If you have a small business, you are most likely concerned about the many things you must do as an entrepreneur to keep the lights on. You have employees with payroll. You have marketing and advertising plans and maybe even a facility to maintain. What keeps you up at night is probably different from what keeps large-business CEOs up at night. The fact is, you’re in danger, and you probably don’t even know it.
Small businesses make up 97% of the Canadian economy. They employ 8.9 million people. And there isn’t a day that goes by that I, in the course of my work, see data on the dark web stolen from these companies, or companies who have been the victim of ransomware – malware that encrypts files and demands a substantial ransom to decrypt them. Some well-organized groups who commit cybercrime even extort entities for profit on top of ransoms.
Say, for instance, your business is hit with ransomware. On top of the substantial ransom you’ll be asked to pay, the criminal will tell you that the data they have stolen will be released if you refuse to pay. Much of the time, that data consists of confidential documents on trade secrets, sensitive customer data, or employee data whose release will harm your business, its reputation, and you.
This is known as double extortion, and according to IBM, the costs of these attacks average $6.2 million. In some cases, criminals have asked for ransoms, extorted the victim organizations over the release of stolen data, and contacted regulators about their own crimes to have a sanction or fine put on the victim, going even further than their usual double extortion tactics.
This leaves many organizations with only one option: pay the ransom. Paying the ransom funds criminal organizations to increase their capabilities and commit additional crimes with higher frequency. In the war on cybercrime, the criminals are winning.
Social engineering has also been a concern, with criminals using these methods to jeopardize business systems. Most of these attacks are Business Email Compromises (BECs). In this tactic, criminals use a trusted system to impersonate employees or suppliers and cajole others into sending money or sharing financial information. These attacks are especially insidious because they don’t rely on malware that cybersecurity tools can catch.
It should be noted that consumers also feel the brunt of these breaches because the costs are passed on to them. In fact, the worldwide losses due to cybercrime will top $10.2 trillion annually in 2025, which is more than the gross domestic product of every country in the world except the United States and China. Most certainly, some of the inflationary pinch consumers face in Canada is due to cybercrime. Outside of the cybersecurity community, these things are hardly discussed.
When we approach small businesses about the need for defense-in-depth cybersecurity, a common response is that the business already buys an anti-virus or is “too small to be attacked,” so they don’t have controls in place. Anti-virus alone is no longer sufficient to protect your business from cyber threats, and cybercriminals have attacked small businesses in Canada 54% of the time. All that to say, criminals know you exist. They have no qualms about attacking you, and they don’t care how small you are or what personal burden will be placed on you. A defense-in-depth strategy uses multiple security measures to protect your business, which makes it more difficult for criminals to breach your systems.
Nevertheless, in many cases, cyber defense is the last item on any small business budget and the first to get cut, if it is there at all. If a small business carries an information technology line item in its budget, it should also carry cybersecurity as a separate line item. That is because information technology and cybersecurity, though in the same family, have different priorities and aren’t the same thing. Cybersecurity should also be the very last thing to get cut, as it is protecting your business from the ever-deepening spectre of cybercrime.
The government also needs to do more. Given the dramatic effect of cybercrime on our economy, measures should be taken through legislation to ensure that every small business in Canada has the tools and resources in place, from both the technology and the financial perspective, to thwart cybercrime. The focus, however, and rightfully because it is prescient, has been on large enterprise businesses and critical infrastructure. Two bills currently being considered in the Senate were first introduced in June 2022. It isn’t and won’t be enough, and more needs to be done.
Our police services cannot possibly investigate and remediate the thousands of annual cybercrimes against our small businesses and everyday citizens. Engaging with on-the-ground cybersecurity defenders may assist them in this venture. Finally, unless your small business has cybersecurity insurance, which is costly, you can expect that any losses you suffer as a victim will never be recovered.
All is not hopeless. There are defense-in-depth cybersecurity solutions in the marketplace tailored to small and medium-sized businesses that are both comprehensive and affordable. The government is at least acknowledging the issue through some of its initiatives in this space. Though no entity, corporation, or government in the world can say with honesty that they can 100% protect you from cybersecurity threats, there are steps you can take to limit your exposure and make you safer.
For us to collectively make Canada the best place to do business, cybersecurity must be at the forefront to protect our citizens and grow the economy. It starts with awareness of the issues, the desire to act sooner, and the will to be vigilant in the face of what seem like insurmountable odds against fixing it.