In the early hours of a fall morning in 2021, the servers and computer systems of Emblemtek Solutions Group Inc. were taken over by hackers located somewhere in southeast Asia.
The RCMP alerted the company’s internet provider, which immediately notified David Black, president of the emblem design and manufacturing company located in Vankleek Hill, Ontario.
By the time they were notified, “the damage was already done,” says Black. Upon logging in, employees were met with a pop-up window stating their system had been seized and they would need to contact the hackers if they wanted it unlocked.
“We’ve heard in our industry [about] some of our suppliers or some of our peer organizations or some of our customers being attacked in various ways, to varying degrees,” said Black. “It’s happening all the time.”
Cyber crime afflicts thousands of small businesses like Black’s each year. And the pandemic may have increased their vulnerability by precipitating a rushed transition to online e-commerce and remote work.
Cyber security spending up dramatically
Large organizations make national headlines when they suffer cyber attacks, as happened with Indigo Books & Music Inc., Maple Leaf Foods Inc. and Montreal’s Jewish General Hospital in recent years. But cyber attacks are widespread, affecting Canadian businesses of all sizes.
In 2021, nearly one in every five Canadian businesses were the victims of a cyber-security incident. But only one in ten said they reported the incident to police services, according to Statistics Canada.
“Cybercrime is an ever growing threat to all Canadians,” said Sgt. Dawn Morris-Little, the acting officer in charge of operations at the RCMP’s National Cybercrime Coordination Centre.
But smaller businesses may be seen by cybercriminals as easier targets because they lack the cybersecurity of larger companies, she says.
According to a recent survey by the Canadian Federation of Business (CFIB), 72 per cent of small business owners are more concerned with cyber security now than they were in the past.
This concern is borne out in their spending. Small businesses — those with 49 or fewer employees — increased their average spending on cyber-security measures by nearly 100 per cent in two years from 2019 to 2021.
By comparison, medium-sized businesses increased spending by just 22 per cent in the same period, and large businesses — those with greater than 250 employees — increased spending by 49 per cent, according to Statistics Canada.
Despite the greater percentage increase in spending, small businesses still lag well behind their larger peers in dollar terms. They spent a mere $19,000 on cybersecurity in 2021, while medium-sized businesses spent $83,000 and large businesses spent more than a million.
Pandemic increased vulnerability
The gap in cyber-security measures between large and small companies widened during the pandemic, according to Jasmin Guénette, vice-president of national affairs at the CFIB.
One reason is that many businesses had to abruptly transfer their operations online and accommodate remote work. Small businesses may have lacked the finances or personnel to implement robust security measures, Guénette says.
“Small business owners are also the COO, CFO, CMO and CTO,” he said. “It’s difficult for them to really understand… their IT infrastructure. Many lack the time to learn how to be properly protected from online threats.”
A vulnerability identified by the Canadian Centre for Cyber Security was the rushed rollout of virtual private network (VPN) software to workers’ personal computers. When using a VPN, a compromised personal computer can have access to a corporate network, giving a cyber criminal access to a weak entry point.
“New technology, in essence, is good. But it is making businesses more vulnerable and more attractive for people who are trying to commit cyber security, crime or fraud,” said Guénette.
Won’t ‘arrest our way out of this’
A great first step if you’ve suffered a cyber attack is to report it, says the RCMP’s Morris-Little.
However, the problem is so big “we’re not going to arrest our way out of this,” she added. This makes preventative work essential.
The Canadian Centre for Cyber Security and the Canadian Anti-Fraud Centre both offer businesses resources on how to protect themselves from scams.
Morris-Little also recommends keeping operating systems and third-party applications up to date, training employees on how to respond to hacking attempts and having backups of the business to restore if their systems do go offline.
In Black’s case, he had maintained comprehensive system backups — at an annual cost of $1,000 — which meant the team could re-build the company’s online system.
The net cost was somewhere between $8,000 and $10,000, Black estimates, plus a few days of lost business and a full weekend of work to get the systems back up.
But he recognizes it could have been much worse.
“Had we not had a backup of our data, it would [have been] earth shattering.”
Leave a comment