addresses, conference information, etc.
Weaponisation: Coupling exploit with backdoor into deliverable payload
Delivery: Delivering weaponised bundle to the victim via email, web, USB, etc.
Exploitation: Exploiting a vulnerability to execute code on victim system
Installation: Installing malware on the asset
Command & Control: Command channel for remote manipulation of victim
Actions on Objectives: With “Hands on Keyboard” access, intruders accomplish their original goals

A key element of our Intelligence-driven approach is employing tools and techniques that give our analysts better insight into our adversaries, and provide a framework to track those adversaries over time. One such capability is referred to as the Cyber Kill Chain. Summarized in the graphic, the Cyber Kill Chain is an innovative analytic process that identifies seven unique steps an attacker needs to successfully accomplish in order to realize the objective. Interrupting an attack at any of these steps not only protects the enterprise, it also exposes the attacker’s specific techniques (patterns over time), and provides actionable intelligence to the security analyst. Contrary to the common belief that “the attacker only has to be right once but we have to be right every time,” an adversary must be successful at every step in the Cyber Kill Chain, whereas the defender has to be positioned to disrupt them at only one. By analyzing each APT attack against the Cyber Kill Chain, we also have an effective framework for measuring our own defensive capabilities (e.g., defense-in-depth and resilience measured as ability to defend at multiple levels).[1] This provides an effective basis to identify gaps, risks and vulnerabilities, and inform future investment prioritization, particularly as APT technologies and tactics continue to evolve.

Incorporating all of these concepts into a comprehensive cyber security program will help our fellow Canadian businesses to protect themselves from cybercrime. Whether it is the loss of intellectual property, disruption to operations or reputational damage, the impact that cybercrime can have on a company is swift and far reaching.

[1] For more information on the Cyber Kill Chain please visit: http://bit.ly/killchain
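One way to record the per-intrusion analysis described above, as an added example that is not Lockheed Martin's own tooling: each analysed intrusion is scored against the seven phases of Table 14, giving the phase where the chain was broken, a defense-in-depth count and the phases with no coverage at all. The outcome labels (`deny`, `detect`, `none`), the function names and the sample records are assumptions constructed for illustration.

```python
# The seven phases in the order given in Table 14.
PHASES = [
    "Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
    "Installation", "Command & Control", "Actions on Objectives",
]

# Outcome an analyst records per phase (labels are assumptions of this example):
#   "deny"   - a control stopped the attacker at this phase
#   "detect" - the activity was visible to a control but not stopped
#   "none"   - no control had visibility at this phase
OUTCOMES = ("deny", "detect", "none")

# Constructed sample records, not data from the study. Phases that are
# not listed for an intrusion are treated as "none".
INTRUSIONS = {
    "intrusion-A": {"Delivery": "deny", "Exploitation": "detect",
                    "Command & Control": "detect"},
    "intrusion-B": {"Delivery": "detect", "Installation": "deny",
                    "Command & Control": "detect"},
    "intrusion-C": {"Command & Control": "detect"},
}


def normalise(record):
    """Return (phase, outcome) pairs in kill-chain order, rejecting bad input."""
    unknown = set(record) - set(PHASES)
    if unknown:
        raise ValueError(f"not a kill-chain phase: {sorted(unknown)}")
    for phase, outcome in record.items():
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} for {phase}")
    return [(phase, record.get(phase, "none")) for phase in PHASES]


def broken_at(record):
    """Earliest phase with a 'deny' outcome, or None if the chain was never broken."""
    for phase, outcome in normalise(record):
        if outcome == "deny":
            return phase
    return None


def depth(record):
    """Defense-in-depth count: phases where a control denied or detected."""
    return sum(1 for _, outcome in normalise(record) if outcome != "none")


def executed_code(record):
    """True if the attacker got past Exploitation before the chain was broken."""
    stop = broken_at(record)
    if stop is None:
        return True
    return PHASES.index(stop) > PHASES.index("Exploitation")


def coverage(intrusions):
    """Per phase, count each outcome across all analysed intrusions."""
    table = {phase: {o: 0 for o in OUTCOMES} for phase in PHASES}
    for record in intrusions.values():
        for phase, outcome in normalise(record):
            table[phase][outcome] += 1
    return table


def gaps(intrusions):
    """Phases where no analysed intrusion was denied or detected."""
    cov = coverage(intrusions)
    return [p for p in PHASES if cov[p]["deny"] + cov[p]["detect"] == 0]


if __name__ == "__main__":
    for name, record in INTRUSIONS.items():
        print(f"{name}: broken at {broken_at(record)}, depth {depth(record)}, "
              f"code executed: {executed_code(record)}")
    print("phases with no coverage:", gaps(INTRUSIONS))
```

In the sample data every intrusion is visible at Command & Control but only one is stopped before code runs, which is the kind of gap the per-phase view is meant to surface.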

McAfee Sponsor Commentary

CEO Foreword: A Message From Luc Villeneuve, Vice President, Canada, McAfee, Inc

Here at McAfee, our mission is to protect governments, enterprises, small to medium-sized businesses and consumers and their proprietary information from the dangers of cybercrime. While McAfee initially began as a vendor of antivirus software, we soon expanded our expertise and capabilities to keep pace with the evolving cyber threat landscape to better serve our customers. McAfee has evolved over the years through a combination of strategic acquisitions and organic growth. As a wholly owned subsidiary of Intel, McAfee is able to take security beyond the operating system to deliver advanced protection against targeted attacks, while also providing security at the hardware level. Cybercrime attacks are a serious and growing problem that needs to be addressed by the security industry as a whole. Information security is everyone’s job, which is why technology companies such as McAfee must partner with each other as well as businesses, academia, government and associations. We need to work together to stay on top of the evolving threat landscape and combat malicious activity, because as our company tagline goes, “Safe Never Sleeps.” In addition to McAfee’s dedication to our Security Connected strategy to provide comprehensive, end-to-end security solutions to meet all industry needs, we are also committed to educating our communities. Through our various partnerships, such as with the International Cyber Security Protection Alliance (ICSPA), we aim to deliver and make available to the industry and Internet users, relevant information, resources and tools to help combat cybercrime. The study you are about to read is a collective effort made by the ICSPA, McAfee Canada and several other Canadian companies. It examines the nature and impact of cybercrime on Canadian businesses in several industries and sheds light on this growing and serious issue. A safer, more secure world is possible and we will endeavour to do whatever we can to ensure this happens.

Sincerely Yours,

Luc Villeneuve Vice President Canada, McAfee, Inc.

The Cybercrime Landscape and Future: A McAfee Perspective

The advent of the Internet and the adoption and evolution of new technologies and products have made it easier for organizations, businesses and consumers to operate on a broader scale, while also enabling groups and individuals to be active participants in the global economy.

Technology offers us plenty of conveniences, but it also opens the door to potential security risks, threats and cybercrime – a growing concern that needs to be addressed by the global community at large. With new attack vectors, methods and targets, the risk of data loss and theft is high.

Cybercriminal activity is motivated by any number of factors. Profiteering is just one of the various motivations. According to a McAfee Labs white paper titled, “Cybercrime and Hacktivism,”[1] other objectives may include the following:

• Playing the game: Some hackers are attracted to cybercrime because it’s exciting.
• Gathering information: The Internet is used for industrial espionage.
• Promoting ideology: Patriot groups, whether acting in good faith or being manipulated, conduct criminal activities against institutions they believe are related to the enemy.
• Behaving foolishly: Individuals sometimes make bad choices for poor or unclear reasons.

Cybercriminals and the underground economy are thriving. Technology companies like McAfee must continue to cooperate and partner with each other as well as businesses, academia, government and associations in order to fully understand the threats – existing and emerging – so that we can effectively protect and secure against the threats of the future.

Global Cybercrime Landscape and Potential Impact on Canada

Operation High Roller Expands

Financial gain remains a huge motivator behind cybercrime. In June 2012, McAfee and Guardian Analytics discovered a highly sophisticated multi-tiered, global financial fraud ring dubbed Operation High Roller. It targets commercial financial accounts and high net-worth individuals using active and passive automated transfer systems to steal high-value transactions from high-balance bank accounts. Malware is installed onto a victim’s computer using phishing and drive-by downloads. It waits for the victim to log onto online banking and sends the login credentials and account information to the fraudster’s server. Once this data is obtained, the malware automatically logs in and initiates transactions that transfer money from the victim’s account to a mule one.

This operation has affected and continues to impact financial institutions globally. McAfee does not expect activity to cease anytime soon.

Mobile Threats

In recent years, we have seen mobile malware emerge as the new frontier for cybercrime. The explosion of mobile devices at home and in the workplace has led to the growing trend of mobile workers and road warriors. Additionally, the availability of free public Wi-Fi has made it easier than ever for people to stay connected. However, any time users connect to an unsecured public Wi-Fi network, they are putting themselves and their devices, which often contain proprietary and sensitive information, at risk.

In the McAfee Threats Report: Fourth Quarter 2012, McAfee Labs found the number of mobile malware samples was 44 times the number found in 2011 – meaning that 95 per cent of all mobile malware samples appeared in the last year alone. Furthermore, the Android platform has recently become by far the most popular platform for attack, with an 85 per cent increase of new Android-based malware samples in the fourth quarter. With mobile users around the world, everyone is susceptible to these threats.

Recently, cybercriminals have turned to ransomware attacks that use malicious software to infiltrate a computer to lock down the data. By holding the data and access to the device hostage, victims are pressured into providing a ransom in exchange for their information – however there is no guarantee that after a ransom is paid, access to the device would be granted. As we saw in the McAfee Threats Report: Fourth Quarter 2012, ransomware has become a growing problem during the last couple of quarters, with the number of new, unique samples reaching more than 200,000.

[1] McAfee Labs White Paper, Cybercrime and Hacktivism, François Paget

Current Canadian Cybercrime Landscape and Impacts

The Canadian cybercrime landscape is not much different from those threats and attacks seen around the world. Threats to mobile devices continue to be cause for concern, especially for organizations that have implemented a bring-your-own-device (BYOD) policy. Whenever a new device enters the corporate network, an element of risk is involved, which is why security policies and best practices must be implemented and enforced in the workplace and by its employees.

According to McAfee’s 2012 Online/Mobile Shopping Habits & Security Concerns survey, 85 per cent of Canadians own and use at least one smartphone and/or tablet device. Furthermore, 41 per cent of Canadians said they leave their phone open and unprotected without a password.

Additionally, as we found in our recent McAfee State of Security Report, 25 per cent of organizations worldwide do not have security solutions to protect their mobile devices.

While these statistics are illustrative of Canada’s adoption of a mobile culture, without adequate security solutions and measures for these devices in place, organizations and individuals put themselves at risk.

Best Practices to Combat Cybercrime

There are certain best practices that consumers and businesses should follow to help protect the sensitive information and identities of citizens and organizations. To help safeguard against cybercrime attacks, McAfee recommends the following best practices:

• Encrypt and back up all personal and sensitive information and files living on devices such as computers, smartphones, tablets and USB sticks.
• Ensure all employees are aware of and trained on effective security measures when handling customer, company and other sensitive data.
• Do not open emails, attachments or click on URLs from an unknown or suspicious source.
• Use strong authentication methods to password protect devices. Use different passwords across accounts and change them often to avoid theft and exposure to other accounts.
• Whenever connecting to a public Wi-Fi network, exercise caution and avoid carrying out financial transactions.
• Know what data you have, who has access to it and how it is being used. By prioritizing this information, it’s easier to know what needs to be protected.
• Implement and enforce a BYOD security policy to ensure data stays safe. Consider remote wipe solutions in the event of device loss or theft, encrypt data on device, and ensure strong password use.

New and Emerging Cybercrime Threats and Industries at Risk

As we look at the cybercrime landscape in the months ahead, we expect many of the same threats to continue. Cybercriminals will expand their efforts to strengthen and evolve their techniques to do whatever it takes to breach privacy in businesses, financial institutions and homes.

In our 2013 Threats Predictions Report⁶, McAfee Labs forecasted several new threats to enter the marketplace this year. They include mobile worms on victims’ machines that will buy malicious apps, malware targeting mobile devices with near-field communications (NFC) capabilities to steal money via the tap-and-pay method, malware that blocks security updates to mobile phones, large-scale attacks like that will attempt to destroy infrastructure instead of attempting to steal money, and many more.

At McAfee, we realize the importance of being able to effectively protect and fight against cybercrime. That’s why we have several awareness partnerships with industry associations, and have created a Multipoint Strategy to Fight Cybercrime. Part of this strategy includes our Cybersafety Resource Portal which is accessible to anyone with Internet access. Our strategy is a three-pronged approach that encompasses technology and innovation, education and legal frameworks.

While we remain confident in our ongoing research and efforts to bring to market resources and solutions that will protect consumers and businesses from existing, emerging and future threats, the security industry must also work together to stay ahead of cybercriminals and threats to make the world we live in, a safer, more secure place.

2 McAfee Threats Report: Fourth Quarter 2012, McAfee Labs
3 McAfee 2012 Online/Mobile Shopping Habits & Security Concerns, September 2012
4 McAfee Canada 2013 Love, Relationships and Technology Survey, January 2013
5 McAfee State of Security Report, March 2012
6 McAfee 2013 Threats Predictions Report, McAfee Labs,

Conclusion

In this study, the Survey Report identified the significant extent and impact of cyber crime on Canadian businesses and the need for greater preparedness to mitigate the threat. The survey demonstrates that across business communities, there is a general lack of strategy, procedures and trained personnel to combat cyber crime. In addition, there is a need for improved communications and education as to the threats, their effect and what actions to take. It is also clear that awareness and education need to be improved not only within businesses but in messaging from government to the business community. Those surveyed believe that Public Safety Canada and the RCMP are the appropriate Department and agency for this role.

The sponsors’ contributions have provided a view of the emerging threats from the adoption of new technology and techniques, highlighting mobile communications and cloud services as today’s new targets for the cyber criminal. The distribution of application-based malware for mobile devices using cloud based services for both personal and business use will become a new threat vector of the future.

The cyber crime environment is dynamic and fast moving and requires continuous vigilance to provide timely, appropriate information and measures to safeguard Internet users. Therefore, all nations require clear strategies, procedures and processes to mitigate the threat of cyber crime through a combination of education and defensive actions. The ICSPA believes this needs to be coordinated with international partners from Government, law enforcement, business and academia, in order to tackle the borderless nature of cyber crime and determine a more cohesive and collaborative response.

Also, in order to truly address the issue of global cyber security, all users need to agree upon a level of acceptable cyber behavior and understand the repercussions and stigma attached if not adhered to.

www.icspa.org
email: [email protected]
Tel: +44-1494-798-160

Copsham House, 53 Broad Street, Chesham, Buckinghamshire HP5 3EA United Kingdom

Twitter: @cyberprotection