Acknowledging cyber threats can affect your business is the first step in protecting your business — and it would be hard not to given the frequency and severity of incidents reported in the news.
Seven out of 10 business leaders say that their cyber security risks are increasing, and cyber readiness matters all the more given the potential risk that an incident poses to small businesses.
Developing cyber readiness starts with:
- Increasing your awareness of successful cyber threats, and understanding how they might affect your business operations
- Learning effective tactics you can practice against cyber threats, and focusing on the protections that are within your control
- Keeping alert to cyber threats, practicing healthy cyber habits, and committing to continuous learning and adapting your cyber hygiene habits to meet these threats
- Knowing the reputational, legal, and operational risks to your business that come from substandard cyber security practices
- Planning ahead to reduce the potential impact of cyber threats to your business, your employees, and your customers
“Owners should pay as much attention to their operational cyber readiness as they do to their employee safety, customer experience, cash flow, supply chain, or equally business-critical parts of your business,” says James Lee, a cyber security consultant for Royal Bank of Canada. “Think about cyber security when you think about your people, your processes, your technologies, and your customers’ user experience.”
Be informed about and prepared for cyber security risks before they happen. Then you can concentrate more on growing your business, worrying less about your cyber risks.
Where to start: cyber security for your small business
1. Determine what needs protection
Identify your most valuable information, Lee explains. “Think about, ‘What kind of data do I have,’ ‘What does it mean to me if I lose control of that data,’ and ‘What steps can I take to increase the possibility that, if I lose control of that data, I can recover it.’”
2. Protect your data
Lee recommends following cyber security best practices. These include:
- Use a strong, different password to log in to each system
- Implement multi-step authentication
- Install antivirus software and keep it updated
- Remain current with software security updates
- Back up your data
3. Learn about common threats and the precautions to take
Protecting your business against cyber risks requires you to know about common threats and the precautions to take.
For example:
| Threat | Entry point | Root cause | A way to avoid it |
| --- | --- | --- | --- |
| Unauthorized access to a system | Compromised login | Same password used for email, social media, banking | Use a different strong password for each purpose |
| Ransomware | User-opened attachment | | Strengthen awareness of suspect messages – when in doubt, delete |
| Distributed denial of service (DDoS) attacks | Network | Massive amounts of traffic sent by hackers | Limit what traffic reaches your systems with a firewall |
| Spear phishing | Fake messages targeted at business leaders | | Educate users on social engineering techniques |
| Smishing | SMS text message | User tricked into providing sensitive information | Teach users not to click on suspicious links in text messages |
4. Think safety first
Even the most well-intentioned employees can expose your business to cyber threats if they are not careful. Teaching employees to “think before they click” is crucial to avoid social engineering attacks embedded in suspect emails, texts, or social media messages.
Cyber security best practices for small businesses include training employees on:
- Safely browsing the internet
- Creating strong passwords
- Protecting sensitive data
For example, teaching employees to recognize fake emails may help prevent business email compromise, in which cyber criminals dupe companies into sending money to false accounts by appearing to send legitimate emails requesting payments or funds transfers.
5. Protect log-in credentials
Theft of log-in credentials is one of the biggest risks, Lee says. Cyber criminals often steal such information through “phishing” emails that trick recipients into providing sensitive data or into clicking a link that infects their computer with a virus.
Criminals could use stolen credentials to access your company’s bank accounts, customer data, or other similarly sensitive information. That is why teaching employees to spot malicious emails is important.
6. Consider software-as-a-service (SaaS) risks
Using another company’s software does not necessarily protect you from cyber attacks. If you use solutions like Google’s G-Suite, which many businesses do, just because Google stores data and requires two-step authentication — like an activation code sent to your phone to access your account — doesn’t mean all your information is 100 per cent secure.
Even with multi-factor authentication, a criminal may be able to steal the activation code sent to your phone and use it to log into your account, Lee says. Confirm that your SaaS provider also checks where a user logs in from so that a criminal overseas or from any other unauthorized location cannot log into your account in Canada.
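The location check Lee describes can also be run on your own side, over the sign-in logs most SaaS providers let you export. The following is an added example, not code from the article or from any provider: it reviews a constructed set of sign-in events against the countries each user is expected to sign in from, and (going one step beyond the article) also flags two successful sign-ins from different countries within a short window, which is what a stolen MFA code used from abroad tends to look like. The log format, user names and allowed-country list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of SaaS sign-in events (not real logs): user, UTC time, country, MFA result.
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T09:00:00", "CA", True),
    ("alice", "2024-03-01T09:40:00", "CA", True),
    ("bob",   "2024-03-01T10:05:00", "CA", True),
    ("bob",   "2024-03-01T10:20:00", "RU", True),   # MFA passed, but from an unexpected country
    ("carol", "2024-03-01T11:00:00", "US", False),  # MFA failed; the provider already blocked this
    ("carol", "2024-03-01T11:02:00", "CA", True),
]

# Countries each user is expected to sign in from (assumption: maintained by the business).
ALLOWED_COUNTRIES = {"alice": {"CA"}, "bob": {"CA"}, "carol": {"CA", "US"}}

# Two successful sign-ins from different countries closer together than this are suspicious.
TRAVEL_WINDOW = timedelta(hours=2)


def review_sign_ins(events, allowed, window=TRAVEL_WINDOW):
    """Return (user, timestamp, reason) alerts for sign-ins that passed MFA but came from
    a country the user is not expected in, or that changed country within `window`."""
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of the most recent successful sign-in
    for user, ts, country, mfa_ok in sorted(events, key=lambda e: e[1]):
        if not mfa_ok:
            continue  # failed second factor: nothing to evaluate, the sign-in did not succeed
        when = datetime.fromisoformat(ts)
        if country not in allowed.get(user, set()):
            alerts.append((user, ts, f"sign-in from unexpected country {country}"))
        prev = last_seen.get(user)
        if prev and prev[1] != country and when - prev[0] < window:
            alerts.append((user, ts, f"country changed {prev[1]}->{country} within {window}"))
        last_seen[user] = (when, country)
    return alerts


if __name__ == "__main__":
    for alert in review_sign_ins(SAMPLE_EVENTS, ALLOWED_COUNTRIES):
        print(*alert)
```

Anything this flags is a prompt to confirm with the user and, if needed, revoke sessions and reset the password and second factor; it does not replace the provider's own location and device checks.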
7. Put a plan in place
Document your plans to protect your business as well as your expected response if you are attacked. Customize the steps to your business. For example, if you use mobile devices you should implement protections for accessing your company data remotely.
Update your plan as threats evolve. If you read of a major incident like the recent Colonial Pipeline ransomware attack that shut down gasoline distribution in the Southeast United States, consider how you would respond if a cyber criminal seized control of your systems and demanded payment to restore access.
“You have to be able to separate out moments of panic versus, ‘I understand what’s happening,’” says Lee. You must also be ready to assess whether a threat would be an issue for your business, he says.
“You always have to think about: ‘What’s my role, what’s my content, and am I outsourcing it to a software-as-a-service provider or am I running it all,’” Lee says.
Developing — and maintaining — cyber readiness is a continuous process, but it is worth the effort to protect against ongoing risks. Lee likens maintaining cyber readiness to walking across a street: even if you have the walk sign, you still check both ways before crossing to protect yourself.
This article offers general information only and is not intended as legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. While information presented is believed to be factual and current, its accuracy is not guaranteed and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or its affiliates.