
Are You Prepared? 3 Essential Cyber Security Practices for Business Owners

By Jared Lindzon

Published October 2, 2025 • 7 Min Read

Having the heaviest door, the most secure locks and the most sophisticated alarm system won’t do much to protect you if you hand a code and key to your attacker.

Protecting your business from digital threats similarly requires more than just sophisticated cyber security technology. Thanks to new innovations like artificial intelligence, perpetrators can make themselves appear legitimate to gain the trust of their victims and trick them into handing over those digital keys.

All it takes is one employee getting fooled one time to compromise not just a company’s digital assets and sensitive data, like banking information, but their reputation among partners and clients.

“In today’s digital economy, Canadian businesses, regardless of size or industry, face a rising threat of cybercrime,” says Adam Evans, the Senior Vice President and Chief Information Security Officer for RBC’s Cyber Operations. “These threats are not only becoming more frequent, but they are also more sophisticated, posing significant financial, operational and reputational risk.”

Organizations of all shapes and sizes are facing increasingly sophisticated cyber threats, but small businesses are particularly vulnerable due to their relative lack of defence resources.

According to Statistics Canada, one in six Canadian businesses were impacted by a cyber security incident in 2023, but that number reaches 73% among small businesses, according to Business Development Canada (BDC). Of those small businesses that were targeted, 41% said that it disrupted business operations, 23% said it led to higher security costs, 20% said it resulted in significant unplanned expenses, and 11% said it caused reputational damage.

1. Business owners: Educate yourself on cyber fraud

When it comes to cyber security for companies, threats can come in many different shapes and sizes, but many seek to gain access to sensitive digital information or systems through deception.

According to the BDC study, 61% of attacks against small businesses were in the form of “phishing,” a type of fraud that tries to trick targets into handing over login credentials, like usernames, passwords, or banking details.

Attackers often send emails from accounts designed to look like trusted sources, for example by replacing a single letter with a lookalike character, or adding extra letters to an otherwise familiar address.

While many of these attacks are perpetrated through mass emails or text messages, some seek to replicate trusted contacts in what’s known as Impersonator Fraud. This more sophisticated form of phishing was the most widespread and costly form of online fraud perpetrated against Canadian businesses in 2024.

Read more: Protect Your Business from Impersonator Fraud: Spot It and Stop It

According to the Canadian Federation of Independent Businesses, half of Canadian businesses experienced fraud in 2024 — most commonly in the form of email, text and phone call scams — and more than a third of them suffered financial losses, which averaged $7,800.

According to the Canada Anti-Fraud Centre, the institutions most frequently impersonated are in government, delivery, retail, health and finance. A 2024 study by Payments Canada also found that one in five businesses fell victim to payment-related fraud in the prior six months, with one in seven suffering financial losses.

The second most common cybersecurity incident targeting small businesses, at 27% according to the BDC study, was malware attacks: pieces of malicious software that, after gaining access to an organization’s network, interrupt services and cause havoc.

The next most common types of cyber security threats affecting Canadian small businesses, which accounted for 12% each, were network intrusion attacks — which attempt to gain unauthorized access to computer networks or company data — and ransomware attacks, whereby a company’s digital assets are withheld until a ransom is paid.

In 2023, businesses in the United States, Canada and Europe paid an estimated $1.1 billion USD in ransom, nearly double the sum of payments made to attackers in 2022. That year, average ransom demands were $2.73 million per attack.

“From ransomware attacks and phishing scams to data breaches and identity theft, cybercriminals are increasingly targeting organizations,” says Evans. “Small and medium-sized businesses are particularly vulnerable as many lack the dedicated cybersecurity resources or technical knowledge [to defend themselves], making them attractive targets for criminals.”

Read more: 5 Key Types of Data and How to Protect Them

2. Establish systems and processes to recognize and help prevent cyber and fraud threats

Protecting your business from cyber security risks requires both technical and behavioural defences.

Read more: How to Protect Your Business and Employees from Password Fraud

On the digital side, organizations should ensure that their software systems are up to date, that their network is secure, and that they deploy the necessary cybersecurity detection and prevention tools to protect their most sensitive digital assets.

On the more human side, reducing the likelihood of a cyber security incident requires proactive employee training so that everyone knows how to maintain strong passwords, how to identify potential threats, what risky behaviours to avoid, and what to do if something smells “phish-y.”

Studies show that 55 per cent of Canadians reuse passwords, and cybercriminals know that too. When a password is stolen in a data breach, those login details are often used to attempt to access victims’ other accounts.

Read more: Social Engineering: The Human Side of Modern Scams

One of the best ways to reduce the risk of cyber-attack at your company is to encourage employees to use different passwords for each account or adopt longer “passphrases.” If remembering lots of complicated passwords feels too cumbersome, consider a password manager like 1Password, which automatically fills in complicated credentials for users once their identity is confirmed.

Employees should also be encouraged to turn on two-factor authentication — which double-checks their identity with a fingerprint scan or code sent by email or text message — for added security, and to avoid public WiFi when using work devices.

Another strong practice is a healthy dose of skepticism. If a supplier or customer starts making unusual requests for sensitive information, for example, encourage staff to take a beat, pick up the phone and verify their identity.

FREE TEMPLATE: Download this verification template to use for your business.

“By investing in cybersecurity awareness for your employees, updating IT infrastructure, incident response planning and implementing best practices such as multi-factor authentication, businesses like yours can build up resiliency against cyber threats,” Evans says.

“When you take a proactive approach, you’re not only protecting business operations and data, but helping to give your company a competitive edge in an increasingly security-driven market,” he adds.

Read more: Is Your Business Prepared? 6 Low-Cost Ways to Help Protect Your Business from Fraud Risks

3. Your business has been hacked – now what? Managing a cybersecurity incident

Implementing these best practices can go a long way in reducing cybersecurity risks, but no business can be completely immune.

Organizations that detect suspicious activity or believe they are being targeted can take a few important steps to thwart an attack or reduce the potential damage.

If the cybersecurity incident is still ongoing, it’s important to secure your systems as quickly as possible. Encourage staff to change all pertinent passwords immediately and, if you use cybersecurity prevention software, contact your vendor to request emergency assistance.

Those who have been the victim of online fraud or scams are encouraged to document the incident as best they can to aid in future investigations. Be sure to save any relevant emails, text messages, website links, receipts, phone records, cancelled cheques, shipping materials or other potential pieces of evidence.

Read more: Fraud Alert: How to Respond If You Suspect Your Business Has Been Targeted

If fraudulent activity has been detected, it’s important to contact the local authorities to report the incident, and your financial institution to prevent further damage and recover any losses. If you bank with RBC and suspect your business has been targeted, contact our dedicated reporting line.

You may also want to submit a report to credit bureaus like Equifax and TransUnion, and the Canada Anti-Fraud Centre. It’s also important to notify any customers, suppliers, employees or other stakeholders that could be compromised.

Make use of these free cyber resources:

This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.
