Understand cyber risks: Prepare, protect and educate your home and business

April 28, 2022 | RBC Wealth Management


Nearly half of Canadian small business owners anticipate becoming a victim of cyber crime in the next year. Here are some tips on how business owners can develop their cybersecurity mitigation and crisis management plans.

The accelerating digital transformation of the global economy has made it easier to conduct business from almost anywhere, but there are downsides to the added efficiency and convenience. The quick shift to online transactions has led to increased cyber threats and security breaches, particularly for those who aren't prepared.

"Many businesses are consuming technology faster than they can protect it," says Adam Evans, vice president of Cyber Operations and chief information security officer (CISO), RBC.

The pandemic has heightened the risk over the past two years, Evans adds, with many people handling sensitive customer information while working from home.

Businesses are battling what Evans calls the growing "economy of crime," which includes everything from well-established phishing and malware operations to ransomware franchises. Data breaches have become a huge and growing problem for companies of all sizes and across sectors.

Small- and medium-sized enterprises (SMEs) are a key threat to supply chains, partner networks and ecosystems, according to the World Economic Forum Centre for Cybersecurity. A recent survey commissioned by RBC shows nearly half of Canadian small business owners anticipate becoming a victim of cyber crime in the next year.

Cyber security and the family office

The risk is also real for family offices managing billions in assets and dealing with huge volumes of private client information.

Campden Wealth's North American Family Office Report 2021 shows 92 percent of those surveyed expect scams or cyber attacks will increase in the coming months, while nearly one in three feels ill-prepared to safeguard themselves should an attack occur.

"The more technology a company brings on board, the more it will be targeted," Evans says, adding that smaller firms with fewer resources are often more vulnerable.

"The crux of the problem is: they're not sure where to start."

Evans says businesses can protect themselves by taking the right steps and adopting the proper security frameworks—everything from multi-factor authentication and mandatory employee training to thinking through potential risk scenarios and identifying key stakeholders to manage them. The Campden Wealth report shows 77 percent of family offices have a cybersecurity plan, but more than half feel it could be better.

To improve their level of cyber security, Evans says, family offices can begin by identifying which areas of the business are in most need of protection—for example, the client database and intellectual property.

"You need to sit down and think about what you need to protect—and then start building a plan to protect it," he says.

Evans also recommends bringing in cybersecurity experts to help ensure all bases are covered.

"There may be blind spots that family offices are not aware of," he says.

With phishing and malware, for example, the protection may include patching holes in the virtual network and running security software to ensure everything is safeguarded. Businesses also need to know if there are other internal and external systems they're connected to that may not have adequate safeguards in place.

"These steps all help with your cyber hygiene and create more barriers for threat actors who want to compromise your family business systems," Evans says.

Businesses also should have a crisis management plan in case there is a breach.

"You don't want to think about your plan in a time of crisis," he says.

A crisis management plan typically includes contact information for outside organizations equipped to deal with a cyber breach.

"Have you got a retainer with a company to come in and help you through your crisis? Do you know who in law enforcement you would need to call?" he adds, noting that it's imperative to act quickly if there's a breach or suspected breach.

"You need to think of it not as if it's going to happen, but when," Evans says.

Cyber education and awareness

Family offices also need to be cyber aware and educated on the various types of threats, which are constantly evolving and changing.

The RBC survey showed while many small business owners are concerned about cyber crime, only about a quarter of respondents felt "very" knowledgeable about the different threats.

Bernadine Leung, managing director of the RBC Enterprise Strategic Client Group, says organizations need to keep their employees and clients up to speed on the cyber risks, including some of the latest privacy, identity theft and phishing scams that occur.

"The biggest risk for family offices is the individual sitting in front of the computer," Leung says. "They need to be vigilant to the e-mails and requests they receive that sound urgent or suspicious, and just take that pause to make sure that this makes sense."

For instance, RBC has a policy requiring verbal confirmation from a client when asked to send funds from their account to a third party because of the risks associated with e-mail communication.

"It's about reinforcing education for staff and ensuring they're vigilant toward any sorts of attacks, given that they deal with such a large amount of wealth," she says.

Five tips to achieve cyber resilience

As part of the survey results, RBC provided tips for business owners to develop their cybersecurity mitigation and crisis management plans. They include:

1. Prioritizing measures such as multi-factor authentication, mandatory cybersecurity training for employees and limited authorization for those who install software.

2. Thinking through risks and creating a prioritized list of possible cyber events unique to the organization.

3. Compiling a list of key stakeholders—leadership, technical and non-technical persons—and their relevant contact information for use in the event that notifications and/or their services are needed.

4. Outlining an engagement procedure to guide the organization's response to a cyber attack, detailing how events will be handled and communicated.

5. Creating a communications template specifying details on how and when to address impacted parties should a cybersecurity incident occur.

Family offices and SMEs, in general, can find more information on adequately preparing and protecting their organization against cybersecurity incidents at https://www.rbc.com/cyber-security/.

In Quebec, financial planning services are provided by RBC Wealth Management Financial Services Inc. which is licensed as a financial services firm in that province. In the rest of Canada, financial planning services are available through RBC Dominion Securities Inc.