
How to protect your business from cyberattacks

8-minute read

From ransomware to data breaches and stolen funds, cyberattacks cost Canadian businesses millions of dollars every year.

While many entrepreneurs think they’re too small to be targeted, cyberattacks can happen to any business at any time. A fifth (16%) of Canadian small businesses and 28% of medium-sized businesses were the target of a cyberattack in the 12 months before November 2021, according to a BDC survey.

By taking the risks seriously and adopting cybersecurity measures to defend against them, businesses of all sizes can protect themselves and their customers.

What are the main cyber threats?

Cyber threats are the dangers caused by cyberattacks. These can be significant and include:

Financial threats: Attacks come with high price tags. 30% of businesses that suffered a cyberattack in the 12 months before November 2021 reported costs of at least $50,000, according to a BDC survey.

Strategic threats: The loss of intellectual property (IP), damage to networks and systems, and more can undermine the ability of a business to compete effectively.

Privacy threats: Data leaks can put personal or private information in the hands of bad actors, with potential harms to customers, employees and the business as a whole.

Safety threats: When a cyberattack damages or takes control of assets such as public infrastructure, human health and safety can be put at risk.

Reputational threats: Public and customer confidence in a business can be severely damaged by a breach.

Even though the threats—and consequences—can be severe, many businesses are unprepared to face them. Only 55% of businesses train their employees against possible cyberattacks, according to a BDC survey.

Common myths about cybersecurity

In many cases, that un- or under-preparedness is due to common myths and misconceptions about cybersecurity.

Cyberattacks won’t happen to us.

Fact: Cyberattacks are targeted and can happen to anyone.

Cyberattacks come from the outside.

Fact: They are often the result of malicious insiders working with outside hackers.

Cyberattacks are unstoppable.

Fact: A methodical approach to cybersecurity implemented through small, manageable changes can protect you.

Technology will keep us safe.

Fact: Technology is an essential tool, but vigilance is still key.

Our industry is safe.

Fact: Every industry can be, and has been, targeted by cyberattacks.

2020 saw an alarming spike in cyberattacks in Canada, and the average ransomware demand increased 170% between the first half of 2020 and the first half of 2021. Smaller businesses are often targeted because they’re perceived to have both valuable IP and extensive funding.

Types of cyberattack

Cyberattacks come in all shapes and sizes.

  • Malware is software that accesses a computer or system without authorization and damages it.
  • Ransomware locks data and holds it hostage until money is paid.
  • Compromised credentials and phishing attacks let hackers steal passwords with the help of malicious insiders or by manipulating unsuspecting users.
  • Cloud breaches target potential security weaknesses in third-party cloud service providers.
  • “Island hoppers” bounce around from a company to its partners and customers, looking for vulnerabilities.

No matter the type, cyberattacks tend to follow a common four-stage pattern.

  • Survey—The target is investigated.
  • Delivery—An attacker enters a system through malware, compromised credentials, etc.
  • Breach—Vulnerabilities are exposed once the attacker is inside.
  • Affect—The attack is launched to cause damage, extort money or extract data.

The results of an attack can be devastating. Hackers targeting the Finnish mental health start-up Vastaamo in 2020, for example, gained access to patient records and sent extortion emails to both the CEO and its patients. They demanded 40 bitcoins and threatened to release 100 patient records a day until the ransom was paid. Months after the breach went public, the company filed for bankruptcy.

4 steps to strengthening your cybersecurity

A four-step approach can significantly strengthen your defenses against cyberattacks.

1. Identify risks

Countering cyber threats starts with asking questions.

  • What are our most valuable assets?
  • Do we integrate cyber risk with overall business risk?
  • What are some potential threats we are facing?
  • Are our current security controls effective?
  • Do we have clear cybersecurity policies and have those been communicated?
  • Do our people understand the impacts of cyber risk and our collective responsibilities?
  • Who is currently responsible for cybersecurity?

Look at people, processes and premises as well as technology as potential risk areas. Identify what’s most valuable—and potentially most likely to be targeted—among your information and data.

2. Create controls

Put in place measures such as malware detection, security protocols and policies, training, data encryption, and asset and supply chain risk management to protect your assets and systems.

Consider implementing the following measures:

  • a formal information security management program
  • malware protection
  • information and security policies, identity and access control
  • staff information security training, security team competence
  • encryption, physical and environmental security
  • patch management, network and communications security
  • asset management
  • supply chain risk management


3. Establish a security culture

Train staff to think in terms of cybersecurity and adopt safe practices: a strong security culture can go a long way toward keeping an organization safe.

Developing the skills of your people internally can take a long time and will entail more than simply having them complete a class. If you urgently need these skills in your team then asking for short-term help from a consultant or specialist may be the best course of action.

4. Monitor and improve

You’ll need to install software or hire a service provider to monitor your network and watch for anomalies and potential cybersecurity incidents before they cause damage.

Over time, you’ll be able to set benchmarks and measure how effective your solution is at responding to threats and keeping systems protected with the latest software.

Create a cybersecurity incident response plan

If a cyberattack does happen, a cybersecurity incident response plan can lower your data breach costs. The plan should cover how you’ll investigate the attack, how you’ll communicate it to partners and customers, and how you’ll notify third parties such as police, regulators or stakeholders.

Most incident response plans will cover six steps.

  • Identify—Find the breach.
  • Contain—Limit damage.
  • Eradicate—Eliminate the root cause of the breach.
  • Recover—Restore systems.
  • Re-assess—Decide what and how to improve.
  • Share knowledge—Transfer knowledge of the attack and how to prevent similar ones in future to other businesses and authorities.

Boost your cyber skills

With some investment of time, training and money, there’s a lot that can be done to prevent cyberattacks and minimize their harms.

Common methods used by attackers to take over a network can be defended against by putting basic cybersecurity controls in place. Making sure you follow a set of standards or getting a cybersecurity certification—such as ISO 27001—will help ensure you have implemented the basics of cybersecurity. It will also signal to your customers and partners that you take security seriously and have invested in processes and systems to protect customer data.

BDC can help you select and invest in cybersecurity with loans to buy necessary technology, hardware or software. We can also help you get your business ready for certification and navigate the certification process by your side.

Don’t hesitate to contact us if you want to get the process started.
