Running a business in Canada comes with many challenges. One that many small and medium-sized business owners neglect is the need for a cyber security plan. Some business owners believe they are too small to be a target for big bad hackers, while others just don’t have the budget. The BDC (Business Development Bank of Canada) came up with this handy checklist about a year ago to help business owners understand the risk, and know what actions they can take to reduce that risk. These same points still apply today, especially with the COVID-19 pandemic. Below is a summary of some key points to help you take charge of cyber security planning for your business.
1. Strategies and Policies
This is where any security planning is going to start. There need to be security policies in place that determine who is allowed access to data and technology. Then there need to be policies that relate to privacy and passwords. If you collect information on clients and staff, there need to be policies on who can access this information, how long that information should be stored, and how it should be destroyed. This is true for “paper” copies and electronic copies of data.
2. Data Backups
There have been far too many stories about malware and ransomware taking hold in various types of companies around the world. In many cases, a hacker will demand a ransom payment in exchange for returning your data. This can happen when a hacker sends an email with malicious code to multiple users at a company. All it takes is for one employee to be fooled and download the malicious code. The code is usually designed to encrypt the data so that it cannot be accessed by the users at the company. Because this data is so valuable, companies will pay the ransom in exchange for being able to access their data again. To make yourself less vulnerable to ransomware, data backups are extremely important. Critical data (anything needed in day-to-day operations, including customer information) should be backed up nightly to a remote location. Important data (anything important to the business but that doesn’t get updated frequently) should be backed up semi-regularly off-site.
3. Desktop Security
This involves your staff computers, and possibly tablets and other mobile devices. There should be procedures in place for ensuring all devices have up-to-date anti-malware software, policies on what can and can’t be downloaded onto devices, and a password policy, or better yet, two-factor authentication, to minimize the risk of unauthorized access. Regular patching with security updates should also be implemented.
4. Internet and Network Security
Similar to desktop security, firewalls, intrusion detection systems and VPNs should be kept up to date. Workers should take care to always use secured Wi-Fi and internet connections. Where possible, a VPN should be used to connect remotely to servers. When leveraging the cloud, always ensure you have secured your company's connection to the cloud services. Wherever possible, access to the cloud should have some form of multifactor authentication.
For regulatory compliance, most businesses will require some sort of annual or bi-annual audit of their systems. While compliance with standards can help improve security, it does not make your business secure. Use the audit results to fix any gaps in security policy. Audit on a regular basis to ensure ongoing compliance, as things can change quickly in a year. The BDC recommends at least every 6 months, but if possible, quarterly is better.
6. Breach Response
This is part of your security policy and strategy: you need to plan to be secure, but you also need to plan for the event of a breach. Think of it like planning for a fire. We’ve done everything we can to prevent a fire at the office, but we still drill an escape plan should the worst happen. What would be your plan? Many small businesses turn to MSSPs (Managed Security Services Providers) to help them drill what would happen in the event of a breach. This is not much different from businesses working with firefighters to help them determine a fire safety plan.
Are you able to check all the items off the list? If there are any points where you think your business can use some help, contact Uzado today.