The number of cyberattacks for ransom is exploding on SMBs

Cyberattack threats have been steadily increasing since the start of the pandemic among SMEs, which are easy to attack. According to Statistics Canada, one in five businesses were already affected in 2019, and ransomware attacks have been exploding ever since.

• Also Read: Almost half of Canadians fear becoming a victim of cybercrime

• Also Read: Cyberattack: Major data theft at Bell Canada

“Ransom attacks are up 91% this year compared to 2021. We’re seeing a lot of attacks on SMEs,” said Guillaume Caron, CEO of VARS, RCGT’s cyber security subsidiary.

According to Francois Daigle, Senior Information Security Advisor at OKIOK, here’s the scenario in the majority of cases: SME X’s computer system in Saint-Ginglin is managed by one or more people. The IT team does a great job, but they are not computer security experts. One day, a hacker finds a bug and manages to break into the computer system. He sneaks around computers and servers for several weeks, steals information, opens doors to other organizations and installs software that gradually encrypts the data. When the job is done, it leaves a note: “You have been attacked, if you want to restore your data, please deposit …$ in this account.”

The company is in chaos with its systems blocked or its accounting database rendered unreadable and can no longer continue its operations.

A new reality

“Cyberattacks are now part of business reality to the point where three out of five SMEs are concerned,” explains François Vincent, leader of the Canadian Federation of Independent Business (CFIB).

A March 2022 survey by the CFIB revealed that 20% of SMBs had experienced more cyberattacks in the past year. This represents more than 50,000 companies that were attacked.

The pandemic has accelerated the rise in the risk of cyberattacks. Mr Vincent explains that the development of telework and online sales has opened doors for SMEs that did not exist before.

A decade ago, OKIOK’s customers were mostly large companies, Mr. Daigle said.

But today they are well protected.

In contrast, SMEs are more vulnerable and easier to access.

“It’s easy greed for hackers, argues a computer security consultant. What we’re seeing from this year is not just SMEs, but also very small businesses. Golf clubs, NPOs, schools, because those are the poor links.”

Even the front doors

Not only can hackers easily access data from SMEs, but they can also be a gateway to large companies or large-scale attacks, adds Mr Caron.

Computer security is essential for obtaining contracts. Government agencies and large companies must ensure that confidentiality is not breached by their suppliers.

Worrying data

• 64% Quebec SMEs Never Concerned About Risk of Cyberattacks Today (CFIB 2022 Survey)
• About two-thirds (61%) Canadian businesses experienced at least one cyber security incident and three-quarters (74%) did not report it (Communications Security Establishment Survey).
• Almost half of Canadian SMEs (44%) No Comprehensive Cyber ​​Security Plan (2021 KPMG Survey)

Very important legal risks

A cyberattack can damage an SME financially or reputationally, and since last week, more legal risk has been added.

“The consequences of a cyberattack vary from one SME to another, depending on the level of security put in place, explains François Daigle. It can go from the unavailability of its services for a few hours to bankruptcy.

A senior computer security consultant at OKIOK recalls a well-known SME calling him at 6pm on a Friday three years ago. All accounting is encoded (stolen) by hackers. The company can no longer pay its employees or receive money from its customers. “This is major. It takes time to reassemble a database and not everyone has the capacity,” commented Mr Daigle.

Intervention should be swift to restore operations and allow the company to function. At this point, the financial loss is substantial.

According to a CFIB study from March 2022, the average loss from a cyberattack was $26,000. The bill can be very high depending on the case. To protect against this risk, there is insurance.

Another unfortunate consequence of a cyberattack: reputation. A 2021 KPMG survey found that 93% of Canadian consumers would not want to share their personal or financial information with an organization that has already suffered a cyberattack or data breach.

New bonds

Since last week, companies’ data protection obligations have also been strengthened. The first phase of Act 25 came into effect from September 22. It aims to protect citizens against leakage of personal information.

Companies must handle data responsibly, including protecting information and destroying it upon request. They should also disclose breaches of confidentiality of confidential information.

“It’s no longer just a business risk, it’s a legal risk,” Mr Daigle concluded.