It was early morning on April Fool’s Day last year when employees at Emblemtek started noticing suspicious activity on the company’s servers. Within minutes, it was obvious that it was no joke – the clothing badge and emblem maker was the target of a cyberattack.
David Black, chief executive officer of the Vankleek Hill, Ont.-based company, hadn’t yet arrived at the office but instructed staff to disconnect the computers and get everything off the internet immediately.
“But it was too little, too late,” he recalls.
Despite several layers of security, including firewalls and anti-virus software, attackers had encrypted all the company’s data and cut off access. Soon, a message appeared on workstations indicating that the data was being held hostage for payment.
Fortunately, Emblemtek had an ace up its sleeve: an off-site backup that allowed it to restore its data without giving in to the attackers’ demands.
Emblemtek’s brush with disaster is a cautionary tale for other small and medium-sized enterprises (SMEs), many of which remain worryingly underprepared for similar attacks, despite their growing frequency and sophistication.
A Canadian Federation of Independent Business (CFIB) survey released in March showed that one in four of its members had reported an increase in cyberattack attempts in the past 12 months, and one in 12 experienced one in that time period.
Yet fewer than half of those surveyed were confident they knew how to protect their business. Another survey of SMEs, conducted last year by the Insurance Bureau of Canada (IBC), was even more concerning: Half of the respondents didn’t budget a dime for cybersecurity.
According to Mandy D’Autremont, vice-president of marketing partnerships at CFIB, this is often because of a false belief that cybercriminals won’t bother with mom-and-pop businesses. But that’s never been less true, largely thanks to the rise of “cybercrime-as-a-service.”
“This is a big evolution we’ve seen in the criminal marketplace,” says Rajiv Gupta, associate head of the Canadian Centre for Cyber Security (the Cyber Centre). “[Criminals] can go to the dark web and buy what they need, allowing them to hit more targets more often. ... It makes these small businesses viable targets for the level of effort required.”
The fewer resources a company has to protect itself, the more likely it is to be victimized. And if it has no response plan, such an attack could be even more devastating.
So what can SMEs do?
The most common attacks include ransomware, password breaches and phishing e-mails (fraudulent e-mails that attempt to convince the receiver to hand over sensitive information). Luckily, there are plenty of low-cost fixes to help reduce these risks.
Passwords should be complex and frequently changed. (Password managers can help with this, experts say.) Multifactor authentication for e-mail and other online services ensures that users must provide additional information, such as a code texted to a mobile device, to gain access. Staff should also be trained on how to spot fraudulent e-mails.
That said, finding the expertise to boost security protocols can be a challenge for SMEs with limited resources, especially since demand for security experts and consulting has surged amid the pandemic, Ms. D’Autremont notes.
Still, “even if you only have three or four people, try to designate one person the security lead and equip them with what they need,” she adds.
There are also various resources SMEs can turn to for support. For instance, the CFIB Cybersecurity Academy, a partnership with MasterCard, is launching this fall and will deliver online learning modules covering topics including ransomware, identity fraud and other cyberthreats.
The Cyber Centre also provides many free resources for SMEs, including information on supply chain security, ransomware and other best practices. In addition, businesses without the ability to securely store and manage their data can (and should) also use a secure cloud provider.
Another emerging option is cybersecurity insurance.
“This is a nascent area, to help businesses recover costs after an attack,” says Mahan Azimi, a research analyst with the IBC. “It’s only one component of a strategy and shouldn’t be thought of as a replacement for vigilance, but in a worst-case scenario, it’s that extra bit of protection.”
Among the most important preparations is to always assume you’re vulnerable – and have a plan for the worst. The Cyber Centre produces a guide to developing an “incident response plan,” which includes delegating roles and responsibilities.
Quick and co-ordinated action is what saved Emblemtek. With the help of his IT provider, Mr. Black worked into the wee hours of the morning after his attack, wiping out and reformatting all of the company’s hardware and restoring it from an offline, off-site backup.
“Technically, we lost the previous day,” Mr. Black says. “And it cost about $15,000 in hardware and technical services. But the alternative was to lose 40 years of our company’s history – or give in and hand over who knows how much money and probably feel like we’d never get the traces of these guys out of our systems.”