As a business owner, you have a lot of things that need your focus on a daily basis. As the world continues to shift online, the frequency and severity of cyber threats is increasing—becoming a major danger to business owners. As such, it's becoming more important to understand potential online risks to your business and proactively plan the steps needed to contain them.
Acknowledging cyber threats can have an impact on your business is the first step in protecting it. Seven out of 10 business leaders say that their cyber security risks are increasing and cyber readiness is more important given the potential risk that a cyber incident poses.
When you understand the potential online risks to your business and plan the steps you need to take to contain them, you can concentrate more on growing your business.
Here are considerations for business owners to help develop their cyber readiness:
Developing cyber readiness starts with:
- Increasing your awareness of successful cyber threats, and understanding how they might affect your business operations
- Learning effective tactics you can practice against cyber threats, and focusing on the protections that are within your control
- Keeping alert to cyber threats, practicing healthy cyber habits, and committing to continuous learning and adapting your cyber hygiene habits to meet these threats
- Knowing the relevant reputational, legal, and operational risks to your business from below standard cyber security practices
- Planning ahead to reduce the potential impact of cyber threats to your business, your employees, and your customers
“Owners should pay as much attention to their operational cyber readiness as they do to their employee safety, customer experience, cash flow, supply chain, or equally business-critical parts of your business,” says James Lee, a cyber security consultant for Royal Bank of Canada. “Think about cyber security when you think about your people, your processes, your technologies and your customers' user experience.”
Be informed about and prepared for cyber security risks before they happen. Then you can concentrate more on growing your business and worrying less about your cyber risks.
Where to start: Cyber security for your small business
1. Determine what needs protection
Identify your most valuable information, Lee explains. “Think about, ‘What kind of data do I have,’ ‘What does it mean to me if I lose control of that data,’ and ‘What steps can I take to increase the possibility that, if I lose control of that data, I can recover it.’”
2. Protect your data
Lee recommends following cyber security best practices. These include:
- Use strong and different passwords to log into different systems
- Implement multi-step authentication
- Install antivirus software and keep it updated
- Remain current with software security updates
- Back up your data
3. Learn about common threats and the precautions to take
Protecting your business against cyber risks requires you to know about common threats and the precautions to take.
|Threat||Entry point||Root cause||A way to avoid it|
|Unauthorized access to a system||Compromised login||Same password used for email, social media, banking||Use a different strong password for each purpose|
|Ransomware||User-opened attachment||Strengthen awareness of suspect messages – when in doubt, delete|
|Distributed denial of service (DDoS) attacks||Network||Massive amounts of traffic sent by hackers||Limit what traffic reaches your systems with a firewall|
|Spear phishing||Fake messages targeted at business leaders||Educate users on social engineering techniques|
|Smishing||SMS text message||User tricked into providing sensitive information||Teach users not to click on suspicious links in text messages|
4. Think safety first
Teaching employees to “think before they click” is crucial to avoid social engineering attacks embedded in suspect emails, texts or social media messages. Even the most well-intentioned employees can expose your business to cyber threats if they aren't careful.
Cyber security best practices for small businesses include training employees on:
- Safely browsing the internet
- Creating strong passwords
- Protecting sensitive data
For example, educating employees about how to recognize fake emails may help prevent business email compromise, in which cyber criminals dupe companies into sending money to false accounts by appearing to send legitimate emails requesting payments or funds transfers.
5. Protect log-in credentials
Theft of login credentials is one of the biggest risks, Lee says. Cyber criminals often steal this information through “phishing” emails that trick recipients into providing sensitive data or getting them to click on a link that infects their computer with a virus.
Criminals could use stolen credentials to access your company's bank accounts, customer data or other similarly sensitive information, which is why teaching employees to spot malicious emails is important.
6. Consider software-as-a-service (SaaS) risks
Using an external software provider doesn't necessarily protect you from cyber attacks. While they may have benefits like storing data and requiring two-step authentication, like an activation code sent to your phone, it doesn't mean your information is without risk.
Even with multi-factor authentication, a criminal may be able to steal the activation code sent to your phone and use it to log into your account, Lee says. To help mitigate risk, confirm that your SaaS provider checks where a user logs in from an unauthorized location can't log into your account.
7. Put a plan in place
Document your plans to protect your business, ensuring steps are customized based on your business operations. You'll also want to document your expected response if you are attacked. For example, if your business uses mobile devices, you should consider implementing protections for accessing your company data remotely.
As threats evolve, ensure you're updating the plan. If you read of a major incident like the recent ransomware attack that shut down gasoline distribution in the southeast United States, consider how you would respond if a cyber criminal seized control of your systems and demanded payment to restore access.
“You have to be able to separate out moments of panic versus, ‘I understand what's happening,’” says Lee. You must also be ready to assess whether a threat would be an issue for your business, he says.
“You always have to think about, ‘What's my role, what's my content, and am I outsourcing it to a software-as-a-service provider or am I running it all’,” Lee says.
Developing—and maintaining— cyber readiness may be a continuous process but it's worth the effort to protect against ongoing risks. Lee likens maintaining cyber readiness to walking across a street. Even if you have the walk sign, you still check both ways before crossing to protect yourself.
This article was originally published on RBC Discover and Learn.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.
In Quebec, financial planning services are provided by RBC Wealth Management Financial Services Inc. which is licensed as a financial services firm in that province. In the rest of Canada, financial planning services are available through RBC Dominion Securities Inc.