Our FAQs
All your cyber security questions in one place.
Most small businesses today use the Internet as a regular part of doing business. Getting online has never been easier. Just turn on your smartphone and start surfing, or open up your laptop and connect to a wifi hotspot. The Internet has become the new Wild West, with cybercriminals operating globally with impunity, stealing information, locking businesses out of their own networks, and holding them for ransom (usually paid in bitcoins). Small businesses have just as much to lose as larger businesses. Your information is valuable and is worth something to somebody, so the onus is on you to protect it. Not taking precautions can lead to expensive clean-up costs or, in extreme cases, can cause the death of your entire business. It’s up to you to make sure your business, your employees, and all of your data are protected at all times.
From the most basic perspective, using the Internet has become incredibly risky because the bad guys (criminals, hackers, malicious users and, in some cases, merely curious ones) have recognized the Internet as a source of almost limitless information. In today’s digital economy, information = money. All data, no matter how innocuous or irrelevant it may seem to you, has value to someone. And even today, with everything we know about the risks and about protecting ourselves, the vast majority of both large and small companies online aren’t taking adequate steps to protect themselves. Combine a wealth of information (remember, information = money) with a large number of unprotected systems hosting that information, and you create a breeding ground for criminals to make a very comfortable living online stealing information and holding systems hostage (Cybersecurity Ventures estimated the cost of cybercrime at $6 TRILLION in 2021). If you aren’t making a reasonable effort to protect yourself and your business online, you’re simply helping to perpetuate the problem. It’s time to break the cycle!
Whether they are marketing their products or services, getting orders from customers by email or through web order forms, or simply doing research on their line of business, the Internet has been a game-changer for all businesses. If you aren’t using the Internet in some fashion, you can pretty much guarantee that your competition is. You can also guarantee that your customers and prospective customers are. If you’re not there in some way for them to find or interact with you, they’ll simply move on to someone else they can find online. Being part of the global digital workplace isn’t an option anymore. For 99.9% of all businesses, it’s a necessity to survive and thrive.
You may have heard of the Internet of Things (IoT). IoT refers to the billions of devices, far outnumbering people, that are connected to the Internet. Rather than laptops and desktops used by people, IoT devices are typically purpose-built devices that perform a specific function. Think of the myriad new smart home devices like the Google Nest and Amazon’s Alexa. Even your Smart TV is connected to the Internet so you can run Netflix or Disney+ right from the TV without any set top boxes. Every one of those devices (TVs, refrigerators and other smart appliances, smart home devices like light switches, garage door openers, front door cameras, the list goes on) has an Internet address and is able to talk to the Internet, just like you do when you’re on your laptop or home PC surfing. Each one of those devices represents a potential security risk if it hasn’t been properly secured. If the average household now has 10 or more connected devices, that’s 10 places where poor or non-existent security controls could let a hacker into your home network. With so many people now working from home, someone on your or your employee’s home network is one step away from accessing the sensitive company information on your corporate network.
Simply put, cybersecurity is everything companies (large and small) and individuals need in order to keep hackers from gaining access to their information and possibly disrupting their business operations. Cybersecurity includes people (you, your users, and your suppliers), processes (things you need to do, things you and your users shouldn’t do), and technology (tools to protect your users and systems, tools to identify potential or actual security issues, and tools to alert, track, and record what’s happening and help you respond if a security incident does occur). Good cybersecurity hygiene helps ensure your company is proactively ready to deal with an incident, rather than reactively responding to one without any type of game plan or response capabilities already in place. It’s the door that you always lock, the alarm you always turn on at the end of the day, the camera system that’s always watching. Proactive activities help prevent an incident from happening in the first place and provide you with accurate and instant information if it does.
Every company will deal with some type of cybersecurity incident at some point, but how that incident impacts your business is entirely up to you. There are two approaches: Proactive/Preventative (meaning you assume something will happen at some point in time and you prepare for it ahead of time), and Reactive (meaning you assume nothing will ever happen and if/when it does, you scramble to determine what happened, how it happened, and most importantly what do you need to do to respond to it to protect your business). Reading those two very different scenarios above, which side of an incident do you want to be on? Do you want to be on the proactive/preventative side where if/when an incident occurs, it’s an annoyance or inconvenience, or on the reactive side where you may never fully recover from an incident, or may incur significant costs and impacts to your business (monetary, reputation, etc.).
First you need to know what a risk management program is before you decide if you need one. Simply put, it’s a program that helps you identify the risks your business faces and provides guidance for addressing those risks. It’s not something you do once; instead, it’s something you revisit at least annually, and sometimes more often depending on your business and any regulatory/compliance requirements you may face. The goal of the program is to help you be prepared to deal with the common risks you face, have your tools and processes in place to respond to an incident if need be, and ensure that what you’ve put in place is effective, not just at the time you implement it but also in the future. Networks, systems, and people all change with surprising regularity in most companies. Periodic “health checks” ensure that your people, processes, and technology are all up to the task you’ve assigned them.
In most companies, having an acceptable use policy allows you to set a baseline set of expectations for your employees and any users of your corporate network and resources. Think of it as a list of do’s and don’ts: Users shall use strong passwords, users won’t share their account information with anyone else, users won’t go to inappropriate websites while using a company PC or laptop, or while connected to the corporate network. Most statements should be common sense, but not everyone will understand them. Another challenge of the acceptable use policy is that it usually talks about what users should and shouldn’t do, but it doesn’t talk to them about why they should or shouldn’t do those things. Aligning your acceptable use policies with employee awareness training ensures that your users understand why they are being asked to do or not do certain things, making it far more likely they’ll follow your policies.
Policies are the lifeblood of risk management for any organization. Without policies, people don’t know what they should or shouldn’t do, how they should behave, etc. This leaves your company and its information open to unnecessary exposures. With a good set of policies in place, you ensure your users will take reasonable efforts to help protect the company. You can also demonstrate to your customers what you’re doing to manage risk inside your company (and more and more these days, they’re starting to ask how these risks are being managed). Policies are implemented using 3 key components: the policy itself, which outlines the requirement(s); some process or technology to help enforce the policy; and a way of validating the effectiveness of the policy, in other words, is it doing what it’s supposed to be doing? Without all 3 pillars, you’re actually exposing the company in many cases to greater risk. If you just have a policy but do nothing to enforce it, people may think you’re protected when you’re not. If you create a policy and put something in place to enforce it but then don’t validate it periodically, it may stop working, or a change may make the policy ineffective. Without periodic health checks you may be exposed and never know it until it’s too late.
Viruses and malware and ransomware, oh my! These are just a few of the risks that users face every time they connect to the Internet. Phishing emails are sent to unsuspecting users with links that, when clicked, try to install software on your laptop, PC, and even your mobile phone. This allows the attackers to do things you wouldn’t want them doing. In some cases they can take over the machine and steal information from it. With ransomware, they can even encrypt your machine entirely, after which they’ll happily sell you a key to unlock your files, for a healthy price of course. Losing access to your computing device, having your data stolen and sold to the highest bidder, and having your bank account emptied out: all of these are very real risks that people suffer every day while using the Internet. You can go a long way towards managing these risks by taking a proactive approach to risk management for you, your company, and your employees.
We are well into the days of BYOD: Bring Your Own Device. As an employer, it’s great because you don’t have to buy your employees a device to work on, and the employee gets to use whatever form factor they’re comfortable with (smartphone, tablet, laptop, etc.). The drawback to BYOD can be that those devices don’t have the same level of protection that you’ve applied to corporate PCs and mobile devices. There are a couple of ways to address this: either require employees to install corporate protection software before allowing them to connect to the company network, or create a guest network that bypasses the corporate network and goes directly to the Internet. Make sure to only allow employee personal devices to connect to the guest network. Both of these approaches are effective in significantly reducing the risk associated with letting your employees use their own devices at work.
Employees face a number of risks when using the Internet, such as phishing attempts to steal their corporate or personal logins, malicious links in emails that install bad software, and especially ransomware that can infect not just their computers, but also every other computer connected to the corporate network. Theft of employee personal information is a significant issue for the company and for the affected individuals. Employee awareness training, along with a robust set of tools and policies, helps to minimize the risk to your employees and makes them an important part of your risk management strategy.
Employees are your greatest strength. They can also be your biggest weakness when they aren’t trained adequately or equipped with the right tools. By teaching your employees about cybersecurity and the risks they face using the Internet, you’re making them part of the solution. Training your employees helps them contribute to the safety and security of your business and its data.
Many companies take a hands-off approach when it comes to controlling what their employees can and can’t do on the company network. This may allow them more freedom to get their work done, but this freedom comes at a cost, and for some companies that cost can be very steep. An employee can inadvertently open a big digital door into your network in a myriad of ways: using a weak password that can be easily guessed, clicking on links and installing malware or ransomware, storing sensitive/confidential company information in unprotected folders on their personal computers. By implementing a “least privilege” approach to data management, you ensure that people only get access to the things they absolutely need to have access to, and can only do the things you explicitly allow them to do; everything else is denied by default. This will reduce (but not entirely eliminate) the possibility of an employee’s bad behaviour taking down your entire company network, and in an extreme case taking down your company!
Shared accounts seem to make sense, and many small organizations use them. You can save a few dollars on licensing. It’s easy for two or more people to share a role within your company, and overall it may just be more convenient. But convenience also means less control. You can’t implement things like 2 factor authentication, for example, because the second factor would have to be shared across a group of people, which isn’t practical (for example, a smartphone to receive texts). One of the biggest downsides is lack of accountability. If something goes wrong, or the shared account is used to do something that negatively impacts the business, how do you know who actually did it? You want non-repudiation where possible (the ability to prove that a single person is responsible for an action). Giving each user their own account gives you a lot more visibility and control over your network, resulting in more secure systems and reducing risk to your network and data.
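The two answers above (least privilege with default deny, and individual accounts for accountability) can be seen together in a small authorization check with an audit log. The code below is an added illustration, not something from this FAQ or from any particular product; the roles, users, resources and actions are constructed examples. Every request is denied unless a role explicitly grants that action on that resource, and every decision is recorded against the account that made the request, which is what lets you answer "who did it" afterwards. The last function shows why a shared account defeats that: the log can only ever name the shared account, not the person behind it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed example policy: each role grants a set of (resource, action) pairs.
# Anything not listed here is denied; there is no "allow everything" role.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "bookkeeper": {("invoices", "read"), ("invoices", "write")},
    "sales": {("customers", "read"), ("invoices", "read")},
}

# Constructed example accounts: one account per person, each with its own roles.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"bookkeeper"},
    "bob": {"sales"},
}


@dataclass
class AuditEvent:
    """One authorization decision, attributed to the account that requested it."""
    timestamp: str
    user: str
    resource: str
    action: str
    allowed: bool
    reason: str


def is_allowed(user: str, resource: str, action: str) -> Tuple[bool, str]:
    """Default-deny check: allowed only if some role of the user grants this exact pair."""
    roles = USER_ROLES.get(user)
    if roles is None:
        return False, "unknown account"  # no account, no access
    for role in sorted(roles):
        if (resource, action) in ROLE_GRANTS.get(role, set()):
            return True, f"granted by role {role}"
    return False, "no role grants this action"  # the default outcome


def authorize(user: str, resource: str, action: str, log: List[AuditEvent]) -> bool:
    """Decide the request and append the decision to the audit log, then return it."""
    allowed, reason = is_allowed(user, resource, action)
    log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                          user, resource, action, allowed, reason))
    return allowed


def who_did(log: List[AuditEvent], resource: str, action: str) -> List[str]:
    """Accounts that successfully performed an action on a resource, per the log."""
    return sorted({e.user for e in log
                   if e.resource == resource and e.action == action and e.allowed})


def shared_account_trace(people: List[str], shared_account: str) -> List[str]:
    """Show the accountability gap: several people acting through one shared account
    leave a log that names only that account, so who_did() cannot separate them."""
    log: List[AuditEvent] = []
    # Constructed: temporarily register the shared account with the bookkeeper role.
    USER_ROLES[shared_account] = {"bookkeeper"}
    try:
        for _person in people:  # each real person acts, but only the account is logged
            authorize(shared_account, "invoices", "write", log)
    finally:
        del USER_ROLES[shared_account]
    return who_did(log, "invoices", "write")


if __name__ == "__main__":
    log: List[AuditEvent] = []
    for user, resource, action in [("alice", "invoices", "write"),
                                   ("bob", "invoices", "write"),
                                   ("mallory", "customers", "read")]:
        print(user, resource, action, "->", authorize(user, resource, action, log))
    print("invoices/write performed by:", who_did(log, "invoices", "write"))
    print("same via shared account:",
          shared_account_trace(["alice", "carol"], "accounting-shared"))
```

Two design points worth noting. The policy is a whitelist of explicit grants, so adding a new resource or action to the system changes nothing until someone deliberately grants it; that is what "denied by default" means in practice. And the log records the denied attempts as well as the allowed ones, because a run of denials from one account is often the first sign that something is wrong.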