Canadian Small Business Cybersecurity Survival Guide
Prioritizing foundational cybersecurity best practices can prevent the most common types of attacks. John Hewie, National Security Officer at Microsoft Canada, explains how small businesses can protect themselves in this guest blog post.


By John Hewie, National Security Officer, Microsoft Canada
According to a report from Innovation, Science and Economic Development Canada, almost 98 per cent of all employers in the country are small businesses. They are a big part of our national economy, employing approximately 9.7 million Canadians. Over the past two and a half years, small businesses have endured a number of challenges. Many have demonstrated resilience by adopting technology that allowed them to reach their customers online, improve their operations and stay competitive.
Today, businesses of all sizes must continue to be vigilant against cyber attacks. Cybercriminals have professionalized considerably in recent years, improving their ability to target small and medium-sized businesses at scale. This includes making it easier for more criminals with limited technical skills to illegally profit from cybercrime. Techniques such as ransomware, business email compromise (BEC) and other fraud schemes are now commonplace, even against Canadian non-profit organizations with a handful of employees. Canadian law enforcement is taking steps to combat these threats, but since most cybercrime operations are launched from overseas in countries where the risk of prosecution is low, there are limits to what law enforcement can do.
According to a survey from the Insurance Bureau of Canada (IBC), almost half (47 percent) of Canadian small businesses do not allocate any portion of their annual operating budget to cybersecurity. The same study found that 41 percent of small businesses that suffered a cyber attack reported that it cost them at least $100,000.
The stakes are high for businesses when it comes to cyber attacks, with profits, sensitive information, customer data and brand reputation all on the line.
We know it is often cost prohibitive for small businesses to have an in-house IT or security expert on staff. But what we know about cybercriminals is that they’re opportunistic. They typically look to exploit organizations with minimal security controls because it is cheap and easy for them. So with basic security hygiene, businesses can protect against 98% of cyber attacks.
Prioritizing foundational cybersecurity best practices can prevent the most common types of attacks. Let’s look at what these mean for a small business and make them practical to implement. Small businesses using Microsoft 365 are also encouraged to review their personalized Secure Score dashboard and prioritized list of recommended security configuration actions.
Cybercriminals typically don’t “break in”, they “log in”, either by guessing your password or by tricking you into giving it up through a phishing attack. Enable Two-Step Verification or Multi-Factor Authentication (MFA) on all of your important accounts. This single action prevents the vast majority of account compromises Microsoft sees in its online services, even with continued use of weak passwords. Most cloud services and devices offer MFA options today, and these should be enabled wherever possible. Use an authenticator app such as Microsoft Authenticator over SMS one-time codes, if available.
Creating and remembering passwords can seem like a full-time job. While Microsoft offers passwordless options for some services, the reality today is we still need to manage a lot of passwords. Using a password manager to ensure each user account (or at least the important ones) has a complex and unique password is a must for any small business, especially if an account doesn’t support MFA. More info on what to look for in password managers can be found at GetCyberSafe. Microsoft Edge enables you to manage multiple passwords and offers a built-in password generator with the ability to sync to mobile devices. Password managers require a master password, so make sure it is strong and that you protect it well.
Report Cybercrime and Fraud
Only a small percentage of cybercrimes or frauds are reported to police in Canada, making it difficult for law enforcement to keep up with the ever-changing threat landscape.
(1) If you have been a victim of a scam, fraud or cybercrime, please contact your local police as soon as possible. The Canadian Centre for Cyber Security provides detailed instructions and what to expect here.
(2) Consider reporting attempted scams or fraud to the Canadian Anti-Fraud Centre here. Reporting may help link multiple crimes together and contribute to further investments in Canada to combat cybercrime.
Avoid Becoming a Victim of a Cyber Attack
An attempted cyber attack against Canadian small businesses is inevitable in today’s world, but that doesn’t mean organizations need to become victims. Committing to applying the cyber best practices outlined above can help protect your small business against most cyber attacks.