At Adaptive Office Solutions, we hear it every day: “Cyber attacks won’t affect us.” Really? Nothing could be further from the truth. Just recently, Canada’s foreign affairs department was hit with a cyberattack. And if cybercriminals can breach government offices, your business is child’s play.
In excerpts from an article, ABC News wrote, “The hack of Global Affairs Canada, the government entity responsible for diplomatic and global relations, occurred on Wednesday, January 19th.
It came days after the government issued a malware warning.
As a result of the attack, some access to the internet and internet-based services are not currently available, but mitigation measures were being taken to restore them.
‘We are constantly reviewing measures to protect Canadians and our critical infrastructure from electronic threats, hacking, and cyber espionage. We encourage all government and non-government partners to use cyber security best practices,’ the statement says.”
Needless to say, cybercrime can have a significant negative impact on your life or business if proper precautions are not taken to prevent it. So, what can you do, starting today?
An article by Mass.gov suggests…
Secure your networks and databases
“Protect your networks by setting up firewalls and encrypting information. This will help minimize the risk of cyber criminals gaining access to confidential information. Make sure your Wi-Fi network is hidden and the password is protected. Make sure to be selective of the information that is being stored in the company databases. Databases can be a great means for companies to have a central location of data and documents, but this does not mean it is favorable to store any and all information. Automatic backing up of company data should be set to be completed either once a day or once a week, depending on the level of activity within your company. Backing up your company’s data will increase the likelihood that with a cyber attack, your company’s data will not be lost completely, which is all too common.
—————————————————————————————————————
***Adaptive Pro-tip: Make sure your backups are redundant and stored in different locations. Also, it’s imperative that you test your backups to be sure they are working. Not once, continuously.
A client of ours had their IT department faithfully doing backups, but they never tested them. When their server failed, we discovered that the RAID (Redundant Array of Independent Disks) drive for their data had failed. 3 of the 4 drives were completely empty. There was NO data on any of them; nothing from the last three months was stored for any of their users, their clients, or their organization.
Fortunately, we had our own hard drive in the back of the server (that their IT team wasn’t aware of) for redundancy and that’s where their backups were found. All three months of data that they NEVER would have recovered was on the hard drive that Adaptive installed as a precautionary measure… knowing the risks they were taking by not inspecting their own hard drives.
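One way to automate the backup test this pro-tip calls for, as an added example that is not Adaptive's own tooling: the Python below flags a backup target that is empty, stale, or does not match the source. It assumes the backup is a plain file mirror of the source folder; the function names and the one-day freshness threshold are illustrative.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source: Path, backup: Path, max_age_days: float = 1.0, now=None) -> list:
    """Return a list of problems; an empty list means the backup passed."""
    now = time.time() if now is None else now
    copies = [p for p in backup.rglob("*") if p.is_file()] if backup.is_dir() else []
    if not copies:  # the "empty drives" case: the job ran, nothing was written
        return [f"EMPTY: no files found under {backup}"]
    problems = []
    age_days = (now - max(p.stat().st_mtime for p in copies)) / 86400
    if age_days > max_age_days:  # backups silently stopped some time ago
        problems.append(f"STALE: newest backup file is {age_days:.0f} days old")
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        copy = backup / rel
        if not copy.is_file():
            problems.append(f"MISSING: {rel.as_posix()}")
        elif copy.stat().st_size == 0 and src.stat().st_size > 0:
            problems.append(f"ZERO-BYTE: {rel.as_posix()}")
        elif sha256_of(copy) != sha256_of(src):
            # Assumes the check runs right after the backup job, before the source changes.
            problems.append(f"MISMATCH: {rel.as_posix()}")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a source folder and a backup target that received nothing.
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "data"), Path(tmp, "backup")
        src.mkdir()
        bak.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        for line in verify_backup(src, bak) or ["OK: backup verified"]:
            print(line)
```

Scheduling a check like this after every backup job, and alerting on any non-empty result, turns "test your backups" into something that happens continuously rather than once.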
—————————————————————————————————————
Educate your employees
Talk to your employees about their role in securing and protecting the information of their colleagues, customers, and the company. Have policies set in place so they know what practices are acceptable and unacceptable. Limit the number of users within the company who will have administrative access. This will minimize the amount of programs they will be able to download, therefore, minimizing the risks of downloading viruses and malicious software.
Create security policies and practices
Establish practices and policies to protect your company from cyber attacks and provide guidelines for resolving issues if they arise. Make sure to outline how situations will be handled and the consequences if an employee violates the policies. Control physical access to company devices and dispose of them properly. Prevent access to company computers and handheld devices from unauthorized users. Laptops and cellphones are easy targets for cyber theft since they can be misplaced easily or stolen quickly. Reset devices that are being disposed of back to factory setting. Never get rid of a cell phone or laptop without completing this step. Failure to do so could result in company information winding up in the hands of the cyber criminal.
Know how to distinguish between fake antivirus offers and real notifications
Train your employees to be able to recognize fake antivirus warning messages and alert IT as soon as they notice anything questionable occurring (if necessary). Make sure your company has a policy in place for the steps to be taken should an employee’s computer become infected with a virus. Malware is a sneaky program that can obtain information by making its way onto devices via the Internet, social media, email, attachments, and downloads. For example, key-logging malware can track everything the user types on their keyboard. This means cyber criminals could access bank accounts, customer information, passwords, and other company-sensitive information. Make sure to keep your security software up-to-date to help prevent malware from sneaking onto your system and networks.
Inform your customers
Let your customers know the reasons why you collect their personal information and what it is used for. Assure them that your company will not request any sensitive information such as their social security number or their bank account information over unprotected methods of communication, such as through text message or email. Ask them to report suspicious communications.”
These are great bird’s-eye tips, but a recent article by BDC got more into the weeds, about Canada specifically. They wrote…
How to protect your business from cyberattacks
“From ransomware to data breaches and stolen funds, cyberattacks cost Canadian businesses millions of dollars every year.
While many entrepreneurs think they’re too small to be targeted, cyberattacks can happen to any business at any time. A fifth (16%) of Canadian small businesses and 28% of medium-sized businesses were the target of a cyberattack in the 12 months before November 2021, according to a BDC survey.
By taking the risks seriously and adopting cybersecurity measures to defend against them, businesses of all sizes can protect themselves and their customers.
What are the main cyber threats?
Cyber threats are the dangers caused by cyberattacks; these can be significant and include:
- Financial threats: Attacks come with high price tags. 30% of businesses that suffered a cyberattack in the 12 months before November 2021 reported costs of at least $50,000, according to a BDC survey.
- Strategic threats: The loss of intellectual property (IP), damage to networks and systems, and more can undermine the ability of a business to compete effectively.
- Privacy threats: Data leaks can put personal or private information in the hands of bad actors, with potential harms to customers, employees and the business as a whole.
- Safety threats: When a cyberattack damages or takes control of assets such as public infrastructure, human health and safety can be put at risk.
- Reputational threats: Public and customer confidence in a business can be severely damaged by a breach.
Even though the threats—and consequences—can be severe, many businesses are unprepared to face them. Only 55% of businesses train their employees against possible cyberattacks, according to a BDC survey.
Common myths about cybersecurity
In many cases, that un- or under-preparedness is due to common myths and misconceptions about cybersecurity.
Cyberattacks won’t happen to us.
Fact: Cyberattacks are targeted and can happen to anyone.
Cyberattacks come from the outside.
Fact: They are often the result of malicious insiders working with outside hackers.
Cyberattacks are unstoppable.
Fact: A methodical approach to cybersecurity implemented through small, manageable changes can protect you.
Technology will keep us safe.
Fact: Technology is an essential tool, but vigilance is still key.
Our industry is safe.
Fact: Every industry can and has been targeted by cyberattacks.
2020 saw an alarming spike in cyberattacks in Canada and the average ransomware demand increased 170% between the first half of 2021 and the first half of 2020. Smaller businesses are often targeted because they’re perceived to have both valuable IP and extensive funding.
Types of cyberattack
Cyberattacks come in all shapes and sizes.
- Malware is software that accesses a computer or system without authorization and damages it.
- Ransomware locks data and holds it hostage until money is paid.
- Compromised credentials and phishing attacks let hackers steal passwords with the help of malicious insiders or by manipulating unsuspecting users.
- Cloud breaches target potential security weaknesses in third-party cloud service providers.
- “Island hoppers” bounce around from a company to its partners and customers, looking for vulnerabilities.
No matter the type, cyberattacks tend to follow a common four-stage pattern.
- Survey — The target is investigated.
- Delivery — An attacker enters a system through malware, compromises credentials, etc.
- Breach — Vulnerabilities are exposed once the attacker is inside.
- Affect — The attack is launched to cause damage, extort money or extract data.
The results of an attack can be devastating. Hackers targeting the Finnish mental health start-up Vastaamo in 2020, for example, gained access to patient records and sent extortion emails to both the CEO and its patients. They demanded 40 bitcoins and threatened to release 100 patient records a day until the ransom was paid. Months after the breach went public, the company filed for bankruptcy.
4 steps to strengthening your cybersecurity
A four-step approach can significantly strengthen your defenses against cyberattacks.
1. Identify risks
Countering cyber threats starts with asking questions.
- What are our most valuable assets?
- Do we integrate cyber risk with overall business risk?
- What are some potential threats we are facing?
- Are our current security controls effective?
- Do we have clear cybersecurity policies and have those been communicated?
- Do our people understand the impacts of cyber risk and our collective responsibilities?
- Who is currently responsible for cybersecurity?
Look at people, processes and premises as well as technology as potential risk areas. Identify what’s most valuable—and potentially most likely to be targeted—among your information and data.
2. Create controls
Put in place measures such as malware detection, security protocols and policies, training, data encryption, and asset and supply chain risk management to protect your assets and systems.
Consider implementing the following measures:
- a formal information security management program
- malware protection
- information and security policies, identity and access control
- staff information security training, security team competence
- encryption, physical and environmental security
- patch management, network and communications security
- asset management
- supply chain risk management
3. Establish a security culture
Train staff to think in terms of cybersecurity and adopt safe practices: a strong security culture can go a long way toward keeping an organization safe.
Developing the skills of your people internally can take a long time and will entail more than simply having them complete a class. If you urgently need these skills in your team, then asking for short-term help from a consultant or specialist may be the best course of action.
4. Monitor and improve
You’ll need to install software or hire a service provider to monitor your network and watch for anomalies and potential cybersecurity incidents before they cause damage.
Over time, you’ll be able to set benchmarks and measure how effective your solution is at responding to threats and keeping systems protected with the latest software.
Create a cybersecurity incident response plan
If a cyberattack does happen, a cybersecurity incident response plan can lower your data breach costs. The plan should cover how you’ll investigate the attack, how you’ll communicate it to partners and customers, and how you’ll notify third parties such as police, regulators or stakeholders.
Most incident response plans will cover six steps:
- Identify — Find the breach.
- Contain — Limit damage.
- Eradicate — Eliminate the root cause of the breach.
- Recover — Restore systems.
- Re-assess — Decide what and how to improve.
- Share knowledge — Transfer knowledge of the attack and how to prevent similar ones in future to other businesses and authorities.
Boost your cyber skills
With some investment of time, training and money, there’s a lot that can be done to prevent cyberattacks and minimize their harm.
Common methods used by attackers to take over a network can be defended against by putting basic cyber security controls in place. Making sure you follow a set of standards or getting a cybersecurity certification—such as ISO 27001—will help ensure you have implemented the basics of cybersecurity. It will also signal to your customers and partners that you take security seriously and have invested in processes and systems to protect customer data.”
At Adaptive Office Solutions, cyber security is our specialty. When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime.
To schedule your Cyber Security Risk Review, call the Adaptive Office Solutions service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca