The threat of cyber attacks is all over the news, but almost half of Canadian small businesses surveyed say they do not allocate any portion of their annual operating budget to cyber security. This marks an increase of 14% from 2019, when one-third said they do not allocate any budget to cyber security, according to a new Leger survey, commissioned by the Insurance Bureau of Canada (IBC).

This year, 41 per cent of small businesses that ever suffered a cyber attack reported that it cost them at least $100,000, up from 37 per cent in 2019. However, fewer than half of the businesses surveyed (46 per cent) said they have implemented defences against possible future cyber attacks, and only a quarter say they plan to purchase cyber insurance within the next year. 

Small businesses are a target for cyber crime 

"The COVID-19 pandemic has forced many small businesses to adopt digital processes and move some of their traditional business online," said Jordan Brennan, vice president, Policy Development, IBC. "Unfortunately, this has created increased opportunities for cybercrime. While cyber attacks on larger businesses receive more media attention, small businesses are also a target for online criminals." 

In the first half of 2021, insurers paid out more than $106 million in cyber liability claims, according to the Office of the Superintendent of Financial Institutions (OSFI). Incidents of cybercrime — particularly ransomware attacks — have increased dramatically since 2020, as criminals began to prey on people working from home due to the pandemic. A report by law firm McCarthy Tétrault found that ransoms and the resulting lost productivity cost Canadian organizations an estimated $5.1 billion in 2020 alone. 

Insurance pays victims of many cyber-related crimes 

"Cyber insurance can help victims pay for many expenses related to cyber attacks, such as civil fines, legal damages, forensic investigations, data restoration costs and other expenses to restore their business operations," said Brennan. "Before looking for cyber insurance quotes, business owners should take preventive actions to demonstrate to their insurance representative that they are a lower risk." 

Brennan recommends that business owners follow these steps to help secure their data:

  • Enforce multi-factor authentication on login and network access;
  • Focus on e-mail security: enable attachment scanning, use external sender banners and train staff (or develop a protocol) on spotting and containing malicious phishing attempts; and
  • Run regular data backups and make sure the backups have unique credentials.