When the recent cyberattack on Sony Pictures Entertainment released huge amounts of internal company data into the public domain, it sent large corporations scrambling to beef up security in hopes of avoiding being the next victim of a debilitating public relations nightmare.
Theft from businesses is nothing new; however, theft of data and information is still a new threat for the average business owner. Public Safety Canada estimates that over a one-year period as many as 86% of large Canadian organizations suffer a cyberattack, and the number of attacks has been growing since 2006.
But while large corporations usually have plenty of money to throw at the problem, small and medium-sized enterprises (SMEs) aren’t usually as lucky. Richard Frank is a Simon Fraser University professor based part-time out of the Surrey campus. He holds PhDs in computing science and criminology, and his main area of research is computational criminology, cybercrime, hackers and security issues, such as online terrorism and warfare. Frank said SMEs are prime targets for internal data breaches and are much more vulnerable than larger organizations.
“Depending on size, if an SME is small enough, or lax enough about their security, then they might not even have sufficient internal checks in place to catch internal attacks. Due to resources available, they will have to rely more on their employees.”
Criminals can now sell stolen information online, such as credit card numbers, login passwords for computer servers and malicious software designed to infiltrate and damage targeted systems. Frank said the average small business that stores its information electronically needs to realize its data security is now just as important as putting locks on the doors and bars on the windows.
“An SME will not have sufficient resources to dedicate to security, so rather than develop this internally, they should outsource it to the professionals who do have the expertise to do it properly. If a company sells widgets, they should focus on selling and supporting. But they could outsource their store, the browsing of product, the shopping cart, to a company that has done it properly rather than implementing everything on their own.”
Frank added that a key cybercrime issue now is that many smaller hacks go unnoticed. Statistics are therefore tough to accumulate when the crime goes unreported.
“With physical goods, if it’s stolen, the evidence is clearly visible: it’s missing. However, duplicating personal information will not deprive the owner of that information. So if the theft is done carefully enough, the owner will not even notice it because their information, credit cards, are still there. There’s a copy somewhere else, true, but this theft can go unnoticed until someone uses that information, which could be years down the road.”
According to the Center for Strategic and International Studies, cybercrime is estimated to cost the global economy about US$445 billion annually.
Sgt. Laurie White of the RCMP’s Federal Serious and Organized Crime division said the best way for smaller businesses without dedicated cybersecurity employees to protect themselves is through education.
“Safety precautions do not necessarily have to be costly,” said White. “There are many simple ways to protect your business, including training your staff on counterfeit currency, taking basic security precautions with debit and credit card transactions and increasing your awareness about the ever-changing types of Internet scams and frauds.”
