
Preparing for the inevitable.

Experts urge protection in the face of more regular and sophisticated cyberattacks.


Cyberattacks are no longer just a possibility for businesses. They’re an inevitability, say experts.

The rising sophistication of digital threats ranging from artificial-intelligence (AI)-powered phishing scams to voice cloning and ransomware-as-a-service (RaaS) means it’s less about avoiding cyberattacks and more about being prepared when they do happen.

“You can’t just depend on your traditional antivirus software anymore. That may have worked fine for years, but the addition of AI makes today’s threats increasingly sneaky,” says Marek Pravlik, managing director and chief technology officer at Wise Tech Corp., a Calgary-based managed IT service provider.

“Business owners need to be asking, what’s the response plan? Does our organization have a backup? Is it onsite or cloud-based? Cybercrime is a significant threat to today’s businesses, requiring robust strategies to prevent attacks and ensure preparedness in case they occur.”

Dan Carter agrees with Pravlik that the landscape is rapidly evolving and that business owners need to take measures to protect their businesses.

The CEO of Red Cherry, a software development company based in Calgary, points to several concerning trends, notably the rise of AI-powered cyberattacks where attackers use AI to bypass traditional security measures or automate large-scale phishing campaigns.

“Supply chain attacks are also increasing, as cybercriminals target smaller vendors to infiltrate larger organizations,” says Carter, whose company specializes in custom software solutions, AI integration, blockchain development and cybersecurity.

Carter points to RaaS as an additional concern, especially given it enables even less-skilled attackers to deploy ransomware effectively, as well as the weaponization of IoT devices, which introduces vulnerabilities as more connected devices are deployed.

A Statistics Canada report issued last fall found that nationwide, the number of corporate cyberattacks, in fact, is decreasing. The Canadian Survey of Cyber Security and Cybercrime (CSCSC) found that 16 per cent of companies surveyed had fallen victim to cybercrimes in 2023, down from 18 per cent in 2021.

However, the cost of those attacks doubled during that time. Businesses spent a reported $1.2 billion on recovery efforts in 2023, compared with $600 million in 2021.

Closer to home, the Calgary Police Service (CPS) recently noted that reported cybercrime incidents increased by 50 per cent in 2024 compared to the year prior. The jump was highlighted by a 54 per cent increase in ransomware attacks, as well as a 50 per cent increase in cryptocurrency-related losses that totalled $42.8 million.

The CPS noted that most victims of cybercrime in the city were individuals and not businesses.

Despite increasingly sophisticated cyberattacks and the rising costs of recovering from such attacks, Canadian businesses are reportedly spending less money on prevention and detection. According to the CSCSC, spending dropped to 56 per cent in 2023 from 61 per cent in 2021.

Meanwhile, a separate study from Mastercard noted that while 92 per cent of Canadian business leaders have adopted security measures or conducted a digital risk assessment at least once, only 39 per cent assess vulnerabilities on an ongoing basis.

The study also found just over half of businesses use network firewalls and multi-factor authentication (MFA), while less than half use fraud-protection tools or have cyber insurance.

Scott Gallupe, president at 403Tech, says most of the conversations he’s having with customers about cybersecurity are focused on education.

“What I always tell my clients is we can put in firewalls and we can put in our antivirus and all of the technical side of things, but one thing that we need to start educating them on is on the cybersecurity awareness for their staff. Their staff are their biggest vulnerability,” says Gallupe, whose Calgary-based company offers managed IT services and IT support to businesses typically ranging in size from 10 to 50 employees.

He singles out seasonal businesses and those with high staff turnover as organizations at higher risk as they often have employees who are unfamiliar with technology policies and cybersecurity risks.

“Our focus is on educating clients so their teams are well-trained in identifying threats and handling email securely,” says Gallupe.

For the past two years, 403Tech has partnered with a training partner to offer optional cybersecurity training to its clients that includes simulated phishing attacks and security awareness programs that help employees recognize threats such as phishing, and understand the importance of secure practices such as strong passwords and MFA.

The response to these training sessions has been so overwhelming that 403Tech now includes the training in its standard offerings.

Gallupe says one of the biggest learnings many business owners have gained from these sessions is being able to baseline how prepared their employees are in handling cybersecurity risks.

“What I’ve seen is many business owners think their staff are good, and this ends up being a wake-up call,” he says.

Pravlik says some tips that organizations can focus on when preparing for incidents such as ransomware attacks include endpoint detection and response (EDR), regular patching, data encryption and network segmentation to prevent breaches and limit the scope of attacks.

He also encourages businesses to use VPNs and secure collaboration tools to ensure that remote access to company resources is protected from external threats.

Continuous vulnerability scanning and penetration testing, meanwhile, can help identify and fix potential weaknesses before they can be exploited by attackers.

“By focusing on these areas, companies can significantly reduce their risk of cybercrime and enhance their preparedness for potential attacks,” says Pravlik. “Cybersecurity is an ongoing process requiring continual adaptation to the evolving threat landscape.”

At 403Tech, Gallupe says the mitigation strategy they typically like to focus on is making sure clients have the foundation properly set up.

“That means making sure that your files are backed up, making sure that you’re actually checking your files, making sure that your IT provider is actually checking the backups and making sure that they’re actually being backed up,” he says.

“Sometimes assumptions are made and then catastrophe happens. Then you go to restore something and it’s not there.”

Carter also emphasizes the importance of having updated cybersecurity policies in place. According to the CSCSC, only one in four Canadian businesses have current written policies addressing cybersecurity.

“Regularly updating employees on company policies and recognizing individuals who demonstrate strong security practices are key to fostering awareness,” he says.

Businesses with limited internal resources might also benefit from turning to managed security services providers for expert guidance and monitoring. Carter says that when looking for the right provider, businesses should be looking for ones that can customize training to address industry-specific risks.

“It’s important to choose companies with certified professionals who have expertise in cybersecurity, as well as a proven track record of success with other clients,” he says.

“Effective providers offer not just training but also ongoing support, such as simulated attacks and continuous risk assessments. Companies that utilize AI and technology to tailor training and monitor progress bring additional value.”
