Cyber Security Fitness: All of Us Can Muscle-Up

By: Yasmin Ranade

November 28, 2023

The annual CIRA Cybersecurity Survey** confirms that the cyber threat landscape continues to evolve and intensify in 2023, particularly with the arrival of ChatGPT, DALL-E 2 and other generative AI platforms last year. What’s more, organizations in Canada are still giving in and paying ransomware gangs after successful cyberattacks, a finding that highlights how unprepared businesses are for cyberattacks, particularly in certain sectors.

Fittingly, ‘step up your cyber fitness’ was the theme for last month’s cyber security awareness push, which is a world-wide and annual initiative to help the public learn more about the importance of cyber security.

Jake Munro, Lighthouse Labs

I asked Lead Cyber Security Instructor Jake Munro at Lighthouse Labs to share how Canadians can safeguard themselves from advanced cyber threats and scams and to explain how Canada is investing in cyber security technologies and training.

“Cyberattacks have always been a part of the tech world in Canada, but they have become increasingly more popular and sophisticated within recent years,” began Munro.

“Cybercriminals not only in Canada but the entire world have evolved with their skills, knowledge, creativity and tactics used in these cyberattacks. This has forced organizations around the world, but more importantly, in Canada to shift their focus to become more cyber-aware.”

Said Munro, “The biggest areas in Canada that have seen this impact directly have been some of the most important — finance, government, energy, and healthcare. All of these sectors have seen an exponential increase in cyberattacks in recent years since they are a part of the critical infrastructure of Canada’s economy, and they also bring in a lot of money – which is commonly the attacker’s motive. More importantly, these sectors of Canada’s workforce have had to step up to improve security measures, awareness, training, and planning.”

“The government of Canada,” said Munro, “has taken steps to improve Canada’s overall cybersecurity landscape. They have brought in the Canadian Centre for Cyber Security (CCCS) to provide guidance and support to all sectors in Canada to improve their cybersecurity posture. The government of Canada is also investing in programs through initiatives such as the ICT Boost program through the Sectoral Workforce Solutions Program (SWSP), to help fund companies such as Lighthouse Labs to provide training to individuals in the tech sector.” Munro summarized, “… Canada is investing in cybersecurity technologies and the development of people with cybersecurity knowledge are a top priority to combat these cyber threats.”

What is Cyber Security Fitness? 

“Cybersecurity fitness can be considered more of a metaphor,” explained Munro. “This metaphor likens cybersecurity practices to physical fitness routines. Just like you can stay fit physically, you can stay fit within the cybersecurity world.”

“We can consider these three topics (warm-up, workout, and self-defense) and group them out [as follows],” shared Munro.

1. To warm-up, Canadians can consider this as basic cybersecurity hygiene.
“The first tip to warm-up would be to have a good password management system in place. This means by first starting with using secure/strong passwords. Changing these passwords every so often ensures that if they have been leaked somewhere, they aren’t being reused anywhere else within your accounts. You could also consider using something like a password manager to help you create and store your complex passwords securely.”

“The next tip would be to ensure your software is always up to date. Companies provide software updates with security fixes once they are found. Many people disregard these as they are time-consuming and/or interrupt daily work. In reality, these updates are what help us stay protected from attackers.”

Munro also commented, “One of the best ways Canadians can improve their advanced cybersecurity practices is to invest in some cybersecurity training. There are many online resources and courses that are both free and paid.”

2. To workout, Canadians can consider this as having advanced cybersecurity practices.
“The first tip I would give is only to use secure Wi-Fi connections. Most of the time, people will sit in a cafe or in a hotel and use their public Wi-Fi which is usually not secured properly and attack certain users who connect through the same Wi-Fi connection. The best thing to do while on these public Wi-Fi networks is to use something to protect yourself, such as a VPN. If you don’t have one, I’d recommend not entering any banking information on your devices and try not to login to any accounts on your devices.”

“Another way to practice advanced cybersecurity is to back-up your data. You can do this by using some backup software to back-up your data to an external drive occasionally. This ensures that if anything happens to your computer or the data on it, you have a separate copy of it that you can use.”

Added Munro, “One of the most important things to consider when talking about advanced cybersecurity practices is to consider what you post on social media and your social media privacy settings. I recommend making your accounts private, and only allow friends to see your information online. A lot of attackers will prey on the information you post online to gather information about you and use it against you. Being mindful of who can see what you post, and what you post in general will help keep you protected.”

3. For self-defense, Canadians can consider this as having advanced cybersecurity measures in place.

“One of the ways Canadians can implement advanced cybersecurity measures is to consider what sites they are purchasing from while online shopping. This means taking a few extra minutes to check reviews and forums about the site if you’re unsure. See what other people are saying about it and if anything has happened to them in the past from using the site. You can also check for things in the URL such as if it has ‘HTTPS’ before the link, or if there is a padlock icon in the top left corner. Some sites that aren’t secure might allow attackers to steal any information you enter there, including your credit card information and address.”

“Another way we can protect ourselves by using advanced cybersecurity measures is to use more than just passwords. This means that using something alongside a password to login to your accounts will make it more secure. This is considered Multi-Factor Authentication. It can be your password alongside a code sent to your phone, your thumbprint, an email verification etc. Having more than one requirement to login to your accounts makes it harder for attackers to access your accounts.”

“One of the more important tips here is to have email/text awareness. Majority of cyberattacks are caused due to some sort of phishing email or text. Meaning that attackers pretend to be a reputable company or person and try to trick you into giving them your information such as email/password combinations, credit card info etc. or to have you click on a harmful link. Having the awareness and ability to verify if an email is real or not helps protect you from giving information to someone who shouldn’t have it. You can practice by checking your junk folder and there will most likely be some emails in there that sound a lot like what I just described.”

AI and Cybersecurity

I asked Munro about the impact of AI on cyber security to which he explained, “In relation to AI, cyber defense teams have been using it to help protect physical cybersecurity assets such as our computers, systems, networks, etc., but the one thing that still lacks is the human aspect of cybersecurity. Humans always have been, and always will be the weakest links, but there are ways we can improve as Canadians.”

“On the other hand, attackers have leveraged AI to help them with their tactics and techniques used in their attacks. Attackers are using AI to find other ways into our systems and using AI to do a lot of the dirty work for them.”

“One of the things attackers have leveraged AI to do is to draft phishing emails for them. They are using AI to create the emails themselves so that there aren’t any spelling or grammatical errors within the email. They can also make the emails look more professional to seem like the phishing emails they’re sending are from a reputable source.”

“When it comes to these AI-crafted phishing emails, Canadians are going to have to keep an eye out even more for more sophisticated phishing emails. One of the main tells of a fake email is the email address it is being sent from. This can be different from what the display name is. So, while an email may have come from ‘Google Support,’ make sure that the email address is associated with a reputable email sender. We can search online for the email address that emails are coming from and find out if it is real or not.”

“Another thing that Canadians need to be on the lookout for is AI-generated deepfake videos, which are videos created by AI that look and sound real. These videos can be of famous people, government officials, etc. These videos aim to provide people with false information from what seems to be a reputable person. It’s sometimes hard to tell when a video is fake or not, but it’s always best to do your research and not to take any videos like this at face value. When these videos are found, it’s always best to report them via the social app you are using, or to authorities. It’s also recommended not to engage with or share these videos since it will cause them to gain more attention.”

“Overall, when it comes to AI, it can be very helpful or very dangerous. If you think you’ve become victim of an AI-related cyberattack (or any cyberattack), you should always report it to the proper authorities and protect yourself using the methods above.”

-30-

**The 2023 CIRA Cybersecurity Survey was conducted by The Strategic Counsel in August of 2023, collecting 500 online responses from cybersecurity decision-makers across Canada. The goal was to identify industry trends in perceptions and attitudes.

 
