Cyberattacks: Small businesses remain in denial
The digitization of the economy, the acceleration of artificial intelligence (AI) and the intensification of geopolitical tensions have multiplied the risks of cyberattacks.
However, many Canadian small businesses still believe that they’re less at risk than large organizations. This denial can be costly.
Hackers target small businesses too
In a poll conducted by BDC in September 2024, 61% of respondents said they agreed with the notion that the larger a company is, the more likely it is to be hacked. This perception is even more common among businesses with revenues of less than $3 million.
Unfortunately, that’s just not the case. For hackers looking to collect $1 million in ransom, it’s often easier to demand $50,000 from 20 small, vulnerable businesses than to attack a large company with the means to defend itself. A company’s size isn’t a good gauge of its security.
The sense of being protected by virtue of having revenue under a certain threshold is all the more surprising given that 73% of small businesses report having experienced a cybersecurity incident, ranging from phishing attempts to denial-of-service attacks.
Chart 1: Percentage of Canadian small businesses that have experienced a cybersecurity incident

Basis: All individuals polled (n=494). Those who preferred not to answer were excluded from the basis for calculation. As more than one answer was allowed, the total exceeded 100%.
Source: BDC
Despite this relatively common experience, more than half of the small businesses polled felt unprepared to deal with an incident. What’s behind this discrepancy?
Assess the risks
Businesses don’t appear to fully grasp the risks. Just as you call on an auditing firm every year for your company’s finances, you should regularly have your network externally assessed for any weaknesses.
This will allow you to verify the security of your infrastructure, the management of your human resources, your governance and your compliance with standards.
Some risks are rarely assessed. For example, the poll showed that one in five businesses have never assessed risks tied to their partners, suppliers or clients. Yet, 40% of respondents reported having been affected by an incident caused by an outside party.
Understanding your risks entails a thorough knowledge of your assets. Only 40% of small businesses believe that they hold, host or use data that exposes them to the risk of a cyberattack. Yet anyone can be hit by an incident. The discrepancy is even more striking given that the vast majority of small businesses don’t have an asset register or an up-to-date inventory of their data.
Take preventive action and develop a response plan
Conducting a comprehensive assessment of your cybersecurity measures will allow you to analyze your prevention efforts. In the last few years, companies have invested heavily in IT tools, such as firewalls, anti-virus software and monitoring software. This is a sign of progress, but it must be accompanied by secure behaviours.
The poll showed that only two in five small businesses have implemented cybersecurity training for their staff. This is cause for concern, as one-off training sessions aren’t enough. Efforts to raise awareness about good reflexes need to be carried out repeatedly and often in order to be effective.
Chart 2: Tools and measures implemented and currently used by companies (% of small businesses that use them)

Basis: All individuals polled (n=484). Those who did not know how to answer were excluded from the basis for calculation. As more than one answer was allowed, the total exceeded 100%.
Source: BDC
Beyond prevention efforts, when it comes to responding to an incident, there’s plenty of room for improvement. The poll revealed that only 11% of businesses have a formal response plan, while 37% have an informal plan and 52% have no plan at all. Even where a plan exists, it is rarely tested: only 30% of those businesses report having done so.
Define roles in the event of an attack
Without a clear roadmap for managing a crisis, you could waste precious time and struggle to recover from it. Your plan must clearly define the roles and responsibilities in the event of an incident in order to minimize damage and quickly resume operations. If your management team is overcome with panic, hackers will have free rein to do widespread damage.
Does your company have a list of assets? Has it put in place systems to detect problems in real time? Is someone reachable 24/7 in the event of a problem? It’s important to ask yourself these types of questions.
Lastly, you must consider how you’ll resume operations following an attack. What area of the company needs to resume operations first once the worst is over? Production? Human resources? What is your protocol for ensuring total decontamination? All of these aspects need to be addressed in a business continuity plan.
Highly variable costs
Your level of preparation can affect how long it takes to resume normal operations and, as a result, how much the attack costs you. The poll suggests that small businesses that experienced an incident recovered quickly (in less than a week for the most recent incident in 76% of cases). However, this is likely due to the large proportion of phishing attempts among the reported incidents. Once an attack has actually done damage, recovery often takes more than two months. The costs follow the same pattern: six- or seven-figure bills aren’t unusual, particularly if a business has to bring in crisis managers or lawyers.
Chart 3: What were the impacts of your company’s most recent cybersecurity incident?

Basis: Individuals who experienced a cybersecurity incident (n=364). Those who did not know were excluded from the basis for calculation. As more than one answer was allowed, the total exceeded 100%.
Source: BDC
Regardless of the severity of the incident, this poll is a reminder that cyberattacks are now a day-to-day reality for entrepreneurs. There’s no shame in talking about it. In fact, sharing your story can help businesses become more vigilant. Ensuring the longevity of your business also means never taking your IT security for granted.
Next step
We can help you develop a business continuity plan to ensure that your company remains resilient. We can also assist you in implementing best practices to protect your company from cyberattacks. Contact us to learn more.
Note: The poll was conducted online in September 2024 among business owners and individuals responsible for business decisions on the BDC ViewPoints panel.