Why Your Business Should Conduct Regular Security Assessments Reason #4 – Non-Compliance


To be sure the cyber security measures you have in place are adequate for your business, regular security assessments must be scheduled to identify internal and external threats. In this article, we will talk about how non-compliance exposes your business to serious cyber threats, which can result in data loss, costly downtime, and damage to your business’s reputation.

But first, let’s gain a better understanding of how and why the cyber security compliance rules are changing…

According to an article by ABA, ‘Enforcement activities of cybersecurity and privacy laws in both Canada and the United States are on the rise. Canada has one federal statute governing commercial privacy matters across the country, except in three provinces where ‘substantially similar’ legislation governs, with specific requirements for particular industries (i.e., banking and health).

For businesses engaged in Canada-U.S. cross-border transactions, understanding the laws and regulations on both sides of the border – and having an appropriate cybersecurity compliance program in place – are imperative to assuring that personal and proprietary information are protected; and to minimize the legal, financial, and operational risks to businesses that may occur through noncompliance with laws.’

But cyber security compliance should extend much further than the rules mandated by the government. Laws are only the bare-minimum requirements you need to comply with. Every business, and every individual working within it, is unique. There are a myriad of other internal compliance protocols that must be documented to prevent cyber threats to your business.

And, unlike onboarding – which is done only once with a new employee – it’s imperative to give staff consistent reminders about cyber security protocols, which can be ever-changing in today’s environment.

In an article by CLA, they wrote: ‘The current cyber threat landscape is incredibly active — given the rush to remote work as a result of the pandemic, a significant increase in security incidents has occurred. Meanwhile, hackers recognize this and continue to exploit weaknesses in cybersecurity systems and practices.

Regulators understand most businesses are not interested in the investment needed to keep themselves and their data safe, and would rather live under the unwise assumption that they are too small or inconsequential to get targeted by hackers. But, as proven time and again, hackers are rather indiscriminate when it comes to targets, and sometimes the smaller the organization, the easier it is to operate undetected for months on end.

As a result, cyber regulations have been developed with two general objectives: pre-breach, which forces businesses to spend money to implement protocols to reduce the likelihood of a breach; and post-breach, which requires businesses to notify impacted individuals of potential damages as a result of a breach.

Although the lack of an appropriate cybersecurity program is all too commonplace, a strong, compliant cybersecurity program is as important to your business as enterprise resource planning, human resources, and accurate financials.’

According to an article by Leaf, there are 10 things to consider when addressing your internal compliance protocols…

‘We’ve all heard of enterprises paying huge fines or even going out of business because of a simple hack to their systems. There are simply far too many threats out there – from ransomware to phishing – to ignore the risks that could cost you your livelihood. Prevention is key to safeguarding your business against cyber security threats. Consider the following…

1. Train your staff

One of the most common ways cyber criminals get access to your data is through your employees. They’ll send fraudulent emails impersonating someone in your organisation and will either ask for personal details or for access to certain files. Links often seem legitimate to an untrained eye and it’s easy to fall into the trap. This is why employee awareness is vital.

One of the most efficient ways to protect against cyber attacks and all types of data breaches is to train your employees on cyber attack prevention and inform them of current cyber attacks.

They need to:

  • Check links before clicking them
  • Check email addresses from the received email
  • Use common sense before sending sensitive information. If a request seems odd, it probably is. It’s better to check via a phone call with the person in question before actioning the “request”

2. Keep your software and systems fully up to date

Often cyber attacks happen because your systems or software aren’t fully up to date, leaving weaknesses. Hackers exploit these weaknesses to gain access to your network. Once they are in – it’s often too late to take preventative action.

To counteract this, it’s smart to invest in a patch management system that will manage all software and system updates, keeping your system resilient and up to date.

3. Ensure Endpoint Protection

Endpoint protection protects networks that are remotely bridged to devices. Mobile devices, tablets and laptops that are connected to corporate networks give access paths to security threats. These paths need to be protected with specific endpoint protection software.

4. Install a Firewall

There are so many different types of sophisticated data breaches and new ones surface every day and even make comebacks. Putting your network behind a firewall is one of the most effective ways to defend yourself from any cyber attack. A firewall system will block any brute force attacks made on your network and/or systems before they can do any damage.

5. Backup your data

In the event of a disaster (often a cyber attack) you must have your data backed up to avoid serious downtime, loss of data, and serious financial loss. All businesses should have redundant backups. Redundancy ensures your data is stored in multiple geographically disparate locations.

6. Control access to your systems

Believe it or not, one of the attacks that you can receive on your systems can be physical. Having control over who can access your network is very important. Somebody can simply walk into your office or enterprise and plug a USB key into one of your computers, giving them access to your entire network or allowing them to infect it.

7. Wifi Security

Who doesn’t have a wifi enabled device in 2021? And that’s exactly the danger. Any device can get infected by connecting to a public network; if this infected device then connects to your business network, your entire system is at serious risk.

Securing your wifi networks with malware and virus protection and hiding them via a VPN is one of the safest things you can do for your systems. This includes protecting cell phones and tablets with malware and virus protection, and making sure the VPN is on at all times. Never connect to a public wifi without them.

8. Unique Login Information

Every employee needs their own unique login credentials. Several users connecting with the same password can put your business at risk. Having unique logins for staff member visits will help you reduce the number of cyber risks.

9. Access Management

One of the risks of being a business owner with employees is that they may install software on business owned devices that could compromise your systems. Having managed admin rights and blocking your staff from installing software or even accessing certain data on your network is beneficial to your security.

10. Passwords

Having the same password set up for everything can be dangerous. Once a hacker figures out your password, they now have access to everything in your system and any application you use. Having different passwords set up for every application you use is a real benefit to your security, and changing them often will maintain a high level of protection against external and internal threats.’

Adaptive Office Solutions suggests using Keeper Security. Keeper manages your passwords to prevent data breaches, improve employee productivity, cut helpdesk costs, and meet compliance standards.

These are great tips, but will they protect you against every cyber threat? The short answer is no. The sole mission of cyber criminals is to gain access to your business and corrupt or steal your data… and the data of your clients. They are technology experts, while most businesses are primarily focused on the products and services they provide.

At Adaptive Office Solutions, cyber protection is our speciality. We’re the ‘Good IT Guys,’ whose sole purpose is to fight the dark side of technology experts. We do that by conducting continuous cyber security assessments, using a complex set of protection tools designed to protect your greatest asset… your business.

A big part of cyber security assessments is making sure that your business is following the compliance rules established by both the government and the policies you’ve instituted for the employees within your business.

But, you don’t have to take our word for it…

In an article about cyber security specialists, by Florida Tech, they say, ‘Using a multi-layered approach, cyber security specialists use their expertise and up-to-date knowledge to help protect against Web threats that facilitate cyber crime, including: malware, phishing, viruses, denial-of-service attacks, information warfare and hacking.

Cybersecurity specialists are responsible for keeping cyber crime at bay by using their proficiency in analysis, forensics and reverse engineering to monitor and diagnose malware events and vulnerability issues. 

They then make recommendations for solutions, including hardware and software programs that can help mitigate risk. These professionals typically design firewalls, monitor use of data files, and regulate access to safeguard information and protect the network.

Staying up-to-date on current virus reports and protecting networks from these viruses is a major aspect of a cybersecurity specialist’s job duties. They often train users, promote security awareness, develop policies and procedures, and provide updates and reports to management and executive staff.’

Conclusion: 

The information we provided in this article is just the tip of the iceberg. For a deeper dive, we suggest that you visit all of the links below, and then all of the links on each of those pages. It’s a fantastic resource, and one we suggest that you become VERY familiar with.

PIPEDA compliance help

The Office of the Privacy Commissioner of Canada has developed a number of resources to help businesses better understand their obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), and how the Act applies in certain situations and to specific issues.

On this page you can access guidance and tips created to help businesses handle personal information in accordance with PIPEDA. For a deeper dive into PIPEDA’s compliance and training tools, click here.
