Hackers seeking to steal data and money historically have targeted large multinationals and government bodies. In recent years, however, they have shifted focus, and now increasingly prey on small businesses and individuals.
This is not surprising: bigger organizations may offer larger “treasure troves” to steal, but they have responded and have better defense strategies in place. They have built up armies of information security professionals and have tighter relationships with law enforcement agencies – lowering the odds of a hacker’s success and increasing the chances of them getting caught and imprisoned. With the new dynamics at play it is increasingly important for small business owners, entrepreneurs considering starting a business, and people in general to cyber-protect themselves.
While it is proper for businesses to perform formal risk assessments before determining their cyber risk management strategy and techniques, the reality is that many Canadian small businesses don’t have the resources to do so, and following some sound general advice is far better than doing nothing. So, how can small businesses and individuals improve their cyber defenses without spending a lot of money? Here are some suggestions from Vishal Kundi, the CEO and Co-Founder of Boxx Insurance, the provider of the groundbreaking Cyberboxx SMB solution that launches this Fall:
- Make your team aware of the risks – they are your human firewall. It is imperative to understand certain basics, and to train others as well. People should know to avoid cyber-risky behavior – such as opening attachments and clicking on links found in unexpected email messages, downloading music or videos from rogue websites, or buying products from unknown stores with “too good to be true” prices and no physical contact information. However, don’t rely on training as the sole line of defense against such a fast-moving threat landscape.
- Don’t give everyone the keys to the castle. If an employee goes rogue – or if a hacker breaches the security of a single person – you want to contain the damage. Give people access to the computer systems and data that they need in order to do their jobs, but not to everything else. The same goes for family members and home computers.
- Back up, and back up often. Back up often enough that, if something goes wrong, you will not panic about the data lost since the last backup when you need to restore. Do not keep backups attached to production networks – if malware (e.g., ransomware) gets into the network it could corrupt the backups as well. It is best to have offsite backups as well as onsite.
- Encrypt sensitive data. Store all sensitive data in an encrypted format. If you have doubts as to whether something is sensitive enough to warrant encryption, err on the side of caution and encrypt.
- Use a proper password policy. Conventional wisdom is to require complex passwords for all systems – but that leads to people writing down passwords or reusing them; instead, consider other strategies such as asking people to select combinations of words, numbers, and proper names (e.g., “twoburgers2gow1thfries”). For extremely sensitive systems, consider stronger forms of authentication such as multi-factor authentication.
- Devise, implement, and enforce social media policies. Inappropriate social media posts can cause many problems – such as leaking sensitive information, violating compliance rules, and assisting criminals in carrying out attacks.
- Bring Your Own Devices. If people are allowed to use personal devices for work-related activities, make sure there is adequate security installed on those devices. As with social media, do not rely on policies – enforce them with technology. Portable devices should have security software optimized for mobile systems and should have remote wipe capabilities (and do not forget to enable the remote wipe!).
- Stay ahead of hackers and hire a pro. If possible, hire an information-security professional to assist with designing and implementing your approach to cybersecurity. The cost of professional advice may pay for itself many times over in terms of time, money, and aggravation saved down the road. Hackers and other criminals leverage technical expertise – don’t be at a disadvantage against them.
- If you do nothing else, remember ‘Catch, Patch, Match’. These are three proactive actions every organization can take to reduce the risk of a cyber intrusion.
- Catch malicious software before it has a chance to become a problem. All computer devices (laptops, tablets, mobile phones, etc.) that you use to access sensitive information (or that will be attached to a network with other devices that do) need security software. There are several popular, inexpensive packages that include anti-virus, firewall, anti-spam, and other beneficial technologies.
- Patch all your web applications with updates promptly – and your operating system too. Do it now: intruders take advantage of known vulnerabilities in unpatched software.
- Match the right risk behaviours, e.g. manage carefully which people you give passwords and access to. Passwords in an intruder’s hands can spell disaster.
- Finally, consider cyber insurance. As the likelihood of a cyber incident increases and the expense of dealing with a breach gets higher, transferring the risk to an insurer makes increasing sense, in much the same way that existing business insurance policies for fire, flood and theft are a vital item in the risk management toolkit. Getting the right broker is important. A good specialist broker will save you time in determining what is right for your business.
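To put numbers behind the password-policy item above, here is an added example (not from the post or from Boxx Insurance) that estimates the guessing search space of the post’s sample word combination against a short “complex” password. The word-list size and symbol pool are assumptions, and the sample phrase is treated as five words plus two digits.

```python
import math
import re

# Constructed assumptions (not from the post): the word-list size a user
# picks from, and the punctuation pool an attacker must cover when guessing.
WORDLIST_SIZE = 7776   # size of a common diceware-style list (assumption)
SYMBOL_POOL = 33       # printable ASCII punctuation characters


def charclass_bits(password: str) -> float:
    """Search-space bits if an attacker guesses by the character classes present.

    This is the model behind 'complexity' rules: each class widens the pool per
    position, but length multiplies the total, so a long lowercase-plus-digits
    phrase outscores a short password stuffed with symbols.
    """
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += SYMBOL_POOL
    return len(password) * math.log2(pool) if pool else 0.0


def word_scheme_bits(n_words: int, n_digits: int = 0) -> float:
    """Pessimistic bits for the post's word-combination scheme.

    Assumes the attacker knows the pattern (n words from a public list plus
    n digits) and guesses only within it.
    """
    return n_words * math.log2(WORDLIST_SIZE) + n_digits * math.log2(10)


def compare(passphrase: str, n_words: int, n_digits: int, complex_pw: str) -> dict:
    """Return the three estimates side by side so a policy discussion has numbers."""
    return {
        "phrase_bruteforce": round(charclass_bits(passphrase), 1),
        "phrase_scheme_known": round(word_scheme_bits(n_words, n_digits), 1),
        "complex_bruteforce": round(charclass_bits(complex_pw), 1),
    }


if __name__ == "__main__":
    # The post's sample phrase (two/burgers/go/with/fries plus two digits)
    # against a constructed 8-character 'complex' password.
    print(compare("twoburgers2gow1thfries", 5, 2, "P@ssw0rd"))
```

Even under the pessimistic scheme-known model the five-word phrase has a larger search space than the eight-character complex password, while being far easier to remember and so less likely to be written down or reused.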
Special thanks to Toronto-based MGA Boxx Insurance, for the valuable contribution of their expertise to this post.