Quebec SMEs delude themselves if they think that their small size or their French-speaking character makes them less attractive to local or foreign cybercriminals.
Posted at 4:00 p.m.
While 85% of SMEs in Quebec say they are concerned about their cybersecurity, barely 23% have adopted the four basic protection measures (see table below).
However, half of Quebec SMEs have been victims of a cyberattack in the last year.
This is revealed by a web survey conducted from September 2021 to February 2022 by SOM and the firm Dévolutions among 151 IT professionals and decision-makers from Quebec SMEs.
“We see that in Quebec, there is still a delay in terms of investment in cybersecurity. Often, we are polite, we talk about two years late, but it’s a little more than that, “says David Hervieux, president and founder of Devolutions, a Quebec firm of remote office management and cybersecurity solutions. , which has some 800,000 users worldwide.
The cyberthreats most feared by Quebec SMEs are ransomware (73%), phishing (68%) and malware (66%). But the main threat may not come from where they expect it. Among companies that have been victims of cyberattacks, ransomware is half as common (27%) as phishing (56%).
These concerns have nevertheless translated into concrete actions: 46% of respondents have increased their spending on cybersecurity over the past year. However, more than the budget, it is the continuity of efforts that erects the strongest walls.
One of the problems for SMEs is that they think they are not interesting or that malicious actors specifically target companies. But the mischievous actors throw their nets in the water, then watch what gets caught in the net. This is when they become precise. For them, a small player or a less well protected player is just easy money. A big player is going to have put up barriers.
David Hervieux, President of Devolutions
Some might believe that the French-speaking particularity is in no way an obstacle to cyberbandits, even if they are foreigners. Mistake.
“Indeed, we have often thought that when we receive an email in English, it does not affect us,” notes the president of Devolutions.
But if only by using translation software, cyber crooks are now perfectly capable of adapting to their French-speaking “market”.
“Before, there was the myth of the badly written email full of mistakes, but now it’s a little more sophisticated. »
Changes within changes
Quebec SMEs still too often neglect the most basic precautions. Nearly one in five companies fail to revoke access to former employees who retain confidential information about the organization.
Another mistake that may come as a surprise: 38% of SMEs change their passwords several times a year — a rather inadvisable procedure.
Because there has been a change in the password changes.
In theory, changing your password is a good idea. The problem is that because they change too often, people just say: this month, my password is potato2. The following month, it will be potato3.
David Hervieux, President of Devolutions
It’s the best way to make potatoes.
“After a certain number of years, you end up with a password that is too weak. »
In the United States, the National Institute of Standards and Technology now advises companies to modify their access only following a computer security breach.
Four basic measures
Nearly 9 out of 10 Quebec SMEs believe they have a good level of protection against cyber-bad guys, but less than a quarter have implemented all four basic protection measures.
Compared to foreign SMEs that were also surveyed by SOM and Dvolutions, Quebec SMEs lag behind in the application of three of the four measures.
Yet the cost of these measures is not always a push factor.
Multi-factor authentication, for people who already use Microsoft or Google services, is relatively easy. Cybersecurity training is not that expensive. For the password manager, there are free options too.
David Hervieux, President of Devolutions
However, security audits can be more expensive, he acknowledges.
“It can be very expensive because it comes with a list of things to fix. It is as if you are going to have your car inspected when it is 15 years old. You may get a lot of things to fix. »
But for the SME as for the car, it is about safety on board.