Ben Aung, Chief Risk Officer, Sage
Cybersecurity has evolved dramatically over the past five years, with cyber threats becoming even more prevalent and acute, while securing against them has grown increasingly complex and challenging. This is particularly true for small and midsize businesses (SMBs), which represent 98% of Canadian businesses. Despite their significance, 40% of SMBs report struggling to understand and implement the necessary cybersecurity measures to protect their organizations, according to a Sage study.
High-profile breaches and emerging cyber threats continue to dominate headlines across Canada and globally, with cybercriminal groups growing increasingly bold and sophisticated, especially in their use of ransomware and extortion techniques. It’s no surprise that 51% of Canadian businesses report that keeping up with the latest threats, patches, and advancements in cybersecurity is a significant challenge, according to the same report.
For small businesses, the impact of a cyberattack or data breach can be severe. A study by cybersecurity provider Palo Alto Networks found that the average ransom paid by Canadian organizations has surged to $1.13 million CAD. Meanwhile, Statistics Canada reported there were 41,162 incidents of cybercrime reported to police in just the first half of 2024. This underscores a critical reality: cybersecurity is no longer a risk that can be ignored. It must be viewed as an essential part of everyday business operations, just like data protection and regulatory compliance. The question is not “if” a company will experience a cyberattack, but “when.”
It’s incredibly important for SMBs to be able to strengthen their cyber-hygiene by adopting practical, cost-effective measures that are easy to implement, cause minimal disruption, and don’t require specialised IT expertise.
Getting the basics right will not only protect businesses from a wide variety of attacks but will also offer business leaders the much-needed reassurance to focus on driving profitability.
The first steps to cyber hygiene – understand the fundamental security needs
Before diving headfirst into expensive new tools and systems, businesses need to first understand where they are vulnerable. Doing this means that their finite resources will be focused on their own business and its unique security needs. Businesses should capture what assets they have, which ones are essential for their operations, and which would be most vulnerable to cyber-attacks. This process works best when it includes stakeholders from different parts of the organization. That helps ensure all important systems are included, along with the business context for them, and also helps secure buy-in from teams when cybersecurity measures are rolled out to reduce the most critical risks.
Despite the variations and diversity across SMB security needs, there are practical steps that business leaders can take now to immediately bolster defences against cyber risks.
Cyber security training and culture
While technology offers many solutions, the human element remains crucial. Recent research from telecom provider Verizon found that human error is responsible for the majority (68%) of successful cyberattacks. This is why prioritizing employee cyber security training is paramount.
Training employees is one of the most effective things an organization can do to improve its security posture. Through regular workshops and training sessions, employees can be updated on the latest threats, such as new phishing techniques. An organization that fosters open dialogue around cybersecurity ensures that everyone feels responsible and confident to use their judgment. Just like technology controls, people won’t always get it right, but if your employees can spot most attacks, most of the time, you’ll be in a good place.
Two-Factor Authentication
Two-Factor Authentication (2FA) is the essential control for anything connected to the internet. Thankfully, many apps and subscriptions now require consumers to use 2FA to safeguard their personal information, so your employees should be comfortable using it at work.
When cyber criminals encounter 2FA, a stolen or guessed password won’t grant them access. Because the second factor is a unique code delivered to a personal device such as a smartphone, or generated by a dedicated hardware token, access is possible only for someone who has that physical device in hand.
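The “unique code” described above is, for most authenticator apps and hardware tokens, a time-based one-time password (TOTP, RFC 6238): a short code derived from a shared secret and the current 30-second time step. The following is an added example, not Sage’s code or any product’s implementation, showing how a service would verify such a code on the server side. The secret, the drift window of one step either side, and the replay check via `last_counter` are assumptions made for the example; the hard-coded secret is the RFC 6238 test-vector key and must never be used in production.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test-vector secret ("12345678901234567890"), base32-encoded.
# Constructed for the example only; a real service generates one random secret
# per user (e.g. secrets.token_bytes(20)) and stores it encrypted.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # RFC 4226 mandates HMAC-SHA1
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = TIME_STEP) -> str:
    """Time-based OTP: HOTP with the counter set to the current time step."""
    return hotp(secret, for_time // step)


def verify_totp(secret_b32: str, submitted: str, now: Optional[int] = None,
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Verify a submitted code for the current time step.

    Returns the accepted counter value so the caller can persist it, or None
    if the code is rejected. A code whose counter is not newer than
    `last_counter` is refused, which stops an intercepted code being replayed
    within the same time step. `window` allows +/- that many steps of clock
    drift between the server and the user's device.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    secret = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        counter = now // TIME_STEP + drift
        if counter <= last_counter:
            continue  # already used (or older than the last accepted code)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # At t=59 the RFC 6238 vector gives "94287082"; the 6-digit code is the tail.
    print(verify_totp(DEMO_SECRET_B32, "287082", now=59))   # counter 1 accepted
    print(verify_totp(DEMO_SECRET_B32, "287082", now=59, last_counter=1))  # replay -> None
```

The design point a practitioner should take from this is the last two arguments: accepting a small drift window keeps legitimate users with slightly skewed clocks working, while recording the last accepted counter ensures a code that was phished or shoulder-surfed cannot be reused even inside that window.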
Endpoint Detection and Response
User devices are often the initial target of a cyber-attack and are used by criminals as a foothold from which to launch attacks into business networks, where more valuable systems and data can be found. The development of specialised ‘Endpoint Detection and Response’ (EDR) tools has helped businesses secure their devices and growing IT networks.
EDR represents a big step forward from traditional anti-virus tools, which rely on ‘signatures’ of previously discovered viruses and malware. EDR does this too, but it can also detect the telltale signs of an attack even if that attack hasn’t been seen before. This means businesses can stay ahead of threats with far less effort and cost. EDR tools are now often baked into computer operating systems, like Microsoft Windows, and can be configured to detect and neutralise attacks without any human intervention.
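To make the signature-versus-behaviour distinction concrete, here is an added example (not Sage’s code, nor the logic of any particular EDR product) that runs three detection rules over a constructed stream of endpoint events. Rule one is a classic signature check against a hash blocklist; rules two and three are behavioural and need no prior knowledge of the specific malware: an office application spawning a command shell, and a single process writing an unusually large number of files in a short window. The event format, the process names, the placeholder hash and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class ProcStart:
    ts: int        # seconds, constructed timeline
    pid: int
    image: str     # executable name of the new process
    parent: str    # executable name of the parent process
    sha256: str    # hash of the executable on disk


@dataclass(frozen=True)
class FileWrite:
    ts: int
    pid: int
    path: str


Event = Union[ProcStart, FileWrite]

# Signature rule: a blocklist of known-bad file hashes. The value is a constructed
# placeholder; a real feed would supply genuine hashes.
KNOWN_BAD_HASHES: Set[str] = {"deadbeef" * 8}

# Behavioural rule: office apps should not normally spawn script hosts or shells.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Behavioural rule: more than this many writes by one process inside the window
# is a common tell for mass encryption or wiping. Thresholds are assumptions.
MASS_WRITE_LIMIT = 50
MASS_WRITE_WINDOW = 60


def detect(events: List[Event]) -> Set[Tuple[str, int]]:
    """Return a set of (rule_name, pid) alerts raised over the event stream."""
    alerts: Set[Tuple[str, int]] = set()
    recent_writes: Dict[int, Deque[int]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        if isinstance(ev, ProcStart):
            if ev.sha256 in KNOWN_BAD_HASHES:
                alerts.add(("signature_match", ev.pid))
            if ev.parent in OFFICE_APPS and ev.image in SHELLS:
                alerts.add(("office_spawns_shell", ev.pid))
        else:
            q = recent_writes[ev.pid]
            q.append(ev.ts)
            # Drop timestamps that have fallen out of the sliding window.
            while q and ev.ts - q[0] > MASS_WRITE_WINDOW:
                q.popleft()
            if len(q) > MASS_WRITE_LIMIT:
                alerts.add(("mass_file_write", ev.pid))
    return alerts


def sample_events() -> List[Event]:
    """Constructed endpoint telemetry: benign activity plus three suspicious patterns."""
    evs: List[Event] = [
        ProcStart(0, 100, "winword.exe", "explorer.exe", "11" * 32),
        ProcStart(5, 101, "powershell.exe", "winword.exe", "22" * 32),   # rule 2
        ProcStart(10, 102, "chrome.exe", "explorer.exe", "33" * 32),
        ProcStart(20, 103, "updater.exe", "powershell.exe", "deadbeef" * 8),  # rule 1
        ProcStart(30, 104, "unknown.exe", "explorer.exe", "44" * 32),
    ]
    # pid 104 rewrites 60 documents in about 20 seconds -> rule 3
    evs += [FileWrite(31 + i // 3, 104, f"C:/Users/demo/Documents/file{i}.docx")
            for i in range(60)]
    # pid 102 writes a handful of downloads over a minute -> no alert
    evs += [FileWrite(40 + i * 10, 102, f"C:/Users/demo/Downloads/item{i}.pdf")
            for i in range(5)]
    return evs


if __name__ == "__main__":
    for rule, pid in sorted(detect(sample_events())):
        print(f"ALERT {rule}: pid {pid}")
```

Note that the hash-only rule would have missed pids 101 and 104 entirely, since nothing about their executables was known in advance; the two behavioural rules catch them from what the processes do rather than what they are, which is the gap between anti-virus and EDR that the section describes.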
Preparing for a Crisis
Lastly, foresight is invaluable in cybersecurity, and what you do or don’t do in the heat of an incident might be the defining factor in how serious it ultimately becomes.
Businesses should proactively plan for cyber-attacks by developing crisis plans that identify what data and systems are essential for their operations, who will make critical decisions under pressure and how, and where they can go for external, specialist support. When all your systems are down and customers are calling, the last thing you want to be doing is frantically searching the internet for technical and legal support or arguing about who has the authority to switch off a compromised server.
Having a list of key contacts and a coordinated response strategy can be the difference between a minor hiccup and a major crisis. When the plan is complete, organizations should run tests to ensure the processes and responses are working effectively, so they will be ready should a real attack occur. This can be as simple as a tabletop exercise with the right people from the business talking through a scenario, through to a comprehensive simulation run by external experts.
Such preparedness ensures swift, coordinated action during incidents, significantly reducing potential damage in terms of downtime, costs, and reputation.
Keeping it simple is the key to cyber resilience
Good cybersecurity doesn’t have to be an insurmountable goal. While many aspects are highly technical, the basic concepts of cyber resilience can be simple and easy to implement. Taking these steps will greatly reduce the likelihood of a successful attack and ensure SMBs are ready to take effective measures if needed.