
What SMBs should know about cybersecurity

by Technologia

Regardless of the size of your organization, cybersecurity should be one of your concerns. Being small and discreet is not a safe harbor, because hackers are out to get you. Regardless of your sector, your age or the nature of your activities, you must take precautions to protect your data, or risk paying dearly.

Who is affected by cybersecurity?

Hacking has changed a lot in the last few years. Whereas we used to see targeted hacking of valuable companies, today we are faced with mass hacking, which targets both large and small companies. After all, if a company is in business, it is valuable... It's not a question of "if" your company will fall victim to a cyber attack but "when", and whether you will be protected on that day.

What's more, even when a company has "backups", it can take time to reactivate them, which can cause a (temporary) shutdown of the business. The direct consequence is measured in outright losses.

This explains why 21% of SMEs will not survive a security incident...

And the possibilities of an incident are numerous because technology is everywhere: even the smallest imaginable business includes at least one smartphone. Technological surveillance is therefore necessary.

70% of Quebec's economic fabric is based on SMEs. They are therefore naturally the first to be targeted today.

Where security breaches come from

95% of security breaches are human (whether intentional or not). Hybrid work has not helped matters.

Simply put, in the overwhelming majority of cases, it was a human action that caused the breach, such as clicking on a link in an email that seemed harmless...

How to fight against security breaches?

By following four main lines of work:

  • Infrastructures (tasks that are the responsibility of IT: cabling, servers, hardware...)
  • Security in the broadest sense (access to buildings, surveillance cameras, alarms... because cybersecurity is part of a whole)
  • Governance, risk and compliance (internal policies, succession plan, risk analysis, insurance, certification, etc.)
  • Policy and training (user policy, use of personal connected objects, risk awareness...)

Whatever the size of the company, these areas remain valid, especially since some will be better mastered than others.

How to adopt the right mindset in terms of security for SMEs?

First of all, don't focus on specific aspects (software, encryption method, etc.), but rather have a high-level approach, in which all employees can participate. With this in mind, here are three main cybersecurity principles:

  • Don't assume: don't take anything for granted and validate as clearly as possible what arrangements are in place and who is responsible for them, both internally and externally. Simply saying "I have a contract and everything is fine" is not enough. Ask to test the arrangements and validate the implementation time in case of problems (3 hours or 3 weeks can make a big difference to the business).
  • Challenge yourself: ask questions, validate that the options chosen are the right ones, that contingency plans are up to date.
  • Don't bury your head in the sand: "I'm too small to interest hackers". However basic and "harmless" a company's data may be, at the very least it allows it to remain operational! But it is the data that is being hunted by hackers. All data. Choosing to ignore the threat is putting a target on your back.

A good way to avoid these pitfalls is to start with an annual audit: Are all the necessary points covered? Are the people in charge clearly identified? Are their responsibilities well understood? Are there any unanswered questions?

In short: have an action plan, which you will question at regular intervals. This questioning can be done internally, with the risk that it is more difficult to see the possible issues (in the same way that one generally sees fewer spelling mistakes in one's own text). Hence the interest in sometimes calling on an external party to benefit from a neutral, fresh and objective approach. The goal is not to judge anyone: it is normal for flags to be raised.

Be aware that there is no set course of action: technology and hacking techniques evolve. What is true today may not be true tomorrow.

Law 25 on the protection of personal data helps you improve. By imposing a binding framework, it reminds you that the data of customers, employees, etc. does not belong to the organization, but that the organization must take care of it.

Should I take out cyber risk insurance?

In the last few years, claims related to cyber issues have exploded. This has led insurers to review, more or less openly, the coverage offered to their policyholders, without always clearly informing them of this. Some insurers ask for general coverage, others are very specific.

It is therefore essential for an SME to review its current contract (and the numerous exemptions!) and to ask questions to validate the reality of the coverage offered.

In conclusion

Small and medium-sized businesses are today among the preferred targets of hackers, mainly because they have often minimized the risks and delayed taking preventive measures. However, in cybersecurity, repairing is more expensive than anticipating. A breach can lead to a complete shutdown. Fortunately, it is not too late to ask the right questions, get advice and take the appropriate measures, starting with developing a security culture and raising awareness of data protection among all employees.
