Cyber Security for Small to Medium Sized Businesses
As a small to medium-sized business owner, chances are you wear many hats. From admin to finance, marketing to cyber security, your hands are full at all times. As more companies come to rely on digital processes, their exposure to cyber threats grows.
What is a cyber incident?
The Cyber Centre defines a cyber incident as any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource. Some examples of cyber incidents are phishing, ransomware, and Distributed Denial-of-Service (DDoS) attacks.
According to the IBM Security X-Force report, the manufacturing industry was the most targeted by cybercriminals in 2021. Other industries frequently targeted by cyberattacks were finance & insurance, professional & business services, energy, retail and wholesale, and healthcare. Additionally, the report found that ransomware was the top cyberattack type in 2021.
The Canadian Centre for Cyber Security encourages businesses to remain vigilant and take the time to ensure they are engaged in cyber defence best practices. These practices include:
- Increased monitoring of network logs
- Encouraging employees to practice phishing awareness
- Encouraging the use of two-factor authentication where possible
- Ensuring that servers and other critical systems are patched for all known security vulnerabilities
The Baseline Cyber Security Controls for Small and Medium Organizations lists a set of lower-cost and lower-burden security controls that you can implement to thwart cyber threat actors, reduce exposure to cyber threats, and get the most out of your cyber security investments.
While the Canadian health sector faces an increased risk, these are best practices that all organizations should apply to stay ahead of cyber threats.
Have an incident response plan
An incident response plan ensures that your organization is prepared to detect, respond to, and recover from a cyber incident. The goal is to recover as quickly as possible. An effective plan limits disruptions to internal services, clients, and partners and reduces data loss and reputational damage.
A written incident response plan ensures that responders are ready to carry out the necessary tasks to deal with an incident. It should:
- Specify the roles and responsibilities of those involved in the response
- Provide contact information for everyone involved in response activities
- Provide detailed instructions on handling common incidents
- Specify actions required for mandatory incident reporting
Enable security software to protect your organization against malware
Malware is malicious software designed to infiltrate or damage a computer system. Your organization should protect itself against the threat posed by known malware (i.e. malware that security researchers already know about and that security software can defend against). Focusing on known malware is relatively easy; your organization can enable and securely configure anti-virus and anti-malware solutions, including any software firewalls, on all information systems and assets.
As with all software, your organization should configure these solutions for automatic updates and scans.
Recommendations for your organization:
- Enable anti-malware solutions
- Activate software firewalls
Provide employee training
Cybercriminals exploit human error and deception to compromise information systems and assets. For example, they can access devices and information when accounts use easily guessed passwords, or they can compromise your organization’s networks and systems by sending emails that contain malicious links or attachments.
Educating employees about common cyber threats can protect your organization and minimize risks. Your organization should consider addressing topics such as the following examples:
- Creating unique passphrases and complex passwords for all accounts
- Using the Internet and social media safely in the workplace
- Using approved software and mobile applications
- Identifying malicious emails
For many small and medium organizations, their websites are essential to their business. An offline or defaced website can negatively impact an organization’s operations and reputation. Your organization should properly secure its web presence to avoid consequences such as lost revenue, lost customer trust, and compromised sensitive information.
You can secure your website by using the Application Security Verification Standard (ASVS), which was developed by the Open Web Application Security Project (OWASP). This standard proposes a list of security requirements and controls to implement during all phases of web application development.
Resources to help:
- OWASP Annotated Application Security Verification Standard: ensure that all websites and web applications meet the OWASP ASVS Level 1 guidelines.
- Canadian Centre for Cyber Security (the Cyber Centre): a single unified source of expert advice, guidance, services, and support on cyber security for Canadians. The Cyber Centre can help protect you; it works with organizations and Canadians to better protect them from cyber adversaries. Visit its website for a list of alerts and advisories, including those regarding critical vulnerability patches.
- CyberSecure Canada: Canada’s national certification program, which certifies small and medium organizations that implement the baseline controls.
Resources noted in this blog are sourced from the Government of Canada.