The Plan for Attack: SMEs Should Assess Security Risks, Conduct Cyber Drills

By: Lee Rickwood

November 15, 2024

It’s not if, but when. It’s not them, it’s you.

There’s no safe spot and no business is too small; the realities of cybercrime, and its costs, cannot be avoided.

A recent survey by the Canadian Federation of Independent Business (CFIB) found that nearly half of small businesses in Canada (45 per cent) were hit by a random cyberattack in the previous year; 27 per cent were hit by a targeted attack.

Almost half of the affected companies say the attacks cost them at least $100,000, a potentially devastating expense for many SMEs.

So, business owners need to prepare for what seems inevitable.


Alvin Madar, a Cyber Security Partner in the Vancouver offices of PricewaterhouseCoopers

That’s the concern and the response voiced by Alvin Madar, a Cyber Security Partner in the Vancouver offices of PricewaterhouseCoopers, the multinational business and professional services firm. With more than 20 years of experience in information security, solutions architecture, threat and vulnerability management, Madar’s been involved in several IT transformation projects and has supported many companies as they develop their information security programs.

“More organizations are paying more attention, especially small and medium businesses,” he says. “Many SMBs once figured that cybercriminals were not targeting them; they felt most breaches would happen to bigger companies. But now, with cybercriminals casting such a wide net, SMBs are definitely affected.

“In a way, they are being targeted, as SMBs are often seen as ‘easier to penetrate’ because they have fewer cyber controls, fewer IT protections.

“But a lot of times, cybercriminals are not actually targeting a specific company; what they do is target a wide area, they do a port scan across a whole range of IP addresses, and if they then find a weakness, they start hacking it. They do not know who or what the organization is, they just see if they can get a bite.”

He cites briefly a recent cybercrime case on which he was consulted – unfortunately, after the fact. A small not-for-profit organization was hit by a ransomware attack. “A non-profit!” he still exclaims with some surprise and much outrage at the ‘choice’ of victim. “The impact was very high, and I was not too happy.”

Ransomware continues to be one of the most widespread and disruptive cyberthreats facing Canadian organizations. Twenty-eight per cent of respondents to a recent cybersecurity survey said their organization was the victim of a successful ransomware attack—that’s up more than ten per cent from the previous year.

While it’s true that some companies are unlikely to have all the resources necessary to protect against every threat, they can all take the first steps to a more secure cyber environment, Madar says.

“Because there’s no 100 per cent protection, it’s about risk mitigation, risk reduction,” he explains. All organizations, especially small businesses, should adopt a risk-based approach when it comes to cybersecurity.

The first step is to determine the organization’s risk tolerance: understand what is most important to protect and where in the business it sits, identify the specific risks to that information and the business processes, or people, exposed to them, and then build the cyber program accordingly. That gives a way to prioritize the cybersecurity controls and investments that are actually needed.

Risk assessments should identify both evolving external threats and internal dangers across the entire business, including those that may come through employees or contractors who, unintentionally or not, create vulnerabilities.

Most companies are IT-dependent across their operations, so a cyber event can impact all aspects of the business. The risk assessment is like a business continuity plan in that it should treat cyber disruptions as not just an IT issue, but an organizational one. Risk mitigation identifies how the company should respond overall, not just from the tech perspective.

And that’s where cyber training, employee education and awareness come in – admittedly, still a challenge for many companies in terms of time, money and resource allocation, but an “absolutely critical” step to take, Madar says.

“You must make sure that employees are aware of all the threats that are out there,” he explains. And all the responsive steps to be taken, all the protective controls to be implemented, as cyber threats continue to evolve.

“Years ago, IT may have made changes to the system without informing anyone. But being transparent is most important in managing risk and fighting cyber crime. As part of change management, you have to make sure employees are aware.”

Awareness of the risks and responses to a cyberattack can be built up through cyber drills or crisis simulations that test the readiness and decision-making capabilities of everyone who may be involved – and in a safe, controlled environment.

To be effective, cyber training should look and feel like an actual event as much as possible, Madar says. That could mean launching a simulated attack without warning, or running an unannounced phishing exercise to see how many employees click. Analyzing the results of mock exercises like these identifies where additional training is needed, and that training should be repeated on a regular, ongoing basis, he says.

“Not the same training as two years ago,” he warns, citing new forms of attack that emerge and new red flags to be aware of, such as the threats from AI and deepfakes.

Madar describes working with another client to identify the risk of identity fraud at their organization. Concerned that the help desk verified callers with a single factor before changing log-in credentials, they used an AI-powered voice-cloning package to test, and dupe, help-desk operators. Claiming to be in an area with poor cell coverage, Madar smoothed over the sometimes glitchy, not-quite-real-time deepfake audio to the point where he was allowed to change passwords on the system.

Two-factor authentication, along with pre-set security questions and confirmation answers, could be used to defend against such attacks, although security questions are themselves a knowledge factor that a well-prepared caller may be able to answer, so they should gate a reset only alongside something the caller possesses. Even then, employee training and awareness still have a vital role to play in cybersecurity.
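The help-desk call described above, reduced to the two verification flows it contrasts, as an added illustration (this is not PwC’s or the client’s code, and the account “jdoe”, the phone number and the security answer are constructed sample data): the weak flow resets a password on a knowledge check alone, the hardened flow lets the knowledge check only start a reset and completes it only when the caller reads back a one-time code delivered to the phone already on file, with expiry, single use and an attempt cap.

```python
"""Help-desk password reset: knowledge-only verification beside a step-up flow
that also requires possession of a pre-registered phone. Constructed example."""
import hashlib
import hmac
import secrets
import time


def _digest(value: str) -> str:
    """Normalise and hash a secret so stored values and comparisons avoid plaintext."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


# Constructed directory for hypothetical user "jdoe": security-answer hash
# (knowledge factor) and the phone registered at onboarding (possession factor).
DIRECTORY = {"jdoe": {"answer": _digest("Vancouver"), "phone": "+1-604-555-0100", "pw": None}}


def reset_knowledge_only(username: str, claimed_answer: str, audit: list):
    """Weak flow from the article: a convincing voice plus one researchable answer wins."""
    acct = DIRECTORY.get(username)
    if acct is None or not hmac.compare_digest(acct["answer"], _digest(claimed_answer)):
        audit.append(("denied", username, "bad-answer"))
        return None
    new_pw = secrets.token_urlsafe(12)
    acct["pw"] = _digest(new_pw)
    audit.append(("granted", username, "knowledge-only"))
    return new_pw


class StepUpReset:
    """Hardened flow: the knowledge check only *starts* a reset. It is granted when
    the caller reads back a one-time code sent to the phone already on file.
    Codes expire, are single use, and wrong attempts are capped."""

    TTL_SECONDS = 300
    MAX_ATTEMPTS = 3

    def __init__(self, send_sms, audit: list, clock=time.time):
        self.send_sms = send_sms   # callable(phone, message); stands in for an SMS gateway
        self.audit = audit
        self.clock = clock
        self._pending = {}         # username -> {"otp", "expires", "attempts"}

    def initiate(self, username: str, claimed_answer: str) -> bool:
        acct = DIRECTORY.get(username)
        if acct is None or not hmac.compare_digest(acct["answer"], _digest(claimed_answer)):
            self.audit.append(("denied", username, "bad-answer"))
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = {"otp": otp, "expires": self.clock() + self.TTL_SECONDS, "attempts": 0}
        # Delivered to the number on file, never to one the caller dictates over the phone.
        self.send_sms(acct["phone"], f"Help-desk reset code: {otp}")
        return True

    def complete(self, username: str, code_from_caller: str):
        pending = self._pending.get(username)
        if pending is None:
            return None
        if self.clock() > pending["expires"] or pending["attempts"] >= self.MAX_ATTEMPTS:
            del self._pending[username]
            self.audit.append(("denied", username, "expired-or-locked"))
            return None
        pending["attempts"] += 1
        if not hmac.compare_digest(pending["otp"], code_from_caller):
            self.audit.append(("denied", username, "bad-otp"))
            return None
        del self._pending[username]   # single use
        new_pw = secrets.token_urlsafe(12)
        DIRECTORY[username]["pw"] = _digest(new_pw)
        self.audit.append(("granted", username, "knowledge+possession"))
        return new_pw


def demo() -> dict:
    """Replays the article's scenario: an impostor who knows the owner's details
    (the deep-faked voice) but does not hold the registered phone."""
    inbox, audit = {}, []
    send_sms = lambda phone, msg: inbox.setdefault(phone, []).append(msg)
    impostor_pw = reset_knowledge_only("jdoe", "vancouver", audit)    # weak flow: succeeds
    flow = StepUpReset(send_sms, audit)
    started = flow.initiate("jdoe", "vancouver")
    impostor_pw2 = flow.complete("jdoe", "abcdef")   # a guess; letters never match a digit code
    owner_code = inbox["+1-604-555-0100"][-1].split()[-1]   # read off the registered phone
    owner_pw = flow.complete("jdoe", owner_code)
    replay_pw = flow.complete("jdoe", owner_code)    # same code again is refused
    return {
        "knowledge_only_granted": impostor_pw is not None,
        "step_up_started": started,
        "step_up_impostor_granted": impostor_pw2 is not None,
        "step_up_owner_granted": owner_pw is not None,
        "replay_granted": replay_pw is not None,
        "audit": audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file prints the outcome of each step: the knowledge-only flow grants the impostor a new password, while in the step-up flow the same impostor can start a reset but cannot finish it, the owner holding the registered phone can, and the used code is refused on replay. The clock is injected so expiry can be exercised in a test without waiting, and the audit list gives the help desk a record of every denied attempt, which is the signal a repeated social-engineering campaign would leave behind.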

“That goes for the whole team,” Madar says. “The whole company, not just IT. Executives, even the Board. Everyone has a role to play. If there’s a breach in the system, everyone should know what to do. Sometimes there are business decisions and actions that must be taken; the IT team cannot decide those.”

It’s a step-by-step process for everyone involved to know how a cyberattack will impact the business, its customers, its employees, its revenue.

Madar recommends that SMEs prioritize cyber risk management with a proactive plan that includes step-by-step actions for all employees, not only IT. When it comes to cyber breaches, the best response comes from people right across the organization. Madar adds that, with the threat landscape changing faster than ever, many companies now retain a trusted cybersecurity partner that can provide timely and actionable threat intelligence.

Investing in data security is not just about business efficiency, it is about reducing the hefty reputational and financial risks that come with falling victim to ransomware attacks, data leaks and other forms of cyberattack.

Protecting a company does not have to break the bank; careful risk assessment and continuing employee education are the essential investments.

And that’s a step many Canadian companies are taking. More than two in five (43 per cent) cybersecurity decision-makers say they have made changes to their organization’s cybersecurity approach in response to news about major cyberattacks in the past year, according to the Canadian Internet Registration Authority (CIRA).

# #  #


Cyber criminals have access to more sophisticated malware tools and technologies, so cyberattacks are expected to become more targeted and potentially more damaging, says PwC Canada.

-30-

