Cybercrime: Is your small business protected?

Many small businesses have turned to online sales in recent years, even more so during the pandemic. While an online storefront can help you reach more customers, it can also leave your business vulnerable to cyberattacks. 

Cybercrime hits small businesses hard. CFIB research has found that between March and October 2020:

• almost one sixth of small businesses reported having experienced attempted cyberfraud; and
• one in twenty small businesses fell victim to cyberattacks

This translates to about 61,000 Canadian businesses who fell prey to cybercrime!

In 2018, Canadians made over to $57  billion worth of purchases over the Internet – up from just shy of $20 million in 2012. As online business continues to grow, the potential for being victimized by cyber-crime also increases.

What is cybercrime?

Cybercrime, also known as cyberfraud or a cyberattack, is any criminal offence that involves a computer or the Internet as either the target of a crime or as the means used to commit a crime.

Some examples that relate to commercial transactions include:

• Identity theft: Fraudsters hack into databases and steal usernames, passwords, credit card and other personal information, to make illicit purchases.
• Phishing scams to take over legitimate customer accounts: A customer is tricked by an email or bogus website to provide passwords and login information, which are then used to make unauthorized purchases.
• Malicious software, such as spyware and malware.
• Supplier payments fraud: tricks that are designed to make businesses wire money to a scammer’s bank account thinking they are paying a supplier.
• Ransomware: online blackmail that blocks access to your computer, networks, smartphone and demands an exorbitant amount of money to unlock them.

Fraud is the most common type of cybercrime reported to police, representing over half of all Internet-based crime, according to 2018 Statistics Canada data. 

What are the biggest cybersecurity risks to my small business – and how can I prevent them?

There are four main areas that can make you more vulnerable to cybercrime. Being aware of these vulnerabilities, and how they can be exploited, will help you take action to protect your business.

Weak passwords. 63% of data breaches result from weak passwords and most passwords take hackers seconds to crack. 

• Strengthen your passwords by using a passphrase which is a combination of words with letters that only you would know. For example: a line from your favorite movie or song.
• Use a unique password for each account.
• Consider using a password manager to help keep track of your passwords.
• Enable two-factor authentication wherever available. This requires you to input a unique code that is sent to your mobile device for each new login. 

Out of date software. A patch refers to the updates to your software systems, programs and apps. These patches are meant to fix security vulnerabilities and other bugs.  

• When you receive notification of an update to your software, update right away.
• Turn on auto updates if it is available.
• Assign someone to be responsible to ensure all updates are done on all company computers and phones. 

Phishing is one of the main sources of cyber crime with 91% of all attacks starting with a phishing email. An infected email can download viruses or give access to your data and possibly trigger a ransomware event. 

• Learn to identify phishing by looking for inconsistencies or sign it maybe fake – check the sender address, company logos, spelling errors.
• If you are not familiar with the email sender do not click any links or open attachments. 
• Delete the emails and immediately empty the trash folder. 
• If in doubt, find a phone number outside of the email) and call to verify authenticity.
• Keep your data backed in case it is ever taken hostage. 

USBs and Removable media can be problematic with 27% of malware infections coming from infected USBs. 

• Use alternatives to portable devices such as the Cloud. 
• If you don’t know where the device came from, don’t plug it into your computer. 

How else can I protect my small business against cyber-crime?

The first line of defense is being aware and informed about the risks and types of cybercrime out there. For example, not opening an e-mail or link in a text message that looks suspicious. 

In addition to standard common-sense vigilance, businesses are encouraged to monitor purchase trends and keep a very close eye on statements and purchase orders. Watch for deviations from normal sales activities. Software solutions to protect data are also crucial (e.g., encryption, firewalls, anti-virus).

Another option is to protect your business through cyber insurance. This type of insurance covers liabilities that can occur online including data theft and computer viruses such as ransomware. The insurance can help cover legal and civil damagers, crisis management expenses, computer programming and electronic data restoration expenses, business interruption and other expenses. 

Tips to guard against cybercrime

• Stay up-to-date on the risks to your business using sources such as the Insurance Bureau of Canada, the Government of Canada’s National Security and Defence Cyber Security Unit, Mastercard’s Trust Centre, CFIB’s website, and other business associations’ websites and resources. 
• Raise awareness among your employees about cybercrime, and train staff to detect and avoid cyberattacks.
• Share information on scams and best practices for prevention with other business owners in the community directly, and through business associations. 
• Evaluate whether cyber insurance would be advantageous for your business. The Insurance Bureau of Canada has information for business owners about cyber risks and cyber insurance.
• Invest in anti-virus software. There are many reputable brands and the one you choose should meet your business needs. Ask yourself:
  • What is the cost per machine?
  • How easy is it to install? 
  • What is the ease of the day-to-day management?
  • How much support does the vendor supply?
• PCI compliance: Check out the Payment Card Industry Security Standard Council forum, which is a network of global brands, including Visa, MasterCard, and AMEX, who have established best practices for conducting electronic transactions and payment processing.
• Watch for well-known signs of a fraudulent purchase:
  • Unusually large orders placed over the Internet without contact by the customer.
  • Priority rush orders of high-value merchandise, where the customer requests overnight shipping.
  • Missing contact information on an order, or a customer refuses to provide key contact information, such as a daytime phone number.
  • Orders that are set to be shipped to a different address than the billing address. Similarly, watch for billing addresses that are not the same as the information on file with the credit card company. An address verification system (AVS) can block sales where addresses don’t match.
  • Orders from other countries.
• Set limits on the number and dollar value of purchases, using your knowledge of your own business.
• Require customers to enter the three-digit Card Security Code on the back of their credit card.
• If you are suspicious, phone the card holder to confirm the order. If you can’t contact the cardholder using the information you were provided, don’t ship the merchandise. Fraudsters don’t leave phone numbers where they can actually be contacted.

What if I am a victim of cybercrime?

Unfortunately, there is currently little recourse available to you; scammers are often operating in a foreign country which makes it hard for authorities in Canada to investigate. That said, it is still important to report any cybercrime against your business to the Canadian Anti-Fraud Centre.

If your business faces a data breach due to cybercrime that has potential to cause significant harm (i.e., financial loss, identity theft, loss of property, etc.) you are required to report it to the Office of the Privacy Commissioner (OPC), as well as notifying all affected individuals and keeping a record of the breach. 

If you think you may have been a target of online fraud, report it to your local police service and the Canadian Anti-Fraud Centre. Canada’s Competition Bureau is also a trusted resource for information related to fraud and cyber-crime.

The Government of Canada has created an information portal where you can review your online safety practices.

What is CFIB doing?

The government is currently looking at new laws regarding how to manager private information online. CFIB is working to ensure that any new rules and regulations are not overly complex, not costly to implement in your business. 

We have a Savings Program Partnership with Northbridge Insurance, who offer cyber insurance as well as other insurance and legal support products. 

CFIB has partnered with Mastercard to build targeted, user-friendly training for small business owners and their employees regarding cybersecurity. Launching later this year, the new CFIB Cybersecurity Academy will deliver digital lessons on a mobile-first and gamified platform on topics including: preventing ransomware and cyberattacks, recognizing fraud, and identifying and preventing social engineering. 

Watch our member-exclusive webinar “Cybersecurity: How to Protect your business” presented by CFIB and Mastercard by visiting our member portal.