Large retailers across British Columbia are racing to bolster their cybersecurity infrastructure amidst growing cyberthreats.
However, smaller businesses are having a hard time catching up with advanced technologies, relying heavily on less-protective basic tools.
In late April 2024, B.C.-based retailer London Drugs was forced to close all 79 stores for a week because of a ransomware attack.
Concerns and attacks have seen a steady increase in the past few years, and according to retail analyst and DIG360 owner David Ian Gray. Just because a business is larger doesn’t necessarily mean they’re less at risk.
“There’s multiple attempted breaches and attacks all through the year. Nobody is immune,” said Gray. “The issue is nobody wants to talk about it, and so we don’t really know quite how widespread it is, because no one really wants to admit they had a vulnerability.”
The security of a small business may be easier to breach, but cybercriminals are attracted to larger companies with more capital and sensitive information.
One vulnerability of larger companies is the interconnection of their systems, so a breach to one area could be the gateway to their entire database.
The less sophisticated measures taken by smaller retail businesses, and the separation of their information, could be indirectly serving as a preventive measure.
“They don’t have all their systems interlinked, they may even have some paper-based systems involved,” said Gray.
Although some advanced cybersecurity technologies could be hard to reach for SMEs, a lot of it comes down to habits and practices.
For the larger retail companies, the COVID-19 pandemic and the increase in cyberthreats has triggered a technological reconstruction, he said.
Retail is quickly modernizing all aspects of its business operations, including systems, supply chains, employee management and customer touch points.
The number of suppliers, vendors and transactional touch points makes retail significantly more exposed to threats compared to other industries, further increasing the pressure to modernize quickly.
“Every time you’re adding another component like that, are you adding another vulnerability?” asked Gray. “The second part of it is, you’re never going to eliminate all the risks. So how do you get comfortable running your business knowing there’ll always be some risk?”
While larger retailers investing more money in cybersecurity and response plans, Gray said there are two critical points that are not being given enough attention.
The first is the need for organizations to get more comfortable with sharing their practices and data, since companies could feel vulnerable by doing so.
“It’s not something where a particular chain is going to have a competitive advantage over the others in its category because it handles cyber threats better … all of you just have to be able to do the best you can,” he said.
The second is for employees to feel confident in their organization’s capabilities to protect their information.
“So you’re not just managing your shoppers, but you’re also managing your staff, because sometimes it’s their data that’s exposed,” said Gray.
Currently, discussions and responses to tackle cybercrime are being led by the industry and by technology partners, and although it’s a hard issue to solve, he mentioned there is a desire in the retail community for law enforcement to be more involved.
“I’m sure every CEO is saying, we need more help here. Should this be happening to the degree that it is, and can’t more be done to track down the people that are doing it?”
SMEs are lagging in cybersecurity investment
Recent data shows Canadian SMEs are heavily reliant on basic technologies, with less than half of them planning on adopting advanced technologies in the next five years.
This lack of protection opens the door to various cybersecurity risks for SMEs, with only 16 per cent of them feeling confident about what to do after an attack, according to Mastercard vice-president of security solutions Amisha Parikh.
The risk of cyberattacks to small businesses has increased due to the unprecedented levels of digital interaction.
A 2023 Mastercard survey and study on 300 SMEs showed cybercrime has surged by 600 per cent in Canada since the start of the pandemic and only 53 per cent saying they’re unable to afford innovative cybersecurity tools.
An October 21 survey by the Business Development Bank of Canada (BDC) of nearly 1,300 business owners and leaders showed increased business reliance on technology, with around 82 per cent of businesses across Canada saying technology has played a critical role in shaping their operations over the last five years.
Advanced tools like automation software, cloud computing and cybersecurity systems are having a larger impact than basic technologies like websites and online payment platforms, with 44 per cent of respondents saying advanced tools have become very critical for their operations, compared to 38 per cent for basic technologies.
Parikh said the RCMP and the Canadian Anti-Fraud Centre reported $569 million in losses to scams and fraud activity in 2023 across the country. It is estimated that only five to 10 per cent of cybercrimes are reported.
“This number is substantially higher, and it could be in the ballpark of $10 billion to $11 billion a year,” said Parikh. “Globally, the cost in lost revenue from cyberattacks are estimated to reach 10 and a half trillion dollars by 2025, according to cybersecurity ventures.”
As the business world becomes more digitized, investments towards advanced technologies will continue. However, large businesses have been investing considerably more than smaller businesses in the last five years, with a 43 per cent gap on technology adoption between them.
This gap is expected to increase to 48 per cent by 2029, with 94 per cent of larger businesses planning on adopting advanced technologies in the next five years compared to 46 per cent of micro-business and 68 per cent of small businesses.
Although cyberattacks using artificial intelligence continue to increase in complexity and frequency, Parikh said one of the most common types of attacks against SMEs are business email compromises.
These often involve taking over an email account and posing as a trusted figure, later asking for sensitive information or a transaction. Generative AI plays a key role, as deep fakes and voice cloning can help criminals emulate individuals in further detail.
One way to tighten security is using multi-factor authentication and having different layers of security, said Parikh, as most cyberattacks occur when passwords aren’t updated at a regular interval.
Investing in a full-time cybersecurity professional can be expensive for SMEs, but putting cost-friendly measures in place—such as data backups, software updates and cybersecurity education—can go a long way.
The online BDC survey was conducted between June 7 and 18, 2024. The margin of error is plus or minus 2.7 percentage points, 19 times out of 20.
