The following article, concerning cyber risks in small and medium-sized businesses, appeared in La Presse on October 6th, 2021.
Why SMEs are Attractive Targets
Technology risks are evolving faster than many SMEs can adapt to them, making them easy prey. “Many don’t have security infrastructures in place, contingency plans or monitoring to detect breaches,” says Josée Lévesque, senior director, professional insurance and specialized solutions at Lussier, a leading independent insurance broker in Quebec.
The security of computer systems and networks in the home rarely compares to that of an office. “The router may be less secure. Employees who work from their home computers may not update their operating systems and software as diligently, which opens the door to potential cyberattacks,” says Dufresne.
A Brief Glossary of Cyberattacks
The “Day Zero” flaw
When the manufacturer of an operating system discovers a flaw in its product, it issues a correction to all users. In doing so, the company unwittingly announces the existence of a weakness that cybercriminals can take advantage of among those who have not yet downloaded the update. This is known as the “Day Zero” flaw. “If automatic updates are not enabled, it creates a larger window of vulnerability,” says Dufresne.
Ransomware and Service Denial
Clicking on a malicious link, being fooled by a fake email, inserting a USB drive found at the reception desk – these are all seemingly harmless actions that cybercriminals exploit. The most common results of these actions are ransomware, fraudulent software that locks access to files, and denial of service, which paralyzes the network. An amount of money is then demanded to end the attack.
Ransomware and Data Sales
Today’s ransom demands are precisely defined. “Cybercriminals who have already infiltrated systems know exactly what the company can afford; they demand a price accordingly,” says Lévesque.
According to a recent Northbridge study of 400 Canadian companies, nearly one-third of them have made significant changes to their business model, such as transitioning to e-commerce. In doing so, they are now accumulating new types of data. On the dark web, each credit card number can be sold for as little as $10.
How to Protect your Business from Cyber Risks
Simple and Cost-effective Security Solutions
The notion that SMEs can’t afford to invest in cybersecurity is false. Dufresne says many precautions are available at no or minimal cost, such as:
- Enable automatic software and operating system updates.
- Require unique usernames with strong passwords (alphanumeric characters and minimum length), and change them on a regular basis.
- Avoid unprotected Wi-Fi networks (e.g. hotels, restaurants and public places).
- Use multi-factor authentication (confirmation code sent by email or text message).
- Perform daily system backups, ideally offline and incrementally (only files that have been modified are copied).
- Provide annual training to employees to reduce the risk of human error.
Insurance: an Additional Protection
Beyond these minimal precautions, Dufresne adds that there is a suite of affordable protection software and cyber risk insurance.
The insurance should cover the costs that the company will have to pay to manage the security incident (IT expertise, customer notification, credit file follow-up package with affected customers, etc.), the loss of revenue caused by the business interruption, civil liability in case of a lawsuit or class action, as well as fines and settlements.
The insurer and the insurance broker are also valuable allies in helping companies understand the products and coverage available on the market. They can also guide companies through the clauses of the insurance contract in light of the applicable legislation on data protection and privacy. “If companies do business abroad, for example in the United States or in member countries of the European Union, they must also familiarize themselves with the regulations and requirements related to data protection and privacy in force in those countries,” says Josée Lévesque.
“Insurance is an additional tool to protect businesses, support them in the event of an incident and absorb potential financial losses should a cybersecurity incident occur,” Dufresne concludes. Like auto or home insurance for individuals, cyber risk insurance for businesses is a safety net. But it’s important to be as careful on the Web as in life. One could say that choosing complex passwords and changing them regularly is as important as locking your doors.
Les PME et la fraude informatique, février 2021, https://content.cfib-fcei.ca/sites/default/files/2021-02/RapportFCEI-cyberfraude-F.pdf