Securing our Small- and Medium-Sized Business from Cyberattacks


Owners of small- or medium-sized businesses (SMBs) often assume they are less likely than larger companies to face a cyberattack. The reality, however, is very different. A 2019 study showed that 43 percent of cyberattacks were aimed at small businesses, but only 14 percent of businesses were ready to defend themselves. The number of cyberattacks is only increasing in a post-COVID world, with the Canadian Federation of Independent Business reporting that half of businesses plan to increase or maintain their online sales after the pandemic.

“Sometimes they don’t recognize themselves as targets,” says Randy Purse, Senior Cybersecurity Advisor at the Rogers Cybersecure Catalyst. “They don’t set up the protections in order to make sure they don’t become targets. Typically, they can have few or fewer defenses. They’ll have reduced or legacy infrastructure. They’re riddled with vulnerabilities with old systems that can be exploited.”

“A lot of attacks happening on small and medium businesses are based on economies of scale,” says Sumit Bhatia, Director, Innovation and Policy at the Rogers Cybersecure Catalyst. “They don’t attack one business – they attack 100,000 businesses and see who’s accessible.”

While many SMBs may not represent major targets on their own, they could still give hackers access to those big targets. “SMBs may do business with larger enterprises or form a part of their supply chain,” says Bhatia. “You do business with other larger organizations and enterprises, and you form a part of their supply chain, which could potentially give attackers access to their vulnerabilities.”

In a growing and ever-evolving cyber landscape, it is important that SMBs not become complacent. This is why the Rogers Cybersecure Catalyst seeks to empower SMBs to protect themselves through its Simply Secure initiative. The program offers resources and e-learning modules to give organizations a better understanding of how threats happen, and the impacts of those threats – both expected and unexpected.

“One of the things that we do in our Simply Secure program is help businesses understand how to think of cyber risk as business risk,” says Bhatia. “That cyber risk translates. It translates into trust that your customers have in you. It translates into financial loss, and even a small monetary number can be catastrophic for a small or medium business. It transforms into a reputational loss. These are risks that people don’t quantify, and it’s not just a technology issue – it’s a human issue.”

If businesses apply basic principles of cybersecurity, they are well positioned to start laying the foundations of security in their organizations. Alongside those foundational steps, developing a program to onboard and train people in an organization is critically important. “If you have an organization of 20 people, the stats are that at least 10 percent of those people will click on that link,” says Purse. “The challenge is to train your people to be aware and detect these things.”

Other key principles include ensuring that company devices are updated, and that employees use baseline tools and software (antivirus, malware protection, VPN connections, etc.). In addition, business owners should avoid giving all employees the same level of access. “Use complex passwords and change passwords for different levels of access and to different types of users. If you’re giving one person access to one system with the same password as another system, your risk profile goes up,” says Bhatia.

“SMBs are an easy target,” says Purse. “There’s that saying: if you’re being chased by a bear, all you need to be is faster than your friend. It’s the same idea. Be harder than the other target