Canada’s small and medium-sized businesses are more concerned than ever about being hit by a cyberattack, and at last month’s MapleSEC conference, two executives with the Canadian Federation of Independent Business (CFIB) and consultant Yogi Schulz outlined in separate sessions what is being done and what can be done to help.
The sad truth, according to conference organizers, is that “there is no such thing as an organization too small to be a target. And with smaller organizations having less resources, the impact on their business can be proportionately far greater than for large corporations.
“But the situation isn’t hopeless and the CFIB is currently working on developing tools to help their members with cybersecurity.”
Mandy D’Autremont, the organization’s vice president of marketing partnerships, and Jocelyn Rhindress, senior manager of CFIB’s business resources national team, outlined the impact cyber attacks are having on SMBs.
Rhindress presented findings from a joint survey conducted by CFIB and Mastercard, released in March, that revealed one in four small business owners reported an increase in cyberattack attempts against their businesses in the last year.
The survey showed that eight per cent of the CFIB’s 95,000 members were victims of an attack that cost time or money, with one business revealing its total loss added up to $500,000.
And unfortunately, money isn’t the only thing that businesses lose as a result of cyber attacks, said Rhindress. “We know that cyber attacks, and the impact of attacks, is wide ranging. And it can include disrupted business operations, cause legal liabilities, and even damage your reputation.
“And sadly, 60 per cent of small businesses close within six months of a successful cyber attack. Those numbers are huge. We collected some comments from businesses, and we actually had a knowledge-based business owner tell us that if their office burnt down, they would be able to resume their business within 72 hours. But if a hacker were to destroy their data, the business would actually collapse.”
D’Autremont said that despite the fact the threat is real, cybersecurity is not the most approachable topic.
That is a key reason why Mastercard and the CFIB are planning to launch the CFIB Cybersecurity Academy, a targeted training initiative that will provide owners with digital lessons on assorted topics ranging from how to prevent ransomware to identifying and preventing social engineering.
D’Autremont said that when it comes to cybersecurity education, there are four critical areas that need to be looked at: make sure everyone (and that includes the owner of the business) uses strong passwords; make sure all hardware and software used in day-to-day operations is updated on a regular basis; ensure everyone is aware of what phishing is all about and the harm it can cause; and be cognizant of all USB keys and, more importantly, where they came from.
“One of the most valuable things that you can have is a cyber incident response plan,” said Rhindress, noting that the topic will be a key part of the academy’s curriculum. “It’s actually a workbook and this is meant to help your business plan on what actions you will need to take in the event your business experiences a cyber incident. It helps you prepare for a potential future incident – how you would respond during the incident, and actually how you would recover and learn from the incident.”
In his MapleSEC session, Yogi Schulz, the founder of Calgary-based Corvelle Consulting and a senior contributor with IT World Canada, outlined how an SMB can best assess its cybersecurity defences using a comprehensive, low-cost, low-effort process.
During his presentation, and in a follow-up blog on the subject, he said there are several misconceptions when it comes to developing a cybersecurity strategy. They include the notion that it will be expensive and consume too much staff time, and the belief that an organization is “too small, low-profile and inconsequential to attract the attention of cyber attackers.”
According to Schulz, the solution lies in using a series of controls developed by the Center for Internet Security that will confirm which cybersecurity activities are working well and which ones need to be revisited.
The controls themselves, he said, “have proven their value by defining a base level of cybersecurity practices that all organizations, regardless of size or mission, should embrace and incorporate into their IT operations.”