Two-thirds of small businesses can't spend on cybersecurity: study

Due to the pandemic, two-thirds of small-to-medium-sized businesses in Canada have not been able to spend on cybersecurity infrastructure, says the Canadian Federation of Independent Businesses (CFIB) in a report. Experts say that if businesses aren’t able to upgrade their technology, they need to be made aware of the free tools that can help protect them online.

Jasmin Guénette, vice-president of national affairs at the CFIB, said in an interview that while two-thirds of businesses didn’t spend on cybersecurity, one-third spent on average $6,700.

“That in itself is remarkable,” he said. “At the beginning of the pandemic in March, 80 per cent of small businesses were partially or fully shut down. Now it’s only 47 per cent of businesses that are fully open and those businesses just don’t have the financial means at the moment to invest.”

He said that those businesses that didn’t invest may already have the IT infrastructure necessary and maybe “they don’t feel they need that extra investment.” He added that these businesses should do an internal review on whether they need to spend extra on better technology.

The report indicated that nearly 25 per cent of businesses experienced cyberattacks since March 2020 and that 5 per cent overall saying the attack against them was successful. This means that 61,000 small businesses were victims of cyberfraud, the report said.

Guénette said it’s important for those businesses that can't spend on cybersecurity to ensure they’ve trained staff to avoid fraud and cyberattacks.

“Have at least one or two fire drills,” he said. “It’s important to educate and train and know exactly what to do if it happens. The situation is different from one business to another. We are telling businesses to make sure you have the proper equipment and make sure that your business is protected.”

Sumit Bhatia, director of communications and knowledge mobilization with Ryerson University’s Cybersecure Catalyst, agreed with Guénette and added that the unfortunate circumstance resulting from the pandemic is the inability to spend money on more IT infrastructure.

Bhatia said that most SMEs undergoing a digital transformation are relying on other service providers to assist with their transformation. In many cases, the service providers are not putting security on top of their implementation plans, he said.

The other problem Bhatia noted is that many of these SMEs don’t even know the benchmark for how much to spend on cybersecurity infrastructure. “So while they may be considering [upgrading], they’re not sure where to start and they’re not sure how much to invest and who to invest with,” he said.

“Companies are also being forced to make choices between recruiting or maintaining employees that can work through this period, or thinking about how to invest in infrastructure that allows them to become somewhat digital.”

But he said there are lots of free tools businesses can use to better their understanding of cyber fraud, but small businesses need to be made aware of these resources.

“It starts with awareness. Are you aware of the fundamental steps you can take that actually will not cost you a lot of money with businesses?” he asked, adding that the Cybersecure Catalyst is launching a national program for small businesses on March 1 to help companies build that general level of awareness.

“We want to help them understand what business continuity planning looks like from a security perspective,” he said.

He also added that the Canadian Centre for Cyber Security has free online toolkits.