In 2017, almost 11,000 Canadian businesses with 10 or more employees participated in the first Canadian Survey of Cyber Security and Cybercrime [1] and reported on the incidents that impacted them. Over one in five respondents said their businesses had been targeted, with large businesses twice as likely to be affected. Incidents ranged from hackers attempting to access unauthorized areas and stealing personal or financial information to installing ransomware and blocking access to data or services unless a payment was made.
A 2017 report from Accenture – based on a survey of more than 250 companies operating in seven countries – found that security breaches were up 27% from 2016 and that the number of ransomware attacks doubled from 2016 to 2017. Companies are spending more money and time to recover from the disruption caused to their organization and customers. The financial costs associated with cyberattacks are up 62 percent over the past five years [2], and the times required to resolve malicious code attacks and ransomware are also up, averaging 55 and 23 days [2] respectively.
The Accenture study also found that larger firms were more likely to be the victim of denial of service and malicious code, while smaller organizations were more likely to experience malware and phishing incidents.
We’ve all received emails that look like legitimate requests for information – requiring us to click on a link or download an attachment – but that on closer examination seem suspicious.
In the past, these emails were often laughably amateur. But they are becoming increasingly sophisticated. Many hackers will conduct extensive research to tailor their emails with specific and customized details. It’s easy to be fooled.
Clicking on a link may install ransomware or malware on your system that is able to capture keystroke data or corrupt or steal files. Or you may be connected to a site that looks identical to a legitimate site you visit frequently and asked to log in so that hackers can gain access to your passwords, user names or other sensitive data.
Security breaches happen in other ways, too – from clicking on corrupt links on websites to inserting an infected USB drive into your laptop. Hackers can also deliberately target your network system to gain access.
Protecting your business from cybercrime requires a multifaceted strategy. Reduce the weak points in your technology and processes by:
Siva Ram, HSBC’s Head of Business Security and Fraud, Global Liquidity and Cash Management, notes that basic precautions to protect your company’s financial systems and identify potential breaches include “multi-level approvals, secure integration between internal and bank systems, and daily account reconciliation to avoid or quickly identify unauthorized payments.”
Processes and internal controls must be consistent across the organization and tested regularly.
There are many tools that provide strong lines of defence against cybercrime – from security intelligence systems and advanced perimeter controls to encryption technologies.
Just as important is training. As Ram notes, “most unauthorized access is committed using impersonation fraud…or [through] phishing where it is user behaviour rather than controls on infrastructure that creates the vulnerability.”
This means all staff must be encouraged to adopt a healthy suspicion towards any out-of-the-ordinary emails, Internet links, USB drives and more.
Vigilance is key. Practical tips for preventing cybercrime include:
If a security breach does occur and an employee suspects that they may have inadvertently been the victim of a cybercrime, they must be encouraged to share this information immediately, without fear of repercussion. The faster the breach is identified, the more options you have for resolving the issue and preventing further damage.
Issued by HSBC Bank Canada ("HSBC")