In 2018, nearly one in five Canadian small- to medium-sized businesses was negatively affected by a cybersecurity breach.
If that statistic seems alarming, consider the fact that these known incidents only represent the tip of the iceberg: Many successful attacks are never reported and leave no evidence behind.
For small- and medium-sized businesses (SMBs), the consequences of a cyberattack can range from mildly inconvenient to financially disastrous. The stakes are high, but for busy business owners with limited resources it can be difficult to know where to start when it comes to cybersecurity.
“At the end of the day, it’s about what you have to lose,” says Shri Kalyanasundaram, director of cybersecurity and digital identity solutions at Telus.
“If your business has anything sensitive that’s being stored digitally or if you’re using digital tools, you’re exposing yourself to cyber threats. Ultimately, your level of investment in cybersecurity should be such that it reduces the business risk you are exposed to, to a level where you are comfortable.”
Luckily, according to Kalyanasundaram, there are some relatively simple steps you can take to reduce your business’s vulnerability to an attack.
Start with your employees
“Employees can either be one of the best lines of defense or a significant gap in your cybersecurity posture,” Kalyanasundaram says.
Whether the attack comes in the form of phishing, where fraudulent e-mails attempt to con users into revealing confidential information; ransomware, where a link allows hackers to take control of a system until a ransom is paid; or physical vulnerability, where bad actors gain control of a laptop, tablet or other hardware — human negligence is responsible for a huge number of cybersecurity breaches. Medium-sized companies can be particularly vulnerable because they employ dozens of people, but often lack the IT protocols and resources typically in place at large firms.
“We all get spam e-mails that appear to be from legit sites,” Kalyanasundaram says. “Employees aren’t necessarily trained to spot what might be out of order, what might be suspicious. Building awareness is the way to address that risk.”
Various operators provide online training to help instruct staff, but Telus recommends implementing an ongoing education program that takes a programmatic approach to security awareness training. Building a culture of security for your employees will ensure their everyday work is done with security in mind.
As part of its cybersecurity offerings, Telus provides various training and simulation program options, such as one that occasionally sends increasingly difficult dummy phishing e-mails and requires any employee who is duped to complete an additional phishing training module (think of it as ransomware for good).
Get the right tools
Kalyanasundaram encourages business owners to think of cybersecurity the way they do physical security. If you want to secure your premises, your first step should be to identify possible areas of attack and build appropriate protections. In a building, that’s akin to identifying the entryways and installing strong doors and locks. If you want to secure your network and data, your first step should be to get the right tools.
Depending on the business, this might include a next-generation firewall, e-mail protection or two-factor authentication. Keeping software up to date is also key. Software manufacturers release patches to address security vulnerabilities, so enabling automatic updates and making sure employees approve manual ones helps keep the business secure.
“But it needs to be more than that,” Kalyanasundaram says. “For most businesses, strong doors and locks aren’t enough, and they invest in intrusion detection and security monitoring services. In the digital world, the equivalent would be a managed detection and response service.”
Speak to the managed detection and response experts
Cybersecurity professionals are highly sought after. For many businesses, it’s neither affordable nor efficient to keep them on staff, so most companies that take cybersecurity seriously outsource.
That’s where managed detection and response (MDR) comes in. This increasingly popular form of cybersecurity service leverages developments in artificial intelligence and machine learning to scan for threats, alerting trained operators to breaches or potential threats.
Kalyanasundaram says that where traditionally cybersecurity practices have focused on strong doors and locks, “MDR is akin to having security guards on patrol, looking for signs of suspicious activity.”
“For example, the MDR service might look at why there's a login from a region where a business doesn't operate. It's out of pattern,” Kalyanasundaram says.
“Our service establishes a baseline for what is considered normal or regular behaviour, and when something out of pattern happens we investigate and determine whether it’s an actual threat or not.”
Automation means that MDR more efficiently sorts through data and identifies threats, requiring less work on the part of SMB owners. Telus’s recently launched MDR service is specifically designed to meet the needs of these companies, Kalyanasundaram says.
“Part of the reason why this solution is more cost effective is that it’s made in Canada. If you look at most of the other solutions today, none of them come in at this price point or cater to SMBs specifically,” Kalyanasundaram says.
“We have a bilingual team of trained cybersecurity experts right here in Canada that are available 24/7. We've invested in smart people who are skilled at identifying the needle in the haystack.”
To Kalyanasundaram, Telus’s experience as a telecom company means it’s ideally placed to defend Canadian firms.
“We offer many organizations their connection to the internet and beyond, and we even help create their internal networks,” he says. “So naturally cybersecurity is a place where Telus has expertise. For us, security isn’t an afterthought. It’s baked into our DNA.”
Advertising feature produced by Globe Content Studio. The Globe’s editorial department was not involved.