According to Industry Canada’s 2012 analysis of small and medium enterprises in Canada, over 7.7 million employees, or 69.7 percent of the total private labour force, worked for small businesses; 2.2 million employees, or 20.2 percent of the labour force, worked for medium-sized businesses.
In total, SMEs employed about 10 million individuals, or 89.9 percent of employees. In that same year, Statistics Canada reported “Almost nine out of 10 (87 per cent ) of Canadian enterprises reported using the Internet…. Among enterprises with 10 or more employees, Internet use was almost universal, at 96 per cent.”
In its 2013 study on the impact of cybercrime on Canadian businesses, The International Cyber Security Protection Alliance (ICSPA) found that over a 12-month period in 2012, 69 per cent of 520 Canadian businesses surveyed reported some kind of cyber-attack. The cost: approximately $5.3 million or about $15 thousand per attack. The study found that while almost 70 per cent report taking cyber security seriously, only 60 per cent undertake steps to raise awareness of cyber security among employees. They often do so passively, by use of emails and/or company manuals. Only 22 per cent reported having a rigorous, pro-active risk assessment process.
Taken all together, it would seem that in Canada, almost all medium and many small enterprises use the internet and so are vulnerable to security threats. The breakdown of respondents in the ICSPA report makes it clear Canadian SME’s are being hit by cyber-crime events and other security breaches. A survey of current security literature warns of an increase in these kinds of attacks with SME’s gaining favour as targets. This is due to their perceived ease of compromise, due to nonexistent or less sophisticated, security systems.
No business, SME or otherwise, wants to be a target and find itself subjected to cyber-attack, perhaps losing valuable information and revenue. It is safe to say not many SME’s have the personnel with the expertise to properly decide, develop, implement and manage the necessary security solutions. Even those that have strong technical teams, have to answer the question of how best to deploy them. The increasing range of security vulnerabilities makes that a question not easily answered. Should the focus be on the network? Should user education and password management get the most attention? Should resources be concentrated on catching those emails that deliver more misery than message? What about mobile and BYOD? The list will only continue to grow.
While I do not have a complete answer for Canadian SME’s, there just may be a tool that can be used to provide a roadmap and solid starting point for improving their security state The Government of Canada’s ‘Cyber Security Strategy’ has three strategic objectives: 1) securing government systems; 2) working with the private sector and governments to protect critical infrastructure; 3) helping Canadians to be secure on line.
While the debate continues on how the government of the day is performing on meeting these objectives, the Public Safety Canada December 2013 publication ‘Get Cyber Safe Guide for Small and Medium Businesses’, developed on behalf of the Government of Canada, is aligned with objective number three. In an easy to understand format, its a logically presented explanation of the risks to SME’s, with suggestions of how they might be mitigated.
The authors state the guide “is designed to help Canadians who own or manage a small or medium business understand the cyber security risks they face, and provide them with practical advice on how to better protect their business and employees from cyber-crime.” It attempts to cover a broad range of security topics from basic management issues and policy, through web security, email, data, remote access, mobile device and even employee security. The appendices provide useful information, links, and tools including a security self-assessment for SME’s and a glossary of security terms that will help everyone speak the same language.
Security is and will continue to be a concern – a moving target for all of us. In the case of SME’s at least, Canada’s Cyber Security Strategy has provided a practical tool with potential to help improve their cyber security situation. If you have used this guide, it would be great to hear about your experience. If you have not yet seen it, and do decide to use it, please send along your thoughts on its usefulness for your company. Spreading the word helps everyone.