Cybersecurity for Business Owners: How to Protect Your Business from Fraud

Korea Data Forum Fosters Collaboration and Growth

Post by mstlucky8072 »

If you haven't yet implemented cybercrime protection measures, you might change your mind after reading this worrying statistic from an IBM study: the average cost of a data breach for a Canadian business in 2023 was around $7 million.

The situation is not improving for owners who see their business attacked by sophisticated, well-equipped organizations or independent actors who use easy-to-use and inexpensive tools.

Yet despite the increasing frequency, severity and cost of cybercrime, many Canadian businesses have not made cyber risk management a priority. For example, only 55% of businesses train their staff against potential cyberattacks, according to a BDC survey.

Are companies not ready because they don’t see themselves as a target? Or because they don’t have the technical expertise? Or because they don’t consider the business risk?

We know that many Canadian businesses are vulnerable to significant threats.

More than 80% of Canadian consumers say they would not want to buy from a company that they do not trust to protect their data.

How are businesses affected by online fraud?
With online attacks on high-profile companies making headlines, you might think your smaller business could go unnoticed. However, your less robust defenses make your business a prime target for cybercriminals who could hack into your system to make a quick profit, steal valuable personal information, or gain access to the systems of larger partner organizations.

A Mastercard study found that businesses that have been in business for less than five years – a category that includes many small businesses – are more likely to be breached than others.

An attack can be devastating for a small business and have many consequences:

Operations Downtime
Financial losses
Damage to reputation
Legal and regulatory implications
Impact on relationships with supplier companies and partners
Security and technology costs
Staff stress

Additionally, customer trust can be seriously undermined. According to Mastercard research, more than 80% of consumers say they would not do business with a company that does not inspire confidence in protecting their data.

As many Canadian businesses turn to online platforms to increase their reach, it seems essential that they develop and maintain a solid cybersecurity strategy, and ideally, create a serious incident response plan that is reviewed regularly.

How do businesses suffer data breaches?
Businesses can fall victim to various incidents of data loss or system security breaches. By frequently sending phishing emails in the hope that staff will click on them, cybercriminals aim to gain access to a company’s systems and all the sensitive information that can be found there.

Hackers will then sometimes hold this information for ransom.

Ransomware, one of the most common threats facing Canadian businesses today, accounts for four out of five data loss incidents, according to a recent Verizon study.

Some tips to help you spot a fraudulent message
Fraudsters use a variety of platforms to try to trick their targets, including emails, text messages, phone calls and QR codes. Fraudulent messages are becoming more sophisticated and harder to spot. However, you can often spot one or more of the following signs:

1. Strangeness of the domain name or website
Fraudulent messages, which are usually designed to appear to come from a trusted source, may have a domain name (the part after the @) or contain a website address that appears to be a legitimate organization. Look for things like a typo in the domain name, a fake subdomain (e.g., company.xyz.com), or the use of a public domain like Gmail.

2. Unusual context
Messages may contain spelling or grammatical errors and may use a tone different from that used in official correspondence. Given the multitude of tools available to assist in writing and reviewing emails (which leave no obvious errors), recipients should therefore exercise caution with regard to messages received in an unusual context.

3. Suspicious attachments or links
Typically, threat actors attempt to contact recipients to obtain information, encourage them to disclose their username and password, or trick them into taking an action that could compromise their systems. In the latter two cases, the message will typically include a malicious link or attachment, often appearing to come from a legitimate site.

Always check a link before clicking on it by hovering over the hyperlink. If you want to visit a site, enter the address manually in your search bar.

Additionally, pay special attention to downloading attachments with the following file extensions (the three letters right after the period at the end of the file name):

exe
iso
zip
rar
msi

4. Sense of urgency
Phishing messages often try to create a sense of urgency by, for example, stating that you need to take action immediately to avoid account suspension or to qualify for a prize. Often, these messages play on current events. In the event of a natural disaster, for example, the message might appear to come from a utility company or a relief campaign asking for donations.

If you receive a suspicious email or call, stop, think, and then act.

Best practices to protect your business against online fraud and cyber attacks
To protect your business from online fraud and cyberattacks, be proactive so you can recognize threats and take action. Here are some basic steps to include in your business’s cybersecurity plan:

Train your staff to raise awareness of the threats
Ensure that all new employees receive cybersecurity training that is updated regularly. Provide tailored training to groups at higher risk of being targeted, such as management, administrative assistants, and IT specialists. Strengthen your company’s cybersecurity culture by providing timely and relevant updates.

Learn about best practices
Connect with peer organizations, industry groups, and cybersecurity communities of practice to learn about lessons they’ve learned. Groups like Cybereco and the Canadian Centre for Cyber Security can provide owners with information to help them strengthen their company’s cybersecurity.

Familiarize yourself with regulatory requirements
Make sure you understand the regulatory and legal requirements that apply to your business regarding cybersecurity, fraud and privacy, as they may vary by province or territory. Quebec’s new Bill 25, for example, requires businesses to take certain measures to protect the personal information they hold. You should regularly review the regulations in effect for your business and prepare for any possible changes.

Integrate cybersecurity and privacy into your system
Try to integrate cybersecurity and privacy controls into all your new processes so that confidentiality, integrity and availability requirements are taken into account. This will help you avoid costly and complex patches and minimize exposed vulnerabilities.

Stay up to date
As threat actors look to exploit known vulnerabilities, it’s critical to keep your applications and operating systems up to date. Fortunately, many systems and applications automatically provide updates and patches.

Exercise caution when granting access
Ensure that access granted to new employees is appropriate to their roles, and ensure that access is immediately revoked for those who leave the company. Implement a responsible password policy, including multi-factor authentication for sensitive applications.

Secure files and systems
Take basic steps to protect your business’s sensitive information by enabling encryption on devices like laptops and smartphones. It’s also essential to regularly back up important files to a secure offline location or to an external hard drive or cloud storage service.

How to prepare to respond to a cyber incident?
An incident response plan helps avoid significant expenses. It should be reviewed and exercised at least once a year. This ensures that all staff members know how to respond and are aware of the potential impacts of any changes in the threat landscape.

To prepare the plan, consider hiring a specialist firm to work with you to develop a basic guide. The plan should be tailored to your business and systems, and your teams should be familiar with it and understand their role in implementing it. This will help your business better detect, contain and recover from potential incidents, thereby limiting the potential damage caused by a cybercriminal attack.

It is also important to plan what you will do if a ransom is demanded following a breach. Paying a ransom rarely guarantees a good outcome and could make your business a future target. Paying ransoms to cybercriminals is not recommended.
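
The signs listed under "Some tips to help you spot a fraudulent message" can be checked automatically before a message reaches staff. The following is an added example, not part of the original post: the trusted domain `mybank.example`, the function names and the sample messages are all constructed for illustration, and the "registrable domain" logic is a simplification.

```python
from urllib.parse import urlparse

TRUSTED = ["mybank.example"]                      # hypothetical: domains you really deal with
PUBLIC_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
RISKY_EXT = {"exe", "iso", "zip", "rar", "msi"}   # extension list from the post

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_signs(host):
    """Return lookalike / fake-subdomain signs for one host name."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in TRUSTED:
        return []
    signs = []
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if 0 < edit_distance(reg, trusted) <= 2:
            signs.append(f"lookalike-of:{trusted}")       # typo in the domain name
        elif brand in host.split(".")[:-2]:
            signs.append(f"fake-subdomain-of:{trusted}")  # e.g. company.xyz.com
    return signs

def check_message(sender, links=(), attachments=()):
    """Collect the warning signs for one message; an empty list means none found."""
    sender_host = sender.rsplit("@", 1)[-1]
    signs = []
    if registrable(sender_host) in PUBLIC_MAIL:
        signs.append("sender:public-mail-domain")
    signs += [f"sender:{s}" for s in domain_signs(sender_host)]
    for url in links:
        signs += [f"link:{s}" for s in domain_signs(urlparse(url).hostname or "")]
    for name in attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXT:
            signs.append(f"attachment:.{ext}")
    return signs
```

A message with no signs is not proven safe; the check only covers the domain and attachment indicators, not unusual context or urgency.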