The race to protect data in the new normal

Text BY Bill Currie | Illustration by Carl Weins
07 July 2020

Binary code overlayed with a green and yellow gradient — Even before the COVID-19 pandemic, cybersecurity analysts were among the top 10 most in-demand digital jobs in Alberta. As cyberattacks spread, LINK explores the race to protect data in today's new digital normal.

As we fight this deadly human virus, in part by turning to the digital world in droves, our exposure to a cyber virus is rapidly increasing, threatening to expand the existing cyber risk gap.

The coronavirus is transforming our world at every turn, with a record number of people learning and working from home, internet grocery shopping — even making online visits to the doctor. The sheer explosion of video conferencing is, by itself, changing how we interact and socialize.

This shift to greater online living is adding to a world already awash with data, and in its wake comes a rising tide of security breaches.

“I think cybercriminals are probably looking at our world right now and seeing a target-rich environment,” says George Chase (CT ’97), an instructor with SAIT’s School of Information and Communications Technologies. “It’s the equivalent of walking down the street and seeing 15 cars unlocked with the windows rolled down.”

Chase says cybercriminals are willing to take more risks when the reward is higher and the opportunities are plenty. “Zoom was a minor player in video communications until COVID-19,” Chase explains. “When its popularity took off as a video conferencing tool, it attracted the attention of cybercriminals and a lot of its flaws were highlighted and fixed quickly.”

From phishing scams to ransomware attacks, criminals are exploiting the chaos of the coronavirus. At the time of writing, the World Health Organization reported an alarming increase in cyber attacks, year over year. INTERPOL warned of an increase in attacks on medical institutions and laboratories, and similar alerts have been issued to health organizations by the Canadian Centre for Cyber Security.

Cybercrime is on the rise — and it’s already coming from a pretty strong position.

Going up

Even before COVID-19, there were countless examples of cybercrime, like the eight-year-old American girl terrorized after a hacker gained access to the security camera installed in her bedroom. Or the admission from LifeLabs that it paid a ransom to regain control of the personal health information of 15 million Canadians.

Data is a commodity. It’s big business. It may not shine like gold or smell like oil, but it has immense value. It’s a resource being made even more ubiquitous by the novel coronavirus.

But is cybersecurity up to the challenge of protecting that data? Is it taken seriously enough? Are there enough cybersecurity professionals — and do they have the right skills to match the dark forces? Are businesses positioned to mitigate cyber risks, especially now?

"I think cybercriminals are probably looking at our world right now and seeing a target-rich environment."

George Chase SAIT instructor — Instructor George Chase helped create SAIT's Information Systems Security diploma program, where students learn fundamentals including malware analysis, forensics, social engineering and military strategy.

Cyber shortages

Emerging technologies such as cloud computing, robotics, artificial intelligence and 5G are major drivers in cybersecurity. Another is the Internet of Things, where smart devices control smart houses by turning on lights and setting alarms. As the number of technologies working together increases, so does the need for cybersecurity. It’s a growing field, yet there’s a workforce shortage.

As a result, many universities, colleges and polytechnics — including SAIT — are ramping up cybersecurity programs. Since 2017, SAIT has launched four, including a two-year diploma program dedicated to Information Systems Security (ISS).

“The number of hacks, the rate of ransomware incidents, and the amount of stolen personal information have gone up significantly in the last four or five years,” Chase says. “Today’s dearth of security computer people is because there was a lull for a while when security was not taken as seriously.”

In the midst of the pandemic, playing catch-up will become even harder. “I think you will see some spectacular cybersecurity failures in the months and years ahead,” says Chase.

According to The changing faces of cybersecurity: Closing the cyber risk gap, a study by professional services firm Deloitte and Toronto Financial Services Alliance, “demand for cyber talent in Canada is increasing by 7 percent annually, with organizations needing to fill some 8,000 cybersecurity roles between 2016 and 2021.” Those pre-pandemic numbers will almost certainly be revised upward.

Cyber students

SAIT’s ISS program takes a hands-on approach to teaching programming, operating systems, networks, firewalls, encryption, malware, passwords, biometric technology, and other defensive and offensive technologies. But students also learn to strengthen their arsenal of human skills.

“Curiosity is probably the number one attribute they’ll need,” says Chase. “The students who do well in this program are the students who took that alarm clock apart when they were nine years old to see how it works.”

Also critical is a student’s ability to put on their black hat, Chase says. “We ask them, ‘If you were a hacker, what would you do to break this network?’ Then we ask, ‘How would you defend against that?’”

Thinking like a hacker is the approach that ISS student, Ahmed Almass, took with his capstone project. Almass built a computer from scratch to measure password strength. Passwords are essential for protecting data but, using his password cracking machine, Almass confirmed just how easily most can be hacked.

He also demonstrated that password security increases with the number of letters and characters used.

Interestingly, Chase believes people would create stronger passwords if they were called passphrases.

“A passphrase like ‘FurryBlueRaincoatFrøm1947’ is relatively easy to remember, but — because it has 25 letters, characters and numbers — very few hackers would have any hope of cracking it quickly,” Chase argues.

Another pressing issue intensified by COVID-19 is working from home on personal devices that are not secure in a company’s network. “The line between corporate computer and your personal computer is blurring,” Chase says. “This increases the cyber gap because a company’s IT people have less ability to implement safety controls and protection.”

A student capstone by Ahmed Almass showed hackers can easily break ordinary passwords, but passphrases — like this one with 25 letters, characters and numbers — proved more difficult to crack quickl. In real life, Almass used four high-end graphics processing cards to create his password cracking machine. — A student capstone by Ahmed Almass showed hackers can easily break ordinary passwords, but passphrases — like this one with 25 letters, characters and numbers — proved more difficult to crack quickly. In real life, Almass used four high-end graphics processing cards to create his password cracking machine.

The risk of cyber risk management

According to the latest Statistics Canada report on cybercrime, “Just over one-fifth (21%) of Canadian businesses reported that they were impacted by cybersecurity incidents which affected their operations in 2017. About 19% of small businesses reported being impacted compared to 28% of medium-sized businesses and 41% of large businesses.”

Once again, those numbers are expected to increase along with the escalating use and quantity of data worldwide. In its recent article Cyber risk in an Internet of Things world, Deloitte calls for a more integrated risk philosophy in businesses of all sizes.

Catherine Loughlean is a Director of Risk Advisory Cyber Risk Services at Deloitte in Calgary. “Innovation has been happening at a very fast pace for a number of years now enabling businesses to evolve and, through that, we have learned the challenges of not making cybersecurity part of the design process.”

Fast forward to the pandemic, and the need to protect our data is shifting into hyperdrive. “It accelerates and amplifies the need to have cybersecurity professionals with diverse skills and expertise across a range of cyber areas,” Loughlean says. “In addition, with the rapid shift to remote work, there’s more landscape to attack and with this, the challenge to protect our data and systems increases.”

Risk-driven decisions are imperative to beating back the bad guys and protecting our data. But with the economic turmoil caused by the current global shutdown, many organizations are fighting just to survive.

“In these times, every single organization — small or large — is really focused on understanding what’s changed for them with the shift to remote work, along with the risks and impacts — both in the short term and long run,” Loughlean says. “The most important thing for organizations is to understand what resources they have and determine how to address the most important areas needed to manage their level of risk, and contain resource effort and costs.”

Industry associations are one resource businesses can turn to, offering valuable advice about best practices. Even volunteer cybersecurity groups have been popping up to help.

On the cyber front line

Taylor Boos (IT '19) is part of the next generation of cybersecurity professionals — a field that can't recruit fast enough.

A Calgary-based cyber risk analyst working at Deloitte, Boos says cybersecurity is "one of the most important things you can learn in IT. It's one thing to build a network, but if you are unable to secure that network, what kind of value does it bring?"

Boos is also on the frontlines as industry and post-secondary institutions recognize the need to rain more women in cyber globally. "Cybersecurity is a field that values different opinions and different ways to solve a problem — and the women I have worked with always bring that new ingenuity to what they do," she says.

A new normal

We try to get our clients to see cyber as a strategic business risk,” says Loughlean. “It’s something that cannot be left unchecked. It has to be raised to the top level of every organization — and this is even more evident today.”

Critical to narrowing the cyber risk gap, Loughlean says, is moving towards a centralized business model where every system is managed with appropriate security measures. Equally critical is to build the right workforce for today’s complex digital world.

“The talent shortage is not something we can solve with one skill set,” argues Loughlean, who says there’s a need to draw people from a broad range of disciplines including business, government, military, health care professionals and academia.

Amidst all the bad news, Loughlean and Chase see a possible silver lining: cybersecurity awareness will increase as cybercrimes intensify.

“I think what’s happening is an acceleration of the things that would have eventually happened in corporate IT,” Chase says.

“Five to eight years of change are being collapsed into six months, and this may turn out to be a good thing. Some of the questions companies have been trying to address — but maybe not as a priority — are now demanding to be addressed immediately.”

“How and where we work will be one of the most pronounced changes of the COVID-19 pandemic,” states the American SANS NewsBites, a semi-weekly summary of important news articles on computer security and hacks. “Simply put, the day when everyone needs to be able to work from anywhere is upon us.”

Chase foresees “a different kind of cybercrime — one tailored to the new reality. The way we did business using technology and networks last year will never come back. Too much has happened. There will be a new normal.”

And in that new normal, where it’s vital to remain vigilant in using physical distancing and hyper hygiene to stop the spread of COVID-19, it only makes sense to be equally vigilant in protecting our data.

This story was originally written for the Spring 2020 issue of LINK magazine — SAIT in the time of COVID.