There’s a growing concern among Canadian businesses that they’re not safe from cyberattacks.
Not surprisingly. What with stories like the Yahoo hack or the Equifax debacle dominating the headlines, and with reports such as that from the Canadian Chamber of Commerce saying cyberattacks cost Canadian business some $3 billion per year, concerns are well-founded.
But it is a disturbing trend: we should be getting better at this. Unlike the ghosts and goblins at Halloween, cyber-criminals are no fun: the attacks keep coming and the fear keeps rising.
In fact, research into Canadian small and medium business (SMB) shows a seven-point drop this year over last in terms of our cyber-confidence levels (and abilities). Only about a quarter (26 per cent*) of Canadian SMB staff are very confident their organization would be able to keep their business and its information safe from a cyberattack.
The research, commissioned by ESET Canada, also reveals nearly half (46 per cent) of Canadian SMB employees believe their business is at risk of experiencing a cybersecurity attack.
“Canadian businesses believe that cyberattacks are on the rise, but they don’t spend enough time and money to mitigate against them,” said Iva Peric-Lightfoot, Country Manager, ESET Canada. ESET is a European IT security company that offers anti-virus and firewall products; the company has a Canadian R&D facility in Montreal, and offices in Toronto.
“If an attack were to occur, a majority of employees are not confident their organization would be able to keep their business and its information safe,” Peric-Lightfoot added in an e-mail exchange with WhatsYourTech. “Rising concern may be driven by the lack of knowledge, training and time employees feel is being spent on cybersecurity within their organization.”
ESET’s research reveals that SMBs are not doing enough to arm their employees with cybersecurity education. There’s a lack of knowledge among staff, it reports, about how their organization could be attacked (35 per cent), or how it is being protected (24 per cent). A lack of investment in cybersecurity protection systems (19 per cent) is another shortcoming identified in the research.
“So if you look at all these data points, it’s obvious that more education is needed – employees need to know that the company is taking steps to protect their organization and what their responsibility would be,” Peric-Lightfoot noted.
Education is key, and small businesses in Canada need to understand where their vulnerabilities are and how to manage them. Knowing how much time, effort, energy and IT budget an SMB might have available (or need) to bring to the cybersecurity table in order to reduce its risk takes an education, as well.
In reply to the question “How much (cyber-protection) is enough?” Peric-Lightfoot answered: “[I]t’s an evolution. As the threat landscape changes, so will the approach and the level of resources required.”
ESET Canada and other private and public entities will continue to collect Canada-specific information so stakeholders understand how to manage the threats, and Peric-Lightfoot shared some advice and best practice guidance in her replies:
Assess the risk: Consider how valuable or sensitive each set of data is, by performing a security audit, to determine the unique mix of software, solutions, and IT policies and procedures needed to achieve appropriate protection.
Educate your staff: Employees are a business’ first line of defense, so training them in cybersecurity best practices and developing a proactive security plan is integral to building confidence with staff and customers. ESET offers a free cybersecurity awareness training program for use by any organization and its employees, regardless of whether they use ESET’s software or not.
Deploy a multi-layered security solution: The best strategy is to have security at every level. Companies should opt for a cybersecurity solution that offers multiple complementary technologies, with high detection rates and a low number of false positives. Even if one security technology layer is bypassed, others are in place to take action and keep information protected.
With just a few days left in Cybersecurity Awareness Month, Peric-Lightfoot encourages Canadian businesses to look at their current cybersafety best practices and identify areas for improvement, including employee training and education.
# # #
UPDATE: At presstime, ESET announced the availability of a new Internet security tool for consumers that utilizes the layered approach Peric-Lightfoot described as critical to businesses. ESET’s Product Marketing Manager Ben Reed described the differences and similarities between it and the business offerings:
“ESET recommends our business product for SMBs as it offers the same level of protection, except it does not have the connected home monitor nor the UEFI (hackers often target the data and configuration screen that appears before your computer starts up) scanner features which are currently unique to the consumer product. The big thing the business product adds is remote management that can be very valuable to SMBs, especially as they scale. However, other smaller businesses do not have an IT staff nor any technical staff, so remote management tends to be less of a draw.”
-30-
*These are some of the findings of an Ipsos poll conducted between August 28 and September 7, 2017, on behalf of ESET. For this survey, a sample of 1,003 Canadian adults employed at small businesses (defined as companies with 5-99 employees) and medium businesses (defined as companies with 100 to less than 500 employees), who work in IT, are senior management or who have a broad knowledge of their company’s IT policies and procedures was interviewed.
Just over half (51%) of firms registered as investment fund managers, portfolio managers and market dealers suffered a cybersecurity incident last year, according to a report and survey from the Canadian Securities Administrators (CSA).
The CSA report, Cyber Security and Social Media, also indicates just over half (57%) of the firms surveyed have procedures in place to deal with a cybersecurity incident and keep operating.
But which half is which? Read more at https://www.securities-administrators.ca/aboutcsa.aspx?id=1615