Cybersecurity First Steps
Simple Cybersecurity Activities Every Canadian Business Should Be Doing
Cyber risk is a reality of doing business in the 21st century and needs to be a significant part of every business’s risk management strategy. Understanding the cyber risk exposure and tolerance of your business is an important first step, but for many directors of small and medium businesses, these first steps into understanding cyber risk can be overwhelming.
There is an abundance of documentation, tools, and best practices available to cover every facet of cybersecurity. For the uninitiated, though, this presents a nearly impenetrable fog of security controls. Some of these controls are highly valuable and attainable, but many are simply beyond the reach of a small business.
Fortunately, there are a few key activities that any business, regardless of size and budget, can undertake to reduce their cyber risk and improve their resilience to attacks. While not comprehensive, we believe they represent a significant and important first step toward building a cybersecurity program that effectively protects your business.
Get your entire organization on board.
For some organizations, the realization that cybersecurity is not primarily an IT concern represents a major paradigm shift. Every employee who handles data is part of your cybersecurity initiative and at the very least should be aware of their important role in keeping that data safe. Proactive organizations invest in security awareness training for their employees, covering best behaviours, how to recognize and resist attacks (such as phishing), and how to handle data conscientiously.
Think about business continuity.
On the most basic cybersecurity level, this means backups. Most businesses plan for various contingencies in their day-to-day operations. Data and information systems, which have become the lifeblood of most businesses, often are not afforded the attention they deserve. Make sure that your data and systems are a major consideration in your business continuity planning. Review and test the plan often, since systems and data change frequently in a fast-paced business environment.
Backups are the primary survival mechanism against ransomware and a failsafe when prevention and detection are ineffective. Ensure that measures are in place (such as remote storage, retention of version history, and write protection) to protect the backups themselves from ransomware.
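As an added illustration of two of the protections named above, history retention and write protection, the following POSIX shell routine is example code written for this page, not a script from the original article or its authors. It assumes only standard utilities (cp, chmod, find, ls, sort, head, date, wc, mktemp) and hypothetical paths supplied by the caller; it does not cover remote storage.

```shell
#!/bin/sh
# Added example, not code from the original article: a minimal versioned,
# write-protected backup routine showing history retention and write
# protection in runnable form.
# Assumptions (hypothetical): a POSIX sh with cp, chmod, find, ls, sort,
# head, date, wc and mktemp; every path is a placeholder chosen by the caller.

# snapshot_backup SRC DEST KEEP [LABEL]
#   Copies SRC to DEST/LABEL (LABEL defaults to a UTC timestamp), strips
#   every write bit from the snapshot, then deletes the oldest snapshots
#   until only KEEP remain. Prints the new snapshot's path.
snapshot_backup() {
    src=$1
    dest=$2
    keep=${3:-7}
    label=${4:-$(date -u +%Y%m%dT%H%M%SZ)}
    snap="$dest/$label"

    [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 1; }
    mkdir -p "$dest"
    # Refuse to overwrite: an existing snapshot is history and must stay intact.
    [ ! -e "$snap" ] || { echo "snapshot $snap already exists" >&2; return 1; }

    cp -R "$src" "$snap"
    # Write protection: no user, group or other may modify files in the snapshot.
    # Against a privileged attacker this is only a speed bump; stronger options
    # are immutable flags, append-only storage or object locks on remote storage.
    chmod -R a-w "$snap"

    # History retention: keep the newest KEEP snapshots, drop the rest.
    # Labels sort lexically, so timestamp labels order oldest-first.
    count=$(ls -1 "$dest" | wc -l | tr -d ' ')
    while [ "$count" -gt "$keep" ]; do
        oldest=$(ls -1 "$dest" | sort | head -n 1)
        # Pruning is the one deliberate write: re-enable owner write first.
        chmod -R u+w "$dest/$oldest"
        rm -rf "$dest/$oldest"
        count=$((count - 1))
    done

    echo "$snap"
}

# snapshot_is_readonly PATH
#   Succeeds (exit 0) only if nothing under PATH carries an owner-write bit,
#   i.e. the protection survived. Run this as a check after every backup job.
snapshot_is_readonly() {
    writable=$(find "$1" -perm -200 | wc -l | tr -d ' ')
    [ "$writable" -eq 0 ]
}

# Demo: sh this_script.sh --demo   (uses a throwaway temp directory)
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    mkdir "$work/src"
    printf 'constructed sample data\n' > "$work/src/ledger.txt"
    snap=$(snapshot_backup "$work/src" "$work/backups" 3)
    snapshot_is_readonly "$snap" && echo "ok: $snap is write-protected"
    rm -rf "$work"
fi
```

Removing the write bits stops accidental overwrites and any process running as an ordinary user, which is how most ransomware runs, but a process with root privileges can still change or delete these files; that is why the article pairs write protection with remote storage. The separate snapshot_is_readonly check exists so that a backup job can fail loudly when the protection is missing rather than silently producing an unprotected copy.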
Automatically update operating systems and applications.
Many of the major cyber attacks in recent years could have been prevented by updating operating systems and legacy applications. The pace at which new vulnerabilities are being discovered is accelerating, as are the tools available to attackers for identifying and exploiting vulnerable systems. Keeping systems up to date is an industry-proven cybersecurity measure.
A common objection concerns legacy applications that are incompatible with modern operating systems or are no longer receiving patches. This is a business risk decision that needs to be accounted for and managed, but the growing trend of compromise indicates that replacing these systems (or pressuring vendors to stay up to date) is a worthwhile investment.
Install endpoint protection.
Another extremely simple and time-proven prevention strategy is to deploy endpoint protection. This may consist of a simple anti-malware solution or may include more complex functionality such as content filtering, data loss prevention (DLP) and application whitelisting. Regardless of the chosen features, it is important to subscribe to a solution that is regularly updated and easy to monitor.
In our experience, the free versions of anti-virus software are inadequate.
Understand and apply the principle of least privilege.
The principle of least privilege is something that most businesses intuitively grasp on an organizational level yet fail to implement in their technology. Therefore, this is another activity that may involve friction for some organizations and requires firm commitment and buy-in from the directors.
In a nutshell, this principle dictates that every employee has only the access needed to perform the functions of their day-to-day work. This may mean occasional extra work for IT when a new application needs to be installed, or when permissions must be adjusted as job roles change, but the benefits in terms of cyber risk reduction cannot be overstated.
One common sticking point is convincing executives and managers that, because of their increased access to sensitive and business-critical data, they should have their own security privileges reviewed with extra scrutiny. One sign of an organization with high security maturity is that executives and managers will prefer a minimal set of privileges.
Next steps
There is much more to implementing a comprehensive cybersecurity program, but the above activities are well within the reach of any business and represent a few of the high-value risk reduction activities we’ve identified. For a more thorough understanding of your organization’s posture, and accompanying remediation guidance, we recommend an Organization Cyber Health Check.