In 2018, hackers stole 10 gigabytes of data from a Las Vegas casino by compromising a smart thermometer in a fish tank. More than just a source of “phishing” puns, the aquarium breach shows the increasing ingenuity of cyber criminals – and serves as a warning to small- and medium-sized enterprises (SMEs) that might think cybersecurity is only something the big firms need to worry about.
“Your small business can really be a target,” says Paul Furtado, an Ontario-based senior analyst with Gartner Inc., an information-technology research-and-advisory company. He says the more connected our technology becomes, the greater the risk that a humble downstream supplier could find itself in the middle of a serious cyberheist.
“If I’m an agenda-driven hacker or a hacktivist or a nation state, I’m not going to go after the Department of Defence, for example, because chances are they’ve got a very robust cybersecurity program in place,” Mr. Furtado says. “But if Bob and Mary’s Nut and Bolt Shop is a trusted supplier to a company that assembles the frames for military vehicles that they sell to the Department of Defence, I’m going to see how deep I can go through their system to connect ultimately into the Department of Defence.”
SMEs are increasingly becoming targets of cybercrime. Daniel Tobok, a cybersecurity expert who advises corporations globally, says the past 15 months have seen “an explosion” of occurrences of two particular criminal tactics that offer a huge return on investment for criminals. The first is ransomware – malicious software that blocks companies from accessing their own systems until a ransom is paid. A 2018 report by IT company Datto found that Canadian companies face both the highest average ransom cost ($8,764) and the highest cost of downtime per ransomware attack ($65,724). The second type of attack, business e-mail compromise (BEC), uses a company’s own e-mail accounts to defraud employees or customers. In 2018, the Canadian Anti-Fraud Centre received BEC-related reports totalling more than $17-million in losses.
“It’s a real epidemic,” Mr. Tobok says. “Twenty years ago, the big criminals were really only interested in government and bankers and banking associations, because they held a lot of meaty things that they could monetize quickly. But as those enterprises grew more educated and more secure, SMEs are one of the biggest attack vectors for cybercriminals and state-sponsored attacks, because smaller enterprises are not as mature when it comes to their security. Everybody understands they need a roof and a door, but not everybody knows you have to have an alarm and a hungry German shepherd protecting their property.”
Corinne Pohlmann, senior vice-president of National Affairs and Partnerships for the Canadian Federation of Independent Business (CFIB), says many SMEs don’t have adequate cyberprotection in place, simply because they don’t know they need it.
“That’s the biggest challenge,” she says. “Many small and medium enterprises just don’t realize how vulnerable they may be.”
Ms. Pohlmann recommends that SMEs conduct a risk-exposure survey. In addition to identifying their role in supply-chain security, businesses should also look at what data they’re collecting and educate themselves about its street value.
Large data breaches of big companies make headlines – but an unprotected small customer database is equally worth a hacker’s time. According to Symantec’s Internet Security Threat Report, just a name or birthday can be worth up to $1.50 on the black market. A scanned passport or driver’s license can command up to $35, and a full ID package (name, address, social insurance number, e-mail address and bank account number) can go for up to $100.
“Any small business that collects electronic customer data, even if it’s Joe Smith’s hardware store, could have hundreds and thousands of names in there,” says Gartner’s Mr. Furtado. “And that makes them a really good target.”
Once an SME knows what it needs to protect, Mr. Furtado recommends engaging the services of a managed security-service provider or a managed detection-and-response provider to help identify its gaps.
“It’s not that SMEs face special threats,” he says. “The challenge is that they usually don’t have the resources in place [to] know how to protect themselves. They need somebody to identify where the gaps are and what resources they need to bring in to fill those gaps.”
In addition to keeping security technology current, CFIB’s Ms. Pohlmann urges business owners to stay educated about the latest scams – and to train their employees to recognize and take protective action against ransomware, BECs and other risks. The CFIB recommends resources such as the Competition Bureau of Canada’s Little Black Book of Scams, which details current cyberfraud tactics.
Fifteen or 20 years ago, says Mr. Tobok, most cyber attacks were “brute force” attempts to compromise IT infrastructure. He now estimates that around 80 per cent of cybercrimes rely on human error, such as tricking someone into sharing sensitive information.
“Bad guys today are attacking people more than attacking infrastructure, because IT and digital security have evolved a lot faster than people’s education and maturity level,” he says. “After a company is breached, we often hear, for example, that it was Suzy in administration who clicked the phishing link that took the whole company down. I always ask the question ‘Did anybody actually train Suzy [on best cybersecurity practices] before pointing the finger at her?’
“We always train our kids to not talk to strangers,” Mr. Tobok says. “Now we’ve got to do the same thing in the workplace, because people don’t understand the danger.”