As we step into 2025, I want to take a moment to address the small business community in Canada. Too often it seems that concern about cyber threats is voiced only when it impacts larger corporations. In today’s digital landscape, cybercriminals see small and medium-sized businesses (SMBs) as the most reliable and lucrative targets. It’s time for law enforcement, government, the media and SMEs ourselves to recognize that SMEs are the most vulnerable, and that there are ways for SMEs to significantly minimize their cyber risk.
The statistics are delivering a clear message. Cyber threats, including ransomware and data breaches, have increasingly targeted SMEs, often because these businesses lack the robust or “enterprise class” defences that larger organizations maintain. Threat actors know that there is profit in exploiting vulnerabilities in smaller companies, leaving them to bear the brunt of the financial and reputational damage, as so many don’t have the resources of larger companies, including cyber insurance.
So, what can you do to protect your business? The answer lies in cyber resilience, which is built on three key pillars: technology, processes, and people. First, ensure your technology is up to date and incorporates the best solutions available. This includes regular software updates, firewalls, and intrusion detection systems. Don’t wait for a breach to invest in your cybersecurity infrastructure, and if you’re not sure whether it is being done, then ask. This isn’t a money issue; it’s a process one, and it involves looking for new technology you’ve introduced that may need patching.
Second, establish strong processes that prioritize data protection and incident response. Create a clear plan for how to respond to a cyber incident, ensuring that your team knows their roles and responsibilities. Treat your data like it’s radioactive gold: it has value and it must be contained, shielded, and accounted for. Too many SMEs get hurt when critical data is allowed to reside in unprotected spaces, or is transferred onto employee devices when it shouldn’t be. And protect and manage all your devices.
Finally, invest in your people. Educating your staff about cybersecurity best practices works. There is no need for technical lectures; instead, provide a reminder of the threats and of the practices attackers exploit – these can even be an educational and enjoyable break if done right. Regular training sessions can empower your team to recognize threats like phishing attacks and to understand the importance of safe online behavior.
If managing cybersecurity feels overwhelming or if you’re outgrowing your own IT staff’s bandwidth to manage security, consider partnering with managed service providers. These experts can extend your cybersecurity capabilities. There are made-in-Canada resources to help, such as those within CanadianSME, the Canadian Cyber Centre for Security, and Industry, Science, Education and Development (ISED)’s Forum on Digital Infrastructure Resilience.
As we embark on this new year, let’s commit to making cybersecurity a positive step by taking the helm of our own SMEs’ future and making cyber resilience a priority. By being proactive and informed, we can build a safer digital environment for our businesses and communities. We’re not alone, and collaborating and sharing with other SMEs, even our competitors, is the new reality of keeping our businesses up and running. Together, we can turn the tide against cyber threats and ensure a prosperous 2025.
Greg Young
VP of Cybersecurity, Trend Micro
Greg’s focus is enterprise-class security. He is keen on sharing the reality of security in larger organisations and how business can be done securely in those environments. As research vice president with Gartner for 13 years, Greg advised thousands of companies and governments on how to better secure themselves, evaluated and advised hundreds of security vendors, and has seen those same technologies successfully used, abused, put on a shelf, or pushed into a deep hole, never to be spoken of again.
At Gartner he led research for network security, threat trends, data centre security, cloud netsec and microsegmentation. He authored more than 20 Magic Quadrants for firewall, IPS, WAF, and UTM, and was Conference Chair for 4 Security Summits. Greg headed several large security consulting practices, was CISO for the Department of Communications, and served as chief security architect for a security product company. He was a commissioned officer in the military police and counterintelligence branch working as a certifier/accreditor at the national authority and received the Confederation Medal from the Governor General of Canada for his work with smart card security.
Greg was named in the “12 Most Powerful Security Companies” and as one of “100 Most Powerful Voices in Worldwide Security.” And, as he mentions too often, Greg was an extra in 2 episodes of Airwolf.
Specialties: Securing networks, architectures, and data