Small Businesses and the Threat of Cyber Crime
Small businesses account for over 70 percent of data breaches. Learn how to prevent and respond to cyberattacks.
Cybercrime has skyrocketed in 2017, with ransomware attacks rising by 250 percent since 2016 and denial of service attacks also increasing in frequency. According to the Canadian Chamber of Commerce, cybercrime extracts 15 to 20 percent of the $3 trillion global internet economy, and costs Canada 0.17 percent of its GDP — equal to $3.12 billion per year.
Small businesses have the false impression that they are insignificant to cybercriminals, even though nearly half of all small and medium-sized businesses (SMBs) have been the victim of a cyberattack. In fact, StaySafeOnline.org states that SMBs account for over 70 percent of data breaches, while Visa Inc. reports that 95 percent of credit card breaches are from small business customers.
“Cyberattacks on large organizations garner most of the attention,” says Ken Taylor, President of the International Cybersecurity Protection Alliance for the Americas. “However, when you dig deeper, you realize cybercriminals are penetrating small businesses and using them as a conduit into bigger organizations.”
“Small businesses are often used as a back door into global supply chains,” agrees Scott Smith, Director of Intellectual Property and Innovation Policy at the Canadian Chamber of Commerce. “But cybercriminals also realize that going after a number of small targets results in higher profits and a lower profile than going after one big target.”
Why small businesses are attractive to cybercriminals
SMBs are attractive to cybercriminals because of their lack of resources, their readily available information of value, and their partnerships with larger businesses. As the Canadian economy is made up predominantly of small businesses, and because many of them are part of larger supply chains, exposure to cyberattacks at the SMB level presents a threat to the larger economy.
“The overconfidence that SMBs are not a target puts them in a very weak position, and they become a major risk to the enterprise groups that are working hard to protect their infrastructure,” says Allen Dillon, Managing Director at CyberNB. “All of the enterprise companies in some way do business through the supply chain with SMBs. Without adequate security they become the entry point for criminals into the enterprise system.”
The primary concern for SMBs when it comes to increasing cybersecurity is resources — most have limited finances available to address the challenges presented by cybercrime and little inclination to invest in protection. As a result, according to the Canadian Chamber of Commerce, 74 percent of micro-sized businesses are currently making no investments in cyber training.
This is a statistic that Dillon finds concerning. He feels that Canada must “get to a place where society and our businesses are at least fundamentally educated on how to operate in a secure and responsible way.”
The importance of a cybersecurity standard
This is the goal of the Cyber Essentials certification program, an international standard. Launched in Canada earlier this year, Cyber Essentials Canada, together with its toolset, The Cyber Highway, is a globally accepted standard to help all businesses prevent and respond to cyberattacks. Cyber Essentials Canada is cost-effective and lacks complexity, which makes it an appealing solution for SMBs. It is one of a number of IT security certifications available to Canadian businesses.
“The value of earning certification is self-reliance and self-defence — the more difficult you make it, the less of a target you are,” says Smith. “The whole point is to lower your target profile and to be resilient, so if you do end up in an attack situation you’ll be able to get back up and running at the least cost in the least amount of time.”
“By addressing security issues and increasing awareness, certification can address 80 percent of the cybercrime targeting small businesses,” agrees Taylor. “But the most important thing businesses can do is take accountability and responsibility for their cybersecurity.”