What is Cybercrime and How Can Cyber Security Prevent it?
Small and medium-sized companies might assume that they won’t be the target of cyber criminals, but in fact, they are more likely to be victims of cybercrime and suffer financial or data losses as a result. The Sophos State of Ransomware Report 2021 found that 39% of Canadian businesses had suffered a ransomware hit the prior year, and 65% of them anticipated being subject to a ransomware attack in the future. The average cost to remediate ransomware for a Canadian company is $1.92 million. So, it is clear that good cyber security is vital to all organizations, but it can be hard to know where to start. Keeping your business safe shouldn’t be daunting. That’s why we at BSC Solutions Group have produced a 20-point Cyber Security Checklist for small and medium-sized organizations to follow to get the basics of cyber security in place fast.
What Exactly is Cybercrime and Why is it Important to Protect Against it?
The RCMP defines cybercrime as: ‘Any crime where a cyber element (that is, the internet and information technologies such as computers, tablets or smartphones) has a substantial role in the commission of a criminal offence’. Cybercrime could consist of:
- Theft of sensitive or regulated information – such as personal information or financial data
- Hardware damage and data loss – that prevents your business from running
- Malware / viruses – that disrupt everyday business or spread to customers, damaging reputation
- Ransomware – file access is blocked and a ransom is demanded for access to be reinstated
- Cyber criminals
- Insiders – disgruntled or former employees
- Foreign governments
Why are Small and Medium Sized Businesses Particularly Vulnerable to Cyber Crime?
The Leger / ICB survey mentioned previously found that 47% of businesses are allocating nothing from their annual budget to fund cyber security and one in 10 businesses have no cyber-attack defenses in place currently. Cyber criminals know smaller businesses are likely to have poor cyber defenses and so will target them for easy wins, or even to test out new cybercrime methods. The Canadian Centre for Cyber Security suggests small and medium organizations should follow best practice recommendations for cyber security and do as much as they can. Even basic security steps are going to make a big difference compared to having nothing in place.
How to Develop a Cyber Security Strategy for Your Business
In developing your organization’s cyber security strategy, there are 7 key areas to address. This 20-Point Cyber Security Checklist will get you started with the basics for protecting your computer network and data:
Hardware
- Keep up-to-date documentation of your computer equipment to know exactly what devices, users, software, and other IT assets you have.
- Your firewall should be a business-class device with an annual paid subscription for enhanced gateway security features and web content filtering.
- All computer operating systems should be currently supported by Microsoft (or other vendor as applicable). Operating systems that are unsupported don’t receive security patches. This makes your network more vulnerable to attack.
- Ensure Windows and third-party software updates and security patches are regularly applied. These protect you from newly discovered software vulnerabilities.
- Upgrade to next-generation antivirus software. Traditional antivirus solutions are no longer adequate.
- Keep anti-virus/anti-malware software up to date on all computers.
- Implement Multi-factor Authentication (MFA) for all employees in order to access Microsoft 365 (if applicable) and any other applications, banking or payment sites where MFA is available.
- Implement a reliable, image-based data backup of your Server(s) and any critical workstations, with both local copies and cloud-based copies.
- Implement a third-party backup solution for your cloud data, e.g., Microsoft 365 data backed up to another cloud provider.
- Ensure corporate data is not being stored in non-sanctioned cloud storage, such as Dropbox or Google Drive.
- Restrict user file and folder access to only what is absolutely needed.
- Enforce strict password policies. Ideally implement a company-wide Password Manager.
- Create and enforce an Acceptable Use Policy for employee use of network resources.
- Create and enforce a Mobile Device Policy (corporate-owned and employee-owned).
- Ensure all employees are unable to load software onto their computer without prior authorization.
- Establish procedures to follow in the event of a cyber-attack.
- Regular testing and training of employees on how to identify phishing emails and other types of cyber threats is essential. Employee error is your weakest link.
- Regular network security scanning (internal and external), monitoring, alerting and reporting is critical to keeping your finger on the pulse of your computer network activity and any unusual or suspicious events.
- Ensure best practices are being followed for your network setup and configuration. One example would be ensuring any remote users accessing your network are doing so in a secure fashion.
- Get cyber liability insurance coverage but be sure to talk with a broker who is knowledgeable in this area so you fully understand what will and won’t be covered.