Unpacking the cybersecurity gap
Why so many small businesses fall victim to cyber attacks – and how to avoid them
In 2019, it seems that barely a week goes by without news of a company being hacked. In July, financial giant Capital One was the victim of a huge breach, with a hacker stealing the personal data of six million Canadians, including one million social insurance numbers. In May, it was graphic design site Canva. Popular encrypted messaging app WhatsApp was hit just days before.
But these well-publicised incidents are only the tip of the iceberg. According to the most recent data from Statistics Canada, more than a fifth of Canadian businesses experienced a cybersecurity breach that affected their operations. And it’s not just the big players: A 2019 Verizon report from the U.S. found that 43 per cent of attacks involve small businesses.
According to industry leaders, small and medium-sized businesses might be better protected if it weren’t for the “cybersecurity gap”: the lack of education around cybersecurity threats facing small businesses, the misperception among owners that they’re not targets and a lack of awareness of the resources available to help them manage their risk.
“You read the news, and you see the stories, and you might think that only big businesses are targets,” says Dan Kelly, president and CEO of the Canadian Federation of Independent Business (CFIB). “But the fact is that small businesses are just as often the victims – often precisely because they’re seen as soft targets who don’t have the same level of protection or preparation.”
“I think most business owners know that cybersecurity is important, but running a business often means you’re leaping from fire to fire and when you’re trying to put them all out, cybersecurity can slip down the list,” Kelly says. “Sadly, the first time many businesses stop and think about it properly is when there’s been a breach, and by then it’s too late.”
What are the costs?
A 2018 study by IBM and the Ponemon Institute found that for Canadian companies, the average cost of a breach is approximately $5.9-million. While this figure includes costs incurred by companies of all sizes, there’s no denying that a cyber attack can be devastating for any business.
“Dealing with a breach isn’t just a nuisance,” says Donna Millingen, underwriting expert at Northbridge Insurance. “It can force you to close temporarily, forgoing revenue and impacting your reputation. At the extreme end, it can shut you down permanently, especially if you’re a smaller business without the financial resources to rebound from the incident.”
What types of cyberattacks do small businesses face?
In a ransomware attack, hackers use malware to encrypt data belonging to the victim – which might include client information or other crucial files – forcing them to pay a ransom to regain access to their own records. It’s a rapidly expanding area of cybercrime, with triple-digit growth in the number of attacks over recent years, according to a 2019 report by anti-malware software company Malwarebytes.
Phishing and social engineering
These types of attacks attempt to manipulate business owners and employees into revealing confidential information or transferring funds. “We see several instances of phishing on a daily basis, and it's not always financial in nature,” says Brian Dagg, an account executive with Gallagher, a global commercial insurance brokerage. “It may be ‘click this link and enter your login credentials’ and then they gain access to your entire system through a keylogger that’s part of that form.”
Last year cybersecurity firm Symantec reported a major uptick in these attacks, in which malicious code is used to harvest credit card details and other information entered into the checkout pages of e-commerce sites.
According to Millingen, not all cybersecurity breaches are high tech. “Something as simple as a lost cell phone, tablet or laptop, or a staff computer left logged in overnight, can result in outside actors gaining access to a business’ data or financial information,” she says. “That’s why password protection is so critical.”
How can businesses protect themselves?
The good news is that the cybersecurity gap is increasingly a matter of perception. There are more and more products and resources out there catering specifically to small businesses, including Cybersecure Canada, an education and certification program the federal government recently launched.
“I’d advise business owners to find as much information as they can,” Kelly says. “There’s lots online. Talk to a small business group like CFIB, talk to trusted counterparts. And speak to your insurance broker – they’ll be able to give you information about the risks you face and the products that are right for you.”
Many companies now offer insurance against cyber risks, including as extensions of standard property and liability policies. However, Millingen says it’s best to check the fine print and find out what’s actually covered: Cyber-specific policies usually provide more comprehensive protection than extensions alone.
“They’d not only cover your costs of responding to and managing a breach, including data recovery, lost business income and even extortion expenses, but also liability costs to third parties such as customers and suppliers,” she says.
According to Brian Dagg, an account executive with Gallagher, a global commercial insurance brokerage serving both small and large businesses across Canada, the benefits of cyber insurance also go beyond the financial.
“In my opinion, one of the big advantages, especially for a small business, is the access provided to resources that may not otherwise be available to you—and if they are, certainly not at the same pre-negotiated rates you pay when you have a policy in place,” he says.
This includes educational and training resources, as well as guidance in the event of a breach.
“That can include breach counselling through a private firm that works on your behalf and helps you navigate the response process,” says Dagg. “They can help engage forensics, public relations and other experts as needed, and provide 24/7 support so it doesn’t matter whether it’s a Saturday morning or a Tuesday night.”
Protection and access to support like this are likely why a 2018 FICO survey found that last year, 40 per cent of Canadian firms had cybersecurity insurance that covered likely risks – a 22 per cent increase from the year before. There’s still a long way to go, but it seems the cybersecurity gap is slowly narrowing.