Increasing SME cybersecurity vulnerability and ways to fight back

Cyberattacks and cybersecurity vulnerabilities were a growing threat before the pandemic and invasion of Ukraine. Now, the experts are sounding the alarms at maximum volume.

Since the pandemic began, nearly one-third of survey respondents have experienced a rise in cyber attacks, insider threats and data breaches because of the increased amount of social and business activity shifting to the digital space.

Then in late January, Canada’s digital cybersecurity agency put out an official warning to government agencies and critical infrastructure providers to be on high alert for targeted malicious activity by Russian-backed hackers. At the same time, cybersecurity professionals are reporting an increase in ransomware attacks, supply chain attacks and the exploitation of vulnerabilities in commonly used software.

Pre-pandemic, half of all Canadian small and medium businesses have been the victim of a cyberattack. The average total cost of a data breach was a whopping $4.5 million, and even worse, the standard time to detect and contain was 226 days, says the Canadian Cyber Threat Exchange (CCTX).

Small biz doesn’t fly under the radar

There’s no one-size-fits-all description of who cyber attackers are and what motivates them. They can be states, groups or individuals motivated by politics, ideology, profit, satisfaction or discontent. But they act with malicious intent to take advantage of vulnerabilities or low-security awareness to gain unauthorized access to victims’ data, devices and networks.

SMEs may believe they aren’t high-profile enough to catch the attention of attackers. But that thinking provides a false sense of security. The reality is that they’re a top attack target because they may under-invest in security, have several points of vulnerability, and don’t have the IT maturity of government agencies or large organizations. Experts in a CBA cyber security briefing noted that “without proper protections in place, companies risk monetary losses, reputational blowback, and theft of intellectual property and customer data.”

2022 top cybersecurity considerations

Here are several ways you can protect your business and data right now. It’s a combination of renewed vigilance and adapting to remote work and cloud-computing.

Fortify your remote workers

Remote work introduces new security vulnerabilities. An IBM survey found half of remote workers at the height of the pandemic were using a personal device for work and 45% said their employer hadn’t provided work-from-home security training.

Allowing staff to use unvetted personal devices and home networks, together with little to no tools and training increases risk dramatically. Investing in cyber security awareness and training, along with baseline security protocols should be SMEs primary concern.

Microsoft Suite Cybersecurity Checklist

If your office uses Microsoft 365, you already have access to some robust cybersecurity features that you may not even be aware of. Scroll to the bottom download our checklist to learn about the most powerful features you’re already paying for, and how to implement them.

Get cyber security certified

Starting as a pilot program back in the summer of 2021, the Canadian Centre for Cyber Security has rolled out their CyberSecure Canada Certification program. It’s built on 13 low-cost, easy-to-implement security controls identified specifically for SMEs, to help reduce risk and improve incident response.

Top threats, both new and old

Here are some of the new and emerging threats you should be familiar with:

  1. HermeticWiper – This is a new, disruptive malware that has been used to target Ukrainian organizations. It penetrates a system and proceeds to wipe all data, making it unrecoverable.
  2. Phishing – Hackers are using machine learning to write more convincing fake messages in the hopes that recipients will click on a link to install malware or compromise data and networks.
  3. Ransomware – A company or institution’s database is held hostage for ransom, with the attackers demanding to be paid out in anonymous cryptocurrencies.
  4. Cryptojacking – After clicking on an unknown link or visiting an infected website, a coin miner program is secretly installed on a victim’s computer, allowing criminals to use their computing power to mine for cryptocurrency.
  5. IoT Attacks – Any smart device connected to the internet is vulnerable to infection or takeover, including routers, webcams, manufacturing equipment or medical devices.
  6. Third Parties – Vendors, contractors, and other external partners pose risks as they may not have the same security resources as their clients and are a possible weak spot.

Think about ditching the castle-and-moat model

Pre-2020, the traditional IT network security theory was the castle-and-moat model, whereby anyone inside the network is permitted to access data, while everyone outside is prevented from accessing applications and information. Users inside the business’s network are trusted by default. The problem is that once an attacker gains access to the network, there’s no stopping them.

Experts are warning that this model has become obsolete for many organizations with the migration of business to the cloud, the distribution of workers, and interconnected systems between organizations. They recommend a new model, Zero Trust, which requires strict, continuous identity verification for every person and device accessing a resource – essentially “trusting no-one”, whether they are inside or outside of the private network. Users also connect directly to the apps and resources they need and can only see the most essential information their security clearance permits. Every connection is also severed, including encrypted traffic and files, so it can be inspected for malware and ransomware in real-time before it reaches its destination.

It’s definitely worth discussing with your digital security or IT team if now is the time to rethink your company’s cybersecurity model.

Brace for impact

Being conscious of cybersecurity means building solid policies and procedures for the entire lifecycle of information that you collect – including how data is gathered, stored, secured, and deleted. Keep in mind that a breach, according to experts, is a question of when, not if. Every company should be prepared with plans, controls, and detection measures to ensure that when a breach occurs, they can respond quickly and minimize damage.

The Canadian Centre for Cyber Security also releases alerts and advisories of real-time cyber security threats that impact Canadian businesses, which you can access here.

Keep fraud in mind

It’s undeniable, both personal and corporate fraud attacks have been on the rise during the pandemic. Key pressure points making businesses more at-risk right now include:

  • Fast-tracking new suppliers and other business partners
  • Increased government support programs
  • Changes in resources and job losses

As things settle back to normal and businesses reopen, it’s wise to focus on boosting internal controls and anti-fraud programs that may have been cut during the pandemic. If your company is embracing hybrid work, internal controls and separation of duties will need to be redesigned to accommodate remote work and prevent blind spots. Employers should review processes to ensure layoffs or business changes haven’t left holes in employee responsibilities.

Embracing paperless banking and electronic signatures means companies will have to consider who has access to signatures and who can document the necessary approvals. Splitting responsibilities by separating who has access to bank accounts and records from who can review them is one way to prevent fraud.

Worryingly, companies are also reporting a reduction in fraud training for staff and many say they don’t even have a fraud response plan in place.


TransUnion estimates that suspected fraudulent digital transaction attempts against businesses worldwide increased 46% in March 2021 compared to years prior. And spillover from cyber attacks against Ukraine are going to have global consequences. As your business embraces digital transformation and remote work for the long term, cybersecurity and fraud prevention must be part of your planning, especially with heightened activity and risk.

Because financial fraud looks different for every industry, it’s best to work with a partner who understands your internal processes and controls.

Learn more about recovery leadership, in a post-pandemic world.


Q&A with Partner, Jennifer Chasson

Q&A with Partner, Jennifer Chasson

With over 25 years of experience and 100+ successful transactions under her belt, Partner, Jennifer Chasson, brings invaluable expertise to the table. Whether it’s guiding as an advisor, mentor underwriter, ...