October is Cyber Security Awareness Month
By Michela Toscano, IONICA
There were over 5000 recorded data breaches last year, with an estimated average cost of CAD$5.07M. Cyber security threats are more numerous and sophisticated than ever before. Is your business ready?
Many organizations think they are too small to fall victim to cyber-attacks. However, as institutions traditionally targeted by cyber criminals have erected robust cyber security defences, criminals have turned to less sophisticated, less prepared and smaller organizations.
“The biggest challenge is that many SMEs don’t have adequate cyber protection in place, simply because they don’t know they need it”, says Corinne Pohlmann, SVP of National Affairs and Partnerships for the Canadian Federation of Independent Business (CFIB). “Many small and medium enterprises just don’t realize how vulnerable they may be.”
Additionally, many small-medium enterprise owners don’t know exactly what is needed to secure their business. Most technology vendors offer partial solutions, leaving their customers and prospective customers to educate themselves, sifting through a variety of disjointed offerings. This commonly leads to gaps that can be exploited by hackers.
Indeed, a poll by the Insurance Bureau of Canada, found that nearly one in five Canadian SMEs surveyed had been affected by a cyberattack or data breach in the previous two years, with 37% estimating that the incidents cost over $100,000. Moreover, nearly half of the respondents acknowledge having no defences against possible cyber-attacks.
Cyber Security Awareness Month is an opportunity to take stock and reconsider the importance of cyber hygiene. Here are a few relatively simple actions to help make your business safer and more resilient.
Build a Cyber Aware Culture
Your first line of defence against cyber incidents is your team. Most breaches occur as a result of human error resulting from a lack of awareness and education.
Staff should be trained to identify potentially malicious emails and links. Consider repeating the importance of safe and appropriate usage of the Internet and social media. Other simple practices, such as locking unattended workstations and setting complex passcodes on mobile devices, should be included in cyber security policies.
It may seem obvious, but the basics can go a long way to averting security and public relations disasters!
Strong User Authentication
In its yearly Digital Defense Report, Microsoft reports an increase in identity-based attacks using brute force. “Given the frequency of passwords being guessed, phished, stolen with malware or reused, it’s critical for people to pair passwords with some second form of strong credential,” mentions the report.
Multi-factor authentication or MFA (also referred to as 2FA for two-factor authentication) is an authentication mechanism whereby a user is prompted to provide an additional form of identification during a sign-in process. This is often done with via SMS or an authenticator app and can take many other forms such as hardware tokens and biometrics. A good way to think of MFA is “something you know (like a password), and something you have (like a fingerprint or a piece of hardware).”
Email and many web services have MFA enabled by default, but users often must take additional steps to enable it. If you do only one thing to boost your security, it should be this.
Safe Instant Messaging
Use of chat and instant messaging (IM) platforms like Slack, Teams, Hangouts, and Skype has grown tremendously over the last few years, especially as more people work from home. The often casual use of chat might lead some to think it’s innocuous, but it comes with risks that we should all be aware of.
As with other forms of digital communications, threat actors can obtain privileged information in many ways, despite claims by vendors of offering fully secure end-to-end encryption (looking at you, Zoom!).
The Canadian Centre for Cyber Security offers some excellent tips for reducing the risks, such as suggesting limiting links between chat systems and Internet of things (IoT) devices.
Use secure networks
Now more than ever, mobile devices and laptops are essential tools for most organizations. Generally, these devices will be connected to other resources or the Internet via Wi-Fi or cellular network. Data transmitted could be vulnerable to eavesdropping by others using the same network.
Using a Virtual Private Network (VPN) when connecting to the Internet outside trusted networks can greatly reduce the risk of having data exposed to third parties. A VPN facilitates a more secure connection to the Internet, effectively isolating the communications from others using the same network.
Many VPN vendors have apps that can be configured to automatically turn on when connecting to an untrusted network. Make sure that the VPN vendor you choose is based in a country with strong data privacy laws and a reputation for valuing human rights.
Keep system software and apps up to date
Many organizations provide locked down devices to their employees, but it is not uncommon for SMEs to allow staff to use their own devices (especially phones). Users can, of course, freely install software and adjust the configurations of their own devices, which can potentially result in increased exposure to security risks. Accounting and vulnerability management tools are available to maintain user freedom while ensuring devices are properly secured.
When it’s not possible to limit the installation of apps to explicitly approved software, organizations should require that their employees use only official app stores like Google Play or Apple’s App Store.
Additionally, it is important that apps and operating systems (Windows, Android, OSX/iOS, etc.) are current with the latest security patches by regularly running system and application updates.
For most of us, it’s not “if” a security incident happens, it’s “when”. That’s why it is critical to be prepared.
Developing an incident response plan helps organisations efficiently and effectively take immediate action — minimising the impact of a breach. The ramifications of a potential breach can be extensive, causing harm to productivity, brand reputation, loss of clients, as well as legal claims.
To get started on your own, visit CyberSecure Canada, a federal Government certification program for small and medium-sized organizations.
Need or prefer expert help in cyber security? Contact us at firstname.lastname@example.org
Michela Toscano is an entrepreneur and technologist based in Vancouver, BC., where she is principal of IONICA, an integrated technology firm specializing in site reliability engineering, cyber security, hosting, and web development.
Published with permission.