This text is part of the special Business Challenges section
During its second annual summit on IT security (ITSec), information technology specialist Devolutions presented the results of a study on cybersecurity within Quebec small and medium-sized businesses (SMEs). The overwhelming majority of respondents (94%) say they are concerned about the privacy and security of their companies’ data. Ransomware (83%) and phishing (68%) are the most feared scourges, followed by internal threats, whether intentionally or unintentionally caused by employees (42%).
A legitimate anxiety, according to Laurence Cadieux, an analyst at Devolutions who was involved in the study. Here as elsewhere, the question “is not whether [SMEs] are going to be attacked, but when they are going to be attacked,” she states bluntly.
So you just need to be prepared for it. The only problem is that only 20% of them describe their level of protection against cyberattacks as excellent. Internationally, this percentage rises to 30%, according to the comparative study conducted by Devolutions, based on a web survey carried out among 75 Quebec companies and 217 foreign SMEs, between March and May 2023.
This lag behind foreign standards can be explained in particular by a lack of budget. “Software updates are expensive, and SMEs don’t always have the means, so they can keep machines vulnerable to attacks,” admits Bertrand Milot, president and founder of Bradley & Rollins, an innovation and cyber defense consulting firm. The cost of cyberattacks is not always greater than the investments necessary for their prevention, he specifies.
But “with the envelopes that have been made available by the Ministry of Cybersecurity and Digital Affairs, companies no longer have excuses […],” continues the specialist. And if the step was not taken sooner, he believes that it is partly due to a lack of “awareness of the dangerousness”. “France [reacted] earlier just because she was a victim earlier,” he illustrates.
It doesn’t just happen to others
Businesses aren’t the only ones lagging behind. Laurence Cadieux recalls that the European Union’s General Data Protection Regulation (GDPR) came into force in 2018, while we had to wait until September 2022 for Law 25, the Quebec equivalent.
Only a quarter of Quebec businesses are reportedly ready to comply with it, although its provisions will be implemented gradually, over a period of three years. The rest of the respondents told Devolutions they lacked information, or were unaware of the cost or time needed to adapt to the requirements of Law 25.
“It’s also a question of cybersecurity education,” believes Laurence Cadieux. If big cyberattacks are scary, she concedes, “SMEs think that it won’t happen to them because they are small. But that’s not true,” warns the analyst. “There are actually a lot of attackers who will go towards SMEs because it’s easier to attack them.”
With the development of technologies such as artificial intelligence, threats are likely to multiply. And although Quebec companies already widely use two-factor authentication or even password managers, these tools could be insufficient.
For example, Devolutions invites Quebec SMEs to adopt a privileged access management (PAM) solution, which makes it possible to limit the circulation of data internally. PAM is present in only 12% of Quebec companies, compared to more than 20% elsewhere in the world. A considerable lag, but not an impossible one to make up.
While waiting for other measures resulting from Law 25, she invites SMEs to “rely on what is in place internationally to see how to protect themselves and how to protect people”.
This content was produced by the Special Publications team at Le Devoir, which reports to marketing. Le Devoir’s editorial staff did not take part.