For online security experts, the most frustrating part of seeing small and medium businesses hit by data breaches and other cybercrimes is knowing that such attacks can often be prevented.
While many Canadian businesses expect proper cybersecurity to be costly or time-consuming, the reality is the opposite, according to the Canadian Centre for Cyber Security. SMBs can do a great deal to protect themselves by taking a few quick and simple steps.
“[The steps] deliver 80 per cent of the benefit with 20 per cent of the effort,” says CCCS head Scott Jones. “That protects a huge amount.”
Jones urges businesses to start with the “baseline controls” published by the CCCS on its website, a series of 13 measures ranging from developing an attack response plan and ensuring automatic software patches on computers to regularly backing up data and securing smartphones used by employees.
The most basic step any business can take, he adds, is educating employees about the fact that attacks are happening and that they can target anyone.
Employees can then be informed of some of the most common forms these attacks take, such as phishing – email messages that attempt to lure users into clicking on malicious links or opening malicious attachments, giving attackers a foothold that can cripple a company’s network and expose its data to criminals.
Following the baseline controls and educating employees will do much to dissuade attackers, Jones says, much like installing a home alarm system. Both measures warn criminals that their potential victim is at least somewhat prepared.
“If your cybersecurity is better than the person next to you, they’re going to move on,” he says.
Cybercrime is a major problem for Canadian SMBs. A September report by the Insurance Bureau of Canada found that one in five had been affected by a cyberattack or data breach in the previous two years.
About 44 per cent said they had no defences, while 37 per cent estimated that incidents cost them more than $100,000. Nearly two-thirds said they had no insurance to help recover.
Mark Gaudet, business leader of cybersecurity services at the Canadian Internet Registration Authority, says education efforts must include a shift in behaviour by companies, where reporting suspicious-looking emails and other communications – as well as possible mistakes by employees themselves who may have clicked on them – is encouraged rather than penalized.
CIRA, which administers the .ca web domain, also provides a number of security services, including the free Canadian Shield program and DNS Firewall for small businesses, which starts at $99 a year for 10 users. Both encourage employee participation in defending against possible intrusions.
“You have to make staff part of the security solution,” Gaudet says. “It’s creating a culture where it’s okay to say, ‘Hey I clicked on this and I’m not sure what happened.’”
Companies should also make sure they have a plan for what happens in the event of a breach, which includes employees knowing who to report to and what actions need to be taken, says Florian Kerschbaum, associate professor of computer science at the University of Waterloo.
The best way to avoid substantial recovery costs or even an existential threat, he adds, is for businesses to assess their most valuable assets and then back those up, either on separate hard drives that aren’t connected to a network or through third-party cloud storage providers.
Those backups should also be regularly tested – something many businesses forget to do.
“If you’ve gone through it once, that makes it much easier,” Kerschbaum says. “That makes for a relatively simple recovery.”
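As an added illustration that is not part of the article and not code from any of the people or organizations quoted in it, the POSIX shell script below shows what "regularly testing a backup" means in practice: the backup job records a SHA-256 manifest of every file and a checksum of the archive, and the restore test extracts the archive into a fresh scratch directory (never over live data) and checks each file against that manifest. The directory names and the sample "business data" are constructed for the example; a damaged archive is simulated at the end to show the test catching a backup that would have failed on the day it was needed.

```shell
#!/bin/sh
# Added example (not from the article): back up a directory, record a SHA-256
# manifest, and run a restore test that proves the archive actually restores.
# Directory names and sample data are illustrative.
set -e

# Build a small constructed data tree so the example runs stand-alone.
make_sample_data() {
    mkdir -p "$1/invoices" "$1/hr"
    printf 'invoice 1001: 250.00 CAD\n' > "$1/invoices/1001.txt"
    printf 'invoice 1002: 980.00 CAD\n' > "$1/invoices/1002.txt"
    printf 'staff list (constructed sample)\n' > "$1/hr/staff.txt"
}

# Back up SRC into DEST/backup.tar. The per-file manifest and the archive
# checksum are what a later restore test compares against; without them,
# "the job ran" is all you know about the backup.
take_backup() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    (cd "$src" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$dest/manifest.sha256"
    tar -C "$src" -cf "$dest/backup.tar" .
    sha256sum "$dest/backup.tar" | cut -d' ' -f1 > "$dest/backup.tar.sha256"
}

# Restore test: check the archive checksum, extract into a fresh scratch
# directory, and verify every file listed in the manifest. Returns 0 only if
# the backup is genuinely restorable.
verify_backup() {
    dest="$1"
    manifest="$(cd "$dest" && pwd)/manifest.sha256"
    scratch="$(mktemp -d)"
    status=0
    expected="$(cat "$dest/backup.tar.sha256")"
    actual="$(sha256sum "$dest/backup.tar" | cut -d' ' -f1)"
    if [ "$expected" != "$actual" ]; then
        echo "restore test FAILED: archive checksum mismatch" >&2
        status=1
    elif ! tar -C "$scratch" -xf "$dest/backup.tar" 2>/dev/null; then
        echo "restore test FAILED: archive will not extract" >&2
        status=1
    elif ! (cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1); then
        echo "restore test FAILED: restored files do not match manifest" >&2
        status=1
    else
        echo "restore test OK: $(wc -l < "$manifest") files verified"
    fi
    rm -rf "$scratch"
    return "$status"
}

# Run the whole flow, then simulate media damage by truncating the archive to
# show that the restore test catches a backup that would fail when needed.
demo() {
    work="$(mktemp -d)"
    make_sample_data "$work/data"
    take_backup "$work/data" "$work/offline-copy"
    verify_backup "$work/offline-copy"
    head -c 512 "$work/offline-copy/backup.tar" > "$work/offline-copy/damaged.tar"
    mv "$work/offline-copy/damaged.tar" "$work/offline-copy/backup.tar"
    if verify_backup "$work/offline-copy"; then
        echo "unexpected: damaged archive passed the restore test" >&2
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
}

demo
```

The point of extracting into a scratch directory and comparing against a manifest written at backup time is that it exercises the same steps a real recovery would, so a truncated archive, a corrupt disk or a backup job that silently skipped files is discovered during a routine test rather than after a ransomware incident. For an offline copy on a disconnected drive, the same `verify_backup` step is run each time the drive is plugged in to take the next backup.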
Breaches can still happen even after precautions have been taken, which can raise difficult questions on next steps – especially in the case of ransomware, an attack that encrypts a business’s data and then demands payment to restore access to it.
Security experts differ in their views on ransomware, which provokes debates between practicality and ethics.
Some understand why businesses end up paying the fees demanded by criminals – doing so is often much less expensive than trying to rebuild the lost data. In such situations, reluctantly playing ball might be the only option.
“The answer is not good, they have to pay the ransom,” says Ryan Borg, director of Toronto-based security provider Borg ITS. “But it crosses the line of negotiating with terrorists, because that’s what they are.”
David Shipley, chief executive of Fredericton, N.B.-based provider Beauceron Security, says paying ransoms is becoming more problematic because such attacks are often orchestrated by organized criminal groups that are facing government sanctions in a growing number of jurisdictions.
That means a business could actually find itself breaking the law by giving in.
“The reality of it is increasingly questionable,” Shipley says. “Paying the ransom does not mean the end of your problems, it’s only the beginning.”