Skip to main content
The Globe and Mail
Support Quality Journalism.
The Globe and Mail
First Access to Latest
Investment News
Collection of curated
e-books and guides
Inform your decisions via
Globe Investor Tools
per week
for first 24 weeks

Enjoy unlimited digital access
Cancel Anytime
Enjoy Unlimited Digital Access
Get full access to
Just $1.99per week for the first 24weeks
Just $1.99per week for the first 24weeks
var select={root:".js-sub-pencil",control:".js-sub-pencil-control",open:"o-sub-pencil--open",closed:"o-sub-pencil--closed"},dom={},allowExpand=!0;function pencilInit(o){var e=arguments.length>1&&void 0!==arguments[1]&&arguments[1];select.root=o,dom.root=document.querySelector(select.root),dom.root&&(dom.control=document.querySelector(select.control),dom.control.addEventListener("click",onToggleClicked),setPanelState(e),window.addEventListener("scroll",onWindowScroll),dom.root.removeAttribute("hidden"))}function isPanelOpen(){return dom.root.classList.contains(}function setPanelState(o){dom.root.classList[o?"add":"remove"](,dom.root.classList[o?"remove":"add"](select.closed),dom.control.setAttribute("aria-expanded",o)}function onToggleClicked(){var l=!isPanelOpen();setPanelState(l)}function onWindowScroll(){window.requestAnimationFrame(function() {var l=isPanelOpen(),n=0===(document.body.scrollTop||document.documentElement.scrollTop);n||l||!allowExpand?n&&l&&(allowExpand=!0,setPanelState(!1)):(allowExpand=!1,setPanelState(!0))});}pencilInit(".js-sub-pencil",!1); // via darwin-bg var slideIndex = 0; carousel(); function carousel() { var i; var x = document.getElementsByClassName("subs_valueprop"); for (i = 0; i < x.length; i++) { x[i].style.display = "none"; } slideIndex++; if (slideIndex> x.length) { slideIndex = 1; } x[slideIndex - 1].style.display = "block"; setTimeout(carousel, 2500); } //

Cyber attacks threaten every industry in every country around the world – and Canada is not immune.


In 2018, hackers stole 10 gigabytes of data from a Las Vegas casino by compromising a smart thermometer in a fish tank. More than just a source of “phishing” puns, the aquarium breach shows the increasing ingenuity of cyber criminals – and serves as a warning to small- and medium-sized enterprises (SMEs) that might think cybersecurity is only something the big firms need to worry about.

“Your small business can really be a target,” says Paul Furtado, an Ontario-based senior analyst with Gartner Inc., an information-technology research-and-advisory company. He says the more connected our technology becomes, the greater the risk that a humble downstream supplier could find itself in the middle of a serious cyberheist.

“If I’m an agenda-driven hacker or a hacktivist or a nation state, I’m not going to go after the Department of Defence, for example, because chances are they’ve got a very robust cybersecurity program in place,” Mr. Furtado says. “But if Bob and Mary’s Nut and Bolt Shop is a trusted supplier to a company that assembles the frames for military vehicles that they sell to the Department of Defense, I’m going to see how deep I can go through their system to connect ultimately into the Department of Defence.”

Story continues below advertisement

SMEs are increasingly becoming targets of cybercrime. Daniel Tobok, a cybersecurity expert who advises corporations globally, says the past 15 months have seen “an explosion” of occurrences of two particular criminal tactics that offer a huge return on investment for criminals. The first is ransomware – malicious software that blocks companies from accessing their own systems until a ransom is paid. A 2018 report by IT company Datto found that Canadian companies face both the highest average ransom cost ($8,764) and the highest cost of downtime per ransomware attack ($65,724). The second type of attack, business e-mail compromise (BEC), uses a company’s own e-mail accounts to defraud employees or customers. In 2018, the Canadian Anti-Fraud Centre received BEC-related reports totalling more than $17-million in losses.

“It’s a real epidemic,” Mr. Tobok says. “Twenty years ago, the big criminals were really only interested in government and bankers and banking associations, because they held a lot of meaty things that they could monetize quickly. But as those enterprises grew more educated and more secure, SMEs are one of the biggest attack vectors for cybercriminals and state-sponsored attacks, because smaller enterprises are not as mature when it comes to their security. Everybody understands they need a roof and a door, but not everybody knows you have to have an alarm and a hungry German shepherd protecting their property.”

Corinne Pohlmann, senior vice-president of National Affairs and Partnerships for the Canadian Federation of Independent Business (CFIB), says many SMEs don’t have adequate cyberprotection in place, simply because they don’t know they need it.

“That’s the biggest challenge,” she says. “Many small and medium enterprises just don’t realize how vulnerable they may be.”

Ms. Pohlmann recommends that SMEs conduct a risk-exposure survey. In addition to identifying their role in supply-chain security, businesses should also look at what data they’re collecting and educate themselves about its street value.

Large data breaches of big companies make headlines – but an unprotected small customer database is equally worth a hacker’s time. According to Symantec’s Internet Security Threat report, just a name or birthday can be worth up to $1.50 on the black market. A scanned passport or driver’s license can command up to $35, and a full ID package (name, address, social insurance number, e-mail address and bank account number) can go for up to $100.

“Any small business that collects electronic customer data, even if it’s Joe Smith’s hardware store, could have hundreds and thousands of names in there,” says Gartner’s Mr. Furtado. “And that makes them a really good target.”

Story continues below advertisement

Once an SME knows what it needs to protect, Mr. Furtado recommends engaging the services of a managed security-service provider or a managed detection-and-response provider to help identify their gaps.

“It’s not that SMEs face special threats,” he says. “The challenge is that they usually don’t have the resources in place [to] know how to protect themselves. They need somebody to identify where the gaps are and what resources they need to bring in to fill those gaps.”

In addition to keeping security technology current, CFIB’s Ms. Pohlmann urges business owners to stay educated about the latest scams – and to train their employees to recognize and take protective action against ransomware, BECs and other risks. The CFIB recommends resources such as the Competition Bureau of Canada’s Little Black Book of Scams, which details current cyberfraud tactics.

Fifteen or 20 years ago, says Mr. Tobok, most cyber attacks were “brute force” attempts to compromise IT infrastructure. He now estimates that around 80 per cent of cybercrimes rely on human error, such as tricking someone into sharing sensitive information.

Bad guys today are attacking people more than attacking infrastructure, because IT and digital security have evolved a lot faster than people’s education and maturity level,” he says. “After a company is breached, we often hear, for example, that it was Suzy in administration who clicked the phishing link that took the whole company down. I always ask the question ‘Did anybody actually train Suzy [on best cybersecurity practices] before pointing the finger at her?’

“We always train our kids to not talk to strangers,” Mr. Tobok says. “Now we’ve got to do the same thing in the workplace, because people don’t understand the danger.”

Your Globe

Build your personal news feed

  1. Follow topics and authors relevant to your reading interests.
  2. Check your Following feed daily, and never miss an article. Access your Following feed from your account menu at the top right corner of every page.

Follow topics related to this article:

View more suggestions in Following Read more about following topics and authors
Report an error Editorial code of conduct
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to If you want to write a letter to the editor, please forward to

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

UPDATED: Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies