Cyber Safety Inspections

Benefits of Cyber Essentials

As a small or medium enterprise (SME) you have a lot to consider when running your operations. One of the last things that you may think about is cybersecurity. Many SMEs believe that they are not at risk of a cyberattack because of their size. This couldn’t be further from the truth. In fact, did you know that SMEs are at the greatest risk of being attacked? More than 60% of SMEs were the target of attacks in 2015.

Cybersecurity Ventures predicts global annual cybercrime costs to grow from $3 trillion in 2015 to $6 trillion by 2021. And let’s be clear, cybercrime can be:

  • Damage and destruction of data
  • Theft of intellectual property
  • Stolen money
  • Fraud
  • Lost productivity

And can lead to going out of business!

Let’s face it, we use the internet for business. As a result, our business is at risk. If you have customer information – accounts, names, data – you are at risk. If you have employee names, bank accounts, social insurance numbers – you are at risk.

We have created, with the assistance of St. Thomas University students, a set of Business Safety Inspection questions to help you assess your business’ safety in terms of cybersecurity risk. These questions will help you quickly assess where you stand and, as a result, identify where your gaps are so that you can take action. Like a Motor Vehicle Inspection, this Inspection helps you prepare your business against the unforeseen and dangerous traffic of the information superhighway! (We bet you haven’t heard that term in a while!)

 

Let’s get started!

Did you know that the Privacy Law in Canada has changed and will soon require all businesses to report breaches? Will you be prepared to demonstrate how you protected your customers’ data and/or your employees’ data?

Safety Inspection #1 - Awareness and Training

Our greatest assets are our employees! Without them, we could not operate. Given that they are our greatest assets, have we had the time and resources to adequately prepare them to protect the business? The first line of defence in protecting your business is preparing your employees. All it takes is one email with a bad link or a convincing phishing attempt to cost your business extraordinary amounts of cash…or worse yet, shut you down permanently.

Before we begin, on a scale of 1 to 10, how would you rate the importance of cybersecurity to your company? In other words, do you even think about it?

  • Scale: 1 (Not Important) to 10 (Top Priority)

Awareness

Phishing scenarios encourage employees to click on links that direct them to sites prompting them to give up or update personal or corporate information, for example by entering their password. The majority of these emails masquerade as coming from an IT Help Desk or even from some of your clients, suppliers or partners.

Corporate information could be anything from banking information to intellectual property. It includes all our employee files, sales strategies or information we gather belonging to our clients.

Client data includes their credit card information, health records or any identifying information, like their names, addresses, emails, phone numbers, etc.

Partner data is all of the shared information we use in our supply chains. This could be contracts, purchase orders, banking information, databases and any services we're collaborating on.

All of this information is a treasure trove for hackers and criminals. It could put our staff or clients – or those of our partners – at risk for identity theft or fraud.

Let's do the inspection:

1. How would you describe the level of awareness and training of your employees on cybersecurity?

  • Scale: 1 (Not Trained) to 10 (Very Well Trained)

2. Do you have a process in place to train employees?

3. How often do you discuss cybersecurity issues with staff? (Hint: this could include formal or informal training, during staff meetings, etc.)

Social media can be a powerful communications tool for businesses. However, it can also leave you exposed to threats. It may be cost-effective in the short run to allow employees to use their own devices, like cellphones or laptops, but it could cost you in the long run. Without proper education and awareness, you could be putting all your corporate data at risk due to the personal habits of employees. Without the right knowledge they could be unintentionally increasing your risk. If you are attacked, all of your corporate, client and partner data could be accessed.

4. Do you have policies or protocols for social media use and/or mobile device use within your organization?

5. Do you have documented protocols in place for employees to report breaches?

6. Do you have documented consequences for your employees should cybersecurity protocols not be followed?

7. Equally important, have you established protocols to ensure that former employees are no longer able to access your systems?

Did you know that under Canadian legislation, you and your staff are accountable for protecting any personal data your company holds?

Are you aware that you are responsible for ensuring your staff are trained and follow protocols set out to protect personal information? This includes making sure secure devices and systems are used when accessing and storing information and that access is limited to those with a need to know to begin with.

Protecting the Supply Chain

There are concrete examples of companies being hacked as a result of a weak link in their supply chain systems. The US retail giant Target learned this the hard way. In their case a small HVAC company was that weak link. More than 100 million Target customers were exposed, which led to lawsuits and fines of upwards of $3 billion. And, something significant: that HVAC company is no longer in business.

FACT: Approximately 70% of companies attacked are notified of the attack by an external entity. They did not detect it themselves.

We need to be prepared now for the challenges of the future.

Let's do the inspection:

1. How often do you communicate about cybersecurity with your partners or supply chain?

2. Do you know what protocols they have in place?

3. Let’s flip the table. If you are a supplier to a large company, can you provide assurance or certification as proof that you are protecting their systems?

Did you know that many large enterprises are now requiring proof and/or certification to demonstrate that your business has taken adequate steps to protect your business and theirs from common internet threats?

4. What are the consequences - if any - if you discover these protocols and processes are not being respected?

Thank you!

Did you know that a threat can be present on your network for an average of 205 days before it is detected? Think about the damage that can be done in this amount of time.

Want to learn more about how to protect your business, your critical data and your supply chain? Visit www.cyberessentialscanada.ca
