Canadian businesses saw a 44% increase in incidents in 2024 compared to previous years. 41% of Canadian small businesses that experienced a cyber incident suffered at least $100,000 in damage. The average ransomware attack cost in Canada now exceeds $2 million.
An Innovative Government Approach to Cybersecurity
The Government’s plan is an innovative, whole-of-society approach to fighting cybercrime at all levels. It is based on three pillars.
- Strengthening cyber defenses through all-sector partnerships. One measure is improving cybersecurity resilience with awareness programs like Get Cyber Safe.
- Positioning Canada as a global cybersecurity leader. Measures include supporting secure-by-design technologies and IoT security labelling. They also intend to tackle generative AI and deepfake risks.
- Improving the Government’s ability to detect and disrupt cyber threats.
A whole-of-society approach is essential in cybersecurity. Your defences are only as strong as your weakest link. The weak link could be an individual who becomes a victim of a phishing attack. It’s often SMEs (small and medium-sized enterprises) with limited resources. And far too many critical infrastructure providers struggle with aging IT systems.
SMEs’ First Line of Defence Is Cybersecurity Fundamentals
The pandemic increased the speed of Canadian businesses’ digital transformation. Unfortunately, the haste of the transformation brought new cybersecurity risks.
People use unsecured home WiFi networks to connect to company resources. Their home networks are often loaded with unsecured IoT devices. They’re using non-standard computers and personal smartphones for business purposes. Their software can be outdated or dangerous. Most people use apps and tools without the knowledge or approval of their IT departments.
This wide range of weaknesses can be a hacker’s dream.
The Disney Software Engineer Who Caused a Major Data Breach
We can learn a lot from this explosive example of the dangers of the hybrid working model.
Last year, a Disney software engineer downloaded a free AI tool to his home computer. Five months later, he discovered that the app included malware. It contained a sophisticated infostealing tool.
The attackers had full access to his computer. The incident led to a massive data dump of Disney’s internal communications. It exposed visitor figures, revenue, and other sensitive company information.
As a result, Disney stopped using Slack for internal communication and fired the software engineer.
This incident illustrates how an employee (who should have known better) bypassed almost every recommended SME security measure.
It also underlines why the Government’s whole-of-society approach makes sense. Every employee is a potential weak link in business. The only way to counter that is by raising staff awareness. Each worker must become more knowledgeable and cyber-aware.
Recommended Standard Cybersecurity Practice for SMEs
Here is a short overview of standard recommendations for SME cyber defence mechanisms. It includes commentary on how an individual’s inadvisable actions still circumvented the rules.
Use Antivirus Software and a Firewall
Antimalware and endpoint solutions for SMEs are pretty sophisticated. They usually have intrusion detection tools and endpoint management software. Small IT departments can enforce and manage software updates. They can also check that all the devices in your business are correctly configured.
The Circumvention: The engineer downloaded the AI tool on his home computer. It had a different antivirus than the one used by Disney’s networks.
Use Only Trusted Software Sources and Keep Them Updated
Updates contain patches for recently discovered weaknesses and prevent exploits. They should only come from trusted sources.
The Circumvention: The engineer downloaded a non-approved tool of questionable origin. He unknowingly installed malware that took over his PC.
Use a Password Manager
A password manager creates strong passwords and synchronizes them across different devices. It’s safer than writing passwords down or sending password notes by email.
The Circumvention: The malware was a sophisticated info stealer. It stole passwords as the engineer used them during regular business activities. The malware also gave the attacker complete control over the PC. The attacker only had to wait for the engineer to unlock the password manager to export its contents.
Use 2FA Where Possible
2FA can block a large percentage of attempts at unauthorized access. Remind employees only to approve MFA requests they initiated themselves.
The Circumvention: The Disney engineer stored many 2-factor authentication keys in this password manager. Since the attacker had full access to the PC, they also had access to the password manager contents. Additionally, the engineer did not protect his password manager’s login with 2FA.
Use a Virtual Private Network (VPN)
Home networks are often badly secured. That’s why it’s critical to encrypt home workers’ connections to your company networks. It has become standard practice for SMEs to secure on-site and remote American worker connections with a USA VPN. A VPN prevents attackers from intercepting data flowing online. For example, it stops attackers from stealing session cookies while your staff is active on your network. When an attacker steals someone’s session cookies, they can access the accounts remotely as an authenticated user.
The Circumvention: The attacker had complete control over the PC. That meant he had full access to session cookies. He used the stolen session cookies to steal Disney’s Slack communications.
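A stolen session cookie is usually replayed from a machine other than the one that logged in, which gives defenders something to look for. The following is an added example, not code from the original article or from Disney or Slack: it flags any session ID that later appears with a different IP address or user agent than when it was first seen. The log format, field names and sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample access log (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2024-07-01T09:00:05Z sid=a1f3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/126"
2024-07-01T09:04:41Z sid=a1f3 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/126"
2024-07-01T09:05:02Z sid=b7c9 ip=198.51.100.7 ua="Mozilla/5.0 (Macintosh) Safari/17"
2024-07-01T09:06:13Z sid=a1f3 ip=192.0.2.55 ua="python-requests/2.31"
2024-07-01T09:07:30Z sid=b7c9 ip=198.51.100.7 ua="Mozilla/5.0 (Macintosh) Safari/17"
"""

LINE_RE = re.compile(r'^(\S+) sid=(\S+) ip=(\S+) ua="([^"]*)"$')


def find_reused_sessions(log_text):
    """Return one alert per request whose session ID shows up with a
    client context (IP, user agent) different from its first use."""
    baseline = {}  # sid -> (ip, ua) recorded when the session first appeared
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore malformed or unrelated lines
        ts, sid, ip, ua = match.groups()
        if sid not in baseline:
            baseline[sid] = (ip, ua)
            continue
        base_ip, base_ua = baseline[sid]
        changed = []
        if ip != base_ip:
            changed.append("ip")
        if ua != base_ua:
            changed.append("ua")
        if changed:
            # An IP change alone can be a roaming user; IP and user agent
            # changing together is much harder to explain innocently.
            severity = "high" if len(changed) == 2 else "medium"
            alerts.append({"time": ts, "sid": sid, "ip": ip, "ua": ua,
                           "changed": changed, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in find_reused_sessions(SAMPLE_LOG):
        print(alert)
```

This check catches replay from a different machine; it does not see an attacker who operates from the victim's own PC, so it complements endpoint controls rather than replacing them.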
Adopt a Least Privilege/Zero Trust Approach
Limit employees’ access to company resources based on the concept of least privilege. They should only have access to what is necessary to perform their roles.
The Circumvention: The engineer was highly placed in the organization. He had more access privileges than most employees.
Businesses Should Never Become Complacent
The unfortunate engineer knew about the daily cyber dangers facing businesses. This tale illustrates to business owners and leaders that they cannot afford to get complacent. No one is immune from cyber dangers. It is imperative to stick to the basic cybersecurity rules and arrange employee training at regular intervals. This will teach staff to recognize threats and encourage high awareness.