6 tips to protect your company’s data
Do you know the weakest links in your company’s cybersecurity?
While cyber thieves can be based anywhere in the world, the weak links are usually your employees, notes cybersecurity expert Ryan Duquette.
“We’re not talking about hacking into a company,” says Duquette, founder and principal of Hexigent Consulting in Oakville, Ontario.
“Some employees feel they are entitled to the information in a project they have worked on, even if it’s only a small slice of it.”
About 75% of the work that Duquette’s cybersecurity firm does involves internal theft of intellectual property.
Cybersecurity is everyone’s responsibility
“Employees can say, ‘Security isn’t my thing,’ and expect their IT department to take charge, but it shouldn’t be that way,” says Duquette.
Business owners need to take the time to get everyone thinking about cybersecurity—from the cleaning staff right up to the top executives, including the company president, he recommends.
Consider the consequences of your company’s information being stolen and have measures in place to deal with any breach, he says.
He suggests starting by asking a series of questions: “What is it that you are trying to protect? Who has access to it and what controls have been put in place? Would it be very damaging if the information got out?”
Your business could be increasingly vulnerable
“I would say that these threats are actually increasing for small to mid-sized businesses because a lot of these companies hold very important information about clients,” Duquette says.
Cybercriminals, whether they’re your employees or hackers in a distant location, will also steal financial information.
“You have a lot of start-ups with high-value intellectual property (IP) that people would love to get their hands on,” Duquette adds.
6 tips to protect your company’s data
1. Conduct regular cybersecurity audits
Businesses should have regular cybersecurity audits to identify the gaps, strengths and weaknesses of the company’s data management procedures, says Sem Ponnambalam, co-founder and president of xahive, a cybersecurity company in Ottawa.
2. Know what to do in case of a breach
Develop a cybersecurity protocol to define what steps need to be taken to deal with a breach, says Ponnambalam. That includes a policy to notify your clients, vendors and the authorities immediately. You may also want to notify your bank.
3. Back up your data daily
Companies should back up their information daily, not just in the cloud, but also on a hard drive. Installing regular software updates is another good habit, according to Ponnambalam.
4. Know who has access and why
When an employee leaves, make sure they no longer have any access to your company’s information by resetting passwords. Have a policy on who has access to your company’s sensitive information and know how often it’s being accessed and why.
5. Encrypt your communication, including email
Ponnambalam says your communications, which include any personally identifiable information or personal health information, should be encrypted to protect their content. Encryption keys should not be stored on servers because they can be unlocked.
6. Buy cybersecurity insurance
Cybersecurity insurance can help mitigate losses from a variety of cyber incidents, says Ponnambalam. It also shows that you take the threat seriously.
What to do if your company is breached
Businesses must now report any breach involving personal information under their control, including information held by a service provider, to the federal Privacy Commissioner. This applies if it is reasonable to believe that the breach creates a real risk of significant harm to the individuals involved.
Statistics Canada’s 2017 figures found that the annual average expenditures on cyber security differed greatly based on size of business. (These figures were released in 2018.)
Large businesses (250 employees or more) spent $948,000, medium-sized businesses (50 to 249 employees) spent $113,000 and small businesses (10 to 49 employees) spent $46,000, Statistics Canada reported.
Cybercrimes can take many forms
Here are other types of cybercrimes targeting businesses:
Malware and Ransomware
Cyber thieves may not be as interested in stealing your company’s information as they are in trying to get you to pay money or ransom to get it back. Ransomware is software that blocks access to computers or files until a ransom is paid.
Phishing is still a threat to entrepreneurs
Criminals will sometimes use chat bots or email scripts to obtain your personal financial or health information to steal your money or identity, or will sell it on the black market at a premium to other criminals looking to use your personal information for identity theft.
Distributed Denial of Service (DDoS)
A DDoS attack disrupts access to your web properties by flooding them with traffic. This makes your website and services unavailable to legitimate users. It can be used as a means of cyber extortion.
Sometimes cybercriminals don’t want to attack their targets directly; instead, they want to breach a server and take everyone’s information at once, says Ponnambalam. They will do this with rainbow tables, which are essentially a method of looking at password algorithms and gaining access to an entire server in a matter of minutes, compromising every user of that service.
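Why the way passwords are stored decides whether a precomputed table works, shown as an added example that is not part of the original article. A plain lookup dictionary stands in for a rainbow table (which is a space-saving form of the same precomputation); the user names, passwords, function names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware
# Constructed sample data: two users who chose the same weak password.
USERS = {"alice": "summer2024", "bob": "summer2024"}
COMMON_PASSWORDS = ["123456", "password", "summer2024", "qwerty"]


def unsalted_record(password):
    """Weak storage: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Stronger storage: random per-user salt plus a slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], digest)


def precomputed_table(candidates):
    """Digest-to-password map built once and reusable against any unsalted dump."""
    return {unsalted_record(p): p for p in candidates}


def recovered(dump, table):
    """Users whose stored value appears in the precomputed table."""
    return {user: table[rec] for user, rec in dump.items() if rec in table}


def demo():
    table = precomputed_table(COMMON_PASSWORDS)
    weak_dump = {u: unsalted_record(p) for u, p in USERS.items()}
    strong = {u: salted_record(p) for u, p in USERS.items()}
    strong_dump = {u: digest.hex() for u, (_, digest) in strong.items()}
    # Unsalted: every entry falls to the table. Salted: no entry matches.
    return recovered(weak_dump, table), recovered(strong_dump, table), strong


if __name__ == "__main__":
    weak_hits, strong_hits, _ = demo()
    print("unsalted records recovered:", weak_hits)
    print("salted records recovered:", strong_hits)
```

With unsalted hashes, one table exposes every account that shares a listed password; with per-user salts the same table matches nothing, and legitimate logins still verify.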