What makes SMEs vulnerable to cyberattacks (and how to protect against them)

14 November 2024 by La Presse National Bank
André Boucher and John Athanasiades, leaders at National Bank

Last year, fraud-related financial losses totalling nearly $569 million were reported. While the most recent federal government data shows fewer Canadian businesses affected by cybersecurity incidents (18% in 2021, compared to 21% in 2019 and 2017¹), many SMEs could still benefit from better protection. André Boucher, Chief Information Security Officer at National Bank, and his colleague John Athanasiades, Senior Manager, Financial Crime Risk Management and Corporate Security, present their observations and recommendations on this subject.

This article was first published in La Presse XTRA on October 28, 2024.

SMEs at greater risk

Because they lack the financial resources and expertise that large companies possess, SMEs usually don't invest a lot in cybersecurity. Their unique position within the entrepreneurial ecosystem, however, makes them prime targets.

"Precisely because an SME is small and possibly not as well protected, it can serve as a gateway for threat actors who target large client or partner companies." - André Boucher, Chief Information Security Officer, National Bank

According to sources, each cyberattack costs between $7,800² and $15,000³—losses that are disproportionate in comparison to the investment required to put some basic cybersecurity measures in place.

Basic lexicon

  • Cybersecurity: Ways to protect your company's IT systems to ensure the confidentiality, integrity, and availability of data and personal information.
  • Cybercrime: Any crime committed primarily by means of the Internet or technology for financial gain.

Three cybersecurity best practices

1. Put clear policies in place

In 2021, only 26% of companies had written cybersecurity policies in place. Implementing rigorous standards helps teams to adopt good reflexes. Many cost-free precautions can even be implemented.

“Rigorously manage access to your online banking solutions to protect your company's assets. For example, you can allow some users to initiate transactions while others approve and complete them, and limit the amount that can be transferred.” - John Athanasiades, Senior Manager, Financial Crime Risk Management and Corporate Security, National Bank
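The access control described in the quote above (separate initiator and approver roles plus a per-transfer cap) as a small maker-checker model. This is an added illustration, not code from the article or from National Bank's systems; the role names, amounts and audit-log format are constructed for the example.

```python
"""Toy maker-checker model (constructed example, not a bank's real workflow):
some users may initiate a transfer, different users approve it, every transfer
is capped, and every decision, accepted or denied, lands in an audit log."""
from dataclasses import dataclass
from itertools import count
from typing import Optional

@dataclass
class Policy:
    initiators: frozenset   # users allowed to create a transfer
    approvers: frozenset    # users allowed to release a pending transfer
    limit: int              # per-transfer cap in dollars

@dataclass
class Transfer:
    tid: int
    amount: int
    initiated_by: str
    approved_by: Optional[str] = None

class TransferDesk:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.pending: dict = {}
        self.completed: list = []
        self.audit: list = []       # denied attempts are worth reviewing, so log them too
        self._ids = count(1)

    def initiate(self, user: str, amount: int) -> Transfer:
        if user not in self.policy.initiators:
            self.audit.append(f"DENY initiate by {user}: not an initiator")
            raise PermissionError(user)
        if amount <= 0 or amount > self.policy.limit:
            self.audit.append(f"DENY initiate by {user}: amount {amount} outside limit")
            raise ValueError(amount)
        t = Transfer(next(self._ids), amount, user)
        self.pending[t.tid] = t
        self.audit.append(f"PENDING {t.tid} {amount} by {user}")
        return t

    def approve(self, user: str, tid: int) -> Transfer:
        t = self.pending.get(tid)
        if t is None:
            raise KeyError(tid)
        # Separation of duties: must hold the approver role and must not be the initiator.
        if user not in self.policy.approvers or user == t.initiated_by:
            self.audit.append(f"DENY approve {tid} by {user}: role or self-approval check")
            raise PermissionError(user)
        t.approved_by = user
        self.completed.append(self.pending.pop(tid))
        self.audit.append(f"COMPLETED {tid} {t.amount} by {t.initiated_by}/{user}")
        return t
```

A user who holds both roles (carol below) can still initiate, but never release her own transfer.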

Phishing, social engineering, text messages, phone calls, or video conferencing using deepfakes: cyber threats come in a variety of forms and are constantly evolving. Each company must therefore adapt its cybersecurity policies to its own specific risks. It should also teach teams to recognize common warning signs, such as a sense of urgency created to lower their guard. For example, someone threatens to deactivate an account if banking information is not updated immediately, or pretends to be the company's president to apply pressure.

2. Develop and implement a response plan

An effective incident response plan is like a fire safety plan. It identifies the people responsible for managing the crisis, a gathering point, the actions to take, and who to contact immediately, including the cybersecurity insurer.

“Companies are often targeted at times when they're more vulnerable, like on the weekend. The intervention plan's goal is to reduce the time window when the company can be exploited.” - André Boucher, Chief Information Security Officer, National Bank

As with evacuation drills, it is important to practice the response plan using simulations or tests to measure its effectiveness and refine it. Cybersecurity partners can even orchestrate fake cyberattacks to assess the resilience of existing systems, identify gaps, and fill in the cracks.

3. Raise employee awareness and provide ongoing training

In residential areas with neighbourhood watch committees, residents report any unusual presence right away. The same habit should apply to companies' digital environments, where too many people are still reluctant to report an incident. “The best tool for detecting cyber threats is usually people,” explains André Boucher. A training and awareness program for the entire team capitalizes on this potential strength.

“Training and raising people's awareness promotes their reflex to report any incident as soon as it happens, leading to an immediate intervention. The threat can be assessed quickly and the necessary measures taken to protect the company.” - John Athanasiades, Senior Manager, Financial Crime Risk Management and Corporate Security, National Bank

This type of program should be offered on an ongoing basis and incorporate a variety of tools, including communications, informational webinars, discussions, role-playing, and hands-on workshops. For example, fake phishing emails can be sent periodically to see how many people report them.

Collective responsibility for the good of the country

SMEs make up nearly 98% of all companies in Canada. Despite often limited resources, they can count on various experienced partners such as Cybereco, a Quebec organization that helps them prevent, recognize, and report cyber threats. Cybereco also trains cybersecurity talent who are ready to be recruited.

In addition, the Research Chair in Cybercrime Prevention and the Canada Research Chair in Cybersecurity (affiliated with the Université de Montréal) recommend best practices to adopt. National Bank is also proud to collaborate with the Canadian Bankers Association to offer tangible and practical awareness kits.

Canada's entire economic ecosystem must work together to address these growing threats. "It's a societal problem, and everyone—all industries—must be part of the solution," concludes John Athanasiades.

Legal disclaimer

©2020 - Any reproduction, in whole or in part, is strictly prohibited without the prior written consent of National Bank of Canada.

The articles and information on this website are protected by the copyright laws in effect in Canada or other countries, as applicable. The copyrights on the articles and information belong to the National Bank of Canada or other persons. Any reproduction, redistribution, electronic communication, including indirectly via a hyperlink, in whole or in part, of these articles and information and any other use thereof that is not explicitly authorized is prohibited without the prior written consent of the copyright owner.

The contents of this website must not be interpreted, considered or used as if it were financial, legal, fiscal, or other advice. National Bank and its partners in contents will not be liable for any damages that you may incur from such use.

This article is provided by National Bank, its subsidiaries and group entities for information purposes only, and creates no legal or contractual obligation for National Bank, its subsidiaries and group entities. The details of this service offering and the conditions herein are subject to change.

The hyperlinks in this article may redirect to external websites not administered by National Bank. The Bank cannot be held liable for the content of external websites or any damages caused by their use.

Views expressed in this article are those of the person being interviewed. They do not necessarily reflect the opinions of National Bank or its subsidiaries. For financial or business advice, please consult your National Bank advisor, financial planner or an industry professional (e.g., accountant, tax specialist or lawyer).