As the owner of an online firm that helps Canadians find affordable mortgages, Alex Leduc knows that developing a strong security infrastructure is essential – at many levels.
“Of course, the system has to be secure – for a financial firm that’s a moral and ethical obligation,” says Mr. Leduc, founder and chief executive officer of Perch Finance, a Toronto-based digital mortgage broker and advisory company. “At the same time, you really have to win people over to trust your digital experience,” he says.
Small- and medium-sized enterprises (SMEs) need not only to understand the importance of security but also to ensure that staff and contractors embrace proactive cybersecurity measures. SMEs that do this can thrive with confidence, knowing that their digital assets and operations are well protected.
That doesn’t mean it’s easy. “The goalposts keep moving,” says consulting firm PwC’s 2023 Global Digital Trust Insights survey, released in July.
The report surveyed 3,500 business, security and information technology (IT) leaders, including 138 Canadian professionals. It found that 87 per cent of Canadian respondents say they face greater demands from those outside their companies (for example, customers and clients) to disclose cyber-incidents and provide information about their cyber-safety practices.
“But only 43 per cent [of Canadians surveyed] say they’re confident they can provide the required information about a significant incident within the required reporting time after the incident [occurred],” PwC’s report said.
Confidence in the cybersecurity practices of an SME must be built in layers, says Ali Ghorbani, professor and director of the Canadian Institute for Cybersecurity at the University of New Brunswick.
“At the first level, people want to know about the people in the organization they’re dealing with. They want to know if they have legitimate cybersecurity skills and credentials, whether they’ve gone through some training and education,” Dr. Ghorbani says. “If you can convey that this is in place, you have half of your trust issue achieved.”
The second layer involves making sure you have your cybersecurity infrastructure in place, and letting people know this, he says.
“People will want to know that your software and hardware are up to date, that all the latest patches have been installed, for example. They also should be assured that your policies and procedures are fully in compliance with all the regulations and requirements for your industry and for digital cybersecurity in general,” he explains.
“You can start with your internal practices, for example, making sure your people have strong passwords, managing the use of company e-mail and social media,” he adds. “But you also need an external perspective to anticipate and resist threats and to respond if they do happen, so there’s minimal disruption.”
However, building both these layers is not something you can achieve on your own as a small- or medium-sized business owner, he says – “you’ll need help from outside experts.”
Randy Purse, senior cybersecurity adviser at Toronto Metropolitan University (formerly Ryerson University), agrees that SMEs benefit from outside expertise when it comes to building their cybersecurity systems.
“SMBs often lack the resources, expertise and technology needed for effective cybersecurity,” says Dr. Purse, who conducts training sponsored by the federal government’s Industrial Research Assistance (IRAP) program.
Building cybersecurity trust doesn’t need to be a crushing financial blow for a small business, Dr. Purse adds.
“There are many actions that companies can take that will go a long way toward being secure without significant investment. Training employees, making sure everyone using the platform has strong passwords, patching and updating your systems automatically and managing access to controls are just a few,” he says.
Understanding how to build cybertrust means understanding what can happen to companies that fail to establish trust, Dr. Purse says.
“Companies need to understand the potential severity and impact to their business from cyber threats. This can guide their decision-making toward those security actions that will have the most bang for their buck.”
It’s no longer enough for companies simply to comply with privacy regulations and meet the minimum cybersecurity technology standards, Dr. Purse adds. “For example, a company can comply with the privacy laws in one province, but that doesn’t indicate whether they have protected all their corporate secrets or intellectual property or whether they’re properly shielded from different types of cyberattacks.”
“It’s still mostly anecdotal, but I think we are starting to see that organizations which have put in place effective cybersecurity measures are gaining a competitive edge,” Dr. Purse adds.
At Perch Finance, Mr. Leduc agrees, adding that it’s key to a company’s cybersecurity to communicate what it’s doing to protect customers, clients and colleagues.
“For a digital finance firm like ours, it’s already hard enough to build trust in the financial sector when you’re not one of the big banks that everyone has heard of,” says Mr. Leduc. “You have to show everyone and be transparent about what you’re doing to protect them. Make sure your website conveys this too; show people that your company is taking care of cybersecurity.”