CIRA publishes an annual survey of Canadian IT security decision-makers to better understand how they are coping with cyber threats. This year’s survey, which research firm The Strategic Counsel conducted in August, collected over 500 responses from IT professionals across the country. This is the third blog post in a series of four for 2023.
New research from CIRA finds that Canadian organizations in the MUSH sector (municipalities, universities, school boards, and hospitals) are the biggest targets for cybercriminals. Why? These organizations typically possess troves of highly sensitive information. According to findings from the 2023 CIRA Cybersecurity survey, 84 per cent of MUSH sector organizations say they store the personal information of their patients, clients, students, and members of the community.
Think about all the information you give to your hospital, schools, and local governments: your birthday, home address, emails, phone numbers, banking and tax information, social insurance numbers; the list goes on. If they’re successful in getting access to this data, bad actors can enrich themselves financially by committing any number of criminal acts, whether they’re breaking into our bank accounts, running up our credit cards, or targeting us in phishing attacks to extract even more of our personal data.
Another way hackers profit from our data is by selling it to other cybercriminals. According to a dark web price list published by Private Affairs, a single hacked Canadian credit card number (including CVV) currently goes for $30 USD, while an email database dump of 2.4 million Canadian email addresses will net its seller $100 USD. Online banking login credentials at certain banks can fetch upwards of $4,000 USD, and while estimates vary, a single medical record can be worth up to $1,000 USD on the dark web. Suffice it to say, when attackers gain access to thousands or even millions of data records, the payoff can be massive.
If the stakes are high for cybercriminals, they’re even higher for the organizations that find themselves the victims of their attacks. As the data from the 2023 CIRA Cybersecurity Survey illustrates, the financial costs of recovering from an attack are rising and at least some level of reputational damage is inevitable. But for hospitals and other health care providers, any disruption to medical systems can also prevent the delivery of critical health care services, including life-saving surgical procedures.
MUSH sector organizations are poorly equipped to protect themselves
Survey data reveals that cyber attackers continue to have success breaching the defenses of organizations in this sector. More than 41 per cent of organizations say they have used their cyber incident response plan in the last 12 months, compared to 29 per cent of private sector organizations and 37 per cent of public sector organizations. As well, 22 per cent of organizations in the MUSH sector admit to being the victim of a successful ransomware attack.
These findings are especially problematic given that many municipalities, schools and hospitals lack the resources and infrastructure to fully protect themselves, a fact that cybersecurity professionals are intensely aware of. Nearly one-third (30 per cent) do not believe their organization’s budget for cybersecurity is sufficient to protect against cyber attacks. Compared to private sector firms (74 per cent), fewer MUSH organizations (59 per cent) say they have increased the resources they dedicate to cybersecurity. In addition, more than three quarters of MUSH organizations (78 per cent) are worried about cyber threats from generative AI, even though 71 per cent have not yet put an artificial intelligence (AI) policy in place.
Another fundamental challenge relates to the aging information technology (IT) and operational technology (OT) infrastructure in place in many MUSH sector organizations. In fact, most of the oldest technology used today is OT. Nearly one third (30 per cent) report the are relying on technology released prior to 2010 to run their organizations and thwart cyber attacks.
Collaboration is critical for bolstering cybersecurity defences
Despite the ongoing risks organizations in this sector face, there are some key steps they can take to protect themselves from cyber threats, including new ones driven by generative AI. For example, sector-specific partnerships allow organizations to leverage their collective buying power to acquire new cybersecurity technology, share threat intelligence, and support each other with information to improve their security posture.
CIRA is partnering with CANARIE, Canada’s National Research and Education Network to deliver bulk-purchased cybersecurity protections to at-risk and underserved higher education institutions through the CANARIE Cybersecurity Initiatives Program.
Programs such as these are extremely valuable, but additional sector-specific partnerships are needed in Canada, in particular ones that enable organizations to pool their collective resources to adopt new cyber protections at scale. These programs are especially important for resource-constrained municipalities, K-12 schools, and healthcare organizations, where there are significant security gaps that urgently need to be closed.
Government also has an important role to play, identifying vulnerable or underserved sectors and leveraging its convening power to facilitate collaboration amongst organizations facing similar challenges.
Learn how CIRA can help your organization defend against the latest wave of cyber threats with our suite of enterprise-grade cybersecurity products.
Eric is a Product Marketing Manager with CIRA Cybersecurity Services. His background in digital marketing has led him to appreciate the vital role data plays for Canadian organizations and individuals, and the need to keep it safe. Eric has an MBA in International Business from Sup de Co La Rochelle.
