As the founder and president of a boutique digital ad agency, Kelsey Cole-Dodaro has learned that there’s one thing her business cannot do without – cybersecurity.
“I had to become really intimate with the realities of cybersecurity early on in our business,” says Ms. Cole-Dodaro, who co-founded Magic vs. Machine, also known as MVM Inc., with her husband, Angelo Dodaro, eight years ago.
“As far back as 2017 we had people constantly trying to hack us, impersonating us on social networks trying to take over our account, even death threats. I’ve seen people lose all kinds of money just from opening the wrong kind of email. It’s a threat we have to keep our eyes on all the time,” Ms. Cole-Dodaro says.
The threat is pervasive and growing, according to the federal government’s Canadian Centre for Cyber Security, which gathers expertise and information about cyberthreats. The agency reports that in 2022 alone, there were 70,878 reports of fraud in Canada with more than $530-million stolen.
Consulting firm PwC reports that more than two-thirds of Canadian executives consider cybercrime their most important threat, noting also that the danger “is constantly changing with threat actors embracing artificial intelligence and other innovations to enhance their attack strategies.”
Keeping up with cyberthreats is critical for small- and medium-sized enterprises (SMEs) like Magic vs. Machine, with its two founders, a handful of staff and contractors who are brought in when the workload grows. But it can be particularly challenging for SMEs too, says David Skillicorn, professor at the School of Computing at Queen’s University in Kingston, Ont.
“The biggest problem for SMEs is that they can’t afford to have full-time people who focus on cybersecurity. The threat environment is really dynamic and it’s hard to keep on top of if you don’t have dedicated people,” Dr. Skillicorn says.
The first step for small firms is to protect themselves from the biggest, most widespread threats, Dr. Skillicorn says. “Those are ransomware, phishing and spearphishing and to insulate you have to make sure you have solid backups for all your data.”
Ransomware is software that infiltrates a business’s computers and locks them until the business pays to get the files back. Phishing consists of emails or messages designed to trick users into downloading malware or sharing sensitive information or personal data, such as credit card numbers or confidential company material. Spearphishing refers to highly personalized attacks targeting specific individuals, companies or organizations, using personal information already scraped from the Internet.
“There are automated bots out there that are constantly probing. If you’re on the Internet at all, you’re probably being scanned,” says Goran Jovanovic, president of Omega Network Solutions in Toronto, a cybersecurity consulting firm.
Another challenge for small firms is the tendency to assume that a cyberattack will hit someone else, Mr. Jovanovic says. “A common refrain among small businesses is to say, ‘we’re too small to be noticed.’ But cybercrime is a business, and once attackers see they can get a hit into any firm, they’ll take action,” he adds.
Taking out insurance against cyberattacks is important, Dr. Skillicorn and Mr. Jovanovic agree. But both warn that the types of coverage and the costs are changing rapidly as the threats grow more sophisticated.
“And don’t think that just because you have insurance you don’t have to be careful,” Mr. Jovanovic adds. “It’s the same as if you have fire insurance – you still have to make sure your smoke detectors work.”
Making sure your SME is well protected means not only being aware of the threats, but planning and training to cope with them as they arise, says Manjit Bagri, a chartered professional accountant and vice-president of financial planning and analysis at Cyderes, a global cybersecurity company based in Toronto.
“Your firm should do a risk assessment of the potential threats to the company’s data, which will allow you to develop the right security policies. To mitigate cyberthreats, these policies should provide standards for protection that apply both to the company’s employees and also third-party partners,” she says.
Training is also important for staff and any contractors who interact with company data, Ms. Bagri adds. “Annual training, testing and assessment sessions, including cybersecurity policies in employee handbooks and quarterly update seminars can go a long way,” she says.
“You should also keep your software and firmware updated with the latest security patches. Protect your internal data with endpoint security, making sure that all your company’s devices are connected to your organization’s network, and have measures in place to secure physical access to your assets, servers and data centres,” Ms. Bagri says.
Two-step authentication, robust passwords and company-wide cybersecurity policies for those who work from home are also important, she says. Attacks happen to every business, “so even if they’re thwarted, learn from each one,” she adds.
“You always have to be aware of cybersecurity,” Ms. Cole-Dodaro says.
“We have a name for this – we call it cyber-hygiene.”