In 2019, business owners across Canada have a lot to worry about: on one hand, they have political disputes between Ottawa and Washington with regard to the North American Free Trade Agreement, which United States President Donald Trump seems to believe is working against American interests.
On the other hand, the world of Canadian enterprise is lagging behind in terms of cyber security. Even though major companies such as Toronto-Dominion bank is taking major steps like hiring penetration testing specialists to improve their cyber defenses, small business owners are often the most vulnerable.
Canadian companies will have an additional concern in 2019, and it is related to the delicate geopolitical climate. After Vancouver law enforcement agents arrested Meng Wanzhou, a top Huawei executive, in December 2018, diplomatic relations with China have taken a downhill course.
Information security specialists have warned that Chinese intelligence officials may team up with state-sponsored hackers and cybercrime groups to target Canadian companies in retaliation, and they may not limit their efforts to major enterprises.
If what Chinese officials want is to pressure Ottawa, they will encourage cyber attacks against small business owners because their information security budgets are smaller and because they are more likely to raise a stronger voice of protest. It does not matter that Wanzhou was arrested at the behest of the U.S. for extradition; this is the daughter of a Huawei founder who has powerful connections to the Communist Party of China.
With the above in mind, business owners have a considerable IT security burden to shoulder in 2019. Here are 20 recommendations to protect your business operations from malicious hackers and other cyber security risks:
- 1 – Know Where You Stand
- 2 – Protect Your Endpoints
- 3 – Audit Your Digital Security
- 4 – Review Password Policies
- 5 – Review Compliance Policies
- 6 – Try to Avoid Email Attachments as Much as Possible
- 7 – Use Virtual Private Networking (VPN) Technology
- 8 – Use Password Vaults and Managers
- 9 – Implement Two-Factor Authentication
- 10 – Consider Biometrics
- 11 – Backup Your Company Data
- 12 – Test the Integrity of Your Backups
- 13 – Minimise Your Hardware Exposure
- 14 – Outsource Your Information Security Process
- 15 – Implement Data Encryption
- 16 – Draft and Implement Information Security Policies
- 17 – Train Your Employees on Information Security
- 18 – Be Careful With “Bring Your Own Device” Policies
- 19 – Insure Your Digital Infrastructure
- 20 – Be Careful With Social Media
- The Bottom Line
1 – Know Where You Stand
Even though some businesses are more likely to be hacked than others, you should not let your guard down. If you store customer and employee data in digital formats, hackers will be interested in breaching your network. If your business handles sensitive matters, the potential of a breach is magnified; for example, a law firm that conducts lobbying on behalf of controversial political groups could be targeted by hacktivists who either want to expose information or vandalize the business.
2 – Protect Your Endpoints
Hackers consider every endpoint to be a potential point of entry and an attack vector. Endpoint security is the first and very minimum measure you should take to protect your business, and this includes basics such as firewalls, antivirus systems and software that has been properly updated and patched for security.
If you or your staff members remotely connect to the office network, endpoint security becomes an even more pressing issue.
3 – Audit Your Digital Security
After securing your endpoints, you will want to test them. Once they are reasonably strengthened, your next step should consist of an information security audit that looks at all your business operations. The audit should be conducted by information security specialists that take into consideration the entire digital infrastructure of your company, including mobile devices used by employees during the course of business.
4 – Review Password Policies
In many cases, security audits reveal poor password strategies and weak policies. The ample bandwidth and computational processing power in use these days make it easy for hackers to launch dictionary attacks that can easily guess passwords.
5 – Review Compliance Policies
While compliance tends to be a headache for many business owners, it should not be ignored as it is related to information security. In recent years, Canadian lawmakers and regulators have increased their information security oversight, particularly with regard to Personal Information and Electronic Documents Act, known as PIPEDA. Compliance is a matter of staying in business, but it can go long way in protecting sensitive information.
6 – Try to Avoid Email Attachments as Much as Possible
In the age of cloud computing and Software-as-a-Service, sending and receiving attachments via email is a business practice that can be significantly reduced. The most sophisticated phishing attacks will not only fool recipients but also entice them to accept attachments that can execute malicious code when clicked.
7 – Use Virtual Private Networking (VPN) Technology
Company owners, managers and employees who work from home or out in the field should be very careful when connecting to the internet, particularly if they use public Wi-Fi networks at Tim Hortons or similar spots. In February 2018, hundreds of Tim Hortons stores across Canada were hit with a massive computer virus attack that may have also compromised their Wi-Fi networks. To avoid these risks, the best course of action is to have the best VPN when using work devices out of the office. A few good ones that have reviewed include ExpressVPN, NordVPN and CyberGhost.
8 – Use Password Vaults and Managers
According to a 2017 report published by Security Magazine, average business enterprises manage more than 190 online accounts, which are mostly secured by username and password combinations. Individuals manage at least a dozen personal accounts, and about half of them are entrusted to third-party businesses. In 2019, password management utilities are the way to go.
9 – Implement Two-Factor Authentication
Even with password vaults and managers, the username/password paradigm is generally thought to have run its course; for this reason, two-factor authentication, more commonly known as 2FA, was developed. Implementing 2FA is not difficult and is reasonably affordable for most Canadian business owners.
The current 2FA options include mobile devices, USB flash drives and physical tokens, the latter being the strongest complement because smartphones and USB keys tend to be more commonly lost.
10 – Consider Biometrics
Not many business owners are taking advantage of Windows Hello, the surprisingly effective technology developed by Microsoft for the purpose of increasing online account access. Windows Hello works with most biometric fingerprint scanners currently on the market, and it can be set up very easily. In many cases, biometrics is a solution that is superior to 2FA.
11 – Backup Your Company Data
We live in a time when ransomware attacks are making uncomfortable headlines on an almost daily basis. In November 2018, the Toronto Star reported on a ransomware attack that targeted ESC Corporate Services, a provider of digital services to the Government of Ontario.
This attack was notorious because it not only encrypted records and made a ransom demand in exchange for a decryption key; hackers also warned ESC that they intended to use personal information gleaned from the attack for identity theft purposes. The best protection against ransomware attacks is to keep reliable data backups. Instead of making ransom payments, victims can simply wipe their hard drives and recover from a backup.
12 – Test the Integrity of Your Backups
An unfortunate reality of information security is that many business owners implement a backup strategy on their own and neglect to test how reliable it really is. The feeling of not being able to recover from a backup is something you do not want to experience. Be sure to start by using the right strategy, which may range from snapshots to incremental or bare metal backups, and test the recovery process regularly.
13 – Minimise Your Hardware Exposure
Every device you add to your network is an endpoint that needs to be secured. As previously mentioned, hackers see endpoints as entry points, which is why you should keep them to a minimum. Modern Canadian business owners can minimize their hardware footprint by means of setting up their digital infrastructure in the cloud. Doing so will prevent them from having to fill their workplace with hardware.
14 – Outsource Your Information Security Process
The cloud computing paradigm has resulted in the creation of managed IT services, a cost-effective alternative to hiring in-house IT staff members. One of the many advantages of managed services is that they often include network security monitoring and response. This is managed through a series of alerts, inspections, audits, and algorithms. If your small company can only afford to keep a couple of IT workers on staff, you should strongly consider a managed services solution in 2019.
15 – Implement Data Encryption
Similar to endpoint security, data encryption is an essential security measure you cannot afford to ignore. Should your network suffer an intrusion, encrypted data will keep information safe from hackers who do not have decryption means. The key to business data encryption is that it should encompass all digital storage devices.
For example, if your employees use company laptops, tablets, smartphones, or USB flash drives that can be lost or stolen, they should be covered under your data encryption policy. Data encryption is also a compliance factor since it is covered under PIPEDA.
16 – Draft and Implement Information Security Policies
While just about all Canadian companies have some sort of policy covering workplace safety and security, many of them forget to extend this measure to the digital realm. You can ask your employees to practice information to the best of their abilities, but it is invariably better if they are able to refer to a set of company policies. Information security policies have a few standards, many of which are mentioned herein, but they are better off being drafted following a security audit.
17 – Train Your Employees on Information Security
One misguided assumption business owners make when they hire members of the Millennial Generation as their employees is that their digital upbringing will guarantee deep knowledge about information security. Even if your company has the benefit of an IT department, it is important to make all workers aware of the cyber risks they may encounter. Depending on the corporate culture of your workplace, you may even want to establish penalties in case security policies are not followed – this will only make sense after proper training is provided.
18 – Be Careful With “Bring Your Own Device” Policies
Younger employees tend to enjoy contributing their own laptops or smartphones to achieve business goals, and this is a practice that can save companies money, but it comes with plenty of security caveats.
If you want to make BYOB happen in your company, you should consult with an information security professional before doing so.
19 – Insure Your Digital Infrastructure
Many insurance companies in Canada offer enterprise risk management policies that have provisions related to cyber attacks and data breaches. Depending on the type of business, policy premiums for cyber insurance coverage can be reasonable.
20 – Be Careful With Social Media
Online social networks can be wonderful tools for business marketing and can even be efficiently used as low-cost platforms for customer service, but they should be approached with caution. Most of the security issues emanating from the business use of social networks are caused by “oversharing” company information.
In some cases, business principals and employees who link their personal accounts to company pages may inadvertently reveal certain details that hackers may latch onto. Sometimes, hackers use Social Media to get addresses and employ MitM attacks within range of the business and home WiFi. It’s best to get a home security system to see the faces of anyone suspicious before anything terrible happens.
The Bottom Line
The reality is that small business networks are just as much at risk to cyber intrusion as the international conglomerates that have their data breaches splashed across the daily headlines.
The stark difference is that a single data incident can put a smaller operation out of business for good. Pay attention to the preceding list. Love it. Learn it. Put the recommendations into practice and do it soon.