What makes SMEs vulnerable to cyberattacks (and how to protect against them)

14 November 2024 by La Presse National Bank
André Boucher and John Athanasiades, leaders at National Bank

Last year, fraud-related financial losses totalling nearly $569 million were reported. While the most recent federal government data shows fewer Canadian businesses affected by cybersecurity incidents (18% in 2021, compared to 21% in 2019 and 2017¹), many SMEs could still benefit from better protection. André Boucher, Chief Information Security Officer at National Bank, and his colleague John Athanasiades, Senior Manager, Financial Crime Risk Management and Corporate Security, present their observations and recommendations on this subject.

This article was first published in La Presse XTRA on October 28ᵗʰ, 2024.

SMEs at greater risk

Because they lack the financial resources and expertise that large companies possess, SMEs usually invest little in cybersecurity. Their position within the entrepreneurial ecosystem, as suppliers and partners of larger organizations, nevertheless makes them prime targets.

"Precisely because an SME is small and possibly not as well protected, it can serve as a gateway for threat actors who target large client or partner companies." - André Boucher, Chief Information Security Officer, National Bank

Depending on the source, each cyberattack costs between $7,800² and $15,000³, a loss out of all proportion to the investment required to put some basic cybersecurity measures in place.

Basic lexicon

  • Cybersecurity: Ways to protect your company's IT systems to ensure the confidentiality, integrity, and availability of data and personal information.
  • Cybercrime: Any crime that primarily uses the Internet or technology for financial gain.

Three cybersecurity best practices

1. Put clear policies in place

In 2021, only 26% of companies had written cybersecurity policies in place. Implementing rigorous standards helps teams adopt good reflexes, and many of the precautions cost nothing to put in place.

“Rigorously manage access to your online banking solutions to protect your company's assets. For example, you can allow some users to initiate transactions while others approve and complete them, and limit the amount that can be transferred.”  - John Athanasiades, Senior Manager, Financial Crime Risk Management and Corporate Security, National Bank
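The access-control pattern described above is usually called dual control or maker-checker: one role initiates a payment, a different person approves it, and limits cap what can leave the account. The following Python model is an added example, not National Bank's code or the workings of its online banking solution; the users, roles and dollar limits are constructed for illustration. It also adds a daily aggregate cap, an assumption beyond the quote, so that splitting one large transfer into several small ones does not defeat the per-transfer limit.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    INITIATOR = "initiator"   # may create a payment
    APPROVER = "approver"     # may release a payment created by someone else


@dataclass
class Payment:
    payment_id: str
    amount: float
    initiated_by: str
    approved_by: list = field(default_factory=list)
    state: str = "pending"    # pending -> released


class DualControlPolicy:
    """Maker-checker workflow with per-transfer, dual-approval and daily caps."""

    def __init__(self, roles, per_transfer_limit, dual_approval_above, daily_limit):
        self.roles = roles                          # {user: {Role, ...}}
        self.per_transfer_limit = per_transfer_limit
        self.dual_approval_above = dual_approval_above
        self.daily_limit = daily_limit
        self.released_today = 0.0                   # running total of released amounts

    def required_approvals(self, amount):
        # Larger payments need a second, independent approver.
        return 2 if amount > self.dual_approval_above else 1

    def initiate(self, payment_id, amount, user):
        if Role.INITIATOR not in self.roles.get(user, set()):
            raise PermissionError(f"{user} may not initiate payments")
        if not 0 < amount <= self.per_transfer_limit:
            raise ValueError(f"amount {amount} outside the per-transfer limit")
        return Payment(payment_id, amount, user)

    def approve(self, payment, user):
        if payment.state != "pending":
            raise ValueError(f"payment {payment.payment_id} already {payment.state}")
        if Role.APPROVER not in self.roles.get(user, set()):
            raise PermissionError(f"{user} may not approve payments")
        # Separation of duties: an initiator never approves their own payment,
        # and the same approver cannot count twice.
        if user == payment.initiated_by:
            raise PermissionError("initiator cannot approve their own payment")
        if user in payment.approved_by:
            raise PermissionError(f"{user} has already approved this payment")
        payment.approved_by.append(user)
        if len(payment.approved_by) < self.required_approvals(payment.amount):
            return payment.state
        # The daily cap is enforced at release time, so splitting a large
        # transfer into several smaller ones does not bypass it.
        if self.released_today + payment.amount > self.daily_limit:
            raise ValueError("daily transfer limit would be exceeded")
        self.released_today += payment.amount
        payment.state = "released"
        return payment.state


def build_policy():
    # Constructed users and limits for this example; a real banking portal
    # would configure these per account and per user.
    roles = {
        "alice": {Role.INITIATOR},
        "bob": {Role.APPROVER},
        "carol": {Role.INITIATOR, Role.APPROVER},
    }
    return DualControlPolicy(roles, per_transfer_limit=50_000,
                             dual_approval_above=10_000, daily_limit=60_000)


def run_scenario():
    """Exercise the policy and return what happened to each payment."""
    policy = build_policy()
    outcome = {}
    p1 = policy.initiate("P1", 4_000, "alice")
    outcome["small_after_one_approval"] = policy.approve(p1, "bob")
    p2 = policy.initiate("P2", 25_000, "alice")
    outcome["large_after_one_approval"] = policy.approve(p2, "bob")
    outcome["large_after_two_approvals"] = policy.approve(p2, "carol")
    p3 = policy.initiate("P3", 5_000, "carol")
    try:
        policy.approve(p3, "carol")
        outcome["self_approval"] = "allowed"
    except PermissionError:
        outcome["self_approval"] = "blocked"
    try:
        policy.initiate("P4", 75_000, "alice")
        outcome["over_limit"] = "allowed"
    except ValueError:
        outcome["over_limit"] = "blocked"
    p5 = policy.initiate("P5", 40_000, "alice")
    policy.approve(p5, "bob")
    try:
        policy.approve(p5, "carol")       # 4k + 25k already released; +40k > 60k cap
        outcome["daily_cap"] = "allowed"
    except ValueError:
        outcome["daily_cap"] = "blocked"
    return outcome


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The important property is that no single compromised account, whether the initiator's or an approver's, can move money on its own: an attacker who phishes "alice" still needs "bob" or "carol", and an attacker who phishes "carol" cannot approve what "carol" initiated. Banking portals expose these settings under names such as user permissions, approval rules or transaction limits; the checks above are what those settings should enforce.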

Phishing, social engineering, text messages, phone calls, or video conferencing using deepfakes: cyber threats come in a variety of forms and are constantly evolving. Each company must therefore adapt its cybersecurity policies to its own specific risks. It should also teach teams to recognize some common warning signs, such as a sense of urgency manufactured to get people to lower their guard. For example, someone threatens to deactivate an account if banking information is not updated immediately, or pretends to be the company's president to create pressure.
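The warning signs just listed can be turned into checks that a mail filter or an awareness exercise can apply mechanically. The Python triage below is an added example, not a tool from National Bank or the article's authors: it parses a raw e-mail, looks for manufactured urgency, threats against an account, requests for banking details, secrecy, an executive's name on an external address, and a Reply-To that points somewhere other than the sender. The company domain, the executive directory and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-sme.ca"                 # constructed company domain
EXECUTIVES = {"marie tremblay": "president"}      # constructed directory, lower-cased names

# Phrases that create the pressure the article warns about (a starting set, not exhaustive).
URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|right away|within the hour|before end of day)\b", re.I)
THREAT = re.compile(r"\b(deactivat|suspend|lock|terminat)\w*\b", re.I)
ACCOUNT = re.compile(r"\b(account|access)\b", re.I)
BANKING = re.compile(r"\b(banking (?:details|information)|bank account|wire transfer|payment details|direct deposit)\b", re.I)
SECRECY = re.compile(r"\b(keep this (?:confidential|between us)|do not (?:discuss|mention)|can'?t talk right now)\b", re.I)


def sender_domain(addr):
    """Domain part of an e-mail address, lower-cased; empty if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return the warning signs found in one raw e-mail and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    from_dom = sender_domain(addr)
    flags = []
    # Executive impersonation: a known leader's display name on a non-company address.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("executive name on external address")
    # Replies silently redirected to a different domain than the visible sender.
    if reply_to and sender_domain(reply_to) != from_dom:
        flags.append("reply-to differs from sender domain")
    if URGENCY.search(text):
        flags.append("urgency")
    if THREAT.search(text) and ACCOUNT.search(text):
        flags.append("threat to account")
    if BANKING.search(text):
        flags.append("banking details requested")
    if SECRECY.search(text):
        flags.append("secrecy")
    # Two or more signs together is the pattern worth reporting right away.
    verdict = "report" if len(flags) >= 2 else ("caution" if flags else "ok")
    return {"from": addr, "flags": flags, "verdict": verdict}


# Constructed sample messages (not real mail) covering the article's examples.
SAMPLES = {
    "president_impersonation": (
        "From: Marie Tremblay <marie.tremblay@freemail-provider.example>\n"
        "Subject: Urgent wire transfer\n\n"
        "I am in a meeting and can't talk right now. I need you to process a wire "
        "transfer immediately. Keep this confidential until I am back.\n"
    ),
    "account_deactivation": (
        "From: Payments Team <alerts@secure-bank-notice.example>\n"
        "Reply-To: <collect@other-host.example>\n"
        "Subject: Action required\n\n"
        "Your account will be suspended within the hour unless you update your "
        "banking information at the link below.\n"
    ),
    "benign": (
        "From: Jean Roy <jean.roy@example-sme.ca>\n"
        "Subject: Lunch Thursday\n\n"
        "Hi, does Thursday at noon work for the team lunch?\n"
    ),
}


def triage_samples():
    """Run triage over every constructed sample and return the results by name."""
    return {label: triage(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in triage_samples().items():
        print(f"{label}: {result['verdict']} {result['flags']}")
```

Keyword lists like these are a training aid and a first filter, not a detector attackers cannot evade: wording changes, while the structural signs (an executive's name on an outside address, a mismatched Reply-To, a request to change payment details) are the ones worth drilling into staff, and any such request should be confirmed through a channel the message did not supply, such as a known phone number.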

2. Develop and implement a response plan

An effective incident response plan is like a fire safety plan. It identifies the people responsible for managing the crisis, a gathering point, the actions to take, and who to contact immediately, including the cybersecurity insurer.

“Companies are often targeted at times when they're more vulnerable, like on the weekend. The intervention plan's goal is to reduce the time window when the company can be exploited.” - André Boucher, Chief Information Security Officer, National Bank

As with evacuation drills, it is important to practice the response plan using simulations or tabletop exercises to measure its effectiveness and refine it. Cybersecurity partners can even orchestrate simulated cyberattacks to assess the resilience of existing systems, identify gaps, and close them.

3. Raise employee awareness and provide ongoing training

In residential areas with neighbourhood watch committees, residents report any unusual presence right away. This same habit should apply for companies' digital environments, where too many people are still reluctant to report an incident. “The best tool for detecting cyber threats is usually people,” explains André Boucher. A training and awareness program for the entire team capitalizes on this potential strength.

“Training and raising people's awareness promotes their reflex to report any incident as soon as it happens, leading to an immediate intervention. The threat can be assessed quickly and the necessary measures taken to protect the company.” - John Athanasiades, Senior Manager, Financial Crime Risk Management and Corporate Security, National Bank

This type of program should be offered on an ongoing basis and incorporate a variety of tools, including communications, informational webinars, discussions, role-playing, and hands-on workshops. For example, fake phishing emails can be sent periodically to see how many people report them.

Collective responsibility for the good of the country

SMEs make up nearly 98% of all companies in Canada. Despite often limited resources, they can count on various experienced partners such as Cybereco, a Quebec organization that helps them prevent, recognize, and report cyber threats. Cybereco also trains cybersecurity talent who are ready to be recruited.

In addition, the Research Chair in Cybercrime Prevention and the Canada Research Chair in Cybersecurity (affiliated with the Université de Montréal) recommend best practices to adopt. National Bank is also proud to collaborate with the Canadian Bankers Association to offer tangible and practical awareness kits.

Canada's entire economic ecosystem must work together to address these growing threats. "It's a societal problem, and everyone—all industries—must be part of the solution," concludes John Athanasiades.
