Small Business Employees, ‘Frenemies’ Threaten Cybersecurity

Fraud experts warn it could be a business-shuttering mistake to assume an SMB is less susceptible to fraud than large enterprises. An estimated 86 percent of companies around the world experienced at least one cyberattack last year, according to Kroll research, as cited by Insurance Business last week.

“The most devastating impacts of a data breach can only be avoided by both working to prevent a breach and by planning and preparing a response before an incident occurs,” Jerry Thompson, senior vice president of Intersections, told the publication in an interview.

The company just launched its Data Breach Readiness solution designed specifically for small- and medium-sized businesses, which often don’t have the resources to invest in both fraud prevention and mitigation solutions. According to Thompson, employee education is “the best solution for preventing a data breach.”

But new research released by PricewaterhouseCoopers suggests that small businesses still need more education, resources and technology to address the threat of fraud – not only because fraud levels are rising, but also because many entrepreneurs may not even be aware they’ve already been targeted.

“Cybercrimes, a perpetrator can do it in the comfort of their own homes, and just the speed at which technology is moving enables fraudsters to often get the upper hand,” said PwC national forensics leader Domenic Marino in an interview with Global News. “It can have a huge impact on an organization’s bottom line or, often more importantly, on their brand.”

“It can be months before you actually pick up that there’s been a compromise in your system, or someone has been snooping in your system,” added Satyamoorthy Kabilan, cybersecurity expert for The Conference Board of Canada.

This week’s B2B Data Digest examines the data released in PwC’s latest report, “Pulling fraud out of the shadows.”

55 percent of Canadian SMBs have experienced fraud in the last two years. According to PwC, that’s a significant 18 percent increase from 2016 levels. Worse, according to PwC’s Marino, this figure may be misleading. “The 55 percent, that is really just an organization’s awareness of fraud,” he told the publication. “It’s our view that the number is actually much higher. The reason for that is that fraud sometimes hides in dark corners of an organization. It’s not necessarily going to be fraud that makes front-page news.”

46 percent of small Canadian businesses know they’ve been a victim of some type of cybercrime, a higher share than reported asset misappropriation (38 percent) or even consumer fraud (36 percent). Business misconduct, procurement fraud, accounting fraud and human resources fraud were also reported by survey respondents, suggesting that internal fraud is collectively a massive threat to small businesses. Still, researchers found that cybercrime is the “most disruptive” to a small business.

31 percent of small businesses across the globe have been the victim of a cyberattack, meaning Canadian SMBs are more likely than their international peers to have been hit.

47 percent of external agents of fraud were ‘frenemies’ of the SMB, meaning the small businesses that fell victim to external fraud had some type of partnership with the perpetrator. The fraudster, PwC found, may have been an agent, supplier, service provider or customer.

11 percent of businesses hit by a cybercrime have no idea how it happened, though PwC found that malware, phishing emails and network scanning were the most common tactics used in cyberattacks.

64 percent of Canadian SMBs have a response plan in place in case of a cyberattack. That’s more than double what it was two years ago, when PwC found that just 31 percent had a response plan in place.

57 percent of survey respondents said annual or routine processes were what prompted risk assessments, while 48 percent noted it was part of their enterprise risk management strategy. Just 16 percent said their risk assessment was initiated by a specific event, while 15 percent admitted that no risk assessment was performed in the last two years.