This year’s Small Business Week, an annual recognition of entrepreneurship and small business in Canada, has a special resonance. The COVID-19 pandemic has created an unprecedented environment for small businesses everywhere: while opportunities have arisen for some enterprises, many other companies have faced significant hardships. It seems only fitting that the theme of this year’s event is “Resilience”.
While business resilience takes many forms, our focus today is on cybersecurity. Small businesses have traditionally had challenges in maintaining an appropriate IT security posture, particularly due to lack of resources and available expertise. The pandemic has had a multi-pronged effect on worsening this situation: businesses have been scrambling to maintain viability, reducing the focus on cybersecurity even further. Small enterprises have had to provide support for work-from-home, potentially rushing into remote access without providing sufficient cybersecurity infrastructure. And external threats have escalated during the pandemic, with phishing attacks, spoofed websites, and denial of service attacks more sophisticated and prevalent than ever before.
Maintaining business resilience against these pervasive cyber threats is critical. Small businesses have enough on their plates without dealing with a successful cyber attack. A 2019 report commissioned by the Insurance Bureau of Canada (IBC) found that 18% of small businesses had been affected by a cyber incident or data breach in the previous two years. Half of the businesses surveyed felt their businesses may be vulnerable to attack. And 44% said they had no defenses, while 37% estimated that the cyber incidents cost them more than $100,000 to recover. Clearly, the threat is real, and a cyber incident could deliver a knockout punch to a small enterprise.
To help you defend yourself, ISA has compiled a list of the top eight cybersecurity activities any small business must consider:
Employee awareness: You and your staff form an essential line of defense against phishing attacks and other social engineering threats. Regular training and testing help build “muscle memory” to help ensure that phony link doesn’t get clicked and that infected attachment doesn’t get opened.
Strong passwords and multi-factor authentication: Passwords need to be complex, need to be changed regularly, and need to be “single use” – that is, never use the same password for different online services or accounts. Never use default or out-of-the-box passwords for new equipment or services. And augment your security by employing two-factor (or more) authentication wherever you can.
Backups: Despite your best efforts, you may suffer a cyber attack. Ransomware can lock up your data and your systems, putting you out of business. Having regular backups of your essential data – and testing that you can restore from those backups – could make all the difference.
Anti-malware: The use of anti-virus/anti-malware software is a fundamental practice that anyone connected to the Internet should be following.
Patching: It’s essential that you keep your systems up to date. Some of the biggest breaches you’ve seen in the news have exploited operating system bugs that were fixed months ago. Many patches can be automated, but even if applying the latest versions of your mobile phone software, computer operating systems, applications, and anti-malware software takes you some time, it is one of the most important activities you can do to protect yourself.
Device and service defenses: For your personal devices and hosted equipment, it’s important to use firewalls and VPNs to protect your assets and your communications with those devices over the Internet. This applies to the computing equipment in your office, as well as to all those work-from-home devices you and your staff are using today.
Incident Response Planning: Imagine your office computer has been locked by ransomware, or you’ve just learned your client data has been stolen and posted for sale on the “dark web”. What do you do now? Planning for the worst can be a depressing exercise, but it is time well spent. Reflecting on how to react to a crisis can help you explore and fix vulnerabilities, and will help you face a difficult situation in a more organized fashion.
IT and Security Policies: As your small business grows, it becomes increasingly important to develop IT policies and best practices to ensure that you, your staff, and any cloud services or third parties adhere to the standards that you establish.
Remember: these are just the basics. Your cybersecurity posture will be defined by the kinds of assets you’re protecting and the kinds of threats your business faces. These issues may seem overwhelming, especially when you have so many other things to worry about. This is where ISA can help: through our network of IT provider partners, we offer easy SMB-focused cybersecurity services that can help you understand and protect your digital assets. Our cloud-based hosted services include endpoint protection, vulnerability management, security awareness, IR preparedness, and monitoring and alerting – all to give you peace of mind and let you focus on running and growing your business.
Contact us anytime to talk – we’re here to help!
We’ve included some additional resources for small businesses – these links offer insights into many aspects of managing your small business beyond cybersecurity:
The Canadian government has a range of services and supports for small business. An extensive list of topics and links is provided, supported by print materials and a new Canada Business app that can help you navigate the offerings.
The Canadian Centre for Cyber Security (CCCS) provides numerous resources for Canadian businesses to sustain their cybersecurity programs, including a focused section on cybersecurity fundamentals for small business.
Business Development Canada (BDC) is another terrific resource for small business. They provide a wealth of resources on business operations, technology, and finance.
The Insurance Bureau of Canada (IBC) has a cybersecurity section on their website, as well as some basics for businesses considering cyber insurance.