As chief executive officer of a small business that has large public outreach, Rumeet Billan is used to working with people’s personal data – and the need to protect it. Her company, Women of Influence Inc., promotes women’s advancement through awards, events, research, articles and social media.
“We reach out to a community of nearly one million people online through our articles and posts,” Ms. Billan says. “People who engage with us give us their names, phone numbers, e-mail addresses and sometimes, their street addresses and names of other organizations they’re connected to. It’s basic, but it’s still personal information and we have to be careful with it.”
The need for small and medium businesses and enterprises (SMBs and SMEs) to protect themselves and their customers, contractors and clients has grown exponentially as the digital revolution advances, says Murat Kristal, professor of operations management and information systems at York University’s Schulich School of Business in Toronto.
“Our servers are not being attacked on a daily basis – it’s by the minute now. Attackers can scrape the screen you’re working on,” Dr. Kristal says.
The threats have become greater since the global COVID-19 pandemic led many bricks-and-mortar businesses to move online and with the advent of artificial intelligence (AI), he adds.
Jonathan Azouri, CEO of CatchCorner, says he uses security specialist companies to protect his SME from cyberattacks. The company, headquartered in Toronto, manages bookings for sports, entertainment and event facilities in about a dozen different markets, and is growing, with its 20 or so staff working in Miami and New York as well as its office headquarters.
“We gather a lot of data so we can serve our customers and build our business, because we’re expanding. We take payment information of course, but also gather information to analyze trends, such as the big rise in people looking to book pickleball courts,” Mr. Azouri says.
“We look to outside experts to manage our cybersecurity for all this data because they are better at providing the level of security that we need than we can be. You want to leverage the best technology available when you’re dealing with processing payments and you want to make sure you have the right location for the servers that hold your data,” Mr. Azouri says.
“Storing data in the cloud is generally more secure than on-site storage,” Dr. Kristal agrees. “The cloud servers have people on site whose whole job is to protect the cloud.”
SMEs should take measures beyond outsourcing cybersecurity to make sure their businesses are well protected, says Neil Desai, senior fellow at the Centre for International Governance Innovation and executive-in-residence at Rogers Cybersecure Catalyst.
“You need a cybersecurity strategy today, regardless of the size of your company,” he says. “The risks can be higher for small businesses who have many of their employees working from home. These days, it’s not only the enterprise that can be targeted for attack but employees’ private online lives as well. So, you need training.”
Dr. Kristal agrees that training is essential and “should apply to everyone who works with your company – vendors and contractors as well as employees.”
Making sure that everyone uses secure passwords and multifactor identification are good steps; he also suggests building company-wide awareness of the threats by simulating a phishing e-mail.
“This might scare people, but if you initiate it yourself it will be a harmless example and they’ll be alert to recognize real phishing scams when they show up, which they will,” he says.
“Your firm needs an entire incident response plan. It’s not as easy to develop as you might think,” he adds. “If there’s a security breach, you need to have some ability to isolate and contain it.”
Every company should consider the different ways it can harden its cybersecurity system. “If you have a castle and you find out there are holes in the walls, you’ll want to cover them. You should think about how you’ll restore data that is stolen or lost, for example,” Dr. Kristal says.
Taking out insurance against cyberattacks is another good idea, but small companies should be aware that it can be expensive, so they should consider their options carefully, Dr. Kristal says.
One of the most important elements of a good anti-cyberattack strategy is to conduct a post-incident review – and to communicate what happened and what you’ve learned.
“You need some good public relations,” says Dr. Kristal. “Provide details. You want to give people confidence that you know what happened and tell them what you’re doing about it now.”