What would you do if your business was the victim of a cyberattack—and to top it off, you lost half your customers because of it? This double whammy is a legitimate possibility for startups and small businesses, according to new research by Mastercard in Canada: over half (55 percent) of consumers said they’ve refrained from making purchases because a business was a victim of a cyberattack.
Despite this risk, startup and small business owners reported both a lack of confidence in and a lack of desire to budget for cybersecurity solutions. Meanwhile, 50 percent of consumers said they would further support a business that prioritizes cybersecurity, pointing to a gap between SMB and consumer priorities.
In a recent BetaKit Live conversation, three expert panellists—Aviva Klein, VP of Digital Payments & Cybersecurity Solutions at Mastercard in Canada, Darryl Julott, Managing Lead at Digital Main Street, and Charles Finlay, Executive Director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University—discussed the very real business risks of a cyberattack and how small business and startup owners should engage with those risks.
It’s just business
Klein noted that the typical cyberattack can cost an SMB anywhere from $10,000 to $25,000 or more in direct costs to restart and re-establish the business, with the average for large businesses closer to $5.6 million. And with only half of the customers (52 percent) surveyed saying they would continue supporting a business after an attack, the financial setback of a cyberattack can be a death blow to businesses of all sizes.
“If you’re going to be a vendor of any kind to a major organization, now you are going to have to show that you are cyber secure. It’s just part of doing business.”
Yet even with this threat, more than half of Canadian SMBs surveyed (57 percent) have not had any cyber training, only one-third (33 percent) are confident in their tools, and the majority (53 percent) say they can’t spare the cost of adopting new tools.
Despite the concerning statistics, the panel noted that only focusing on the negatives might make cybersecurity seem needlessly complex and scary—potentially freezing entrepreneurs into inaction. Instead, they suggested framing the issue in terms of opportunity.
Finlay noted that larger enterprises and governments include cybersecurity questions on all of their RFPs or other procurement processes. In this sense, ignoring cybersecurity isn’t just about losing existing customers or incurring costs; you are directly inhibiting your business’ growth prospects.
“It’s not a competitive benefit or differentiator,” said Finlay. “It’s a competitive requirement… If you’re going to be a vendor of any kind to a major organization, now you are going to have to show that you are cyber secure. It’s just part of doing business.”
Keep it simple
While the opportunity cost of not doing so might be high, Klein noted that it was a misconception that businesses should start by spending a ton of money or hiring a dedicated cybersecurity team. Starting with no-cost or low-cost actions, Klein added, like complex passwords and multifactor authentication go a long way.
Cybercrime in Canada has increased 600 percent since the start of the pandemic. Small businesses and startups are particularly vulnerable.
Leaders should also understand that the most common scams are socially engineered and employee-focused. Finlay cited email scams where business leaders are impersonated in emails to employees asking them to click a link, provide sensitive information, or directly pay a fraudulent invoice. Julott shared another example of potentially corrupted USB sticks left lying around waiting for employees to connect them to the company’s network.
“We try our best to demystify things with incredibly simple examples,” Julott said, speaking to Digital Main Street’s work helping small businesses with their online presence.
The next step, noted Klein, is adding official policies so employees know what they need to do and why it’s important. If your company is in a position where strict policies might not make sense, Klein still recommends simple documentation—even something like a “top 10 cybersecurity tips” guide.
Regardless of policies or guides, all business owners should also have a “what if I get attacked” plan in place—including the contact information of whom you can report the incident to.
“Every small business can do that now,” said Finlay. “They can do an assessment of what their risk is. They can make a decision about how they want to invest to protect themselves. And they can make a list of phone numbers about folks they’re going to call when it happens.”
Fear-mongering… the right way!
Unfortunately, the rapid growth in cybercrime—600 percent since the start of the pandemic— is unlikely to slow down; as generative AI tools become more predominant, sophisticated attacks are likely to increase.
While much of the panel conversation focused on reframing this issue of cybersecurity in a way that motivates action, the panellists were clear that businesses that are attacked should not feel ashamed. Not only are attacks far too common—and likely— to feel this way, but it is that feeling of shame that leads to underreporting of incidents, impeding the fight against cybercrime. Those who have been impacted by an incident are strongly urged to contact local police, the Canadian Anti-Fraud Centre, and the Canadian Centre for Cybersecurity.
Finding a balance between communicating both the business risks and opportunities remained the consensus conclusion from the panellists on the best way to close Canada’s cybersecurity gap.
“How do we work collectively together as small and large groups to shine that spotlight specifically on cyber and almost forcefully pull it out so it’s seen as a separate, very important item that these businesses need to dedicate time for?” asked Julott. “It’s not just a part of another piece of their strategy.”