Blog

In this digital landscape, businesses are increasingly reliant on web-based platforms for their operations, communication, and customer interactions.

While this technological shift has brought convenience and efficiency, it has also opened the floodgates to a myriad of cyber threats – many no longer just centred on email-based breaches. 

As the digital realm expands, the need for robust web-based security becomes paramount for businesses of all sizes due to the escalating frequency and sophistication of cyberattacks.

Hackers are becoming more adept at exploiting vulnerabilities, often targeting sensitive data such as customer information, financial records, and intellectual property. The consequences of a successful cyberattack can be devastating, ranging from financial losses and reputational damage to legal repercussions.

These security breaches can erode customer trust and a single security incident can shatter the perception of a business as a reliable custodian of sensitive information, leading to a loss of clientele and tarnished brand image.

To address these challenges, businesses need to invest in cutting-edge web security solutions. These include regularly updating software and systems, implementing multi-factor authentication, encrypting sensitive data, and conducting regular security audits. Collaborating with cybersecurity experts and staying abreast of the latest threats intelligence is equally crucial in maintaining a proactive defence against emerging cyber hazards.

We asked John Svazic, Founder and Principal Consultant of EliteSec Information Security Consultants Inc. in Cambridge to share his thoughts on what businesses can do to ensure they are prepared for potential web-based security threats:

Q. When did more browser-based cyber threats begin to surface as opposed to spam emails?

A. This is a hard question to answer, but these types of attacks aren't new and have been around for a while, likely since the early 2000s at least, but not in any volume.  Most cyber-criminal attacks are based on opportunity and ease, so the rise can generally be attributed to companies adding more sophistication to their websites, especially as they try to go online.  

Q.  What brought on this apparent shift?

A. Opportunity is the biggest reason here.  With the rush to go online, which the pandemic only exacerbated, some companies may be taking shortcuts to get online by going with free/low- cost options to maintain margins.  While I can sympathize with this point, losing most of your margins to fraud may be reason to re-evaluate.

Q. Are there warning signs business owners should watch for indicating they might be susceptible to an attack?

A. Unfortunately, not. The best way to prevent this is to go look for vulnerabilities yourself or get someone who is skilled to go looking for you.  Having said that there are a few things that can be done on your own to better protect yourself, including:

• Making sure all your software is up to date. This is especially important if you are using a Wordpress site to host your online presence. Making sure any plug-ins or add-ons that you are using are up to date is important.
• Protect your online social media with two-factor authentication (2FA). Yes, this can be annoying, but it is a proven way to protect your accounts. Nothing is more painful than trying to get your Facebook or Instagram account back from a hacker, and many companies either pay up or are forced to create new accounts.
• Never re-use passwords!  Getting a password manager is incredibly useful to prevent this and provides a great way to help share accounts between employees if necessary. Most can help store your 2FA code as well, so you don't need to share a single phone between individuals.
• Hire a security professional to do a vulnerability assessment or penetration test of your web presence. Be sure that they are qualified by asking for references and samples of their work.  This is the costliest option but one worth considering if you want to be sure.

Q. What is one of the first steps they should take in terms of boosting their security?

A. Make sure that whatever you're using is fully patched. If this is offloaded to a hosting company or some other third-party provider, ask them what their patch cycle is. How frequently do they update, and do they do any third-party testing of their own infrastructure?  If a company is doing online sales, using a trusted partner like Shopify, Squarespace, etc., is a great way to check these boxes as these are reputable firms that take security seriously, which helps to offload the risk to someone else, albeit at a cost. 

Q. Are smaller businesses more susceptible to potential attacks than larger ones?

A. Sadly yes. While news headlines often focus on bigger named companies getting hacked and having to pay ransoms, the reality is that hundreds of smaller companies are getting hacked each day and not making headlines because they're just not big enough to report on, or they're too scared to report the attacks themselves out of fear of losing customers/reputation. Smaller companies often lack the resources or money to seek out help, so it can be a real catch-22.

Q.  If an attack has occurred, what should be the first step a business owner should take?

A. First check your business insurance to see if you have cyber insurance. Often, these policies will dictate who to call and what to do. Many brokers will recommend this type of insurance if you have an online presence, so it never hurts to start there. As most of these attackers are coming from outside the country, law enforcement won't necessarily be able to help, but report a cybercrime.  Start with the Canadian Centre for Cyber Security and report the incident. I would then recommend reaching out to a cybersecurity professional that specializes in incident response to help rectify the situation. Again, if you have a cyber insurance policy, this should be covered by insurance.

Q. Is it possible to become too paranoid regarding cyberattacks?

A. Absolutely. But it's best to always put things into perspective before things become too overwhelming. If you take some basic precautions, you can put most of these concerns aside.  It's always about perspective and the realization that raising the bar on cybersecurity isn't hard, and even small changes can deter potential attackers. Most cyber criminals are lazy, so they won't put in a lot of effort for minimal rewards. But if they can pull of a hack because it's easy, then they're willing to put in the effort for a few hundred to a few thousand dollars of potential payoff.