But here’s the part that really got me: it wasn’t done in one shot. The bad actors had figured out that this company reconciles their bank account monthly. So they realized if they kept each transaction small, around $3,000, it would just blend in with the rest of the normal business expenses. Nobody would flag it. Every single day, another $3,000 went out the door. For an entire month. That’s how they got to $160,000 before anyone noticed.
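A defender-side check for exactly that pattern, added here as an example (it is not the company's or the author's tooling): a rolling per-payee cumulative total over a constructed ledger, which surfaces a run of sub-limit payments that a single monthly reconciliation lets blend in. The review limits, payee names, dates and amounts are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Txn:
    day: date
    payee: str
    amount: float  # outgoing amount in dollars

# Assumed review policy (not from the article): single payments above PER_TXN_LIMIT
# already get a manual look; the gap is many sub-limit payments adding up in WINDOW_DAYS.
PER_TXN_LIMIT = 5_000.00
WINDOW_DAYS = 30
WINDOW_LIMIT = 20_000.00
MIN_COUNT = 5

def flag_structured_outflows(txns, known_payees):
    """Return {payee: {count, total, new_payee}} for payees whose sub-limit payments
    exceed WINDOW_LIMIT in any rolling WINDOW_DAYS window (the per-payee run-up)."""
    by_payee = defaultdict(list)
    for t in txns:
        if 0 < t.amount <= PER_TXN_LIMIT:  # above-limit items are reviewed elsewhere
            by_payee[t.payee].append(t)
    flagged = {}
    for payee, items in by_payee.items():
        items.sort(key=lambda t: t.day)
        start, best = 0, None
        for end in range(len(items)):
            while (items[end].day - items[start].day).days >= WINDOW_DAYS:
                start += 1  # keep the window inside WINDOW_DAYS calendar days
            window = items[start:end + 1]
            total = round(sum(x.amount for x in window), 2)
            if len(window) >= MIN_COUNT and total >= WINDOW_LIMIT:
                if best is None or total > best["total"]:
                    best = {"count": len(window), "total": total,
                            "new_payee": payee not in known_payees}
        if best:
            flagged[payee] = best
    return flagged

def constructed_ledger():
    """Constructed sample: routine vendors plus one unknown payee paid ~$3,000 daily."""
    d0 = date(2024, 3, 1)
    txns = [Txn(d0 + timedelta(days=i), "Fleet Fuel", 1_200.00) for i in range(0, 35, 7)]
    txns.append(Txn(d0 + timedelta(days=15), "Payroll Provider", 45_000.00))
    txns += [Txn(d0 + timedelta(days=i), "ACME Equipment", 2_900.00 + 50 * (i % 5))
             for i in range(30)]
    return txns
```

Calling `flag_structured_outflows(constructed_ledger(), {"Fleet Fuel", "Payroll Provider"})` flags only the unknown payee (30 payments, $90,000.00); the weekly fuel vendor never crosses the window limit and the single large payroll item is left to the existing per-transaction review.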
According to the Canadian Centre for Cyber Security, small and medium businesses are increasingly targeted precisely because they lack basic security controls. This company was a textbook case.
You’re not too small to be targeted. You’re just easy enough.
When I sat down with this company, the first thing they said was something I hear all the time: “We didn’t think anyone would go to such great lengths to target us.” In their eyes, they weren’t some high-profile organization. They weren’t a government agency or a publicly traded company. Why would anyone bother with them?
And that’s the thinking I always try to reframe. It’s not a question of whether or not you’re a big deal. It’s a question of whether you’re an easy target. These bad actors aren’t sitting around picking the most prestigious companies to go after. They’re scanning for the path of least resistance. If your front door is unlocked, somebody’s going to walk through it eventually.
I use this analogy with clients all the time: if I applied the same thinking to cavities or locking my car, like “well, it hasn’t happened yet, so I must be fine,” we’d all agree it’s only a matter of time, right?
What we actually found
When we looked under the hood, this company had almost no cybersecurity infrastructure in place. No endpoint detection. No mobile device management. Their firewall logs weren’t being analyzed or audited by anyone — threats had been hitting the perimeter for months, and nobody was watching. There was no identity threat detection and response. They were essentially operating under a false veil of security.
The scariest part wasn’t what had already happened. It was that we didn’t know if it would happen again. The same vulnerability that let the attackers in the first time was still wide open. We had to secure the entire network before we could even take them on as a client. The last thing we wanted to do was clean up the mess and then watch it happen all over again.
The reactive spending trap
Here’s the other thing that stuck with me about this situation. By the time they called us, they were ready to pay whatever it took to be protected. And honestly, that’s not a good place for us. We’d much rather have that conversation proactively, where a business owner feels good about the money they’re spending because it’s a strategic decision, not a panic purchase.
I see this pattern constantly. Businesses treat IT security as an expense, and like any expense, the instinct is to reduce it as close to zero as possible. That’s great CFO thinking for a lot of line items, but it’s terrible thinking for cybersecurity. The companies that are scaling the fastest right now are the ones that flipped their thinking. They stopped seeing IT as a cost center and started treating it like an investment with a rate of return. And like any great investment, you’re not trying to reduce it to zero. You’re trying to put more into it because it’s giving you the highest return.
What we did to fix it
The first thing we did was set up real-time network monitoring so we could see who was coming in and out of the network. Within the first week, we flagged three suspicious connection attempts that would have gone completely unnoticed under their old setup.
Then we ran a vulnerability assessment that mapped out every area of deficiency. We implemented secure passwords for everyone and rolled out multi-factor authentication across the board — email, VPN, cloud apps, all of it. From there, we ran our standard security scan and audit, then corrected each gap one by one: endpoint detection on every device, proper access controls so former employees couldn’t still log in, and an incident response plan so if something did happen again, they’d know exactly what to do in the first 60 minutes.
None of this was exotic technology. MFA, endpoint detection, log monitoring, vulnerability scanning: these are foundational tools. The tragedy is that they were all available before the $160,000 walked out the door. The company just hadn’t gotten around to it yet.
The three things I’d tell any business owner right now
First, focus on identity, not just devices. I hear people say they have a firewall or they passed their insurance compliance checklist, and I always tell them: compliance isn’t the same as being secure. Compliance is the minimum requirement to satisfy someone else’s needs. It doesn’t mean your business is where it should be for your benefit. Make sure everyone has multi-factor authentication. Make sure your passwords are actually secure. And invest in phishing training for your team, because it’s usually not the technology that fails you. It’s the people.
Second, take a multi-layered approach. There’s no silver bullet out there. Security isn’t binary. Think of your business like a fortress with multiple points of entry. Have you actually shored up all of them? The right tools, the right training, the right processes, the right provider, and continuous monitoring. It all has to work together.
Third, stop thinking about backups and start thinking about recoverability. Everyone knows they should back up their data. But when was the last time you actually needed yesterday’s backup? Usually it’s something from months ago, a file someone deleted before they left, or data that got overwritten and nobody noticed. The real question isn’t “is our data backed up?” It’s “how fast can we get back online, and how far back can we go?” When you focus on recoverability instead of just backups, you start having a very different conversation about your data strategy.
The bottom line
That oil and gas company is in a completely different position today. But they’ll tell you themselves: they wish they’d had that conversation with us before the $160,000 disappeared, not after.
If any of this sounds familiar, if you’ve been putting off the security conversation, or if you’re relying on one person or one tool to protect your entire business, I’d encourage you to get a second set of eyes on your environment. It might be that everything’s fine. But more often than not, that’s not the case. You just don’t know what you don’t know.
Find out what a $3,000-a-day problem looks like in your environment. We’ll take an honest look at your setup and tell you exactly where the gaps are — no sales pitch, just a real conversation about what’s working and what’s not.
Frequently Asked Questions
How do small businesses get hacked?
Most attacks start with phishing emails, compromised credentials, or unpatched software — not sophisticated exploits. Attackers scan for businesses without basic protections like multi-factor authentication and endpoint detection, then use automated tools to break in.
How much does a cyber attack cost a small business in Canada?
The direct costs (theft, ransom, recovery) typically range from $25,000 to $250,000. But the full impact — including downtime, lost clients, and reputational damage — is often 5 to 10 times higher. This company lost $160,000 in stolen funds alone.
What is the first thing a business should do to improve cybersecurity?
Enable multi-factor authentication on every account, starting with email. It’s the single highest-impact action you can take and blocks over 99% of automated account compromise attempts.
Does cyber insurance replace the need for cybersecurity?
No. Most insurers now require specific security controls (MFA, endpoint detection, backups) before they’ll issue a policy. Insurance covers the financial impact after a breach — it doesn’t prevent one.