True Patriot Love - September 10, 2025


Inside Canada’s Ransomware Problem | Jim Lang with Terry Cutler


Episode Stats

Length

18 minutes

Words per Minute

188.85443

Word Count

3,573

Sentence Count

256

Hate Speech Sentences

1


Summary


Transcript

00:00:00.740 What if I told you there was something that cost the world more than natural disasters in the illegal drug trade combined?
00:00:07.240 What if I told you that this crime, if it was a country, would have the third biggest GDP on the planet?
00:00:13.080 I'm talking about cybercrime. In 2024, it cost all of us around the world $9 trillion, and there are times we feel completely and totally helpless to stop it.
00:00:23.380 What can we do? We have someone that'll tell you what we can do.
00:00:30.000 I'm thrilled to be joined by Montreal's Terry Cutler.
00:00:41.780 Terry is an ethical hacker and a psychologist from PsyologyLabs.com and an expert on cybercrime in Canada and around the world.
00:00:49.400 Terry, thank you for joining us.
00:00:51.120 Thanks for having me. How are you?
00:00:52.640 Thank you. Very good. Thank you.
00:00:54.020 So, Auditor General Karen Hogan in 2004 warned that 30% of RCMP cybercrime posts remain unfilled, slowing incident responses and intelligence sharing.
00:01:05.300 Terry, from your vantage point, PsyologyLabs, how do these staffing gaps translate into real-world risks for Canadians when it comes to cybercrime?
00:01:14.120 Look, we have a problem in our industry where there's over 3 million personnel short in our industry.
00:01:20.180 So, the problem is you can't just jump into cybersecurity and get up to speed.
00:01:24.260 You have to have a bit of an IT background in order to jump into cyber, or else it's not going to work very well.
00:01:29.120 So, right now, they're severely understaffed and undertrained.
00:01:32.780 So, think of it as, you know, firemen responding to a fire and they show up with a garden hose.
00:01:38.840 Because cybercrime is happening so much that there's so much piling up on their desk that they just can't keep up.
00:01:45.040 Well, I know in education, they're always focusing different streams because they think the country needs physicians, engineers, accountants.
00:01:53.160 Should there not be a bigger push for computer scientists to get into IT security and cybersecurity?
00:01:58.020 There is, but there is the content that exists.
00:02:00.780 The problem is our field is very, very specialized and people burn out very, very quickly.
00:02:07.020 It's very, what's what we're looking for, it's very, a lot of stuff in our industry is not working the way it should.
00:02:15.520 Okay, so it's very discouraging because a lot of stuff that we recommend or try to implement is somewhere between not working and barely working at all.
00:02:22.840 So, it's very, very difficult to stop the cybercriminals because they can be hiding their tracks coming from anywhere in the world.
00:02:28.060 And to be able to do attribution to these guys and find out where they're coming from is very, very difficult.
00:02:32.880 And not only that, you're stuck with jurisdictional problems too because if this guy's coming in from another country, how are you going to go and prosecute?
00:02:38.880 Or how do you even know it's that guy behind the screen when it happened?
00:02:42.140 So, right now, everything favors the bad guys.
00:02:44.220 In Canada, I know there's plans for tracking cybercrime, but it's been delayed.
00:02:50.720 In your view, what steps should Ottawa and different levels of government take right now to accelerate development and reduce sort of the drag from the bureaucracy to accelerate cybercrime investigations?
00:03:03.000 Look, they're going to have to come to a point where they're going to have to start working with private companies that are vetted to work with them.
00:03:10.600 So, here's an example.
00:03:11.320 So, we just went through certification for the Canada Controlled Goods Program.
00:03:15.440 This allows us to work with the military, defense, critical infrastructure government.
00:03:19.960 It means that we've been vetted to work with this highly classified information.
00:03:23.440 And so, they're going to have to start looking at companies that have this designation that can help bring forth better technology and such.
00:03:32.280 Because we work a lot with municipalities as well, right?
00:03:34.940 And a lot of times, these guys are just so overwhelmed, understaffed, and they just can't keep up with the threats that are occurring.
00:03:41.980 And, Terry, I think it seems like every week or two weeks in Canada, there is a municipality, a public library, a government building that's been hacked, and they're held ransom.
00:03:51.620 Absolutely. And the challenge to that is that because they don't have a very large IT team, sometimes they have one person.
00:03:59.020 And, like, some of the ones we work with, maybe they have maybe three, four people.
00:04:03.780 And just when we do vulnerability scanning, as an example, so we do scanning on a weekly basis to show them what's new, what did they fix, what did they miss.
00:04:12.780 And just with that alone, they're overwhelmed by how much stuff gets found.
00:04:16.700 They just can't keep up with the updates and today's threats.
00:04:20.240 That's the unfortunate reality.
00:04:21.680 They're going to start learning to outsource this stuff to companies like ours, for example.
00:04:25.860 Absolutely.
00:04:26.460 Joined by Terry Cutler from PsyologyLabs.com and Canada's own spy agency has flagged Russia and Iran, for example, as safe havens for organized cybercrime groups.
00:04:36.160 Terry, in your opinion, how should law enforcement in this country use maybe a PsyologyLabs-style ethical hacker to collaborate and push back against these state-sponsored criminals who are affecting Canadians and people around the world every day?
00:04:49.000 I think the biggest problem is going to be bureaucracy, red tape.
00:04:52.740 That's always been an issue.
00:04:54.120 So, like, we work with some sensitive companies.
00:04:57.360 And just to get a contract signed or a document reviewed takes weeks.
00:05:02.360 There was even one we were working on.
00:05:03.880 It was two years in the making.
00:05:05.820 And it's like the legal department and all these people, they're just slowing so much things down.
00:05:13.040 And, you know, hackers aren't waiting around, waiting for you to have your contracts and stuff signed.
00:05:17.020 They're attacking you 24-7.
00:05:19.120 And a lot of times they have technology in place that is not giving them the proper alerts.
00:05:24.420 So, they don't even know that they are being attacked.
00:05:27.720 So, in one case, when we get brought in to do intrusion tests where we get hired to legally hack their business, you know, we run these attacks.
00:05:33.680 And one of the things we provide to the customers is what's called an activity report.
00:05:37.320 It's like every time we run an attack, there's a timestamp.
00:05:40.720 And their own technology is not even picking it up.
00:05:43.500 So, they never get a call from their managed provider saying, hey, are you guys under attack?
00:05:46.680 Like, what's going on there?
00:05:47.500 Or they get a call maybe three hours later saying, I think there's something going on here.
00:05:51.440 We're not sure.
00:05:52.380 So, the response time is just out of whack right now.
00:05:55.640 And, Terry, I've heard stories that in some of these state-sponsored cybercrime organizations, there's actual office buildings filled with cybercriminals working around the clock every day trying to hack into places.
00:06:07.320 They're better funded than us.
00:06:09.740 It's great.
00:06:10.060 And these scammers have 24-hour support too, right?
00:06:13.480 From other, especially, let's talk about ransomware gangs, for example.
00:06:17.500 These guys have 24-by-7 support.
00:06:20.780 It even provides like a target list of companies that are vulnerable right now because they maybe have proof of life that's on the dark web saying, we have access to this guy's infrastructure right now.
00:06:32.920 So, if you pay us $50 or $100 for this access, we'll share the profits of the ransom.
00:06:41.340 And, Terry, you brought up a good point about the red tape can take up the two years.
00:06:45.220 And, at the same time, you're saying the ransomware that's happening to Canadians around the world is happening at a lightning speed.
00:06:52.760 So, what is the current ransomware threat in Canada that we need to be concerned with?
00:06:57.860 Okay.
00:06:58.060 So, let me give you a real example.
00:06:59.800 So, this is in the public media, but I didn't want to mention a name.
00:07:03.820 What happened was, in 2023 or 2024, I believe, they got hit with a ransomware.
00:07:10.060 And they realized that the attackers have been in their system since 2019.
00:07:15.040 Okay?
00:07:15.360 So, they've been in their system the whole time, shuffling through people's emails, through the servers.
00:07:21.160 They're there to stay as long as they can undetected so they can siphon out this data right under their nose.
00:07:27.360 So, even if they ransom the municipality and say, we're not going to pay it, like they didn't pay it, they could threaten to leak the data online and still charge them for that, for them not to leak it.
00:07:39.620 And, you know, still to this day, years later, they don't have all their infrastructure still up and running.
00:07:45.820 Because once an attacker is in your environment, like, it's very, very hard to find out what did they get access to.
00:07:52.360 Are they still in here?
00:07:53.840 They're like ghosts.
00:07:55.140 So, it's very, very difficult to find out what they're doing.
00:07:58.540 And, Terry, I think of something like Hudson, Quebec or Timmons, Ontario, Prince Albert, Saskatchewan.
00:08:03.900 How in the heck are they supposed to fight and fight back against something like that?
00:08:07.920 Yeah, so the easiest way and less expensive way is to outsource this.
00:08:12.500 So, I'll mention what we do.
00:08:14.940 So, we have a managed security service where we can look at your network, your endpoint, and your cloud all in one dashboard, and it's bilingual.
00:08:22.620 Where the magic secret sauce for us is in what's called an appliance.
00:08:26.640 We ship you a physical server that does what's called a port mirror off your firewall.
00:08:30.980 So, we look at all the information coming in and out of your organization, and we see in real time what's going on.
00:08:36.440 Most companies today are using what's called log-based solutions.
00:08:40.380 They're relying on logs.
00:08:41.760 And logs get delayed, logs get modified, and logs lie.
00:08:44.600 Because as ethical hackers, we can go in there and modify this information to look like, yeah, everything's all fine, hunky-dory.
00:08:50.500 But, in fact, we're over here stealing your credit card database.
00:08:53.040 So, but when you have an appliance like this, it's real data.
00:08:58.240 Like, it's unaltered information.
00:09:00.160 So, we can see, hey, there's a large amount of data leaving your company.
00:09:03.780 That's not normal.
00:09:04.740 Or we can see things like, hey, there's an attack happening inside your network.
00:09:09.040 There's enumeration.
00:09:09.780 There's discovery occurring from this machine over here.
00:09:12.360 Are you aware of this?
00:09:13.420 Like, we can alert you on all these things.
00:09:15.180 And most companies don't have that in place.
00:09:18.240 So, for people watching this and maybe don't realize it, Terry Cutler is an ethical hacker and a psychologist from psychologylabs.com.
00:09:25.860 And it's the marriage between technical hacking skills and human psychology.
00:09:30.020 And maybe for people who are not aware, educate them on the social engineering behind what you do.
00:09:35.460 Yeah.
00:09:36.540 So, part of our job is what's called social engineering.
00:09:41.600 The psychological manipulation of people.
00:09:44.600 This is where I befriend you, gain your trust, and you're going to give me information that you typically wouldn't give out.
00:09:50.320 Then we're going to use it against you in a cyber attack.
00:09:52.700 How's that for a friend?
00:09:54.480 But we're paid to legally do this because we can walk into, let's say, City Hall and trick an employee into divulging information that they shouldn't have given us.
00:10:03.680 And we can use that to get access.
00:10:06.440 So, you know, one example, we did an attack on a retail company.
00:10:11.640 And I walked into one of their stores and I looked to see the least-looking paid employee that was stocking the shelves with his headphones on.
00:10:17.000 And I said, hey, I'm from IT.
00:10:18.200 We're doing an upgrade in your server room.
00:10:19.660 Can you bring us to the back?
00:10:21.160 So, he brings us to the back.
00:10:23.080 And that's where the equipment was.
00:10:24.840 So, we're like, okay, this is all good.
00:10:27.060 I'm going to go for lunch.
00:10:27.780 I'm going to come back with my colleagues who are also ethical hackers.
00:10:30.580 And we're going to finish the upgrade.
00:10:31.540 So, we went for lunch, strategized, came back, went to see the same guy.
00:10:35.120 And he hands us the keys.
00:10:37.860 Never asked us who we are, what we're doing there.
00:10:40.000 We had no ID.
00:10:41.340 And we're in the lunchroom.
00:10:42.980 And all of our equipment was on all the tables.
00:10:45.740 The employees couldn't even come to eat in there.
00:10:48.340 And not one single person asked us what we're doing.
00:10:51.040 And within three hours, we compromised the whole place.
00:10:53.460 Terry, is that just a human nature thing as Canadians that we're so trusting?
00:10:59.120 We assume that because you said you're with IT, oh, okay, here you go?
00:11:03.340 It is.
00:11:04.000 Because as human nature, we want to help people.
00:11:07.000 And unfortunately, sometimes…
00:11:08.480 That's helping.
00:11:09.460 Yeah.
00:11:10.040 It's not a bad thing.
00:11:11.560 But at the same time, you need to have some precautions around this stuff.
00:11:15.180 And that's an unfortunate thing with cybersecurity is that…
00:11:17.460 And I do a lot of awareness training for individuals.
00:11:20.660 And so, in my digital course, I have 42,000 students in it from 160 countries.
00:11:25.440 Most people don't care about cybersecurity until it's too late.
00:11:29.060 And then when…
00:11:29.560 It's a great point, yeah.
00:11:30.460 Yeah.
00:11:30.740 Then when they get breached, they come for help.
00:11:33.140 And to help resolve their situation could be thousands of dollars.
00:11:37.360 And, you know, they think they're just going to Best Buy for 50 bucks.
00:11:40.940 It's not going near that.
00:11:42.280 Terry, is it not like not having fire insurance because you don't think you'll ever need it?
00:11:46.300 Then your house burns down and go, I wish I had fire insurance.
00:11:49.080 That's exactly it.
00:11:49.920 People are losing their shirts.
00:11:51.220 I mean, you're seeing the stories, right?
00:11:52.360 People losing $300,000 in a scam.
00:11:55.100 You know, their retirement is gone.
00:11:58.640 And, yeah.
00:11:59.720 Like, it was one story we had.
00:12:01.420 Her name is Allison.
00:12:02.540 She was on one of my live shows.
00:12:04.380 She has what's called two-step verification turned on all of her accounts.
00:12:08.260 This is an added protection that most people need to have on there,
00:12:11.760 which you type in your username and password,
00:12:13.580 and then a six-digit code will appear on your phone,
00:12:17.040 either through the app or through a text message to enter that information.
00:12:20.320 That means that we can validate that you know the username and password,
00:12:23.780 and we can actually verify you because you have the device.
00:12:26.140 So she had this on all of her accounts except for one, her Hotmail.
00:12:29.280 And what happened was they got into her Hotmail address.
00:12:31.980 They were able to see all the security questions and the answers,
00:12:35.340 and they managed to log into her TELUS account
00:12:38.280 and transfer her line from TELUS to Bell.
00:12:39.860 And when they did that, all the codes went to the bad guy's phone.
00:12:44.120 They logged into her bank account and drained it.
00:12:46.100 They bought stuff on Amazon and eBay.
00:12:48.940 And they did this on a Friday night.
00:12:50.500 So she had to wait until the next business day to get to the banks.
00:12:54.440 So it's crazy, the scams out there now.
00:12:57.820 But, Terry, I have a mother in a retirement home in Nova Scotia in her 80s.
00:13:01.460 My sister and I, we worry about her all the time
00:13:03.400 because there's so many seniors now being taken advantage of with things like this.
00:13:07.640 There is because especially with the grandparent scams and there's so much stuff,
00:13:13.880 especially with AI occurring right now.
00:13:15.860 AI is really a beast to try and tame.
00:13:19.960 It's incredible.
00:13:21.680 Terry, we recently had a first minister's conference in the Muskoka's
00:13:24.840 with Prime Minister Carney and all the premiers.
00:13:27.000 And I think as Canadians, we assume there's one universal umbrella for cybersecurity.
00:13:31.920 But you have pointed out that it could be different in Quebec to Alberta,
00:13:36.320 to New Brunswick, to the federal government.
00:13:39.140 Yeah, we need to have a unified framework.
00:13:42.640 That's one of the problems we have.
00:13:44.440 And the other challenge we have, too, is there's not one size fits all.
00:13:47.320 Because we're moving to what's called a zero trust model,
00:13:51.100 which means that we don't trust nothing or nobody.
00:13:54.000 Everything's logged.
00:13:54.860 Everything is validated.
00:13:55.940 Everything has to be authenticated.
00:13:57.380 But when you start bringing in technology like this,
00:14:00.260 it could be tens of thousands of dollars or hundreds of thousands of dollars
00:14:04.180 to bring this tech in.
00:14:06.260 And these small businesses can't pay for that.
00:14:08.740 And unfortunately, they're left holding the bag when there's a breach.
00:14:13.560 I guess before we wrap up, Terry, I think for a lot of people,
00:14:17.260 okay, I have a family.
00:14:18.900 I have a daughter in school, in university.
00:14:21.100 I have a grandparent or parent.
00:14:23.140 What is some of the two or three most important steps
00:14:25.540 to protect people against cybercrime?
00:14:28.240 Okay, so the big one is obviously passwords.
00:14:32.340 The challenge you're going to have here
00:14:33.720 is that a lot of people create lousy, crappy passwords,
00:14:36.500 like a John 1, 2, 3, right?
00:14:38.380 So the best way to create an unbreakable password
00:14:41.260 is you want to have between 16 and 25 characters long.
00:14:44.080 Now, you know what you're thinking, right?
00:14:44.820 Is this guy nuts?
00:14:45.540 Like, how do you remember a password like this?
00:14:46.940 But your password needs to have a combination of uppercase
00:14:48.980 and lowercase and symbols in it.
00:14:50.240 So if you can think of song lyrics or phrases,
00:14:53.080 so for example, the one I always give in seminars is,
00:14:55.820 I had a great day at work, 2025 exclamation point, right?
00:14:59.740 Simple phrase.
00:15:00.740 Remove the spacing, capitalize each letter of the word,
00:15:03.620 and that password alone will take 10 years to break.
00:15:06.220 Or you can replace the O's with a zero
00:15:08.240 and the A's with a nat symbol,
00:15:09.760 and that password will take 39 centuries to crack.
00:15:12.920 So that makes it next to impossible for the hacker
00:15:15.580 to break your sort of secret code that way.
00:15:18.080 That's it.
00:15:18.500 But the problem that we're seeing is that
00:15:19.780 once the hackers get access to the server,
00:15:22.200 we can see your password in an encrypted form.
00:15:24.740 So we can do what's called a pass-to-hash attack.
00:15:27.520 And just to confirm,
00:15:28.340 I'm talking about the good old college days here.
00:15:30.080 This is where we can actually log in as you
00:15:32.600 without ever knowing what that password is.
00:15:34.780 And that's why you need that two-step verification
00:15:36.720 to add that extra layer.
00:15:38.160 And Terry, there's nothing in this world now,
00:15:42.880 in society, that isn't run by your phone
00:15:45.780 or your laptop or computer.
00:15:47.740 So everything we do now,
00:15:49.820 everything in the world is done through the computer.
00:15:51.960 Exactly.
00:15:52.580 And that's what's scary.
00:15:54.040 We're so interconnected right now.
00:15:55.960 And if there's one break in the chain,
00:15:57.700 everything can fail.
00:15:58.980 That's why humans, they always say that
00:16:00.460 the human element is always the weakest link.
00:16:02.560 It's because we can be manipulated.
00:16:03.920 We can be tricked.
00:16:04.540 And now with AI,
00:16:05.940 like some of these phishing emails that are coming in
00:16:07.460 are very, very difficult to detect.
00:16:11.800 As a matter of fact,
00:16:12.500 while we're talking,
00:16:13.260 just before our conversation, Terry,
00:16:14.780 I got a phishing text saying,
00:16:17.980 hi, dad, I lost my phone.
00:16:19.780 Here's my new number.
00:16:21.180 And she's in Ottawa.
00:16:22.120 So it's a 6-1-3 area code.
00:16:24.040 But I know it's,
00:16:24.980 but it seems so real.
00:16:26.940 Yeah, yeah.
00:16:27.700 It's because we put,
00:16:28.800 as humans, we put so much stuff online
00:16:30.620 and the AI can actually pinpoint where you are
00:16:34.220 based on your browser data,
00:16:36.520 browsing history, stuff like that.
00:16:37.780 You can look at where you're going
00:16:38.640 and formulate an email.
00:16:41.560 Unbelievable.
00:16:42.380 He is Terry Cutler,
00:16:43.680 ethical hacker and psychologist
00:16:45.140 from PsyologyLabs.com.
00:16:46.980 Please check him out
00:16:47.840 if you want to be cyber safe.
00:16:49.560 Terry, for you and everyone at PsyologyLabs.com,
00:16:52.240 what's next?
00:16:54.060 Right now,
00:16:54.820 we're focusing a lot on the managed service.
00:16:56.540 We're offering also now
00:16:57.700 what's called continuous penetration testing.
00:17:00.320 One of the situations we're seeing
00:17:01.800 with a lot of companies
00:17:02.340 is that they try to get budget
00:17:03.920 for one penetration test a year.
00:17:05.560 That's where we get hired
00:17:06.140 to legally hack their business.
00:17:07.520 And this service is pretty expensive.
00:17:09.300 So, which means that
00:17:10.400 they have to wait an entire year
00:17:11.800 to get their budget
00:17:12.380 to get that one test done.
00:17:14.240 And the moment they get that test done,
00:17:16.540 that report is a point in time test.
00:17:19.480 So once you start fixing stuff up,
00:17:21.100 that report theoretically is obsolete.
00:17:23.200 So that means you have to wait
00:17:23.960 an entire year to get your budget back
00:17:25.400 to be able to retest.
00:17:26.700 So now with the service
00:17:27.880 that we're offering,
00:17:28.520 we can launch a penetration test
00:17:29.920 every six months
00:17:30.760 or every three months
00:17:31.680 to keep your information fresh.
00:17:33.440 So you get to see what you fixed,
00:17:35.180 what you missed,
00:17:35.800 what's new.
00:17:37.200 So, and we can actually do that
00:17:38.600 for the price of one.
00:17:40.580 But Terry, as you mentioned earlier,
00:17:42.100 if you don't do it
00:17:43.040 more than once a year,
00:17:43.980 by the time you wait a year,
00:17:45.540 the technology,
00:17:46.920 the hackers are used
00:17:47.760 are way ahead of you.
00:17:49.500 Oh yeah.
00:17:49.880 So we've even seen situations
00:17:50.880 where this one company
00:17:52.420 outsources their IT
00:17:53.960 to a managed service provider.
00:17:55.180 And we came in
00:17:56.580 to do a penetration test
00:17:57.600 and we uncovered stuff
00:18:00.200 that should have been fixed
00:18:00.940 a year ago.
00:18:01.560 The IT company said,
00:18:02.700 yeah, we fixed it.
00:18:03.640 But no, they didn't
00:18:04.520 because of what was revealed
00:18:05.420 on our test.
00:18:06.080 They were really upset
00:18:07.240 with them, unfortunately.
00:18:08.860 I bet they would.
00:18:09.700 Terry Cutler,
00:18:10.280 it's an absolute pleasure
00:18:11.060 to speak to you.
00:18:11.700 Keep up the great work
00:18:12.560 and thank you for keeping us safe.
00:18:14.020 Thanks so much for having me.
00:18:15.220 Appreciate it.
00:18:15.720 Thank you.
00:18:16.220 Thank you.
00:18:25.180 We'll see you next time.