A rash of ransomware attacks targeting small towns and cities across parts of Canada this year raised alarm bells for governments at all levels, not to mention owners of small and medium-sized enterprises (SMEs) across the country. If even municipalities could be extorted for tens of thousands of dollars – sometimes more – then the average cash-strapped SME must be highly vulnerable.
It’s an accurate assumption.
“The problem, in our experience, is getting worse at such an incredible rate that we’re falling further behind as an industry to fight it,” says David Redekop, the co-founder of Nerds On Site, a London, Ont.-based provider of IT and security-support services.
Worse, Mr. Redekop explains, the cyberattacks that SMEs are trying hard to gird against are becoming far more sophisticated and commoditized. Anyone with basic coding skills can search YouTube for a guide to accessing the dark web, where they can buy ransomware and install it with minimal effort.
“It’s gotten too easy to commit this crime,” Mr. Redekop says. “Because the internet doesn’t conform to geographical borders, it sets the stage for the problem to get worse.”
A 2018 survey by the Canadian Internet Registration Authority underscores the challenges facing SMEs. Among the survey’s 500 respondents – either business owners or IT employees within their organizations – 40 per cent had experienced a cyberattack in the past year, and 88 per cent were worried about another one in the future.
A whopping 37 per cent of organizations lacked anti-malware software and only 54 per cent provided cybersecurity training to their employees. Phishing attacks – a form of social engineering used to obtain information or gain access to a computer or network – were the most common form of cybercrime the organizations faced.
And the most challenging aspect of managing a cyberattack, according to respondents: the time, labour and cost required to undo a hacker’s nefarious work.
Because technology is changing at such a rapid pace, hackers are employing increasingly sophisticated tools and techniques. As a result, entrepreneurs and their IT teams find themselves locked in a game of cybersecurity whack-a-mole. Just as they patch or address one vulnerability, another weakness pops up for criminals to exploit.
“In war, nothing is fair, but in a cyberwar, we’re facing a particular circumstance where a bad actor needs to find only one weakness,” Mr. Redekop says, “but the defenders have to find all the weaknesses.”
To complicate matters further, SMEs also typically lack the financial resources to invest in the necessary administrative or organizational controls to manage cyberrisk – an important consideration when storing data locally or in the cloud, the latter of which requires proper software implementation, configuration and management to fend off attacks.
Many business owners overlook the fact that mitigating cybersecurity risk is as much about managing people as it is deploying cutting-edge tools.
Simply put, a hacker’s easiest route into a network is with the help of an organization’s employees. Not as an accomplice, but as an individual who lacks training in IT security and is susceptible to phishing scams that allow a hacker to penetrate a network and lie in wait, often for months at a time, before striking.
According to the CIRA survey, only 38 per cent of respondents reported a knowledge of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s online data privacy legislation. But 59 per cent said they store customers’ personal information.
According to the Office of the Privacy Commissioner of Canada, PIPEDA “applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity.”
The law says businesses must obtain consent before collecting or using an individual’s personal information, and provide access to any personal information in their possession. It also applies strict guidelines on how personal information is used before additional consent is required.
“Privacy laws can be a burden, but they can also be a blessing because they can help organizations become more resilient to increasing cyberrisks,” says Bradley Freedman, a partner in the cybersecurity group at law firm Borden Ladner Gervais in Vancouver.
He says data privacy laws, coupled with robust enforcement and the risk of financial consequences, are driving more SMEs to be pro-active in their efforts to protect customer data and, in turn, their own IT infrastructure. And the financial risks, such as regulatory enforcement, fines, or lawsuits from failure to protect customer data, are serious.
Data security education is critical, according to Abraham Megidish, CTO of Toronto-based network security software maker Jentu Technologies Inc. He says that simply teaching employees not to click on suspicious e-mails can help thwart cyberattacks.
“An example would be an inbound e-mail saying, ‘This is your boss, I need you to click on this link,’ ” Mr. Megidish says. “Does it sound like your boss who would ask you to click on that link? Then why are you clicking?”
He recommends locking down a network when it’s not in use, including turning off company routers after hours, utilizing software that minimizes the risk of a network breach and allowing employees access only to approved websites.
If employees want the freedom to check Facebook or shop online during work hours, provide access to an unsecured network that’s firewalled from the organization’s main network, he advises. And don’t always feel safe doing business in the cloud – especially with software-as-a-service-based tools.
“You’re actually less secure [in the cloud],” Mr. Megidish stresses. “You put your private data in the hands of [companies such as] Dropbox, but who is Dropbox? I don’t know who’s there.”
As Mr. Megidish notes, once data are in the hands of a third party, that third party effectively controls the data, creating substantial risk for an organization.