Is your small business vulnerable to a cyber attack? Ottawa cybersecurity experts say the answer is probably “yes.”
Already an Insider? Log in
Get Instant Access to This Article Become an Ottawa Business Journal Insider and get immediate access to all of our Insider-only content and much more.
Learn More and Become an Insider
Critical Ottawa business news and analysis updated daily. Immediate access to all Insider-only content on our website. 4 issues per year of the Ottawa Business Journal magazine. Special bonus issues like the Ottawa Book of Lists. Discounted registration for OBJ’s in-person events.
Click here to purchase a paywall bypass link for this article.
Is your small business vulnerable to a cyber attack? Ottawa cybersecurity experts say the answer is probably “yes.”
Nowadays, everything is reliant on the internet, according to Guy-Vincent Jourdan, an engineering professor and co-director of the new uOttawa-IBM Cyber Range training facility.
“Do you have a landline? Most businesses don’t either,” said Jourdan. “They probably don’t deal with cash anymore. We as a society are moving towards dependencies on this type of technology. If the internet goes down, we cannot operate. Even our thermostats can be attacked.”
Opened in October, the Cyber Range is a top-of-the-line facility on uOttawa’s main campus that immerses trainees in an interactive cyberattack simulation to teach them how to respond in a real-life scenario.
While the facility offers more technical training for cybersecurity students and experts, it also will soon start working with businesses and government organizations to help everyday employees understand how cybercriminals work and what they can do when a security breach occurs.
Keeping up to date with current cyber-risks has become increasingly important, he said, especially as an increase in remote work since the pandemic has accelerated the challenges.
“Almost everyone is moving part or all of their operation to the cloud,” said Jourdan. “I’m not shaming anyone: it’s a lot easier, you can do a lot of things better, and it might be cheaper. But in terms of exposure now, all of a sudden, you don’t own anything. It’s outside and it can be attacked.”
For small and medium-sized businesses, there’s an added layer of concern, said Paul Vallee, founder and CEO of Kanata cybersecurity platform Tehama, which provides an all-in security solution for hybrid and remote workplaces.
“Cybercriminals target the lowest-hanging fruit,” he said. “They’re going to target what’s easy. Since the pandemic, large enterprises have really elevated their game. They’ve adopted a lot of cybersecurity technologies and adapted their overall security posture. That means medium-sized enterprises are now becoming the targets of choice. They don’t have the scale or bandwidth to keep up.”
Microsoft’s Digital Defence Report for 2023 also found that the most targeted sectors last year were those with the fewest resources, including the education and non-profit sectors.
“They’re hitting us where we’re weakest,” he said. “They’re not going after the financial sector anymore.”
When it comes to fending off cyberattacks, awareness is an important first step, according to Scott Wright, CEO of Click Armor, an Ottawa-based company that does security awareness training for employees using a gamified platform.
“Especially for small and medium businesses,” he said. “They don’t always have the budget for advanced security technologies like large enterprises do. It turns out the employees are really the first and last line of defence.”
While many SMEs have basic password protection and firewalls in place, it can be easy for attackers to get around those if the business’s employees lack training.
“Anywhere from 85 to 95 per cent of cyber attacks involve employee decisions at one point or another,” said Wright. “Whether they’ve clicked a phishing link, or provided information through a social engineering call or text message. When you’re managing risks, what you really want is to understand the most likely things people are being targeted with.”
Phishing attacks are among the most common and often originate from employee error. With a click of a link, employees can unintentionally introduce malware into a network, leaving it vulnerable to a ransomware attack, where valuable data is stolen and encrypted until the business offers up a hefty payment.
According to Wright, it’s vital to stress the importance of cybersecurity to employees, and that starts from the top down.
“The whole security culture is guided by the top-level behaviour,” he said. “If management doesn’t think it applies to them, people are going to see that and act the same way.” ‘Layers of security’ needed to protect businesses When it comes to improving a business’s cybersecurity, step one is prevention, but it shouldn’t be the be-all and end-all strategy, said Wright.
“In security, we talk about layers of protection,” he said. “No one safeguard is going to protect you against everything. At the same time, you can’t rely on anything that is only about prevention, because the attackers are eventually going to get in.”
Two things Wright said businesses should have are detection and response practices and an incident response plan.
“If something compromises our key business process, or our systems, or our data, what do we do to limit the damage?” he said. “Everybody needs to understand their part in it.”
Jourdan also recommends a multi-pronged approach.
“You need to train your employees so they don’t make the mistake, but you also have to have a system that can withstand it. If you have catastrophic consequences when someone attacks, then the problem is with your system.”
Basic protections include setting up multi-factor authentication, using a VPN, creating backups and encrypting customer data. He also said to avoid collecting valuable customer information like credit card details and social security numbers unless the business knows they can store it properly.
For businesses that don’t know where to start, Jourdan recommends getting an audit.
“Reach out to someone with good credentials who can look at your system,” he said. “Get people whose job it is to look at your reliance on this technology and they’ll come up with a plan for you.”
He added that it isn’t worth it to wait.
“This needs to be managed. You cannot just leave this. Either you have someone in-house who can take care of everything, or find a way to outsource it. Then the next step is, come here! Let’s get you in form and have a fun time at the Cyber Range. It’s going to be entertaining and it will be eye-opening.”