If you have not yet put in place protections against cybercrime, you may want to take in this chilling statistic from an IBM study: The average cost of a data breach for a Canadian business in 2023 was almost $7 million.
And things are not getting any better for entrepreneurs who are coming under attack from well-resourced, sophisticated players as well as independent actors using easy-to-use and low-cost tools.
Yet, despite the rising frequency, severity and cost of cybercrimes, many Canadian businesses haven’t made managing cyber risks a priority. For example, only 55% of businesses train their employees against possible cyberattacks, according to a BDC survey.
Are companies not prepared because they don’t view themselves as a target? Or is it that they lack the technical expertise? Or are they not considering the business risk?
What we do know is that many Canadian entrepreneurs are leaving themselves vulnerable to important threats.
Over 80% of Canadian consumers say they won’t buy from a company if they don’t trust it to protect their data.
How are businesses affected by online fraud?
As online attacks of high-profile companies make the news, you may feel like your smaller business can fly below the radar. But with less robust defences, you are a primary target for cybercriminals who hack their way into your system to make a quick profit, steal valuable personal information or gain access to the systems of larger partner organizations.
A Mastercard study found that businesses operating for less than five years, a category where many small businesses find themselves, are more likely to experience a breach than their peers.
An attack can be devastating for a small business. Its range of consequences can include:
legal and regulatory impacts
supplier and partner relationship impacts
security and technology costs
Another key risk is the loss of consumer trust. According to the Mastercard study, nearly 80% of consumers say they won’t buy from a company if they don’t trust it to protect their data.
Many Canadian businesses look to online platforms to increase their reach. So, it’s critical that they develop and maintain a sound cybersecurity strategy. And it should not end there. Businesses should create a robust incident response plan that is reviewed regularly.
How do businesses suffer data breaches?
Businesses can fall prey to a variety of data loss incidents or system breaches. Cybercriminals frequently send phishing emails, hoping that employees will click on them. This allows them to gain access to a company’s systems and all the sensitive information they can find.
Hackers will then sometimes hold that information for ransom. This is called ransomware.
Ransomware is one of the most common threats to Canadian businesses today. It is responsible for four out of five data loss incidents, according to a recent Verizon study.
A few tips to help you spot a fraudulent message
Fraudsters use a range of platforms to try to dupe their targets, including emails, text messages, phone calls and QR codes. As fraudulent messages get increasingly sophisticated, spotting them also gets more difficult. However, you can often spot one or more of the following clues:
1. Strange domain name or website
Fraudulent messages are typically meant to look or sound like they’re from a trusted source. They may have a domain name (the part after the “@”) or include a website address from what appears to be a legitimate organization. Be on the lookout for such things such as a typo in the domain name, a fake sub-domain (e.g., company.xyz.com), or use of a public domain such as Gmail.
2. Unusual context
Messages may include spelling or grammar mistakes and be written in a tone not typical of official correspondence. Increasingly, tools exist to help craft and review email content, leaving them with no glaring errors. Users should therefore be vigilant of messages received in an unusual context.
3. Suspicious attachments or links
Typically, threat actors are either trying to engage with the recipient to gain information, encourage them to disclose their username and password or take an action that can compromise their systems. In the latter two cases, the message will typically include a malicious link or attachment, often appearing to be from a legitimate site.
Always verify a link before clicking on it by hovering over the hyperlink. If you want to visit a site, enter the address manually in your search bar.
Also, be particularly careful about downloading attachments with the following file extensions (the three letters just after the dot at the end of the file name):
4. A sense of urgency
Phishing messages often try to create a sense of urgency. For example, it may say action is needed immediately to avoid an account being suspended or to be eligible for a prize. Often, these messages are playing off current events. During a natural disaster, it might claim to be from a utility, or a humanitarian relief campaign soliciting donations.
If you get a suspicious email or call, follow these three steps: stop, think and act.
Good practices to protect your business from online fraud and cyberattacks
The first step to protecting your business from online fraud and cyberattacks is to be proactive so as to prepare yourself to recognize threats and take action. Below are some basic steps to include in your company’s cybersecurity plan:
Train people to be aware of threats
Make sure that all onboarding employees receive cybersecurity training, as well as regular refreshers. Provide tailored training to groups at greater risk of being targeted, such as executives, administrative assistants and IT specialists. Reinforce a strong cybersecurity culture by providing relevant and timely updates.
Share best practices
Reach out to peer organizations, industry groups, and cybersecurity communities of practice to share lessons learned. Groups such as Cybereco and the Canadian Centre for Cybersecurity can provide entrepreneurs with information to help bolster their company’s cybersecurity.
Review regulatory requirements
Make sure you understand your regulatory and legal requirements with regard to cybersecurity, fraud and privacy since these can vary from one jurisdiction to another. Quebec’s new Law 25, for example, requires that companies take certain steps to protect the personal information of their companies. Your company needs to regularly review existing regulations and prepare for any possible change.
Build cybersecurity and privacy into your system
Try to integrate cybersecurity and privacy controls into all new processes, with the aim of ensuring confidentiality, integrity and availability requirements are taken into account. This will help avoid costly and complex rework and minimize exposed vulnerabilities.
Stay up to date
Threat actors are looking to exploit known vulnerabilities, which makes it a must to update applications and operating systems. Fortunately, many systems and applications provide automatic updates and patches.
Be prudent with access
Ensure that the access granted to new employees aligns with their roles, and for departing employees, make sure their access is immediately revoked. Implement a responsible password policy that includes multi-factor authentication around sensitive applications.
Secure files and systems
Take basic steps to safeguard your company’s sensitive information by encrypting devices such as laptops and smartphones. It’s essential too to routinely back up important files and have them in a secure offline location, in an external hard drive or a cloud storage service.
How to ready your business for a cyber incident?
Preparing an incident response plan helps avoid costly outcomes. It should be reviewed and exercised at least once a year. This ensures everyone knows both what is expected of them and the potential impact of any changes in the threat landscape.
To build the plan, consider retaining a specialized firm to work through a basic playbook with you. The plan should be tailored to your business and systems, and your teams should be familiar with it and understand their roles in it. This can better ensure your business detects, contains and recovers from potential incidents. And it will limit the potential damage a cybercriminal can cause.
It’s important as well to decide ahead of time what to do in the event of a ransom request following a breach. Paying a ransom will rarely guarantee a good outcome and, in fact, may lead to your business becoming a future target. It is not recommended to pay a ransom to cybercriminals.
You can consult the Government of Canada’s sample playbook on responding to ransomware—the most common type of cyber attack in Canada.
Questions to answer when drafting a cyber incident response plan
What are your key assets?
Knowing what your company’s most important information is as well as where it resides is key to knowing how to respond to an incident. This includes your key systems. You need to know who has access to them and what possible threats they face.
Customer data, payment information and intellectual property typically are considered key assets, as is data used to run your business and maintain your competitive advantage.
Identify how the loss, compromise or exposure of this information or these systems would negatively impact your business. This helps you focus your effort and understand the severity of a potential breach.
Focusing on the systems that house your information and the threats they face will also help you contain potential breaches by prioritizing remediation activities to where they will be most impactful.
Ensure that a threat assessment is conducted to give you a good understanding of what needs to be done to protect these crown jewels. This will help you prioritize the investments you make in securing and controlling your company.
Who is needed around the table in the event of a breach?
When a breach happens, you typically need to include:
communications and marketing people
Some businesses will also include key external partners, notably:
your cyber incident response firm
It is vital however that you at least give an internal person the responsibility and accountability for cybersecurity.
Many companies already work with external firms that may be able to provide some or all the support needed in the event of a breach. If you’re not sure where to start, you can see if your external counsel offers breach coaching services as part of your existing retainer.
Organizations without cyber insurance should add this to their policy if at all possible.
When do you need to back up your systems?
What is the maximum downtime you can accept as a business for each critical system? Having an estimate of this will help you prioritize your investment, organize your teams’ efforts in the case of a breach and help prepare a communications plan.
Why is a cyber incident response plan important for your business?
What risks and impacts are you trying to avoid (operational, financial, regulatory, reputational, etc.)? Answering this will help you determine how cyber risk management fits within your overall business priorities, and how the managing of cyber risk supports other business functions.
If someone does click on a fraudulent link or inadvertently gives out information, this person should know quickly how to react and whom to contact. That way, action will be taken as quickly as possible.
Prompt reporting is important and reduces the risk of losses. The person in your business responsible for cybersecurity and your management team need to be informed.
You should report the incident to the local police as well as:
If you get a suspicious email or call, here are three steps you can follow to avoid the threat:
Stop: Don’t feel the need to respond immediately even if the message creates a sense of urgency.
Think: Are there any signs something is amiss? An odd sender or email address, typos, an unusual request or timing, a request for sensitive information or a high-risk transaction
Act: Don’t engage with the sender; cease communications and report the message if you’re able.
Your employees are your first firewall.
What are we doing to protect our clients?
Information security is a top priority at BDC, both in terms of controls and incident response. We’ve paid particular attention to safeguarding client information and the systems used to protect and store that data.
We also train our employees, including our client-facing team, to ensure they understand their responsibilities. They act as stewards for the information our clients entrust with us.
In addition, we strive to understand the threats that are out there and how they continue to evolve. To ensure comprehensive security, we partner with cybersecurity firms that provide 24/7 coverage for monitoring, response and detection of potential breaches.
Understanding the evolving cybersecurity landscape
As a financial institution, it’s our responsibility to participate in information-sharing forums to understand the evolving cybersecurity landscape. We strive to bring the most accurate information to bear for our clients and colleagues.
We work with Cybereco, an information-sharing consortium based in Quebec. This platform helps us share the latest trends and threats in a safe, secure and anonymized way to ensure everyone can benefit.
We are also part of FS-ISAC, the information security sharing forum for financial institutions. This is another resource that helps us stay on top of the latest trends and threats, and protect our clients.