Few Canadian small business owners believe their cybersecurity defences are up to stopping a cyber attack, a new survey suggests.
Only one-third of Canadian small business owners recently questioned were confident in their firm’s cybersecurity tools, according to a Mastercard online survey of 300 small business owners across the country.
“That’s a really small number,” said Aviva Klein, Mastercard Canada’s vice-president of digital payments and cybersecurity solutions. “I was shocked at how low it was.”
And that wasn’t the only statistic she was surprised at, considering 98 per cent of Canadian companies have fewer than 100 employees:
— 57 per cent of owners said they had no form of cybersecurity training. Klein found that number “shocking;”
— 53 per cent said they couldn’t spare the cost of adopting innovative new cybersecurity tools to protect customer data;
— only 51 per cent said their firm uses two-factor or multifactor authentication to protect logins;
— only 16 per cent were very confident they knew the best steps to take after a successful cyber attack;
— only 18 per cent of owners were confident their business would fully recover if an attack happened in the next six months.
The survey was released in conjunction with Cyber Security Awareness Month.
Mastercard did the survey to find out if small companies understand their cybersecurity posture. Data breaches at companies are a threat to Mastercard, Klein explained, because often the data stolen is debit/credit card information which is then leveraged for payment fraud.
That’s why Mastercard has partnered with the Canadian Federation of Independent Business (CFIB) to offer CFIB members access to a Cybersecurity Academy with short lessons and free tools for small firms. It also partners with the Global Cyber Alliance to deliver a free toolkit for small businesses.
It’s important for small business owners to have cybersecurity training, because cyber awareness “comes from the top down,” Klein said. “The importance needs to be modeled by senior leadership, including the small business owner. Without them understanding what needs to be done, what’s at stake, the trickle-down phenomenon [of knowledge] won’t happen.”
Most Canadians work for small businesses; the fact that fewer than half have cybersecurity training is “a pretty alarming statistic.”
“Many small business owners don’t necessarily understand the full offering [capabilities] the tools they have provide,” she added, such as the ability to turn on multi-factor authentication for Google Workspace (formerly known as G Suite).
“Small businesses have a lot of competing priorities,” she acknowledged. But, she added, Mastercard is “trying to shine a light on the state of Canadian small businesses today.”
That includes encouraging them to do “small things that have a high impact, like [mandating employees have] strong passwords, changing passwords often, enabling two-factor authentication, awareness training about the rise in phishing and urging staff to think about not clicking on things.”
It also means management thinking about where the data they have is stored, how it is secured and what would happen if the firm couldn’t access its accounting software or customer list.
“Many businesses don’t survive or would not be able to fully recover if they were attacked,” Klein said, noting that only 18 per cent of businesses believe they could fully recover from a successful attack.
Unfortunately, she echoed what many other experts have said for years: Most small businesses believe they are too small to be hit by a threat actor.
But, Klein said, “the fact of the matter is these are organized cyber criminals who work in a very lucrative business. They are highly motivated to perpetuate their crimes.”
A good cybersecurity awareness program for employees, she said, includes frequent reminders of what to do (or not to do), as well as breaking down some of the complexity of cybersecurity.
That goes the same for owners, Klein added. Cybersecurity “is scary to them. And we [experts] use these big words that they don’t understand and they sort of shut down.”
Experts need to use “plain English” to help owners understand cyber risk and to ask themselves if they know what to do if faced with a cyber attack.