This is the second blog in a two-part blog series focusing on cybersecurity for small- and medium-sized businesses (SMBs). In the first blog, we looked at the cyber risks that SMBs face. In this blog, we look at what cybersecurity assistance is available for SMBs.
“Sit down and try and think of as many things as can happen, or spend the money to have a one-time consultation to find out where you’re vulnerable. Then take steps to fix those vulnerabilities.” – Rieva Lesonsky, small business consultant and CEO of GrowBiz Media and SmallBizDaily.com
Overall, little attention has been paid to cybersecurity for SMBs, which results in them becoming prime targets for cybercriminals. Why do threat actors attempt to extort hundreds of thousands of dollars from SMBs, when large enterprises could potentially net them millions? Because they can.
According to the Government of Canada, 97.9 percent of businesses across Canada are small, and 1.9 percent are medium-sized. That’s a lot of targets, and with little attention paid to cybersecurity, it’s like shooting fish in a barrel to a hacker. As stated in the National Cyber Threat Assessment, SMBs are most likely “to face cyber threat activity in the form of cybercrime that often has immediate financial or privacy implications.”
Cyber threat actors target SMBs to obtain access to customer data, information about partners and suppliers, financial information and payment or POS systems, and proprietary information. Cybersecurity incidents affect more than data; these incidents can also result in damage to the business’ reputation, productivity loss, theft of intellectual property, time offline and operational disruptions, and financial loss resulting from recovery costs.
Ransomware, malware, phishing and whaling attacks and other social engineering scams are escalating. While major cybercriminals and state-sponsored threat actors typically focus on larger organizations, hackers tend to set their sights on the largely undefended, and therefore highly vulnerable, SMB market. Whether it’s due to a lack of attention, a lack of cybersecurity funding, or a by-product of the security skills shortage, SMBs are typically easier targets.
On its own, cyber insurance is not enough protection for SMBs.
You can’t just buy cyber insurance, hope for the best, and fall back on your coverage when a breach inevitably occurs. First, cybersecurity insurance is a burgeoning field and has limited experience in incident recovery. Even with cyber insurance, there are specific preventative and incident response requirements in order to qualify for coverage. Also, the rules and regulations surrounding coverage can be complicated and unclear. Finding out, after the fact, that you didn’t qualify for the policy because certain security measures weren’t in place is a harsh reality many SMBs face.
As Security Boulevard reports, “Even if a claim is fully covered, the best-case scenario is one in which a business loss is recovered through financial restitution. Essentially, if you had fire insurance for your home and your home burned to the ground, your claim would be equal to the value of the home—but your home would be lost.
In the same way, an SMB may get some financial restitution for a data breach and the subsequent data loss, but that doesn’t ensure the business’ reputation—or its actual well-being and continuation—will remain intact.”
As a result, a growing number of SMBs are shutting down in the aftermath of a cyberattack, even though they had cyber insurance in place. Cyber insurance on its own is not adequate. It, too, requires the adjunct of the appropriate technology, security skills, and employee training for a truly robust cybersecurity solution.
Good news, there’s help for your SMB’s security.
The most common cyber attacks – phishing and whaling attempts, password hacks, social engineering scams and malware attacks – can be defended against with low-level training and widely available tools. “These are the kinds of hacks that happen because people are not aware of simple security measures,” says Lesonsky. Educating your employees should be the first defence.
Not sure how to train them? The Government of Canada has a free course teaching baseline cybersecurity for SMBs. The course was designed and built collaboratively by the Cyber Centre Learning Hub at the Canadian Centre for Cyber Security (Cyber Centre) and Innovation, Science and Economic Development Canada (ISED). The site states that “Given the scope and complexity of the issue, small organizations can feel overwhelmed in trying to address cybersecurity, and not know where to begin. This course provides an overview of basic cybersecurity terminology organizations need to be familiar with and introduces the baseline set of security practices required for a CyberSecure Canada certification.”
The CyberSecure Canada certification “is a federal cyber certification program that aims to raise the cybersecurity baseline among Canadian small and medium organizations (SMOs), increase consumer confidence in the digital economy, promote international standardization and better position SMOs to compete globally.” This course is a great starting point, and while it will not make you immune to cyber attacks, it will give you, and your employees, an understanding of the threat landscape and knowledge about baseline security controls.
Baseline controls are lower-cost and lower-burden and help SMBs get the most out of cybersecurity investments. Even adopting basic cybersecurity controls helps to thwart cyber threat actors and reduce cyber threat exposure.
SMB Baseline Controls (as per the Government of Canada):
• Develop an Incident Response Plan
• Automatically Patch Operating Systems and Applications
• Enable Security Software
• Securely Configure Devices
• Use Strong User Authentication
• Provide Employee Awareness Training
• Back Up and Encrypt Data
• Secure Mobility
• Establish Basic Perimeter Defences
• Secure Cloud and Outsourced IT Services
• Secure Websites
• Implement Access Control and Authorization
• Secure Portable Media
If you are an SMB CEO or shareholder, it’s time to make cybersecurity a priority and part of your business culture. Move forward, grow, and strengthen your business with a strong cybersecurity initiative, in addition to cyber insurance, to ensure your SMB is prepared for whatever comes next. Let ISA Cybersecurity Inc. help. We offer needs-based security consulting, incident response planning, and partner with security leaders to create solutions tailored to fit your specific needs.