IPC Shares Best Practices to Protect Organizations From Cybersecurity Threats and Ransomware

Cyberattacks are on the rise, making cybersecurity more important than ever for organizations as they protect the information entrusted to them by their employees and members of the public. Between 2020 and 2021, global ransomware attacks increased by 151 percent. In Canada, the Canadian Internet Registry Authority reports that 60 percent more organizations reported breaches of customer and employee data in 2021 than before the pandemic began in 2020.

Perhaps in response to this increase in cyberattacks, the Information and Privacy Commissioner of Ontario (“IPC”) issued an updated information document on protecting against ransomware attacks in October 2022 (the “Ransomware Fact Sheet”). In the Ransomware Fact Sheet, the IPC explains how ransomware functions and offers proactive best practices to reduce your organization’s exposure to cyberattacks. Cyberattacks can result in serious consequences for individuals and organizations alike, and it is vital that appropriate steps are taken to protect organizations and digital infrastructure. In this blog, we will share the highlights of the IPC’s latest guidance on this important issue.

What is Ransomware?

Ransomware is a type of malicious software or “malware.” The ransomware allows attackers to access an organization’s systems and prevent an organization from accessing their own data holdings. Ransomware attackers commonly employ lock out techniques to hold an organization ‘hostage.’ Attackers may also threaten to take damaging action (such as destroying, stealing, and disclosing information) unless they receive payment in return for release of the hostage information.  

The Lifecycle of Ransomware

Ransomware attacks commonly follow a four-step lifecycle:

1. Access - Attackers begin by using software tools to remotely enter the target’s information environment. They may process files and records to examine the organization’s information holdings.

2. Use - Attackers will use their access to information to pressure the target organization to pay a ransom. Threats may include encrypting information into indecipherable data.

3. Loss - If the attacker encrypts the information, the organization is unable to access and use it. Back-ups may also be impacted or insufficient to rectify the loss.

4. Theft - Ransomware attackers may copy the information and use it for unlawful purposes.

Impacts of Ransomware

The IPC also identifies the following potential impacts of poor cybersecurity and cyberattacks:

• Harms to health, safety, and public order: for example, hospitals with compromised systems may have delays in providing services, such as cancelling surgeries.

• Distress: losing control of sensitive information can seriously harm an individuals’ physical and mental wellbeing.

• Financial loss: attackers may gain access to critical financial information.

• Inability to exercise access to information rights: individuals may lose the ability to access their information, which in the case of health records may be irreplaceable.  

• Interruption of internal function: internal operations and the ability to provide services to the public may be disrupted.

• Reputational harm: the public and employees’ trust in the organization may be lost.

Safeguarding Against Ransomware is a Legal Obligation

Organizations subject to Ontario’s access and privacy laws are required to take reasonable steps to safeguard information from “unauthorized access and disclosure, and unauthorized or inadvertent disposal or destruction.” Health information custodians and child and family service providers are also required to retain, transfer, and dispose of personal information in a secure manner. [1]

To ensure compliance with security obligations, the IPC recommends creating and implementing a robust system for accountability that includes:

• employing reasonable measures to identify, protect, detect, respond, and recover from threats;

• establishing an overarching information security policy that sets out roles, responsibilities, reporting mechanisms, and requirements;

• ensuring compliance and regular monitoring of security policies;

• developing contractual obligations with service providers to ensure they meet appropriate cybersecurity standards; and

• continually evaluating the effectiveness of security measures.

Be Proactive

Attackers are innovative and they continuously enhance their methods. A proactive approach means that your organization will need to understand and adapt to the ever-evolving ransomware landscape to stay ahead of cyberattacks.

Attackers can use various methods to gain initial access into your organization. They may use social engineering techniques that manipulate a user to install malicious software or open a misleading link or document. Attackers can also exploit vulnerabilities in systems connected to the internet, such as using automated means to try millions of different passwords to enter an organization’s infrastructure, or compromise third party products or services to gain access into your network. These are only examples, and new techniques are being developed continuously.

In the Ransomware Fact Sheet the IPC recommends proactively engaging cybersecurity challenges by implementing the following security measures:

• Use email security controls to detect and block suspicious emails.

• Establish a vulnerability management program to monitor cyber threats, scan for vulnerabilities, and implement solutions.

• Maintain an “asset inventory” that tracks how information flows and what software and hardware are used in your organization.

• Organize information in a manner that labels and secures them according to sensitivity.

• Routinely test, review, and update strategies, policies, and procedures

• Adopt the ‘principle of least privilege’ and only grant access and authorizations that are necessary for each specific user.

• Minimize and monitor administrator accounts.

• Install security tools on all devices used to access or store sensitive information.

• Restrict employee access to suspicious websites.

• Use good authentication practices including effective password management and strong multi-factor authentication.

• Maintain regular backups and monitor the integrity of records for unusual changes.

• Configure computers and infrastructure to keep logs that can document events and information and detect unauthorized activities.

Be Responsive 

It is also important that your organization prepare for a cybersecurity incident or successful ransomware attack. Here, preparation is also key and can significantly reduce the impact of a ransomware attack.

The IPC recommends that organizations institute a formal cybersecurity incident management program that can detect and address cybersecurity incidents in a timely and effective manner. A robust program should identify the roles and responsibilities of senior leadership and an incident response team, and define clear procedures, processes, legal obligations, and timelines following a cybersecurity attack. To implement such a program, organizations will need to ensure that employees understand the program and their role in it, which may require training and information sessions.

Should an attack occur, employees and leadership need to be ready to take any immediate steps that may help to limit the impact of the attack (such as isolating an effected computer) and then contact information security, technology and legal professionals who can help respond to the incident and advise regarding next steps. If a cybersecurity incident results in the loss or theft of information, your organization may have a duty to notify affected individuals, or to report ransomware attacks to the IPC. Acquiring a cybersecurity insurance policy can help offset costs associated with responding to incidents.

Takeaways

In her introduction to the Ransomware Fact Sheet, the IPC borrows Benjamin Franklin’s famous phrase, “An ounce of prevention is worth a pound of cure.” The IPC’s message is clear - organizations are expected to take a proactive approach to cybersecurity.

Malicious online attacks are often preventable and implementing the right security safeguards today and maintaining awareness of the ever-evolving cybersecurity landscape can protect your organization from cyberattacks and prepare your organization to respond swiftly to mitigate the impacts of such an attack.

As you consider how to strengthen your organization’s cybersecurity, ask yourself: Does your organization has the procedures in place to identify, prevent and resolve cyberattacks? Are your employees equipped to prevent and respond to suspicious activity or cyberattacks? Do your policies and information security infrastructure reflect legal obligations and best practices?

If you have questions regarding cybersecurity and privacy laws, responding to a cybersecurity breach, or any matters pertaining to your privacy and information security obligations, please contact us.

[1] The Freedom of Information and Protection of Privacy Act (FIPPA); Municipal Freedom of Information and Protection of Privacy Act (MFIPPA); Personal Health Information Protection Act (PHIPA); Part X of the Child, Youth and Family Services Act (CYFSA).