The president of our firm and the cybersecurity expert Guillaume Caron discussed issues for SMEs. What should businesses do to protect themselves?
In recent months, the world has witnessed numerous massive supply chain attacks, including some affecting tech giants like SolarWinds, Microsoft and FireEye.
“It’s definitely concerning. These attacks are unprecedented and they’ve had serious consequences for thousands of businesses,” explained Guillaume Caron, president of VARS, our firm’s cybersecurity division. Quebec SMEs and institutions are becoming collateral victims of these massive attacks.
Supply chain attacks
A supply chain attack is a cyberattack that aims to damage a company by exploiting vulnerabilities in its supply chain. The process involves persistent rounds of hacking or infiltration to gain access to an organization’s network.
The hacked company isn’t necessarily the attacker’s ultimate target. In many cases, the supply chain element is simply a gateway. The cybercriminals capitalize on the target’s vulnerabilities to reach a larger network of companies to attack.
“We’re talking about a malicious, orchestrated effort that could affect our clients here in Quebec and across Canada,” said Emilio B. Imbriglio, president and chief executive officer of Raymond Chabot Grant Thornton.
For instance, millions of small businesses rely on SolarWinds and Microsoft products and systems. These businesses were targeted by the same criminal organizations that successfully exploited the vulnerabilities exposed by the massive attacks on the tech giants.
“In Microsoft’s case, there were vulnerabilities in their Exchange email servers. In the last few months, we’ve intervened in a number of large-scale attacks, involving ransomware or other issues, that targeted SMEs around the world and even here in Quebec,” explained Guillaume Caron.
Cyberattacks can have grave repercussions on major corporations and small organizations alike. In addition to financial consequences, there can be damage to the company’s reputation with customers, investors and suppliers. Businesses can also face serious litigation.
The importance of protecting yourself during your digital transformation
The digital transformation process often involves capitalizing on the Internet of Things, with IoT devices used to connect different systems, networks and companies in order to accelerate business processes. This increases the attack surface considerably and makes it harder to protect all vectors. That’s why performing ongoing risk analyses is so important. You want to identify entry points and implement checks and balances like technological tools, business processes, policies, etc.
A Leger study found that the proportion of SMEs that plan on investing in cybersecurity solutions over the next two years fell from 42% in 2019 to just 25% in 2020. However, as Guillaume Caron pointed out, “In 2021, there’s simply no excuse for leaving your company exposed to serious cybersecurity problems.”
Today, there are easily deployable and affordable tools that SMEs can use to protect their business. No matter what industry you operate in, criminals can gain access to your company and then take control, download sensitive data, steal information and more. If your machines stop working, you can’t produce anything. If your workstations are blocked, your employees can’t work. Scenarios like this can have a major impact on the survival prospects of small- or medium-sized businesses.
What can SMEs do to equip themselves?
In today’s reality, it isn’t a matter of if a cyberattack will occur, but when. Companies need to protect themselves and have a concrete action plan outlining what to do when an attack occurs.
Third-party risk has become a pressing issue. Governments, major corporations and SMEs that do business with other organizations can’t afford to put blind faith in their business partners. After all, your company may be entrusting these third parties with critical, sensitive, strategic or secret information, even if they don’t have the same security practices and safeguards in place.
Large institutions often require their suppliers to comply with certain information security standards. That way, if a supply chain attack happens, there aren’t any vulnerabilities between the company and its partners and suppliers.
“SMEs should do the same and require their partners and suppliers to have cybersecurity measures in place. This type of vigilance shouldn’t just be for large institutions and governments,” emphasized Guillaume Caron.
Today, it’s critical for companies to be able to prove that they have proper controls in place. There are established standards that businesses should abide by. You need to be able to demonstrate, with facts, that you’ve developed a strong security culture. Doing so can even become a competitive advantage.