It’s maddening and frustrating, particularly for small and midsize businesses (SMBs), but sometimes cybersecurity can feel like mission impossible!
The more diligent businesses get about cybersecurity, the slicker and more evil the cyber criminals get, and the more vulnerable and less protected the business is.
And there is the insult-to-panicky injury. The begrudging realization that in many cyber attack situations, the business is the cause and the problem.
The facts and figures – and case files – illustrate that with some gigantic exceptions, size really does not matter. Cybersecurity is an urgent and hot topic among most business leaders and managers, and the frequency and business costs of cyberattacks are spiking.
Simplified and generalized: cyberattacks and fraud can lead to business disruptions, financial losses, reputational damages and trust loss – all negatively impacting a business’ performance and competitive advantages, because all businesses have reams of digital assets, from company strategies, secrets, sales, cash flow, vital customer data and other confidential information.
MNP, one of the largest and most respected business advisory firms in Canada, is focused with extensive experience advising business leaders and small businesses on cybersecurity risks, trends and opportunities about improving their resilience to attack.
“There is little doubt that there is increased attention to cybersecurity over the last several years,” warns Alberta-based John McLaughlin, partner with MNP Digital. “Several high-profile breaches, international conflict and the explosion of ransomware has brought the issue front and centre. Particularly since the pandemic disruptions and more people working from home, the attack surface has expanded and cybercriminals have taken advantage of the increased vulnerability of hacking access via remote workers.
“Also, the rise of cloud computing, IoT devices and expanding networks has added new layers of complexity to the threat landscape. All things considered, it makes it more challenging for organizations to protect against cyber attacks.
“As a result, cybersecurity has become a top concern for organizations of all sizes, and it is more important now than ever to invest in strong security measures to protect against cyber threats.”
IT analysts and consultants are reluctant to imply that big corporations are better protected from cyber attacks than small and midsize businesses, but the business bottom line suggests that SMBs often have limited resources to invest in security, leaving them more susceptible.
“SMBs are particularly vulnerable to cyber attacks because, too often, the primary focus is on the organization’s operations, and IT security is something that is seen as an add-on, rather than a top priority,” McLaughlin points out. “Cybercriminals have started to focus more on SMBs, realizing that they can be an easy target with limited security measures in place.”
The alarm bells are ringing for small and midsize business owners and managers. Seven in 10 (72 per cent) of SMBs are more concerned than ever about cyberattacks, according to a recent joint survey from the Canadian Federation of Independent Business (CFIB), Canada’s largest association of small and medium-sized businesses with 95,000 members across every industry and region, and Mastercard.
One in four (24 per cent) small business owners reported an increase in cyberattack attempts against their businesses in the past year. “The last two years saw a huge number of small businesses increase the amount of business they are doing online, which has many benefits but also introduces new risks,” says Laura Jones, executive vice-president of CFIB, “It’s critical to make it easy for business owners to protect themselves in this new environment.”
According to the survey, eight per cent of SMBs were victims of a cyberattack that cost time, money and usually both. On average, these businesses lost $26,000, plus the value of lost time.
“The impact on small firms can be immense, with some losing as much as $500,000, and others reporting a long-term impact on their operations and reputation,” she adds. “Cyberattacks include attempts to damage a business’s computer system, digitally stealing money, or stealing banking or client information.”
As risky and frustrating as it may be, some otherwise efficiently run organizations cause their own cyber problems. It is resoundingly documented fact! Employees can make a business vulnerable for cyber attacks. While precise statistics vary by area and industry sector, it is undisputedly proven that a high proportion of data breaches are caused by insiders who, either maliciously or carelessly, give cybercriminals access to a business’ insider info.
As more and more employees in Calgary, and around the world, work remotely, cyber security for business has become more important than ever. Many small businesses use cloud-based technology and tools for their daily operations, including online meetings, advertising, buying and selling, communicating with customers and suppliers, banking transactions and more.
IT experts warn that, for both financial and reputational reasons, employees are the hidden culprits, and critical for businesses to protect data and cloud-based systems from hacks.
MNP’s John McLaughlin highlights some common curses, especially for SMBs with smaller teams of employees.
- Remote access and personal devices. With remote work being such a popular trend. SMBs may not have secure remote access protocols in place, making it easier for cybercriminals to get access to company information. Also, employees may use personal devices for work reasons, and their devices may not have proper security measures.
- Identity Management. Many smaller businesses do not have multifactor authentication and employees too often use weak, easily guessable passwords, making it easier for cybercriminals to gain access to the business’ systems.
- Weak passwords are a notorious cause. Research shows that 63 per cent of data breaches result from weak passwords, and most passwords take hackers seconds to crack. Email phishing is a common attack vector and one of the main sources of cyber crime, and 91 per cent of all attacks start with a phishing email. The infected email can download viruses or give access to data and possibly trigger a hack.
- Insecure home networks. Many employees may not have secure home networks, leaving them vulnerable to cyber attacks. This increases the risk to the organization, if employees are accessing corporate systems from these networks.
- Difficulties in monitoring and enforcement. It can be more challenging to monitor and enforce the company’s security policies when employees are working from home.
- Outdated applications or infrastructure can cause problems. SMBs may not have the resources to regularly update their software or configuration, making them easier targets.
- Lack of backup and disaster recovery. Unfortunately, many SMBs do not have adequate backup and disaster recovery plans in place, making them victims for data loss and downtime from a cyber attack.
“To protect against threats from within, SMBs should invest in cybersecurity training for employees,” he suggests. “The training should include the importance of using strong passwords and spotting phishing emails and establishing clear policies describing how to handle and protect customer information and other company data.
“A third-party consultant can do a detailed risk assessment of the company’s network, systems and information, to determine where and how the business’ data is stored and who has access to it.”
IT experts offer a vexing reality check. The cybersecurity bottom line is that, due to the growing frequency, sophistication and magnitude of cybercrime events, it is more and more difficult to foolproof a business from hacks and cyber attacks.
They also add an important PS. Cyber attacks are crimes of opportunity.