CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the third blog post in a series of four for 2023.
New research from CIRA finds that Canadian organizations in the MUSH sector (municipalities, universities, school boards, and hospitals) are the biggest targets for cybercriminals. Why? These organizations typically possess troves of highly sensitive information. According to findings from the 2023 CIRA Cybersecurity survey, 84 per cent of MUSH sector organizations say they store the personal information of their patients, clients, students, and members of the community.
Think about all the information you give to your hospital, schools, and local governments: your birthday, home address, emails, phone numbers, banking and tax information, social insurance numbers; the list goes on. If they’re successful in getting access to this data, bad actors can enrich themselves financially by committing any number of criminal acts, whether they’re breaking into our bank accounts, running up our credit cards, or targeting us in phishing attacks to extract even more of our personal data.
Another way hackers profit from our data is by selling it to other cybercriminals. According to a dark web price list published by Private Affairs, a single hacked Canadian credit card number (including CVV) currently goes for $30 USD, while an email database dump of 2.4 million Canadian email addresses will net its seller $100 USD. Online banking login credentials at certain banks can fetch upwards of $4,000 USD, and while estimates vary, a single medical record can be worth up to $1,000 USD on the dark web. Suffice it to say, when attackers gain access to thousands or even millions of data records, the payoff can be massive.
If the stakes are high for cybercriminals, they’re even higher for the organizations that find themselves the victims of their attacks. As the data from the 2023 CIRA Cybersecurity Survey illustrates, the financial costs of recovering from an attack are rising and at least some level of reputational damage is inevitable. But for hospitals and other health care providers, any disruption to medical systems can also prevent the delivery of critical health care services, including life-saving surgical procedures.