Stepping up Canada's cyber fitness starts with protecting your accounts

By John Hewie, National Security Officer, Microsoft Canada

This past year in Canada, we continued to see numerous headlines of high-profile cyberattacks with many more that don’t end up in public reporting. A recent report from CSE’s Canadian Centre for Cyber Security (the Cyber Centre) predicts an increase in cybercrime over the next two years, with financially motivated cybercriminals continuing to target critical infrastructure at a rapid pace. Cybercrime isn't just a threat to Canada's national security; it affects individuals and businesses of all sizes. Hospitals and health care, the flow of essential goods through supply chains and countless other facets of our daily lives depend on secure digital operations. Cyber threat actors will continue to exploit Canadians and our infrastructure unless we continue to take additional steps to protect ourselves.

The good news is that most cyber attacks follow common patterns that can be thwarted by focusing on a few foundational aspects of cybersecurity – most importantly protecting your accounts. Experience from Microsoft Incident Response teams helping Canadian organizations recover from a breach almost always reveal a compromised user account that allowed an attacker to explore the target network looking for ways to further compromise additional accounts with privileged or administrative permissions. This can turn into a ransomware or data theft situation. But we know fraudsters will take the easy path and won’t bother trying to break in when they can login with stolen or compromised account credentials.

Microsoft, Get Cyber Safe and CSE’s Cyber Centre and many others across the security industry continue to advocate that Canadians should take the following important steps to protect their accounts.

Multi-factor authentication

Adopt multi-factor authentication (MFA) on any account you deem to have value. This should be mandatory for all privileged or administrator accounts. MFA is capable of blocking over 99.9 percent of account compromise attacks. With MFA enabled, stealing your password won’t alone be enough for a cyber criminal to gain access to your private information. Microsoft offers a free authenticator app that provides a simple and secure way to manage MFA for most account types, including third party web apps.

You might be thinking MFA is a no-brainer but only one in three Canadians currently use MFA. A recent global study showed 55% of small and medium-sized businesses are not fully aware of MFA's benefits; 54% say they have not implemented MFA.

Use strong and unique passwords for each account

Creating and remembering passwords can seem like a full-time job. While Microsoft offers password-less options for some services, the reality today is we still need to manage a lot of passwords. Using a password manager to ensure each user account (or at least the important ones) has a complex and unique password is recommended for everyone, especially if an account doesn’t support MFA. More info on what to look for in password managers can be found at Get Cyber Safe. Microsoft Edge enables you to manage multiple passwords and offers a built-in password generator with the ability to sync to mobile devices. After some initial effort to get your existing passwords organized into a password manager, you will find doing this not only improves security of your accounts but makes it much faster to get logged into the websites you want to use.

Your privileged accounts need extra care

Cyber attacks all have one common objective – obtain access to one or more privileged accounts within the organization that will give them the ability to wreak havoc on the environment. Businesses of all sizes are encouraged to prioritize efforts that put strict controls in place to secure privileged accounts. Microsoft’s Secure Privilege Access guidance provides an implementation framework that is based on Zero Trust Principles.

Know the most common scams

Understanding the common tactics cybercriminals deploy is a crucial first step to protect yourself against scams both at home and the office. Hollywood movies give the impression that security breaches are the result of hackers breaking into computer systems using sophisticated techniques, but the reality is much less complicated. Most cyber scams happen because humans are tricked into providing access.

Phishing: If you have an email address or a cell phone, or social media accounts or browse the internet, you’ve likely seen a phishing attempt – it's one of the most common cyber threats. Phishing (pronounced “fishing”) is when an attacker contacts you pretending to be somebody you know or an organization you trust, in an attempt to steal your login credentials or gain access to your computer by opening a malicious website or file. They usually arrive over email but can also come via text message, direct message on social media or even a phone call, disguised as someone you trust. The phishing attempt will typically seem urgent – like a message from your internet provider saying your service will be shut off if you don’t act immediately – and might include an attachment or a link to correct the problem. This is almost always malware.

Malware: is malicious software and is sometimes referred to as a "virus". It can be designed to do many different things including stealing your personal data, identity theft, using your device to quietly attack other machines, using your computer’s resources to mine cryptocurrency, or any number of other malicious tasks. Aside from phishing attempts, you can also get infected with malware by opening a file or installing an app that appears to be useful but is actually malicious. Free software download sites often host apps that include this type of “Trojan Horse” malware.

One type of malware that is common today is called “Ransomware.” This is a particular kind of malware that encrypts your files then demands you pay the cyber criminals to unlock the files so that you can access them. If you get infected with ransomware, the RCMP recommends that you do not pay the ransom. There's no guarantee that even if you pay the ransom that you'll get your data back, and by paying the ransom you may make yourself a target for additional ransomware attacks in the future.

Tech Support Scams: Have you ever received a suspicious phone call or seen a pop-up from an “agent” telling you they’ve spotted an issue with your computer or account? These scammers try to gain access to your personal information by convincing you that they can help, sometimes by posing as a trusted company like Microsoft or Amazon.

Remember that real error messages from tech companies never include phone numbers for you to call them. They will also never cold call you to tell you that there is a problem with your device. If you are contacted by anyone offering unsolicited tech support, hang up on them or close your browser. If you’re worried your device may actually have a problem, reach out to a trusted advisor or family member.

Time to make the bad guys sweat

To avoid phishing, malware and other scams, be extra cautious of messages asking you to take urgent action and be thoughtful about which apps you install. Only install apps from reputable providers. Check email addresses to ensure it’s from the stated sender and look for small changes – perhaps there’s extra letters or an underscore that’s not typically there. Be careful when opening unexpected attachments or links even if they’re from a trusted source. Don’t hesitate to call the sender, by looking up their official phone number, to confirm actions.

Protection happens in small steps

Protecting yourself and your organization from cyber threats is an ongoing process. Here are some additional impactful actions you can take today to reduce your risk.

• Be defended: Have an active, current, anti-malware program running on your computer.
  • Windows 10 includes Microsoft Defender that’s turned on by default and great for individuals. Business should look to a more fully-featured solutions such as Microsoft 365 Defender.
• Keep your devices up to date: Ensure your operating systems and software are regularly patched and updated to fix security vulnerabilities.
• Back up your data: Regularly back up your data to prevent data loss in case of a cyberattack.
• Secure your home and business network: Stay protected while you work remotely, stream TV shows, shop online or connect with friends by keeping your WI-FI router and network secure.
  • Start by changing the default name on your network, updating your router’s software and encrypting your network. Find more tips online on the Microsoft 365 blog.

If you are the victim of a cyber attack, don’t feel embarrassed or ashamed. Today’s attacks are sophisticated and even seasoned cybersecurity professionals can be duped. But by following the steps above, individuals can better protect themselves.

Report cybercrime and fraud

Only a small percentage of cybercrimes or frauds are reported in Canada. This makes it difficult for law enforcement to keep up with the latest threats and keeps criminals in the shadows which they want.

1. If you have been a victim of a scam, fraud or cybercrime, please contact your local police as soon as possible. The Canadian Center for Cyber Security provides detailed instructions and what to expect.
2. Report attempted scams or fraud to the Canadian Anti-Fraud Centre. Reporting may help link multiple crimes together and contribute to further investments in Canada to combat cybercrime.

Conclusion

Remember that cybersecurity is a collective effort and even small steps can make a big difference. Stay informed, stay vigilant, and empower yourself with the knowledge and tools to protect against cyber threats. Everyone plays a role in ensuring our digital world remains secure, resilient, and thriving.

Visit the Government of Canada’s Get Cyber Safe website or Microsoft’s CISO website for more helpful tips on ways to secure your technology.