Locked Out and Out-of-Luck: The Impact of Ransomware on SMEs

September 18, 2017

Recent high-profile data breaches have emphasized how important it is for governments and businesses to protect client, company, and personal information. In May 2017, the WannaCry ransomware attack rapidly struck many high-profile public and private targets worldwide. WannaCry effectively “locked” companies out of their data and demanded a “ransom” or payment in exchange for the data’s release.1

Cyber-attacks such as WannaCry have led many large corporations to increase investments and dedicate company resources to safeguarding against breaches. Given the costs that can result from a data breach, this should come as no surprise. In 2016, the average cost per compromised record in Canada was $211, while the average cost per Canadian data breach was almost $5 million. Additionally, lost goodwill may significantly impact a company’s bottom line if customers lose confidence in the competency and security of the business.2

However, studies show that small and medium-sized enterprises (SMEs) need to do more to strengthen their cybersecurity plans. According to a 2017 Canadian Chamber of Commerce report, SMEs lag behind large businesses in deploying cybersecurity measures. In fact, most attacks now target SMEs specifically. The Chamber report also indicated that 71% of data breaches happen to small businesses. In addition, nearly half of all small businesses in the US have been victims of a cyber-attack; rates are estimated to be similar in Canada.

Experts believe that SMEs have become the focus of cyber criminals because these businesses are less prepared to prevent and respond to attacks. As a result, ransomware attacks can disproportionately impact SMEs. If the targeted data is extremely valuable (e.g., helps to maintain the business’ operations), the likelihood of the ransom being paid increases. This was the case in a 2015 attack on a Calgary wine store. The hackers made the Kensington Wine Market’s database inaccessible through a ransomware attack. They demanded a ransom of $500 in bitcoins for the data to be released. While the data itself was not extremely profitable to the hackers, it was critical to the wine store’s operations. The wine store could not open email, review inventory, or process sales during the busy holiday season. Ultimately, the store paid the ransom because it was estimated that paying a software company to resolve the issue would cost 10 times more than the ransom.4

In 2016, the University of Calgary fell victim to a ransomware attack that encrypted staff and faculty emails.  The university paid $20,000 to regain access to their data, which was seen as a bargain given the university faculty consisted of more than 1,800 members. Even at minimum wage, an hour of time for each member represented a sum of more than $20,000.5

Whether to pay the ransom or seek the expertise of a cybersecurity specialist will depend on the objectives of the SME and the circumstances at the time of the attack. Regardless, companies ought to spend time considering, drafting, and implementing a policy that outlines the risk assessment and response process required for a ransomware attack well before it happens. Doing so will improve employees’ understanding of the issues at play (and highlight what to do if they face an incident that impacts their day-to-day operations).

It is also important to keep in mind that once the recently published and proposed Regulations of the Digital Privacy Act come into force, SMEs governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to notify affected Canadians (and the Privacy Commissioner of Canada) as soon as feasible in circumstances where:

  • Personal information has been lost;
  • Stolen; and
  • The individuals are at risk of suffering harm.

These discussions may also assist in streamlining internal protocols and external communications in the event the attack becomes public knowledge.

Although media outlets might not always report on SMEs being attacked, these businesses are increasingly becoming a target of cyber criminals. Here are some strategies that SMEs might consider in order to combat cyber-attacks:

  • It is important for SMEs to take measures to protect their systems against the constant probing of hackers. Ongoing monitoring of system security can raise awareness of impending attacks before serious damage is done.
  • Many cyber criminals check for well-known points of entry left open by outdated patches and systems. Make sure systems, software, and applications are updated frequently.
  • Train employees to conduct themselves in a manner that does not open the company up to a potential data breach. Raising employees’ awareness of cybersecurity risks can improve prevention, reduce system gaps, and hopefully lead to an overall faster response in the event of a breach.

For a business that is just now taking stock of the cybersecurity threats it may face (and any related data privacy obligations it may have), these issues may seem daunting.  However, the team at Cox & Palmer is here to help.  Should you have any questions, please do not hesitate to contact us.


1 Christina Mercer, “What is WannaCry? How does WannaCry ransomware work?” (15 May 2017), Techworld, online: <http://www.techworld.com/security/what-is-wannacry-how-does-wannacry-ransomware-work-3659064/>.
2 Larry Ponemon, “2016 Cost of Data Breach Study: Global Analysis” (15 June 2016), online: <https://securityintelligence.com/cost-of-a-data-breach-2016/>.
3 Canadian Chamber of Commerce, “Cyber Security in Canada: Practical Solutions to a Growing Problem” (31 March 2017), online: <http://www.chamber.ca/media/blog/170403-cyber-security-in-canada-practical-solutions-to-a-growing-problem/>, at 25.
4 CBC News, “Bitcoin ransom demanded by hackers of Calgary wine store” (10 December 2015), online: <http://www.cbc.ca/news/canada/calgary/kensington-wine-market-bitcoin-ransom-1.3359427>.
5 Dave Dormer and Stephanie Wiebe, “U of C ransom payout better than battling hackers, expert says” (8 June 2016), CBC News, online: <http://www.cbc.ca/news/canada/calgary/university-of-calgary-cyberattack-part-of-increasing-problem-1.3621505>.

Cox & Palmer publications are intended to provide information of a general nature only and not legal advice. The information presented is current to the date of publication and may be subject to change following the publication date.