For small businesses, the most significant cybersecurity threat of the next decade won’t be some highly engineered virus, a new type of malware or the threat of quantum code-breaking. In fact, according to experts, the biggest danger is already here.
“The biggest threat to the cybersecurity of any small business is humans,” says Patty McNeil, senior vice president of commercial insurance at McLean Hallmark Insurance Group Ltd., one of the largest independent insurance brokerages in Canada.
“It's usually your employees who are your biggest vulnerability when it comes to cybersecurity,” McNeil says. “You can buy the most expensive systems and programs to protect your network, but if a staff member gets an email, thinks it's valid and clicks a dangerous link, it could have disastrous results.”
Hackers rely on employee error
According to McNeil, the most frequent types of cyberattacks on small businesses are phishing and ransomware.
In a phishing scam, employees are psychologically manipulated into giving away data, transferring money or downloading malware through fake emails or appealing links.
Ransomware – which is often spread through phishing emails – encrypts or steals a business’s files, only returning them or allowing access once the victim pays a ransom, often in bitcoin.
For the most part, neither style of attack is targeted: Hackers send millions of emails in the hope that an employee at one company will mistakenly click a link or download a malicious attachment.
“A bot has no clue whether an email address or a website is tied to a large or a small business,” McNeil says. “It’s just looking for vulnerability and a point of entry. It's irrelevant whether that’s through a large organization or the retail store on the corner.”
The effects of a breach can be devastating
While large businesses generally have vigilant IT departments, employee training programs and cybersecurity insurance, small businesses are often not as prepared, and therefore less able to cope when things go wrong.
According to McNeil, a ransomware attack can force a business to forego revenue or shut down for some time, pointing to an example of a small engineering firm whose entire blueprints archive was targeted and lost forever when a ransom couldn’t be paid.
Small and medium-sized businesses are also less likely to be able to afford the costs of responding to an attack.
“For these businesses, the average cyber claim is $147,000,” says Trevor Craig, partner and vice president at McLean Hallmark. “As an owner, you have to ask yourself: Am I prepared to write a cheque for that amount if I get hit? How many businesses with revenues between $1-million and $10-million have a spare $150,000 sitting around?”
Staff education is key to prevention
If there’s any silver lining, it’s that most breaches are caused by human error rather than employee malice.
“It’s far more often someone who doesn't have enough knowledge about what a security threat is, or what a nefarious email looks like, than an angry staff member,” Craig says. “That’s not to say that there aren’t rogue employees out there, but the real concern is the employee who accidentally causes a breach.”
That means one of the most effective steps a business can take to protect itself is educating its employees. Many training resources are available online, and it’s worth asking your IT service provider if they have any educational materials or advice. Insurance brokers and companies can also help.
“Your insurance broker can oftentimes connect you to training tools,” McNeil says. “And many cyber insurance policies come with access to cybersecurity experts and resources to help you before anything awful happens.”
How does cyber insurance work?
Cyber insurance, which can be standalone or included as part of a commercial general liability policy, can help cover the financial losses related to an attack, assist with creating a response plan and provide access to technical, legal and public relations expertise that may be necessary in the aftermath of a breach.
But experts warn that not all policies are created equal.
“Cyber insurance was only introduced in Canada in the 1990s, so it’s not as mature as other insurance products,” says Donna Millingen, an underwriting expert at Northbridge Insurance. “That means there’s a lot of variability in the market. Business owners need to understand that no two policies are identical and there can be big differences in what’s covered.”
That’s why Millingen recommends talking with an insurance broker as a first step – something with which Craig agrees.
“It’s an important conversation, because it’s not a question of if you’ll get hit, it’s when,” he says. “You may be the most diligent individual, but you might have one or 10 or 100 employees who aren’t the same way.”
And while methods of cybercrime are constantly changing, McNeil says one thing remains true: It pays to be cautious.
“There are always going to be criminals who are very smart and very good at finding and exploiting human vulnerabilities,” she says. “That’s why it’s so important to take whatever steps you can to protect your business.”
Advertising feature produced by Globe Content Studio. The Globe’s editorial department was not involved.