TLDR
- Cybercrime is a significant and evolving threat to all businesses, regardless of size. The cybercrime industry is expected to reach $10.5 trillion USD in 2025, and one in five Canadian businesses has already been targeted.
- In this article, Adam Evans, RBC's senior vice president and Chief Information Security Officer, shares insights and advice for Canadian business owners on how to prepare for and protect their business from cyber threats.
- Advice in this article includes understanding the risks associated with AI adoption in your business; identifying which sensitive assets need to be secured; the importance of verifying contacts before sharing information; tips for implementing response protocols; and free resources you can leverage.
Cybercriminals are counting on Canadian businesses to underestimate the risks.
Contrary to popular belief, they don't just target organizations with significant resources or in critical sectors; in fact, they often find more success going after small and medium-sized businesses that have fewer resources to defend themselves.
“Canadians often think, ‘I run a small business, or I’m an individual, I’m not interesting to them’,” explained Adam Evans, RBC’s senior vice president and Chief Information Security Officer. “The reality is everybody is interesting to them—they are casting their net as wide as they possibly can—and it’s a numbers game to them.”
In an online conversation titled Protecting Your Business in a Digital Age with Roger Howard, RBC’s Executive Vice President of Regional Banking, Evans explained to commercial banking clients how cybercrime has evolved from mom-and-pop operations to a sophisticated global industry.
What are the risks of cybercrime to Canadian businesses?
According to a study by Cybersecurity Ventures, the cybercrime industry is expected to reach $10.5 trillion USD in 2025, which would make it the world's third-largest economy after the US and China.
Here at home, one in five Canadian businesses has been targeted, and one in seven has lost money to payments fraud in the last six months, according to a report by Payments Canada. In a recent TransUnion survey, Canadian business leaders reported fraud losses equivalent to 7.2% of their revenues, an estimated $111 billion CAD over the past year.
Part of the reason why those losses are so high, according to Evans, is that businesses too often underestimate the risks, and too often under-invest in protecting themselves.
“We refer to it as the ‘cyber poverty line’,” he said. “The criminal ecosystem of this industrialized complex is outpacing businesses, so companies are falling below that poverty line, and when you fall below it, the chances of you getting compromised have increased pretty drastically.”
Hope for the best, but plan for the worst when it comes to operationalizing your business’s cybersecurity protocols
The unfortunate reality is that for most Canadian businesses, being the target of a cybercrime—like fraud, ransomware attacks or identity theft—is less a matter of “if,” and more a matter of “when.”
While we all hope for the best, Evans says it's critical for businesses to take the time to create and communicate a plan for the worst.
“This becomes part of the plan; what do I do when I have a compromised credential?” he said, adding that knowing which accounts are compromised and changing passwords immediately is critical. “It’s those basic things that really move your security in the right direction, and you would be surprised at how many people actually know what to do, but aren’t necessarily operationalizing it or making the decision to take that step.”
Thanks to their successes, these criminal actors now have the resources to use cutting-edge technologies like artificial intelligence (AI) to carry out attacks more effectively.
Here’s how Evans advises organizations of all sizes, industries and geographies to protect themselves from an increasingly sophisticated and well-funded cybercriminal industry.
1. Don’t underestimate the threat of cybercrime to your business, especially when it comes to AI
The first step in protecting your business, according to Evans, is understanding the size, scale and speed at which this global industry operates.
“Canadians, they’re going through fatigue—security fatigue, fraud fatigue—and this is a real problem,” warned Evans, emphasizing that cybercrime became a $10.5 trillion industry “because they’re good at it.”
Furthermore, Evans warns that each new wave of innovation comes with unique threats, and that businesses rushing into AI adoption could be inadvertently introducing new risks.
“In the business world, we sort of run afoul of rushing in to adopt these new technologies without really understanding how we’re going to secure them,” he said, adding that he saw the same pattern play out in the early days of cloud computing. “We started to see compromises happening in cloud-based environments, and AI will be the same thing—we’re going to rush ahead, we’re going to start to consume, but we haven’t necessarily talked enough about the safe enablement of next generation AI.”
When it comes to safe and responsible AI adoption, Evans emphasizes the importance of maintaining a clear understanding of what data it can utilize, who has access to those tools, how they’re going to be used, and whether the business benefits outweigh the cyber risks.
“You need to start to ask some basic questions like: If you’re going to automate something through AI, is there a risk of losing the data? Is there a risk of compromise with your organization? What steps have you taken to secure it?” he said. “If you start asking those questions, and you start really thinking your way through how you want to implement protection, it puts you further down the road as far as your overall security.”
2. When it comes to cybersecurity measures, know what needs to be secured
While there are many tools and services businesses can onboard to beef up protection, some of the most important steps come at no cost—they just require a little bit of time and energy.
Cybercriminals won't burst through your front door brandishing a weapon and demanding access to the vault, but like traditional thieves they are likely to go straight for the most valuable goods.
That is why Evans suggests starting by taking stock of your most critical assets.
“The first thing is understanding what you need to secure—your most sensitive information assets, your most sensitive accounts,” he said. “That could be email, that could be your financial platform that you’re using for payroll, whatever it may be—just take stock of where those things are and how people access them.”
With an understanding of what your informational valuables are, and who holds a "key" to those vaults, business leaders can apply basic but important cybersecurity practices to them.
Those include enabling multi-factor authentication on every sensitive account, using a unique password for each account, and using a password manager that generates and auto-fills complex passwords and warns you when one of your credentials turns up in a known breach. Where a service offers it, an authenticator app or hardware security key is a stronger second factor than a code sent by SMS.
Read more: How to protect your business and employees from password fraud
“Make sure that your systems are set to auto-update, make sure that you’re running security software, make sure that when you’re doing critical business services—maybe running your payroll—you’re on a trusted network,” he said, adding that accessing those secure accounts using public WiFi is not advised. “Pick and choose the time where you start to do more of those sensitive activities.”
3. Validate and verify who you’re speaking to before sharing sensitive information
Some of the most common, most effective, and ultimately most damaging cyber-attacks against businesses involve the impersonation of trusted institutions and contacts.
For example, if a supplier's email account is compromised, attackers will use it to send customers convincing invoices or payment requests that direct money to accounts the attackers control. In recent years, Canadian banks, logistics providers and even the Canada Revenue Agency have been among the most spoofed contacts, and Evans says the impersonations have gotten harder to detect.
When a seemingly trusted contact calls requesting payments, authentication codes or sensitive information, Evans says the best thing to do is call them back using a trusted phone number, like the one on the back of your bank cards.
“The power and the dynamic can be shifted if you hang up the phone, you find the right number to call, and you call in,” he said. “If it’s your relationship manager, your personal bank or something along those lines, you can set up some sort of pass phrase so you can authenticate each other over the phone.”
Evans warns that fraudsters prey on human vulnerabilities and often try to incite a sense of panic to cloud their victims’ judgement.
“Take a breath, hang the phone up, call the right number—it’s on the back of all your cards and collateral that you get from your financial provider—and then you can start the conversation and know that that conversation is starting from a safe place.”
4. Plan out the steps to take in response to various threats
Cyber criminals used to spend days or weeks inside a compromised network before they found what they were after, such as reused passwords or a path to other systems; now they are getting there in minutes.
Two metrics capture this. "Dwell time" is how long an intruder is inside a network before being detected, and according to the Canadian Centre for Cyber Security it dropped from 16 days in 2022 to 10 days in 2023. The minutes-scale figures measure something narrower: how quickly an intruder moves from the first compromised system to the rest of the network. As of January, studies put that at just 48 minutes, and according to Evans it has since dropped to 18 minutes.
“Once they are in, they start moving through the organization, wherever they happen to be, and they start looking for your most sensitive information assets,” Evans said.
With just minutes to react, it’s critical for organizations to know how to identify when their systems have been compromised, and what to do about it.
Read more: How to respond if you suspect your business has been targeted
"If you're talking about something like ransomware, disconnecting from the internet may be the first thing that you do to stop the threat actors from encrypting your environment," he said. "If you find something on one of your corporate systems at work, unplug that corporate system from the network, but leave it powered up, because you're going to need to bring in a firm that's going to do some forensic analysis for you to help you try to figure out what has happened."
If there is any risk of financial fraud, Evans advises reaching out to your financial institution to inform them of the breach.
“Let them know that you have a problem so they can start to freeze things like your cards or your credit products, so cyber criminals have a harder time using the information that they harvested to commit fraudulent behaviour or do identity takeover and those sorts of things,” he said.
Next, he suggests reaching out to the Canadian Centre for Cyber Security for guidance on recovery and on reporting the incident to law enforcement. Businesses may also choose to hire a private cybercrime recovery firm for professional assistance; do your due diligence first and make sure the firm is reputable and reliable.
5. Take advantage of the cybersecurity resources at your disposal
Canadian businesses that are the target or victims of cybercrime don’t need to proceed alone.
Today there are a range of resources offered by governments, banking partners and private cybersecurity providers that can offer guidance and clarity in the event of an attack.
For example, the Federal Government’s Canadian Centre for Cyber Security offers free checklists, guides and toolkits for businesses of all sizes; RBC’s Be Cyber Aware offers free information about the latest threats to businesses, and law enforcement agencies often inform the public of significant risks.
“This doesn’t have to be a costly endeavour,” Evans said. “You want to have an information security policy. You want to have some standards that you hold your technology teams to so you can guarantee a level of hygiene in the environment, but those things don’t have to be super complicated.”
Read more: Are you prepared? 3 essential cyber security practices for business owners
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.
