
Gartner Inc. recommends companies spend between 4 and 7 per cent of their IT budgets on IT security. (Photo: Mal Langsdon/Reuters)

With daily news about spies and even governments hacking into databases, it's more important than ever for small and medium-sized businesses (SMBs) to invest in cybersecurity, experts say.

"Cybersecurity training is so incredibly important to SMBs. The impact of a hack on an SMB could be catastrophic," says Jessica Gagner, head of communications and events strategy for BioConnect, a Toronto-based cybersecurity firm.

Ms. Gagner notes a 2011 report by security firm Symantec that said small businesses were targeted just 18 per cent of the time by hackers.

"By 2014, that number went up to 34 per cent," she says. Hackers are constantly refining their techniques.

These range from phishing (indiscriminate fake e-mails asking for money or company secrets to be transferred) to spear-phishing (fake e-mails targeting particular companies and executives) to the fast-growing and pernicious incidence of ransomware, in which hackers "kidnap" an SMB's database by infecting and encrypting it, then demand payment to restore it.

"Ransomware is the latest scourge of the Internet, extorting millions of dollars from people and organizations and infecting and encrypting their systems," a 2017 report by U.S. communications giant Verizon says.

"It has moved from the 22nd most common variety of malware in 2014 to the fifth most common in this year's data."

For hackers, "There really is no distinction between small businesses and large ones," says Rohit Sethi, chief operating officer at Security Compass, a Toronto-based firm that works mostly with larger companies.

"One mistake small businesses often make is thinking that they're low profile and won't be targeted," he says.

"There are targeted attacks where hackers are looking for something in particular, but there are also a large number of automated attacks where hackers just go across the range to see what they come up with."

Another reason for SMBs to be vigilant is that, usually, they aspire to do business with larger firms. But bigger entities won't want to work with a leaky company.

"As a small business, you should assume that you're going to get attacked," says Michael Gagnon, regional vice-president of sales at Nubo Software, an Israel-based company with offices in Canada and the United States. Nubo focuses on security for businesses' mobile devices.

"It can be a problem. If you do get hacked, what happens is, you grow, and you start having relationships with banks and bigger companies, and you're dead. They won't trust that you have the security to do business with them."

Contrary to a popular misconception, SMB data tends to be safer when it's stored in the cloud than on individual servers, experts say. Big cloud providers have the most sophisticated security, which individual companies usually can't afford for their own servers, Mr. Gagnon says.

How much should penny-conscious SMBs be spending on cybersecurity? "Organizations spend an average of 5.6 per cent of the overall IT budget on IT security and risk management," according to a report from Gartner Inc. last year.

"However, IT security spending ranges from approximately 1 per cent to 13 per cent of the IT budget and is potentially a misleading indicator of program success," Gartner's report adds.

Pointedly, it notes that, "Many organizations simply do not know their security budget."

In Gartner's view, "Enterprises should be spending between 4 and 7 per cent of their IT budgets on IT security: lower in the range if they have mature systems, higher if they are wide open and at risk."

How you spend this budget is another issue, the experts say. "When you have a smaller IT budget of, say, $100,000, then $5,000 alone won't buy you much by way of stand-alone security products," Mr. Sethi says.

"However, it is likely enough to pay for bundled security options or more secure versions of products and infrastructure. It can also help pay for security awareness training and endpoint security software, which are both critical for any business."

He adds, "There are other less direct costs, such as ensuring you have adequate patch management processes [i.e. updating your software], particularly if you host your own systems and infrastructure."

Mr. Gagnon at Nubo suggests that it's usually better for SMBs to outsource their cybersecurity to the many companies that specialize in this field. Just as the cloud is better equipped to protect data than on-site servers, experienced security firms can provide the most up-to-date protection and the economies of scale to keep costs down.

Beyond this, "There are a lot of measures a company can take," Ms. Gagner says.

"Training doesn't have to be a big expense. There are a lot of online resources that can give tips, like don't use public Wi-Fi for company business, be mindful of phishing attacks and employee downloads of applications from suspicious websites. These are all ways that hackers can find a way into an SMB's infrastructure."