As a business owner, you’re accustomed to taking on risks and skillfully maneuvering around unexpected challenges to protect your business, and 2020 has brought its share – including rapid pivots in strategy and operations. Many small businesses have had to make radical changes, including how they work with clients, suppliers and their employees.
This rapid digitization has brought many unexpected wins, efficiencies and opportunities, as businesses quickly adopted new processes, technology and policies including support for staff working from home, virtual storefronts, online payment systems, VPNs, messaging tools, collaboration platforms, file management, and video conferencing. Yet the rush to adopt new technology has also brought new risks, especially on the cyber front.
With operations starting to adjust to the “new normal,” now is the time to make sure any pivots haven’t left your business vulnerable and opened the door to cybercriminals. In this conversation, RBC’s Chief Information Security Officer Adam Evans shares the top threats small businesses are facing now, plus the steps you can take to protect your business and recover from cyber incidents. As he points out, it can be difficult to understand, predict and manage the cyber risks to your business in today’s landscape, but there’s also no more important time because “fraudsters don’t discriminate. Fraud affects every sector and size of business.”
The Emergence of Cyber Threats in the COVID Era
According to Evans, cybercriminals are “following the money” right now, playing on COVID-related fears as well as new work-from-home set-ups.
Fraudsters are tapping into anxiety around COVID to improve social engineering for targeted phishing attack campaigns and ransomware. “Click here for urgent coronavirus update” and other such promises have been successful at luring remote workers into online scams. “When you marry that up with the amount of data breaches happening – i.e. there is more information out there than ever before – the environment is very target rich for fraudsters,” says Evans.
Given physical restrictions and virtual work/life requirements, hackers are also taking advantage of the increased use of mobile devices to hack and hijack smartphones. They are also seeking ways to exploit businesses whose staff are working and communicating in different ways, for example using home computers, personal mobile devices and home internet for work instead of more secure corporate-supplied devices and networks. All of this can pose privacy and security challenges and make it easier for criminals to intercept or access your confidential documents, financial data and information capital.
How do you know if your business is a victim?
It’s not always obvious if your business has been attacked. In fact, you might only find out after the fact that you have been compromised. Statistics show that cybercriminals are typically present in business environments for 200 days before owners realize they have been attacked.
Some events, of course, are more obvious, and Evans calls ransomware the ‘flavour of the day.’ “What we’re seeing is that a cybercriminal breaks in through email or malware. Once in, they will collect a bunch of sensitive information, which they will then move outside of the organization.” Fraudsters can then either sell the data or encrypt your business devices in an attempt to extort you into paying to get your data back. In these cases, the attacks are evident. But your next steps aren’t always clear.
Learn more about Business Email Compromise.
What You Can Do To Protect Your Business
As you might expect, there are steps you can take to keep cybercriminals out and protect the most important elements of your business. But as Evans cautions, it’s just as important to prepare for a quick recovery. “A cyber-attack on your business isn’t a question of ‘if’ but ‘when’,” he says. Here are five things to consider:
1. Prioritize what you’re protecting
As a first step, Evans recommends that you understand your company’s most important assets – what experts call the “crown jewels”. Is it intellectual property? Data? Brand? Payment systems? Understand the risks associated with what you need to protect so that your business stays viable. “You need to spend your time protecting those crown jewel assets,” says Evans.
2. Align your practices with the risk you’re prepared to take
How is your data stored, backed up and transferred? What software and hardware are you using? Who has access to confidential information in your organization? When you are aware of these key details, you can ensure that your set-up is aligned with the risk you’re prepared to take. If there is a discrepancy, you have the opportunity to adjust your processes before a cyber event takes place. For example, many small businesses have adopted new free or low-cost tools this year – ensure their use aligns with your risk threshold.
3. Train your team and maintain a culture of awareness
When it comes to cybercrime, the “human factor” can be your biggest risk – or your greatest asset. “Education is the most important step to take,” says Evans. Invest time and resources in training your staff. Set expectations for use of technology and data, and help your team understand what they can and can’t do. This can be even more challenging in a new virtual workplace with new tools. Even printing from home or emailing a document to a personal email can pose a risk. Help staff learn your tools, be aware of the risks and understand that everyone has a role to play. Show them what cyber-attacks can look like, what they can do to prevent incidents and how to report incidents.
4. Have a crisis plan in place
It’s wise to think about a cyber-attack as an inevitable event rather than an unlikely occurrence. That’s why it’s critical to have a plan in place, so you know the roles and responsibilities of your team and who to call for help. Like a fire escape plan, run through scenarios and practice your response. And don’t let the plan gather dust: review it regularly for new threats and get expert help to close any gaps.
5. Have a team on standby
Consider putting a crisis management firm and/or legal firm on retainer to help you manage through cyber events. Having someone to support you through the process will be critical to recovery.
While cybercrime isn’t new, 2020 has introduced fresh opportunities for fraudsters and new risks for businesses. Understanding what the risks are, how to protect your business and how to recover quickly can help mitigate the impact and keep your business, your employees and your client data safe.
Learn more: rbc.com/cyber.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.