
Cybersecurity: how ready are we?

Benoit Tremblay

Law 25 reminds us a little more every day: we don't own customer data, but we must take care of it. More generally, organizations need to pay particular attention to all the data they hold: both out of respect for those who entrust it to them, and to ensure business continuity.

A moral responsibility

It's worth remembering that an organization has a growing mass of data at its disposal, which it uses to adjust its product or service offering, plan its strategy, communicate with its target audience, and so on. Much of this data comes from its users. As such, the organization has a moral responsibility: firstly, to make good use of it, and secondly, to protect it. It's an unspoken contract at the outset, more formalized now with Bill 25, but a costly one when it's broken.

But there's a big step from intentions to actions.

Are organizations unwilling to commit to data security?

As La Presse recently pointed out, only 3% of companies surveyed are in compliance with their obligations under phase 1 of Bill 25... and none with those of phase 2.

And things aren't about to get much better, since almost half of respondents do not intend to take the measures required by the law any time soon. Reasons given: lack of means, time and resources.

While there's no denying that the procedures to be put in place and the governance that goes with them are not simple, ignoring them or putting them off until later is a risky gamble in several respects:

  • Users are fully aware of the new data protection obligations, and of the remedies available to them in the event of non-compliance.
  • The fines are particularly steep, since they are calculated as a percentage of sales.
  • The risk of attack is real, regardless of company size. At the very least, a cyber attack means a slowdown in business, and at worst, bankruptcy.

Organizations lagging behind in their digital transformation

Even today, we still hear the old refrain: "I'm too small to interest a hacker". Unfortunately, that is not the case. SMEs of all sizes and in all sectors are potential targets that hackers take seriously, all the more so as they represent almost 90% of the economic fabric: a great opportunity for hackers.

Let's imagine three simple and realistic scenarios:

An attack that slows down business:

Malicious software slows down business. The organization is no longer able to produce at the same pace, and its customers (and suppliers) turn to its competitors. There's no guarantee that they'll come back once things are back to normal, because the bond of trust will have been seriously damaged.

An attack detected too late:

The organization is working on research and development to publish new patents or simply improve its products. Except that, in the absence of adequate protection, its work and advances... only to beat it to the punch and offer identical, cheaper products (not having had to absorb the research costs). Buyers will logically think in terms of costs and turn away from the company that has taken all the risks, in favor of the one offering the same product at a lower price.

A costly attack that blocks everything:

Ransomware is all the rage. It is also increasingly sophisticated and difficult to eradicate. As we all know, hackers have no morals: recent attacks have targeted hospitals... SMEs are therefore no safer, and a ransomware attack has a number of consequences: no more activity, no more data, and exorbitant fees to pay (with no guarantee).

But, in truth, the type of attack or risk doesn't really matter: all of them impact the resilience of the organization and its stakeholders (customers and suppliers). And cyber risk has never been greater, as two factors feed on each other: poor corporate preparedness on the one hand, and hormone-boosted hacking tools on the other (thank you, AI).

Cybersecurity: getting your head out of the sand

Real risks

The increase in risk and the multiplication of possible entry points (notably with hybrid working, the use of personal computers or telephones, the Internet of Things...) should compel organizations to review their protection against cyber threats.

The first step is actually quite simple to implement, with no cost, technical installation or regulations: ask questions.

Is there a process in place? Who is responsible for it? What is the contingency plan? Are employees informed? The list of questions could go on, but if your organization can't answer any of them clearly and precisely... you're in trouble.

Essential data

Data is essential to running a business. It's not for nothing that management teams used to have Excel dashboards, and now rely on Power BI to extract, visualize and model data in order to derive insights that will help maintain competitiveness and therefore sustainability. This should be reason enough to take the necessary steps to secure that data, and not think "nobody cares anyway". What can an organization do when it's out of data? Not much, really.

Conclusion

It's not reassuring to see that only 40% of Quebec SMEs intend to comply with their obligations. Let's hope that awareness will be raised before reality catches up with them. After that, they'll be on the lookout for trends, and will be equipping themselves and their teams accordingly.
