Cybercrime is up over 600 percent since the start of the pandemic, but according to new Mastercard Canada research, only 16 percent of Canadian SMB owners surveyed say they know what to do in the event of an attack. And it’s not just the risk of an attack entrepreneurs should be worried about—data also shows that customers increasingly prioritize companies that care about cybersecurity.
Speaking with BetaKit, Aviva Klein, the Vice President of Digital Payments and Cybersecurity Solutions for Mastercard in Canada, explained the disconnect between the priorities of customers and the actions of SMBs, and how conversations about cybersecurity need to be reframed.
The cyberattack double whammy
Hackers know that big companies may invest a lot in cybersecurity, so the “new vector” they use is hacking smaller businesses in order to exploit the connections they have to larger businesses. This not only puts a large target on the backs of smaller companies, but it could also make enterprises increasingly wary of doing business with unprepared SMBs, stymieing growth efforts.
“Fraudsters and criminals are actually actively targeting small businesses not to get to the small business, but to be able to get to the large business that they have a relationship with,” Klein said.
This means a cyberattack leads to a double whammy for small businesses. First are the actual losses derived from the attack itself. According to Mastercard’s recent survey, SMB owners are most concerned about losing customers (47 percent), losing sensitive data (47 percent), and losing revenue (46 percent). When it comes to underrepresented founders, those concerns are even larger—for example, 72 percent of Black-owned businesses surveyed fear a loss of customer trust; 77 percent of Indigenous business owners fear a loss of revenue.
The second whammy is how customers will perceive you—including choosing to no longer do business with you—after an attack. The majority of consumers surveyed by Mastercard (55 percent) said they have already refrained from making online purchases due to cybersecurity concerns or a past breach, while nearly half (48 percent) would not continue patronizing a business after it suffered a cyberattack.
“When that accounting software does get breached because they didn’t load the latest security [patch], how are they going to bill their customers?” Klein added. “How are they going to know what to build? These are real implications.”
Keeping hackers off your back
Despite the clear consequences for SMBs that have suffered a cyberattack, over half (53 percent) say they cannot spare the cost of adopting new cybersecurity tools. And many of those who are investing in security don’t feel secure as a result: only one-third (33 percent) of SMB owners said they are confident in their cybersecurity tools, while a small minority (18 percent) feel they could fully recover if an attack occurred in the next six months.
The key to bridging this gap between customer expectation and SMB capacity, Klein said, is ensuring solutions are accessible and tangible for entrepreneurs, a job the industry has not been doing very well thus far.
“The cybersecurity industry—many industries, not just the cybersecurity industry—has done a really good job of overcomplicating things and having people not understand [the options available to them],” said Klein. “For small businesses, we really need to watch our language; we need to be able to provide low-cost [or] no-cost solutions that clean up cyber hygiene.”
Klein outlined three simple low- or no-cost ways SMBs can up their cybersecurity game to keep their businesses—and their customers—safer. The first step is implementing stronger internal security protocols, in particular password management and 2-factor authentication (2FA).
Klein noted quantum computing can increasingly crack simple passwords in seconds, so business owners should mandate both password complexity (including letters, numbers, and special characters) and frequently changing passwords (e.g. bi-weekly or monthly). Further, Klein recommended requiring 2-factor authentication (2FA) for all work devices, as it provides a simple additional security layer.
The second step is making a contingency plan so you know what steps you’ll follow if an attack occurs. Even simply documenting the basics—for instance, shutting down networks and reporting the details of the incident—is a way to bring the abstract into reality. And if you’re unsure of where to start, there are a lot of free resources such as the Canadian Federation of Independent Business (CFIB) Cybersecurity Academy, Digital Main Street, and the Global Cyber Alliance’s cybersecurity toolkits and solutions.
“It’s really about demystifying what cybersecurity is and breaking it down into very bite-sized and actionable chunks that people can really wrap their head around and rally around,” said Klein.
The third step is to leverage your technology stack, even if for some small businesses that just means a single invoicing platform. To begin with, Klein said it’s important to keep all software up to date, taking every patch or upgrade offered to you. From there, ask the provider’s support team what they are doing to keep you secure and how you can use their platform in the most secure way.
“Ask questions to your providers,” said Klein. “Like, what happens if I do this? I’d love to post my property on your site, but I’m nervous that this could happen. What do you have in place to protect me? How can you help me?”
The need for a new lens
With the increasing frequency of cyberattacks and what businesses stand to lose, both in terms of the attack itself and customer fallout, Klein said SMB owners need a new lens. In the past, cyber preparedness was commonly seen as a security issue off to the side. However, when you factor in the lost revenues and risk to customer data and trust, it’s no longer an isolated issue: it is your entire business.
“That rings very different than ‘Oh, you should really make sure that you have good cybersecurity posture in place,’” said Klein. “It’s reframing the same issue, but looking at it from a business risk perspective as opposed to a security perspective.”