Skip to main content
risks

Toronto's Amazing Party and Costume store makes more money in the few days leading up to Halloween than at any other particular time of the year.

So when owner Shawn Hamilton found seven homemade explosives hidden among the masks, capes and other outfits in the four days before last Halloween, it was a huge setback. While the bombs didn't explode, Mr. Hamilton was forced to close his shop for most of that time and estimates he lost about $350,000 of potential revenue, representing nearly a fifth of his annual business.

While no arrests have been made and police gave no motive, he suspects a competitor may have been behind it, and that he was deliberately sabotaged.

"I can't prove anything, but this happened during my money time, when I do most of my business," he says. "Was this really a coincidence?"

It's rare for a small company to have to call in the bomb squad, but small businesses can be the targets of many kinds of sabotage.

"I'm not the last person that will have to deal with this," Mr. Hamilton says.

Saboteurs can come in many forms. The biggest threats are employees, customers and competitors, says Michel Juneau-Katsuya, founder and chief executive officer of The Northgate Group Corp., an Ottawa-based company that performs risk and threat assessments for businesses.

Acts of sabotage can take many forms as well, from stealing files to stealing customers to stealing staff to purposely ruining an event to harming a business's reputation on social media.

Whoever is behind it and whatever way it happens, sabotage, generally, does more damage to a smaller business than to a larger one, Mr. Juneau-Katsuya says.

If a competitor gains access to a critical piece of information, it could bankrupt a business. Disgruntled employees, dissatisfied customers or aggressive rivals could do lasting harm to a company's reputation.

"Big companies are often diversified enough that they can bounce back," Mr. Juneau-Katsuya sats. "For a vast majority of small companies, it can cost so much to rectify the situation, and that can break their backs."

Rogue staff are the most dangerous, he says, because they have access to inside information, but with technology making it easier to hack into servers or destroy reputations on social media, sabotage can come from anywhere.

"Sabotage is one of the ways that you can neutralize the competition," he notes. "It is also one of the ways that you can inflict pain on someone you're angry with."

While planting a bomb is grave, there are less insidious ways for someone to do something harmful to a company.

Tony Ritlop, a partner in Ernst & Young's IT risk and advisory practice, has heard of someone simply eavesdropping on a competitor's conversation at a bar and stealing information. He's also seen competitors hire away another company's employees as a way to get at inside information.

"What we see a lot of is a company losing a bid and they don't know why," Mr. Ritlop says. "They find out the other guy came in at a much lower bid, and that couldn't have happened unless the competition knew something about that bid."

There aren't many statistics on sabotage as it relates to small and medium-sized companies, says Mr. Juneau-Katsuya. The former CSIS director says that, usually, companies don't report insidious activity to the authorities because the police can't really do much.

"What are you going to charge them with?" he asks. "We don't have an element of sabotage in the Criminal Code that clearly says, I took this list of clients and gave it to the competition. It might be breach of trust, but it's not often something police pursue."

While there may not be hard numbers on how many companies are sabotaged every year, experts say it's happening.

Walid Hejazi a professor at the Rotman School of Management at the University of Toronto and the author of the Rotman-Telus study on Canadian IT security practices, says that smaller companies are increasingly becoming a target of sabotage.

As bigger companies beef up their security systems, smaller, less protected operations become more vulnerable, he says.

Cyber-sabotage is one of the easiest ways to devastate a company, he says. It's not difficult for someone to hack into a website and unleash a virus or for an employee to grab sensitive information and sell it to a competitor.

Prof. Hejazi' has heard of situations where someone threatens to release a crippling virus unless a company pays up.

Small to medium-sized companies are especially vulnerable to this type of threat because they don't have to get board approvals or even report sabotage the way a public company would have to, Prof. Hejazi says.

It's impossible to completely protect a business from sabotage Mr. Ritlop says, but steps can be taken to reduce the chance of something going wrong.

Mr. Ritlop, Mr. Juneau-Katsuya and Prof. Hejazi say that the first place to start is with employees. Every business owner should do a background check to see if a potential staff member has a criminal past.

Mr. Ritlop says having detailed company policies also make a big difference. It starts with a code of conduct, including how employees share information, talk to clients and deal with ethics-related issues.

Companies may then want to create a policy around technology. Include rules around personal use of company phones, computers and other equipment, and who gets access to what servers and files, he says.

Mr. Juneau-Katsuya adds that companies should conduct their own risk assessments. First ,figure out what could be at risk – it might be intellectual property, an important supplier or specific strategy – and then try to determine who could be a potential saboteur. When the assessment is complete, the solutions usually present themselves, he says.

"Say you have a competitor that's really aggressive," he says. "If that's the case, you need to know as much as you can about the competition. You need to know its weak points and how far they can go. If you think it'll steal a supplier, then maybe try to find a second supplier so you're sure you don't get caught.

"If you wait until crisis mode, then it's going to be extremely costly."

When it comes to social media, it's not good enough to have a policy explaining what staff can or cannot do, says Mr. Juneau-Katsuya. Part of the plan must also include what to do when a case of social media sabotage occurs.

"You've got to think ahead of time," he says. "Have standard operating procedures in place that will decide how everyone should behave if a crisis does happen."

Many companies may want to take things a step further and beef up security. For a computer-based company that could mean enhancing cyber protections; for a company like Mr. Hamilton's, that might mean upgrading cameras, lighting and alarm systems.

Mr. Hamilton admits he wasn't nearly as protected as he now knows he should have been. Before the bombs put him out of commission for several days, he had eight cameras in his store and poor lighting. Now, after $70,000 of security upgrades, he has 32 cameras, better lighting and a fence around his building that can quickly lock to keep evil-doers inside.

He's also changed policies. Customers can't bring in bags and his staff are now trained to be more aware of their surroundings.

Ultimately, the best protection is vigilance, Mr. Ritlop says. Think about everything from who gets access to what, to when store lights are on and off, to whether or not a back entrance is blocked from view, he says.

Business owners can't cover off everything, but it's better to be on guard than to think sabotage can't happen.

"It makes me feel sad to treat customers like this," Mr. Hamilton says. "But I've been in business 20 years and I'm not about to quit."

Special to The Globe and Mail

Interact with The Globe