Where have all the cybercrimes gone?
Cybercrime. It screams at us from the headlines daily. Millions of accounts hacked. Banks and cryptocurrencies raided. Foreign nationals indicted or arrested. Yet so few of those headlines talk about the cybercrimes that law enforcement encounters daily – attacks on the small businesses that make up our local communities.
From 2015 to 2016, Canadian police-reported cyber fraud and mischief increased 33 per cent to 12,627 incidents [1] – a trend which likely continues today. From our own experience, we know that small businesses are unlikely to file a police report – unless they have cyber insurance. They simply want to get back to business, ASAP! So, how big is the ongoing attack on small businesses, really?
Although Canadian statistics are scarce, CIRA (the Canadian Internet Registration Authority) reports that 19 per cent of surveyed Canadian corporations have been the victim of a ransomware attack. 32 per cent say their users have unwittingly divulged confidential information (corporate login credentials, banking details, etc.) to hackers through phishing campaigns [2].
To be conservative, let’s discount those numbers by 75 per cent. With 1.3 million businesses in Canada, that’s still 165,000 incidents of just two of the many types of cybercrime. An overwhelming number, if every incident were reported and investigated.
There is obviously a huge disconnect between reported cybercrimes and the number we know must be taking place. Where do small business owners turn when their data is held for ransom, lost or their systems are compromised?
Generally, small businesses don’t have the time, staff or knowledge to deal with a cyber breach. The lucky few will use a professional IT company. The rest may get their recovery strategy from their local IT “guru”, friends or the internet. With the focus on simply getting their business back up and running, little attention is paid to the root cause of the breach or to the potential consequences of having their lost information in the hands of criminals.
With their security problems left unfixed, many businesses just get hit again. We often come across clients who have cleaned up one system, only to find later that similar malware was sitting on other systems — little timebombs, just waiting to go off. Or we find that the cyber vulnerability the hacker broke in through is still wide open and waiting for business.
The standard response to these issues is more education programs: increasing small business awareness of cyber threats and how to defend against them. Our experience is that selling small businesses on the importance of investing in good cyber defences is a lot like selling insurance. Despite all the news headlines, brochures and websites, unless it’s a requirement for doing business with their clients or financial institution, or they have already been burnt, it’s not very high on their list of priorities.
Good security hygiene requires an investment in hardware, software and the advice of qualified security experts. The average IT person just doesn’t have the skills, tools or mindset to defend against determined criminals. Equally important are the changes needed in employee behaviours and company policies in order to become and stay secure.
Losing time, spending money and suffering inconvenience to implement security — a project whose best outcome is that nothing happens — isn’t very compelling for small businesses fighting to pay suppliers and hit this month’s payroll.
One recent step towards overcoming these barriers is an international program called Cyber Essentials — an inexpensive self-certification program for small businesses. The concept is simple. Businesses are guided through an online, step-by-step process to becoming cyber-resilient. On successful completion of the program and implementation of security standards, the business is awarded a Cyber Essentials certificate.
Cyber Essentials certification is now required in the U.K. for firms doing business with the government. The hope is that the same will happen in Canada. Many large Canadian corporations already require that their suppliers follow cyber security procedures and standards before they are permitted to interact with the corporate networks. The practice is not yet industry-wide, however, and the required standards vary from company to company.
To fight cybercrime, computer security needs to become an everyday business necessity — like locks, fire extinguishers and alarm systems. Adopting a standardised cyber certification as a minimum business requirement — at the very least for suppliers to large corporations and government — may well be the financial push that small business needs to really get going.
Access to contracts and cyber certification as a competitive advantage are tangible benefits that will help drive business owners to not just cyber awareness – but to the cyber action we need to achieve a secure Canadian business environment.
[1] Statistics Canada. Table 35-10-0001-01: Police-reported cybercrime, by cyber-related violation.
[2] CIRA 2018 Canadian CyberSecurity Survey. https://cira.ca/2018cybersecurity-survey
Earl Wyllie is a technologist, CDFA, and has a Certificate in Digital Forensics from Ryerson University. He is currently working with Cyber Security Canada, the sponsor of Blue Line’s first Cybercrime Week, designing and implementing security control structures.