Business Development Bank of Canada - BDC

A cyber playbook helps your business respond effectively to an attack

5-minute read

Cyber attacks are constantly evolving. Small and medium-sized businesses are especially vulnerable, often because they lack in-house IT expertise or security staff. Attacks can come from outside cybercriminals, from employees acting maliciously, or from employees accidentally putting company data at risk.

You may believe that your small business is immune to cyber attacks, or that there is not much to steal anyway. But cyber attacks have paralyzed businesses of all sizes. If one hits your company, what would you do?

A cyber playbook is essential to getting your business up and running again. It is similar to a disaster recovery plan and helps minimize the risk to your company and your clients.

Building a cyber playbook

Every company needs to accept the reality of cyber attacks and take proactive steps to manage them.

The first step is to identify all of your business's data, such as intellectual property, client and supplier lists and financial records. As this inventory will show, your business does have assets worth stealing. Then rank them by how critical they are to your business.

You will need your employees to help you gather this information. Focus on your company's essential assets, or "crown jewels," and on how your company would operate if a service were disabled or information were compromised for a day, a week or longer. Identify the most common threats and how your team will react to each.

The goal is to provide all members of your team with a clear understanding of their roles and responsibilities during a cyber security incident.

Protecting your business from an attack

You need to plan for different kinds of attacks, such as phishing and ransomware, along with the other common cyber security risks for your business. Phishing and ransomware are among the leading causes of data breaches.

With phishing, the email's sender address appears to be legitimate (it is spoofed or a look-alike), but the hyperlink in the message leads to the phisher's site, which imitates a login page. Once you or an employee enters a username and password there, the credentials are captured and used to gain access to sensitive or financial information. The visible text of a link can say one thing while the link itself points somewhere else; hovering over a link before clicking shows its real destination.
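The two tell-tale signs described above (a link whose visible text names one domain while it actually points to another, and a link whose host only imitates a domain you trust) can be checked automatically. The following is an added example, not BDC's code: it parses an HTML email body and flags such links. The trusted-domain list and the sample message are constructed for illustration, and the registrable-domain helper is deliberately simple (a real tool would use the Public Suffix List).

```python
"""Flag phishing-style hyperlinks in an HTML email.

Added example (not BDC's code). Two checks are shown: the visible link text
names one domain while the href really points to another, and the href's host
imitates a domain the business trusts (trusted name buried in a subdomain, or a
one-character typosquat). TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed
assumptions for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains this hypothetical business and its bank actually use.
TRUSTED_DOMAINS = {"examplebank.ca", "mycompany.ca"}

# Constructed phishing-style message: two bad links and one legitimate one.
SAMPLE_EMAIL = """<html><body>
<p>Your account has been locked. Please verify at
<a href="http://examplebank.ca.secure-login.net/verify">https://examplebank.ca/login</a>
or use the mobile link <a href="https://examp1ebank.ca/m">Mobile banking</a>.</p>
<p>Questions? See <a href="https://mycompany.ca/help">our help page</a>.</p>
</body></html>"""

# A host name (optionally with scheme) appearing inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: fine for .ca/.com, but a real tool
    should use the Public Suffix List (co.uk, on.ca and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks like phishing (empty list = no finding)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return reasons                  # mailto:, relative links: nothing to judge
    href_dom = registrable_domain(host)
    shown = HOST_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != href_dom:
        reasons.append(f"text shows {shown.group(1)} but the link goes to {host}")
    if href_dom in trusted:
        return reasons
    for t in sorted(trusted):
        if t in host or t.split(".")[0] in host:
            reasons.append(f"{host} imitates {t} (real domain is {href_dom})")
            break
        if edit_distance(href_dom, t) <= 1:
            reasons.append(f"{href_dom} is one character away from {t}")
            break
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Parse an HTML email body and return [(href, reasons)] for flagged links."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = classify_link(href, text, trusted)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the constructed message, the first link is flagged twice (the text shows examplebank.ca while the link goes to a host under secure-login.net, and the trusted name is buried in a subdomain), the second link is flagged as a one-character typosquat, and the genuine mycompany.ca link passes. A check like this is a helpful filter for a mail gateway or a help desk, not a replacement for employee training: attackers also use plain-text links and freshly registered domains that no heuristic will catch.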

Other attacks try to make you pay money, a ransom, to get your company's information back. Ransomware is malicious software that encrypts files or locks computers until a ransom is paid. While systems are locked, employees may be unable to work at all, even to send or receive email. Paying does not guarantee that the files come back, which is why tested backups kept separate from the network are part of any recovery plan.

You will need to educate employees about cyber scams and ask them to report anything suspicious to you and your IT team right away. Team seminars and learning materials can help them recognize common scams.

Who will you contact after a cyber incident?

Establish a chain of command for the moment an incident is detected: who decides how to contain it and how to restore the service that has been disrupted. Decide who needs to be notified (the police, your bank, your customers and suppliers, your lawyer) and who will do it.

You may decide to set up an internal crisis team to deal with cyber incidents. Designate a spokesperson to deal with media inquiries, if needed.

A cyber playbook, just like a disaster plan, needs to be tested and updated at least once a year. Make sure you know the weakest links in your company’s cybersecurity.

Businesses must now report any breach involving personal information under their control, including information held by a service provider, to the federal Privacy Commissioner. This applies if it is reasonable to believe that the breach creates a real risk of significant harm to the individuals involved.

Basic and efficient preventive measures to take

One of the first lines of defence for your work environment is a firewall between your network and the Internet. Every SMB should set up a firewall to provide a barrier between its data and the outside world, criminals included.

In addition to the standard external firewall, often built into the router supplied by your Internet service provider, many companies are also installing their own internal firewalls to separate parts of the network from each other and provide additional protection.

Employees working from home should have a firewall on their home network and use a Virtual Private Network (VPN) to connect to the office, so that their traffic is encrypted on the way in. VPN packages are offered by many Internet service providers and usually are not too costly per user.

Consider encouraging employees to buy a firewall for their home networks so that they comply with your cyber playbook. A feature to look for is stateful packet inspection (SPI), also known as dynamic packet filtering: the firewall keeps track of the connections that devices on the inside have opened and lets inbound traffic through only when it belongs to one of those connections, so unsolicited packets from the Internet are dropped.
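To show what the stateful part of SPI buys you, here is an added example (not BDC's code, and not a firewall): a small simulation of a stateless packet filter beside a stateful one, run over a handful of constructed packets. The LAN address range, the packets and both filters are assumptions made for illustration.

```python
"""Stateful packet inspection versus a stateless packet filter.

Added example (not BDC's code): a toy simulation of the mechanism, not a
firewall. The packets, addresses and both filters are constructed assumptions
made to show why SPI matters for a home or office router.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # True only on the first packet of a new TCP connection


LAN_PREFIX = "192.168.1."  # assumed address range of the protected network


def is_inbound(p):
    """Packet arriving from the Internet and addressed to a LAN host."""
    return p.dst.startswith(LAN_PREFIX) and not p.src.startswith(LAN_PREFIX)


class StatelessFilter:
    """Judges each packet on its own. To let replies to outbound web
    requests back in, it has to open every high port to non-SYN packets,
    which also admits unsolicited traffic to those ports."""

    def allow(self, p):
        if not is_inbound(p):
            return True
        return p.dport >= 1024 and not p.syn


class StatefulFilter:
    """Remembers the connections LAN hosts opened (a connection table) and
    admits an inbound packet only if it is the reverse of a tracked flow."""

    def __init__(self):
        self.connections = set()

    def allow(self, p):
        if not is_inbound(p):
            self.connections.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.connections


# Constructed traffic: one legitimate web session, then two unsolicited probes.
TRAFFIC = [
    Packet("192.168.1.10", 51000, "203.0.113.5", 443, syn=True),   # LAN opens HTTPS
    Packet("203.0.113.5", 443, "192.168.1.10", 51000),             # genuine reply
    Packet("198.51.100.9", 443, "192.168.1.10", 51000),            # forged "reply"
    Packet("198.51.100.9", 40000, "192.168.1.20", 3389),           # RDP ACK-scan probe
]


def run(filter_obj, packets=TRAFFIC):
    """Return the allow/deny decision for each packet, in order."""
    return [filter_obj.allow(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter()))   # [True, True, True, True]
    print("stateful: ", run(StatefulFilter()))    # [True, True, False, False]
```

The stateless filter lets the forged reply and the port-3389 probe straight through because, packet by packet, they look just like legitimate return traffic; the stateful filter drops both because no LAN host ever opened those connections. On a Linux-based router the real equivalent is a single nftables rule, `ct state established,related accept`, placed before the default drop on the inbound chain (the iptables form is `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`); a consumer router advertised as having SPI does the same thing internally.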

Another measure to consider is requiring employees to use secure (encrypted) USB keys. Do you have a policy on the use of USB keys and on what information employees are allowed to copy to them?

If your employees travel with sensitive information, encrypted USB keys are a must. Relatedly, a departing employee could decide to take sensitive information, such as a client list or intellectual property, on a USB key when they leave. How would you deal with this?

Certify your business to be cyber-secure

On this note, the federal government has launched CyberSecure Canada, a voluntary certification program that helps small and medium-sized businesses learn about cyber threats and how to protect themselves.

According to StaySafeOnline.org, 71% of data breaches happen to small businesses and nearly half of all small businesses have been the victim of a cyberattack. Why are you waiting to protect your business?
