TORONTO - Canada's main cybersecurity watchdog said Wednesday that it's likely too late to prevent criminals from using a vulnerability in Microsoft Exchange email servers, unless system administrators have already installed software patches that were issued in early March.

Scott Jones, head of the Canadian Centre for Cyber Security, said after issuing an updated alert to IT professionals that “the law of probability states that it's almost certain that there are victims in Canada.”

“We just don't know who they are yet,” Jones said in an interview. “We're hoping that they know that they're victims, though, which is also another point of the alert.”

He said the organizations that are statistically most likely to be at risk are those that have Microsoft Exchange server software on their own computers or on a smaller IT service provider, rather than through a major cloud service such as Microsoft Office 365 or Google Cloud.

Jones said organizational leaders need to ask: Have the security patches been installed? Have we checked to make sure we weren't compromised? If there was a compromise, who needs to be told?

“Once you've confirmed patching and confirmed that there's no compromise of the network, then (you) can breathe a sigh of relief and say we were lucky,” Jones said.

He said there have been public reports of widespread compromises by criminals using the security gap to install a new family of ransomware called DearCry, which Microsoft warned about in a tweet last week.

“In terms of specific Canadian organizations, we would need them to report to us - meaning give us a call in let us know that they're victims,” Jones said.

He said it's the responsibility of victim organizations to inform their customers, employees or any affected parties such as suppliers and insurers if there has been a security breach.

Jones said he's not authorized to answer questions about the security of the Canadian government's own email systems but said it has “a very robust and active” patch management program in place.

The Canadian Centre for Cyber Security's March 16 alert was the third since early March 2, when Microsoft published several security updates for Exchange email servers.

The head of German government's cybersecurity agency issued a similar warning to IT system administrators on Friday.

- With a file from The Associated Press

This report by The Canadian Press was first published March 17, 2021.