Prevent Cyber Security Breaches: A Checklist for Small Scale Businesses in Canada

If you are a small scale business in Canada, it is likely that you already know just how important it is to be online. In today’s digital economy, being online gives you the ability to expand your business, attract new customers and new avenues of revenue, and complete your day to day business operations. However, being online requires you to have a secure network; otherwise you are opening yourself up to possible cyber security breaches and hacking. Let’s take a look at why cyber security for small businesses is important and what areas you need to pay attention to in order to prevent cyber security breaches.

What Is the Importance of Cyber Security for Small Businesses?

According to the Insurance Bureau of Canada, about 44% of small businesses do not have the proper defences to ward off cyber attacks and about 60% do not have insurance to help with the recovery process [1]. This means that those who are hit with an attack will not be able to properly recoup the cost of the attack, and in many cases, the cost can range between $15,000 and $100,000 in total damage. For small businesses, this could mean the closure of the business itself and possible negative recourse if employee and client information is compromised.

What Are The 3 Main Goals of Cyber Security?

Cyber security focuses on three main goals. The first is to keep critical information such as client information, employee information, or financial information confidential. The second is to maintain the integrity of the information and assets, so that they do not become corrupted or incomplete. The third is to maintain the availability of systems like networks, services, and information when they are being accessed by the business or clients. If, at any time, these goals are not met, a cyber security breach can do insurmountable damage.

What Does a Checklist in IT Security for Small Businesses Look Like?

There is a lot that goes into ensuring your small business is secure, so we’re going to briefly pinpoint 9 key areas that you will need to pay attention to in the checklist below.

  1. Implement Human Resource Policies for Staff.

    You need to make sure that your small business has a clearly defined information security policy that explains security practices. This includes policies on what the acceptable guidelines are for passwords, information use, and security protocols. Beyond this, there need to be confidentiality agreements in place for any information passing between contractors, vendors, employees, and clients. You need a privacy policy in place as well.

  2. What Does Your Data Backup Look Like?

    For critical data, you must decide whether to store the information on a centralized server or in a remote location. Depending on your choice, there are different cyber security measures that can be put in place. This decision needs to be made for critical data that is backed up on a daily basis and for data that is semi-regularly backed up.

  3. Using Computers?

    Make sure that every single computer has working anti-virus software and a security policy in place for how software is downloaded and installed. Also decide on how passwords are handled, how often they change, and what minimum number of characters is needed.

  4. How Does Your Network Security Stack Up?

    Make sure that all of your web connections have a firewall attached to them and intrusion detection (for hackers). Consider the use of virtual private networks for an added layer of security. Make sure that all physical modem connections are secure and that all wireless access connections are protected.

  5. What Does Your Web Security Look Like?
    1. You may want to restrict websites that employees access to help exclude other networks that might compromise yours.
    2. Outside requests for information need to be verified.
    3. An internet usage policy needs to be in place and every employee needs to follow it so that they know what can be shared and where it can be shared online. Have this go hand in hand with a social media usage policy.
    4. Decide on whether work emails will be used for employees to sign up for social media sites and newsletters.
    5. All business software needs to be up to date. Notifications must come through to remind you to update the software. You do not want to run outdated business software as this can lead to attacks.
    6. Make sure that employee passwords are complex, using letters, numbers, and symbols.
    7. Do not take on any type of communication that comes from an unknown source.
  6. Brief Tips for Point of Sale Protection. Small businesses that use point of sale systems will want to do the following at a minimum.
    1. Your point of sale system must be behind a firewall.
    2. All data that gets transmitted must be encrypted.
    3. Change up the password and username for the point of sale system to a complex password that is given out to only key personnel.
    4. All anti-malware must be up to date and security updates must be done immediately.
    5. Limit access to only employees or clients who need it.
  7. Must Haves for Email Security Protection.
    1. Always have a spam filter implemented so that you filter out spam emails that may cause security breaches if accidentally interacted with.
    2. Warn your employees, clients, or personnel to never click on unverified emails or suspicious links within emails. Doing so can give away sensitive data.
    3. All employee emails and other information should be kept confidential. Why? It can be used against them to hurt the business.
    4. For web-based email, always have it on an HTTPS server. You want all information that is sent through the web browser to be encrypted.
    5. Try to use generic company emails if you need them to be placed on social media pages or websites.
  8. How Remote Access Should Be Handled. While providing remote access is fantastic for employees who work from home or need to work while travelling, it can also open you up to cyber security threats. Here are a few brief tips on how to handle remote access.
    1. Have all personnel use a virtual private network (VPN) to do work while at home or on the road.
    2. Always limit the access to your network to personnel who are authorized to do so. You will need to implement a sign in authorization that is encrypted and secure.
    3. All employees or personnel who work from home must have a secure WiFi network before using the provided virtual private network.
    4. When travelling, a WiFi connection should be provided. Using public or unknown WiFi connections makes you extremely vulnerable.
    5. A remote access agreement needs to be drawn up and signed by all employees who choose to work from home or need to do work while on the road. This will outline the rules around remote access and guidelines that must be followed.
    6. Those with remote access should have their privileges and responsibilities adjusted so that they do not have access to resources that could be damaging to you. This works really well if the individual is fired or leaves your business, as it means they can do less damage if leaving on bad terms.
    7. Ask for the serial numbers of devices being used for remote access. This helps you track their sign ins and configurations, which is helpful if they get lost or are stolen. Also treat these devices as assets: give them asset numbers, contact information, and a business name.
  9. Must Have Points for Data Security.
    1. Always have automatic backup software installed and make sure that backups are timed on a regular basis. All data should be backed up to an external hard drive, server, or online service, with multiple backups being stored in multiple places in case of backup failure or breaches.
    2. All backups should be stored off-site.
    3. Emergency boot systems need to be in place in case of system crashes.
    4. When disposing of data, it needs to be shredded. This includes paper documents, USB sticks, and CDs.

Beyond these 9 key areas, when going through your IT security for small businesses, make sure that you also include physical security for employees and mobile device security, and that roles and responsibilities are clearly defined. While there is a lot more that goes into each of these key areas, these brief points will get you headed in the right direction.
