The Canadian Guide to Better Cybersecurity
If you're like most businesses in Canada, the Internet is indispensable to your success. Getting online allows you to attract new leads, engage customers and grow your business. Even if you don't have a website or participate on a social media platform, you probably depend on the Internet for other business operations like banking, paying bills, payroll or ordering supplies. All Canadian Internet-connected systems, networks and data are vulnerable to the threat of cyberattacks. From unauthorized access to data, to the theft, alteration and destruction of private information, these attacks have a detrimental impact on electronic data. Yet, a recent study found that 83% of small and medium businesses in Canada do not have a cybersecurity plan in place.
Cybersecurity encompasses all methods, techniques, procedures and tools used to protect companies and individuals from cyberattacks, while preventing potential future business disasters. Below we offer a uniquely Canadian guide to cybersecurity, focused on the three pillars of cyber health: preserving confidentiality, preserving integrity, and maintaining availability.
Increased Attacks on Canadian Businesses
The rapid growth of modern technology has opened the door to an increasing number of malicious attacks on Canadian businesses. As physical offices are replaced by complex online networks, and as businesses operate through a series of interconnected end-point devices, there are more cracks in the system for intruders to exploit. Over a 12-month period in 2012, 69% of Canadian businesses surveyed reported some kind of cyberattack, costing them approximately $5.3 million, or about $15,000 per attack. As sensitive information spreads across computers, smartphones and tablets, businesses must remain one step ahead in ensuring their own protection.
1. Cybersecurity Planning
It can be difficult to pinpoint vulnerabilities, which can arise anywhere from the design to the implementation to the operation of systems. Upgrades and add-ons to hardware and software can also introduce vulnerabilities into a system’s core. A solid cybersecurity plan protects three major areas:
- Internet-capable devices such as computers, tablets, smartphones
- The network, both external and internal
- The cloud
The most common techniques used to protect devices are antivirus and anti-spyware software, a firewall and a virtual private network (VPN). Passwords, IDs and encryption are commonly used to protect the network from outside attacks and provide enhanced internal security.
2. Security Awareness Campaigns
Cybersecurity in the cloud is more complex, as it requires a set of strategies and policies to form controls that protect the cloud system. The number one thing Canadian businesses can do to increase their cybersecurity is to run awareness campaigns in the workplace. A workforce steeped in knowledge about potential cyberattacks will be better positioned to avoid activities that create vulnerabilities and to identify threats quickly, ideally before they cause damage.
3. Develop a Strategy
It is also important to develop a strategy that can be quickly implemented in the event of an attack. A cyberattack disaster could amount to significant data and financial losses. A well-planned recovery approach and guide to cybersecurity will help to minimize the impact of a cyberattack and ensure businesses can return to normal operations faster. Areas to be addressed in creating your strategy include:
A. Roles and Responsibilities
Define and assign roles and responsibilities. There should be one person who has ultimate responsibility for maintaining and enforcing safe cyber practices and for implementing a response.
B. Document Policies, Procedures and Standards
Create and document policies, procedures and standards. This doesn't need to be complicated, but it is essential in helping your employees understand their roles and responsibilities. A security policy is a document that states what personnel may or may not do with respect to cybersecurity. A standard is a document that explains how a specific task should be done. Standards most often apply to setting up and using technical systems. Test your procedures. Update your policies and standards as needed.
C. Restrict Employee Surfing and Software
Pay attention to web security by restricting the types of websites that employees are allowed to visit, and advise employees on what software is safe to install on their computers. Permission should be sought before downloading any new programs. Draft and prominently post an Internet Usage Policy for personnel to follow. This should state whether employees can use their work emails to sign up for social media platforms. Create social media policies. Require employees to have complex passwords that include letters (uppercase and lowercase), numbers and symbols.
D. Point of Sale
Point of sale (POS) security requires special attention. Always ensure that your POS system is behind a firewall and set up strong encryption for all transmitted data. Never use the default username and password provided by the manufacturer. Client data should be accessed on a need-to-know basis only. Ensure that all anti-malware software is always up to date.
E. Email Security
Implement standardized email security by using a spam filter. A spam filter will help you avoid the most potentially harmful emails sent by cyber criminals. Instruct employees to never click on any unverified or suspicious links—one errant click could hurt your business. Enable HTTPS, which encrypts data and makes life harder for cyber criminals. It is also good practice to use generic addresses (such as info@companyname.com) for the email addresses listed on your website or on your social media accounts.
F. Backup and Recovery Plans
Develop backup and recovery plans. Losing access to your data would be devastating. Developing a rigorous backup and recovery plan will be the best money you spend on cybersecurity, in addition to educating your team on cybersecurity. Back up like you breathe—non-stop and without thinking about it.
Failure to adopt a comprehensive cybersecurity plan has caused huge problems for some Canadian companies. Apathy is very dangerous. It’s not only money or highly sensitive data that intruders are targeting. Canadian businesses and their employees are at risk of having their personal information stolen, as well as their network and information destroyed.
Taking action to prevent such disasters by engaging in cybersecurity planning can make all the difference in how a company functions and flourishes in Canada’s booming technological environment.