The statistics are scary: 60 per cent of small and medium-sized businesses (SMBs) hit by ransomware attacks close within six months, according to the IDC. Two-thirds of businesses are vulnerable to a cyberattack at some point during each day. Only 32 per cent have the tools to monitor their networks for malicious activity 24 hours a day, seven days a week.
Yet despite these numbers, nearly six in 10 Canadian organizations believe they’re fully prepared to stop sensitive data from being stolen or misplaced. It’s a paradox: Canadian business owners underestimate the threat of cyberattack while simultaneously overestimating how prepared they are to face one.
In some ways, this disconnect is understandable. While data breaches at large companies such as Sony and Target have grabbed headlines, when a small- or medium-sized business is attacked or forced to close, it usually goes unreported.
“The cybersecurity breaches in the news are usually about large companies, which may give other business owners false comfort that they are too small to be threatened,” says Dan Kelly, president and CEO of the Canadian Federation of Independent Businesses (CFIB). “This is unhelpful in spurring action on a serious threat that has affected thousands of SMBs.”
What many business owners don’t realize is that hackers increasingly automate ransomware and phishing attacks in the hopes that somebody – anybody – will click on a link and reveal a vulnerability. SMBs end up in the crosshairs simply because there are more of them and because their security systems are less advanced than those of their larger counterparts.
“What’s happening out there is that all the hackers are targeting small and medium-sized businesses because they know that their skill set and the technology they’re using is very basic. Just because you’ve invested in an anti-virus or a firewall doesn’t mean you’re protected,” says Martin Bélanger, national director of business development for security solutions at Telus.
“If you’re a hacker, you’ll go where the low hanging fruits are. The low hanging fruits are not a bank. It would be a high reward if you were able to hack a bank, but it’s very costly,” Bélanger says. “At the end of the day, hackers are there to make money. They’re running businesses too.”
A question of resources
According to Kelly, even companies that do realize the scope of the threat often find it hard to know where to start when it comes to taking countermeasures. Not only do they lack the technological know-how, they may be constrained by time and budgetary pressures.
“Business owners are pulled in a million directions every day,” he says. “While most are aware that there are cybersecurity threats out there, most haven’t done a deep dive to determine what might be necessary. Smaller firms often lack the expertise to properly address these challenges and budgets are often thin to find the resources to get the expert help needed.”
Adding to the difficulty is a worldwide shortage of trained cybersecurity professionals, with the non-profit IT security organization (ISC)² estimating there are currently 2.93-million cybersecurity positions unfilled around the world. That drives salaries up, and the shortfall is so acute that even the few businesses with resources to bring specialists on board may be unable to.
How business owners can find help
The good news is that even simple safety measures like greater password security, two-factor authentication and keeping software up to date can have an impact on a business’s vulnerability to attack. And additional help is available. Dan Kelly’s advice is simple: “Seek some outside advice and get started.”
“Taking action doesn’t mean you will have to drop everything else in your business,” Kelly says. “Like anything, taking the first step is usually the hardest. Business associations like CFIB can provide advice on where to start and help find appropriate resources.”
There are also cybersecurity services – including insurance, threat audits and ongoing protection – that can offer businesses peace of mind. Bélanger believes these services offer the best combination of security and value for smaller firms.
“When I started in the IT world 15, 20 years ago, businesses had their own programmers to create their websites,” he says. “In today's world, there's no such thing as an SMB that creates its own website. There are companies out there that are very skilled and are way more effective and price competitive to help them do it. That same shift is happening now in cybersecurity.”
Bélanger points to Telus’s own managed detection and response (MDR) service as an example of a solution that can be cost-effective for SMBs. After Telus conducts an audit of a business’s vulnerabilities and recommends security and training measures, MDR leverages artificial intelligence and machine learning to scan for anomalies on the business’s network, automating the painstaking process of hunting for threats. When something out of the ordinary is detected, a cybersecurity expert in Canada is alerted.
“When you buy MDR, you buy skillset, you buy analysts, you buy people that do this day-in, day-out, 24-seven, 365, people who will proactively warn you if there's something happening on your network,” Bélanger says.
“At the end of the day, you need to know what’s coming in and out of your cloud applications, your end point devices and your network. If you have visibility of that, your risk of getting hacked is way lower. If there’s data going out at two in the morning to an IP address in Russia, you should probably be aware of that.”
Advertising feature produced by Globe Content Studio. The Globe’s editorial department was not involved.