The Globe and Mail

For online security experts, the most frustrating part of seeing small and medium businesses hit by data breaches and other cybercrimes is knowing that such attacks can often be prevented.

While many Canadian businesses expect proper cybersecurity to be costly or time-consuming, the reality is the opposite, according to the Canadian Centre for Cyber Security. SMBs can do a great deal to protect themselves by taking a few quick and simple steps.

“[The steps] deliver 80 per cent of the benefit with 20 per cent of the effort,” says CCCS head Scott Jones. “That protects a huge amount.”

Jones urges businesses to start with the “baseline controls” published by the CCCS on its website, a series of 13 measures ranging from developing an attack response plan and ensuring automatic software patches on computers to regularly backing up data and securing smartphones used by employees.

The most basic step any business can take, he adds, is educating employees about the fact that attacks are happening and that they can target anyone.

Employees can then be informed of some of the most common forms these attacks take, such as phishing – email messages that attempt to lure users into clicking on malicious links that can cripple a company’s network and expose its data to criminals.

Following the baseline controls and educating employees will do much to dissuade attackers, Jones says, much like installing a home alarm system. Both measures warn criminals that their potential victim is at least somewhat prepared.

“If your cybersecurity is better than the person next to you, they’re going to move on,” he says.

Cybercrime is a major problem for Canadian SMBs. A September report by the Insurance Bureau of Canada found that one in five had been affected by a cyberattack or data breach in the previous two years.

About 44 per cent said they had no defenses, while 37 per cent estimated that incidents cost them more than $100,000. Nearly two-thirds said they had no insurance to help recover.

Mark Gaudet, business leader of cybersecurity services at the Canadian Internet Registration Authority, says education efforts must include a shift in behaviour by companies, where reporting suspicious-looking emails and other communications – as well as possible mistakes by employees themselves who may have clicked on them – is encouraged rather than penalized.

CIRA, which administers the .ca web domain, also provides a number of security services, including the free Canadian Shield program and DNS Firewall for small businesses, which starts at $99 a year for 10 users. Both encourage employee participation in defending against possible intrusions.

“You have to make staff part of the security solution,” Gaudet says. “It’s creating a culture where it’s okay to say, ‘Hey I clicked on this and I’m not sure what happened.’”

Companies should also make sure they have a plan for what happens in the event of a breach, which includes employees knowing who to report to and what actions need to be taken, says Florian Kerschbaum, associate professor of computer science at the University of Waterloo.

The best way to avoid substantial recovery costs or even an existential threat, he adds, is for businesses to assess their most valuable assets and then back those up, either on separate hard drives that aren’t connected to a network or through third-party cloud storage providers.

Those backups should also be regularly tested – something many businesses forget to do.

“If you’ve gone through it once, that makes it much easier,” Kerschbaum says. “That makes for a relatively simple recovery.”

Breaches can still happen even after precautions have been taken, which can raise difficult questions on next steps – especially in the case of ransomware, an attack that encrypts a business’s data and then sells access back for a fee.

Security experts differ in their views on ransomware, which provokes debates between practicality and ethics.

Some understand why businesses end up paying the fees demanded by criminals – doing so is often much less expensive than trying to rebuild the lost data. In such situations, reluctantly playing ball might be the only option.

“The answer is not good, they have to pay the ransom,” says Ryan Borg, director of Toronto-based security provider Borg ITS. “But it crosses the line of negotiating with terrorists, because that’s what they are.”

David Shipley, chief executive of Fredericton, N.B.-based provider Beauceron Security, says paying ransoms is becoming more problematic because such attacks are often orchestrated by organized criminal groups that are facing government sanctions in a growing number of jurisdictions.

That means a business could actually find itself breaking the law by giving in.

“The reality of it is increasingly questionable,” Shipley says. “Paying the ransom does not mean the end of your problems, it’s only the beginning.”
