With new cyber attacks forcing Canadian companies to spend billions in response, it's a matter of when, not if, your business will be targeted

Small business security used to be a strong lock on the door, a guard, and a few security cameras. These days it’s often lines of code that stand between thieves and your money.

One out of five Canadian businesses experienced a cybersecurity incident in 2017, according to Statistics Canada. Prevention, detection and recovery from incidents cost a total of $14 billion that year.

RBC Chief Information Security Officer Adam Evans says small- and medium-sized businesses need to assume that they will be the target of cyber thieves. “It’s not about if; it’s going to be a when scenario,” he says in the “How to Protect Your Business from Cyberfraud” podcast.


Listen to this podcast for more details on what you need to know about cyber crime and how it can affect your business.

Surprisingly, many businesses still don’t take steps to protect themselves. Only 54 per cent of small businesses provide cybersecurity training for their employees according to the Canadian Internet Registration Authority (CIRA), even though phishing attacks, which directly target employees, are the most common.

Some businesses cope with these threats by outsourcing their cybersecurity to consultants or contractors, but many smaller business owners may not feel they have the resources to do so.

With attacks sure to increase in frequency, here are three ways to protect your business against cyber crime:

Identify Risks in Your Business

Think about your business as a whole, and where potential weaknesses might be.

  • Make sure you secure customer data and have up-to-date software throughout the system.
  • Download and install the latest security updates on all your devices.
  • Back up data off-site to protect against a potential attack by ransomware, which freezes your system until you pay the attacker.


Businesses should also consider any other partners or subsidiaries in their networks that could be used as an entry point for thieves.

“If I was a threat actor,” says Evans, “chances are, going after a smaller business is going to require less effort and less sophistication.”

Good internet hygiene can also be a strong line of defence. This can include using different passwords for different platforms, and not using public Wi-Fi for financial transactions or sensitive work functions.



Educate and Make Employees Aware

While employees can be a business’s greatest asset, they can also be targets for cyber scammers looking for information to get them into your network.

The weakest link is still really the first line of defence, which is the employee or the individual.

Adam Evans

It’s important to make sure all employees are on the same page regarding company policies and are kept up to speed on potential risks and emerging scams. Adam points to phishing and spear phishing as two types of attacks that target employees.

Phishing involves setting up a fraudulent website, usually reached through a link sent in an email, to steal login credentials. With spear phishing, the idea is to get the victim to click on a link, which hackers can then use to infect the system with malware.

“In the cyber world, it’s those social engineering techniques that allow threat actors to profile and start to surgically target organizations or individuals,” says Evans.


Have a Plan

If a cyber attack is a foregone conclusion, it’s important to have a plan in place in order to minimize potential damage. During a cyber attack, have a plan to protect customers, employees and the organization as a whole.

The first step is to have a response plan that covers which parties need to be part of the decision process as the attack unfolds.

Take advantage of the fact that you control the messaging to make sure your customers and employees know and understand how you’re acting in their best interests.

After the attack, it’s important to be up front about what’s happened, says Evans. “Owning the breach is a critical part of it,” he says. “If you do those things (right) you maintain a level of integrity and trust with the community that you service.”

Combat Cyberfraud Checklist:

Many small businesses may not have all the resources they need to have a strong cybersecurity posture. But by implementing simple cybersecurity practices throughout the organization, small and medium businesses can safeguard their information and data.

  • Establish security practices and policies to protect sensitive information.
  • Explain policies and standards to employees so they understand why they are in place, how they apply, and the risks to themselves or the organization if they don’t follow them.
  • Educate employees about cyber threats and how to protect your organization’s data.
  • Back up data so that if your company is attacked by ransomware, you may minimize the impact. The best way to back up files is on an off-site system that continually creates new versions of all of a company’s data.
  • Stay current. Software and hardware manufacturers routinely issue updates and what are called patches to improve security. Every device at a small business needs to have all updates and patches downloaded and installed.
  • If you don’t have the internal resources to build and maintain your company’s cybersecurity defenses, consider hiring consultants or third-party vendors who specialize in helping small/medium businesses with their cybersecurity needs.
  • Think beyond the systems. Companies can be attacked through other businesses and vendors. Do your due diligence and check with anyone who links into your systems about the steps they take to protect their data.