Ian: Welcome to the Business Coach Podcast, an advice-oriented series that tackles the hot issues and opportunities facing Canada’s small businesses. I’m your host, Ian Portsmouth, the Editor of PROFIT Magazine and we’ve developed this podcast in cooperation with BMO Bank of Montreal.
How safe is your company from hackers, computer viruses, malware and many other threats that lurk in cyberspace? It’s a critical question to ask yourself in the hyper-connected information age. But it’s also a difficult question for many small business owners to answer. For one, it’s tough for busy entrepreneurs to stay on top of the latest developments in computer crime. Moreover, the threats are largely invisible but that does not mean they’re not there. In fact, the San Francisco-based Computer Security Institute reported in its most recent annual study that cyber-losses are again on the rise after five years of decline. So what do you need to know about the threats out there and how should you respond to them? Here to help answer those questions is Claudio Popa, Founder and President of Informatica Corporation, a provider of Information Security services and Privacy Consulting based in Toronto. Claudio, welcome to the Business Coach.
Claudio: Thank you very much.
Ian: So how safe do you think Canada’s small and mid-size businesses are from computer and online security threats?
Claudio: Well, you know Ian, from my perspective, they are about as safe as any other company. However, the fact that their resources are quite limited and they’re leveraging them far less than larger organizations makes them prime targets for crimes of any kind, anywhere from high-tech crime to the lowest types of fraud and theft.
Ian: Now I think most entrepreneurs would think that, you know, I am not Coca-Cola, I am not McDonald’s, who would want to target me. But in fact they do get targeted. Correct?
Claudio: They do. And the reason for that is that all the good criminals know that there is a definite lack of monitoring. And small organizations are notorious for not spending money on security monitoring, security management, privacy controls, the verification of the effectiveness of these controls. So essentially, they tend to buy commercial technologies that address some sort of security issue and under-utilize that technology. So the effectiveness of those tools is greatly diminished.
Ian: Now, can you put a number on the threat to Canadian businesses or specifically of the small business sector?
Claudio: I can’t put a particular number on it. We know that last year’s losses were around the 20 billion dollar mark from all sorts of security issues anywhere from computer theft, hacking to fraud and online breaches but that’s from across North America. So clearly, these are continental studies and not Canadian specific. However, we do know that about 87% according to the Retail Council of Canada of companies have been the victims of fraud, theft and other security issues which include computer threat.
Ian: It’s definitely a huge number no matter how you present it.
Claudio: Well, speaking of huge numbers, Symantec released another huge number of 1.1 million code threats. So you know how their antivirus security works, they look for signatures. And they’ve reached the point where they’re actually scanning for 1.1 million different types of viruses and malware and spyware and things like that, but the astonishing number there was that almost three quarters of these, some 720,000 variations of these types of malware, were discovered last year alone. So that tells us that the threat is rapidly increasing.
Ian: What exactly is at risk? I think a lot of people think about, say, viruses is something that’s going to shut down their computer for a couple of hours until the tech guy comes and fixes it, but surely a lot more is at stake.
Claudio: Absolutely. Security is a business issue. Security should be looked at as an operational priority and that’s really the reason for the fact that there is reputation damage, there is money on the line, there is lost time and productivity as you say. There is really an impact on the business’s competitive posture. And in many cases, when trade secrets are at risk, the entire existence of the business can be put in jeopardy.
Ian: Can you give us an example of a company that you’ve worked with that has suffered a security breach?
Claudio: I can give you an example of a situation that we’ve worked with. In one instance, quite recently, we were called in to do some remedial action following a breach and when we got there, it turned out that it was an internal disgruntled employee that had in fact copied the entire financial records of the organization, the entire accounting program, all the data, all the archived data as well and had shared it with the public through the internet. So we had to figure out how that was done and how to contain the issue and of course how to prevent it in the future. Now this is a pretty common scenario simply because internal employees often have access to more information than they need to do their job. And that’s one of the tasks that should be high on the manager’s priority list. But it’s not just internal threats that are the issue here.
Ian: Do you want to name some of the bigger threats that Canadian small businesses face?
Claudio: Sure. The third biggest threat I would say is in fact the most visible one and the things that you read about in the papers, which really have a lot to do with what I said before: hackers, viruses, malware. Essentially we clump these together into a group of external sources. So threats from external sources I would say are number three. Number two, I would say are threats from internal sources. Anything from, you know, disgruntled employees to partners and third parties to suppliers and various individuals with privileged access. And unfortunately, what we find as the biggest area of risks for Canadian businesses is really themselves. So we find that a false sense of security is what causes a lot of the preventable breaches that we are seeing on a daily basis. So, it really, we are going back, especially in the SME space, we’re going back to this idea that a lot of companies have budgets, small companies do have small budgets for purchasing preventive tools and solutions, but unfortunately because they mismanage them and they don’t configure them adequately, they get, one, the sense of security that shouldn’t really be there and secondly, they end up having a solution that is largely ineffective and can’t be used for anything from detecting these threats as they are occurring to leveraging the information and using it in court to, say, prosecute someone that they found stealing their information.
Ian: So it sounds like the simplest thing that companies can do to protect themselves is to simply assume that they’re exposed to more danger than they actually think they are.
Claudio: Really what they need to do is not panic and take a best-practices approach which really includes conducting an internal security review to figure out where their areas of risk are and secondly, as part of the same study, they really need to take a look at the resources that they have including their most valuable resource which is people and see how they can better leverage them to secure themselves and to make everyone more accountable. So that’s a two-prong type of solution that we always recommend because it’s not always how much money you throw at the problem, it’s really how you address it.
Ian: And finally, most SMEs do not have much in the way of IT expertise on staff. And if that’s their case, where should they go for help?
Claudio: Well that’s a two-prong issue there. Some of them do have IT expertise on staff but they certainly don’t have security experts whether they’re IT security experts or otherwise and the ones that don’t can hire externally. For example, organizations like ours, like Informatica, tend to provide small businesses with services, and I don’t mean to sound like a commercial here but essentially, we take some of the solutions that are available to enterprise-class businesses which put a lot of pressure on their suppliers and their smaller partners anyway and we scale down those services in order to apply to the budgets and to the priorities of small businesses. So those solutions are certainly available whether they be in a sense of, in a way of a managed service which is all done remotely and it’s really quite simple, from a subscription base service all the way to having, you know, part-time employees or experts visiting every once in a while to make sure that security and privacy compliance are under control.
Ian: That’s great Claudio. Thank you for taking time out for the Business Coach.
Claudio: You’re welcome Ian.
Ian: Claudio Popa is the Founder and President of Informatica Corporation, a provider of information security services and privacy consulting based in Toronto.
Well that’s it for another episode of the Business Coach Podcast. You can download other installments in the series from BMO.com, profitguide.com or iTunes. And as always, I would love to hear your feedback and suggestions for future topics. You can send them to firstname.lastname@example.org.
Until next time, I am Ian Portsmouth, Editor at the PROFIT Magazine, wishing you continued success.