Canadian businesses may be ill-prepared for electronic threats, says Danny Bradbury.

Ian Wilms isn’t your normal sales director. The Canadian executive, who works in a small, family hardware business, is more educated about cybersecurity than many. Until February, Wilms ran the Global Center for Securing Cyberspace, a Canada-based organization that was to collaborate internationally with inter-jurisdictional experts to combat cybercrime. But Wilms, formerly a business development executive at IBM Canada and a chair of the Calgary Police Commission, explains that he had to leave the table after the Canadian government pulled funding for the project.

“We’re dead in the water,” explains Wilms, who said that he had both private and government funding at the end of 2008, but lost his private funding in early 2009 when the economy began to wobble. “The federal government decided not to go anywhere with it, because the police said that it would be a duplication of what they’re doing.”

Wilms’ job promoting cybersecurity became entirely voluntary and he had to leave the tech industry altogether to pay the bills. Now, like many small businesses, he struggles to protect the company against electronic threats.

“For the company I’m working with now, cybersecurity is one of the last things on the list in terms of investment,” says Wilms, who tries to persuade managers to take cybersecurity seriously. “People are coming after us from all over the world.”

Most small Canadian businesses won’t have someone like Wilms educating their management. They have few resources at their disposal and it is showing. A recent Symantec survey, which polled 1,425 small and medium-sized businesses (SMBs) globally, 200 of which were in Canada, found that 35 percent of the companies in Canada didn’t have basic anti-virus in place. Michael Murphy, vice president and general manager for Symantec Canada, says that numbers were similar elsewhere. “The lack of understanding is not just a Canadian challenge, it’s a global one.”

The lack of resources among Canadian SMBs also shows up in terms of skills. Deloitte Canada’s forthcoming 2010 Global Security Study reveals that Canadian small businesses are far less confident than those in the United States about staff competency. In addition, only 36 percent of Canadian SMBs were confident that their staff had all required competencies in cybersecurity versus 55 percent of U.S. small businesses.

“Expenditure-wise, Canada is getting better funding than the U.S., and most of that is attributable to the global economy, with the U.S. being hit much more than Canada,” argues Adel Melek, partner and global leader in information technology risk at Deloitte. “But we found a higher percentage of Canadian organizations [39 percent] characterizing their spend on security as unplanned versus 27 percent in the U.S.”

More with less

Perhaps Canadian small businesses simply think that they can do more with less. Deloitte found that Canadian SMBs are visibly more confident about being protected from external attack than their U.S. counterparts. But Symantec’s Murphy argues that security is a data-centric issue. “Data is the endgame here,” he warns. And yet, Deloitte revealed to SC Magazine that data protection ranks seventh on the list of priorities for Canadian SMBs versus second in the U.S.

Could the problem be a history of technological conservatism among Canadian companies? Many have historically invested less in technology than their U.S. counterparts. A survey by the Center for the Study of Living Standards found that Canada’s rate of information and communication technology investment per worker in 2008 was 62.1 percent that of the U.S. Economists focus on the effect this may have on per-capita GDP (a gap that is also widening between the U.S. and Canada). But with most companies still failing to view security investments as tools to increase profits, it seems likely that Canada’s relative unwillingness to invest in technology expenditure would have a particular impact on its use of cybersecurity tools.

Regulatory landscape

Differences in the regulatory landscape on either side of the border are not helping either. In the U.S., 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted data breach notification laws and the federal government has stepped in on specific kinds of information, particularly medical and financial data. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) doesn’t explicitly require data breaches to be disclosed. Guidelines provided by the federal privacy commissioner advise organizations to notify individuals of data breaches, but these are not legally enforceable. Only the province of Alberta appears to be explicitly mandating data breach notification with Bill 54, which will soon be enacted.

This should be of concern to policy-makers in Canada where small businesses are a particularly strong driving force in the economy. A report last October from BMO Capital Markets said that SMBs created more than one-third of all new private sector jobs between 1998 and 2008. And yet the Canadian government has long been criticized for lacking a formal cybersecurity policy. Most recently, Canadian researchers Rafal Rohozinski and Ronald Deibert, who were responsible for a cyberespionage report called “Shadows in the Cloud,” lamented “poor security practices among individuals, businesses and governments,” and called the absence of Canadian policy for cyberspace “notable.”

Meanwhile, the Canadian government announced in February that it would be working on a national cybersecurity strategy, but it has made similar statements twice before. Compared to its southern neighbor, it appears woefully late to the party. Consequently, approaches to cybersecurity are ad hoc and based largely on personalities, warns Wilms. He calls for a national awareness campaign to educate small businesses about the real threats to their operations posed by electronic attack. There should be a call center for reporting cybercrime, he suggests.

Perhaps one positive aspect reflected in Deloitte’s figures lies in the approach of Canadian small businesses to outsourcing security measures. Canadian SMBs rank higher in terms of confidence about third-party security practices. Twenty-nine percent of them are very confident versus only 15 percent in the U.S. Further, Canadian SMBs are outsourcing security functions more, with only eight percent of them choosing to not outsource any versus more than 20 percent at U.S. companies.

While small businesses are being heavily targeted by cybercriminals, they’re being trawled using older attacks rather than sophisticated zero-day hacks, the way larger companies are, explains Brian Bourne, founder of Toronto-based Canadian security conference SecTOR. For attackers seeking credit card numbers and SMB banking logins, it’s a numbers game rather than a precision attack. SMBs can therefore solve a large part of the problem with fairly simple measures.

“An SMB may have five or 10 machines,” Bourne says, and may think that having anti-virus and firewall software is good enough. But, he adds, it’s absolutely necessary to stay patched.

Educating SMBs about those issues is a governmental responsibility. Many in the know hope that the promise it made in February sticks this time.