Cyber attack threats have steadily increased since the pandemic began in SMEs, which are more vulnerable. According to Statistics Canada, one in five businesses was affected as early as 2019, and ransomware attacks have exploded since then.
• Also read: Almost half of Canadians fear becoming a victim of cybercrime
• Also read: Cyberattack: Major data theft at Bell Canada
“Ransomware attacks are up 91% this year compared to 2021. We see many attacks within SMBs,” says Guillaume Caron, CEO of VARS, RCGT’s cybersecurity subsidiary.
François Daigle, senior consultant at OKIOK
According to François Daigle, Senior Information Security Advisor at OKIOK, here is the scenario that takes place in most cases: One or more people manage the computer system of SME X in Saint-Ginglin. The IT team does a great job but is not an expert in computer security. One day a hacker finds a bug and manages to break into the computer system. For several weeks, he secretly roams computers and servers, stealing information, opening doors to other organizations and installing software that gradually encrypts data. When the task is done, it leaves a note: “You’ve been the victim of an attack, if you want to recover your data, please deposit…$ to this account.”
The company is in chaos with systems blocked or accounting database rendered unreadable and unable to continue its activities.
A new reality
“Cyberattacks are now a reality for entrepreneurs, with three out of five SMEs concerned,” said François Vincent, Chair of the Canadian Federation of Independent Business (CFIB).
The CFIB conducted a survey in March 2022 that found that 20% of SMBs had experienced more attempted cyberattacks in the past year. This corresponds to more than 50,000 attacked companies.
The increase in the risk of cyber attacks has been accelerated by the pandemic. Teleworking and the development of online sales have opened doors for SMEs that weren’t there before, explains Mr Vincent.
A decade ago, OKIOK’s customers were mostly large corporations, says Mr Daigle.
But today they are quite well secured.
Conversely, SMEs are more vulnerable and more accessible.
“That’s easy greed for hackers,” argues the computer security consultant. What we have seen since this year is not only SMEs, but also very small companies. Golf clubs, NPOs, schools because they are the poorest relatives.”
Also front doors
Not only do hackers have easier access to SMB data, but they can also be a gateway to large companies or larger-scale attacks, adds Mr. Caron.
Computer security thus becomes a prerequisite for obtaining an order. Public institutions and large companies want to be sure that a breach of confidentiality does not go through their suppliers.
Worrying Data
- 64% of Quebec SMBs have never been more concerned about the risk of cyberattacks than they are today (2022 CFIB survey)
- Almost two thirds (61%) of Canadian businesses have experienced at least one cybersecurity incident and three quarters (74%) did not report it (Communications Security Establishment survey)
- Almost half of Canadian SMEs (44%) do not have a comprehensive cybersecurity plan (KPMG survey 2021)
Very significant legal risks
A cyber attack can damage an SME financially or reputationally, and as of last week, the legal risk has only increased.
“The consequences of a cyber attack differ from SME to SME, it depends on the level of security that it put in place,” explains François Daigle. This can range from the unavailability of their services for a few hours to bankruptcy.”
The Senior Computer Security Advisor at OKIOK recalls a call from a well-known SME three years ago on a Friday evening at 6am. All accounting was encrypted (stolen) by hackers. The company is no longer able to pay its employees or receive money from its customers. “It’s important. It takes time to rebuild a database and not everyone has the capacity,” comments Mr. Daigle.
The intervention must be rapid in order to be able to restore activities and allow the company to function. Meanwhile, the financial loss can be significant.
According to a March 2022 CFIB study, the average loss from a cyber attack is $26,000. Depending on the case, the bill can be significantly higher. Insurance is available to protect against this risk.
Another unfortunate consequence of a cyber attack: reputation. A 2021 KPMG survey shows that 93% of Canadian consumers are reluctant to give their personal or financial information to a company that has already been the victim of a cyber attack or data breach.
New Bonds
Since last week, companies’ data protection obligations have also been tightened. The first stage of Law 25 went into effect on September 22nd. It aims to protect citizens from personal information leakage.
Businesses must manage data responsibly, including protecting information and being able to destroy it upon request. You must also disclose breaches of the confidentiality of confidential information.
“It’s no longer just a business risk, it’s also a legal risk,” concludes Mr. Daigle.
Do you have any information about this story that you would like to share with us?
Do you have a scoop that might be of interest to our readers?