Last December, the world watched as a team of hackers called Guardians of Peace brought a movie giant to its knees.
Sony Pictures Entertainment Inc. learned the hard way how something as basic as a series of leaked e-mails and direct threats could cost a global company millions of dollars. It was a startling lesson in corporate vulnerability.
Ultimately, Sony has the resources to pull through, but its survival should not lull small or medium enterprises into a false sense of security: Symantec Corp. reports that 60 per cent of small businesses will go under within six months of a cyberattack, a deadly combination created by inadequate security measures and costly consequences.
“Based on what we’re seeing, small businesses are still focusing on the bare minimum to meet the compliance requirements to stay in business,” says Kevvie Fowler, security and data analytics expert and partner in forensic technology at KPMG Canada. “As a result, a lot of small and medium enterprises are finding themselves in hot water,” he adds, warning that Canadian business owners are just as vulnerable to hackers as anyone in the world.
The problems arise when companies maintain small margins and focus primarily on growth, an oversight that fails to leave a cushion in place to absorb the cost of a security breach.
The PCI Security Standards Council, the governing body that oversees credit card security standards, makes no distinction between the average mom-and-pop shop and a Target-sized corporation when implementing fines for a security breach. Altogether, the average cyberattack can cost a company just over $3-million – a hefty price tag that factors in loss of client trust and non-compliance fines of up to $1-million.
With reports showing a spike in targeted attacks against small businesses, a trend that shows no sign of slowing, business owners need to take cybersecurity breaches seriously.
It doesn’t help that the battlefield is uneven. Hackers are getting smarter and more creative in their methods, while many small-time CEOs have minimal resources and education to combat them.
One recent trend that should have businesses on high alert is ransomware, a virus that encrypts sensitive data and blocks access until the victim pays a substantial fee to get its information back.
A typical ransomware hacker will extort anywhere from $800 to $1,500, knowing a business can’t operate without its computer system and the fee is just manageable enough to pay.
A second threat consists of high-tech fraud, where criminals will hack company e-mails to study the organization’s work flow and use the information to send fraudulent wire transfers, which look as though the request came from an authorized source.
“A lot of times people think you’re going to get a badly worded e-mail from a foreign country and that’s not the way it is. It’s not 2003 anymore,” Mr. Fowler says.
Small businesses can’t always rely on the law to protect them. Police have limited time to fight hackers and tend to focus efforts on larger breaches. Cyber criminals rely on the fact that most organizations do not thoroughly log events or back up their data and, as a result, leave gaps for an effective forensic investigation.
Business owners are responsible for protecting themselves. According to industry guidelines, a small business should spend anywhere from three to seven per cent of its operating budget on security. Larger companies, on average, spend closer to 15 per cent.
But with hundreds of software packages available, it can be tricky to determine which solution is the right fit.
Proactive companies willing to invest more heavily in security are looking into diagnostic tools like cyber-risk forecasting, a system that uses data analytics to diagnose potential threats before they occur. This strategy allows businesses to make the proper security adjustments and implement the best solution in the event of a breach.
But this kind of risk assessment doesn’t come cheap. Fees often start in the five-figure range, making it inaccessible to most small and medium enterprises, but that could change as software improves and competition cuts prices.
Innovation may help that accessibility come sooner than later. Cytegic, Inc. is a new Israeli startup that offers cyber risk evaluation in real time, a development that could eventually phase out the current model of written risk assessment reports that don’t hit the CEO’s desk until the end of the month.
Like other diagnostic software, Cytegic’s product suite collects and analyzes data to detect potential threats, considers the company’s current security measures, and then offers the best independent solutions from thousands of options.
What sets the company apart is that its controls run directly on the CEO’s computer dashboard, giving executive management the ability to monitor up-to-the-minute trends and take immediate action in the event of a breach.
“These are not reports from a month ago, like an external risk assessment from another company that are irrelevant once you get them,” says Cytegic co-founder Shay Zandani, who created the information warfare department for the Israeli Army. “The cyberworld is too dynamic for that; it’s changing all the time.”
In the 18 months since Mr. Zandani launched Cytegic with his partner, Elon Kaplan, their software has been snapped up by two of Israel’s biggest banks and they’ve raised several million dollars in venture capital.
Their efforts also attracted the attention of Carmi Gillon, a former head of Shin Bet, Israel’s internal security service, who recently joined the company as executive chair.
Mr. Gillon liked Cytegic’s focus on working directly with company CEOs instead of delegating security concerns to the chief intelligence officer. With cybercrime on the rise, Mr. Gillon knows how dangerous it can be for the CEO to be unaware of the risks.
“The problem we saw with a lot of upper management before the Sony hack was they felt the cyber world was too technical so they left it to the experts,” Mr. Gillon says. “The CEO would say, ‘OK, I believe I’m well protected,’ but he had nothing to support him in his decision. Then he’d get surprised by a hacker that decided to infiltrate his company and destroyed not only the business but himself.”
While Cytegic aims to create smarter management from the top down, another cutting-edge technology out of Silicon Valley is looking to minimize the cyber breach risk by eliminating the need for humans altogether.
Cylance, Inc. uses mathematics and artificial intelligence to root out suspicious malware features and block them from accessing computer systems.
Chief marketing officer Greg Fitzgerald likens his company’s technology to a military drone, an unmanned warplane that uses sophisticated controls to pinpoint an exact target location.
“There are hundreds of millions of malware out there every day and after 20 years, we know what bad looks like. We also know what good looks like,” says Mr. Fitzgerald, who adds that human error is responsible for 30 per cent of all cybersecurity breaches.
“We’re able to extract the features of those known goods, so just like a person, we know your hair colour, your weight, your eye colour, and we add those known goods up to 100. If something deviates from 100, we know it’s bad, and we don’t let it into your system and you won’t even know it was there.”
While most anti-malware reduces the risk of a security breach by 40 per cent, Mr. Fitzgerald says his company’s products have an efficiency rate in the high 90th percentile.
And unlike Cytegic, whose fees start at $50,000, small businesses won’t have to invest more than a few thousand dollars to install Cylance’s products.
Operating budgets may vary, but allotting more capital toward security ultimately beats filing for bankruptcy in the event of a breach.
While there’s no way for a company to safeguard itself 100 per cent from attacks, amplifying security controls and staying on top of industry dangers increases the chances a hacker will move on to a weaker victim.
“This is a race between the attackers and the defenders,” Mr. Zandani concludes, “and as long as you’re going to be proactive and prepared for the next generation of attacks, you’re going to be more protected than your competitor.”