When you understand the potential online risks to your business and plan the steps you need to take to contain them, you can concentrate more on growing your business. Here are considerations for business owners to develop their cyber readiness.

Acknowledging that cyber threats can affect your business is the first step in protecting it, and it would be hard not to, given the frequency and severity of incidents reported in the news.

Seven out of 10 business leaders say that their cyber security risks are increasing and cyber readiness is more important given the potential risk that an incident poses to small businesses.

Developing cyber readiness starts with:

  • Increasing your awareness of successful cyber threats, and understanding how they might affect your business operations
  • Learning effective tactics you can practice against cyber threats, and focusing on the protections that are within your control
  • Keeping alert to cyber threats, practicing healthy cyber habits, and committing to continuous learning and adapting your cyber hygiene habits to meet these threats
  • Knowing the relevant reputational, legal, and operational risks to your business from below-standard cyber security practices
  • Planning ahead to reduce the potential impact of cyber threats to your business, your employees, and your customers

“Owners should pay as much attention to their operational cyber readiness as much as they do to their employee safety, customer experience, cash flow, supply chain, or equally business-critical parts of your business,” says James Lee, a cyber security consultant for Royal Bank of Canada. “Think about cyber security when you think about your people, your processes, your technologies, and your customers’ user experience.”

Be informed about and prepared for cyber security risks before they happen. Then you can concentrate more on growing your business, worrying less about your cyber risks.

Where to start: cyber security for your small business

1. Determine what needs protection

Identify your most valuable information, Lee explains. “Think about, ‘What kind of data do I have,’ ‘What does it mean to me if I lose control of that data,’ and ‘What steps can I take to increase the possibility that, if I lose control of that data, I can recover it.’”

2. Protect your data

Lee recommends following cyber security best practices. These include:

  • Use strong, different passwords to log in to different systems
  • Implement multi-step authentication
  • Install antivirus software and keep it updated
  • Remain current with software security updates
  • Back up your data

3. Learn about common threats and the precautions to take

Protecting your business against cyber risks requires you to know about common threats and the precautions to take.

For example:

| Threat | Entry point | Root cause | A way to avoid it |
|---|---|---|---|
| Unauthorized access to a system | Compromised login | Same password used for email, social media, banking | Use a different strong password for each purpose |
| Ransomware | Email | User-opened attachment | Strengthen awareness of suspect messages – when in doubt, delete |
| Distributed denial of service (DDoS) attacks | Network | Massive amounts of traffic sent by hackers | Limit what traffic reaches your systems with a firewall |
| Spear phishing | Email | Fake messages targeted at business leaders | Educate users on social engineering techniques |
| Smishing | SMS text message | User tricked into providing sensitive information | Teach users not to click on suspicious links in text messages |

4. Think safety first

Even the most well-intentioned employees can expose your business to cyber threats if they are not careful. Teaching employees to “think before they click” is crucial to avoid social engineering attacks embedded in suspect emails, texts, or social media messages.

Cyber security best practices for small businesses include training employees on:

  • Safely browsing the internet
  • Creating strong passwords
  • Protecting sensitive data

For example, teaching employees to recognize fake emails may help prevent business email compromise, in which cyber criminals dupe companies into sending money to false accounts by appearing to send legitimate emails requesting payments or funds transfers.

5. Protect log-in credentials

Theft of log-in credentials is one of the biggest risks, Lee says. Cyber criminals often steal such information through “phishing” emails that trick recipients into providing sensitive data or getting them to click on a link that infects their computer with a virus.

Criminals could use stolen credentials to access your company’s bank accounts, customer data, or other similarly sensitive information. That is why teaching employees to spot malicious emails is important.

6. Consider software-as-a-service (SaaS) risks

Using another company’s software does not necessarily protect you from cyber attacks. Many businesses use solutions like Google’s G-Suite. The fact that Google stores the data and requires two-step authentication, such as an activation code sent to your phone to access your account, doesn’t mean all your information is 100 per cent secure.

Even with multi-factor authentication, a criminal may be able to steal the activation code sent to your phone and use it to log into your account, Lee says. Confirm that your SaaS provider also checks where a user logs in from so that a criminal overseas or from any other unauthorized location cannot log into your account in Canada.

7. Put a plan in place

Document your plans to protect your business as well as your expected response if you are attacked. Customize the steps to your business. For example, if you use mobile devices, you should implement protections for accessing your company data remotely.

Update your plan as threats evolve. If you read of a major incident like the recent Colonial Pipeline ransomware attack that shut down gasoline distribution in the Southeast United States, consider how you would respond if a cyber criminal seized control of your systems and demanded payment to restore access.

“You have to be able to separate out moments of panic versus, ‘I understand what’s happening,’” says Lee. You must also be ready to assess whether a threat would be an issue for your business, he says.

“You always have to think about: ‘What’s my role, what’s my content, and am I outsourcing it to a software-as-a-service provider or am I running it all,’” Lee says.

Developing and maintaining cyber readiness may be a continuous process, but it is worth the effort to protect against ongoing risks. Lee likens maintaining cyber readiness to walking across a street: even if you have the walk sign, you still check both ways before crossing to protect yourself.

This article offers general information only and is not intended as legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. While information presented is believed to be factual and current, its accuracy is not guaranteed and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or its affiliates.