In our increasingly digital world, many small businesses continue to lack proper cyber security. Did you know? Data breaches exposed 4.1 billion records in the first half of 2019 (source). Or that, on average, only 5% of companies' folders are properly protected (source)? If your company hasn't invested in a robust cyber security plan and you're wondering where to start, this article covers some of the most frequently asked questions about cyber security, along with ways to protect your business.
In this article, we will explore the top FAQs about cyber security for small businesses, including: what it is, why companies need a cyber security policy, how to create a password that is strong enough to protect your sensitive data, and more.
1. What is Cyber Security?
Cyber security refers to protecting and recovering networks, devices, data, and programs from unauthorized access, criminal use, or cyberattacks. It helps ensure the confidentiality, integrity, and availability of company and client information connected to the internet.
Cyberattacks are increasingly becoming a danger for organizations, their employees, and consumers. Cyberattacks can target, hold hostage, or destroy sensitive data. They can also extort money and destroy businesses. By having a robust cyber security plan, companies can help secure their most important information.
2. What Is the Difference Between Cyber Security and IT (Information Technology)?
IT security protects data and information systems from unauthorized access. This involves implementing processes to prevent the misuse, modification, or theft of sensitive company information.
Cyber security refers to the protection of data on the internet. In particular, cyber security protects companies from hackers and other cybercriminals.
Cyber security is seen as a subset of IT.
3. Does Every Company Need a Cyber Security Policy?
Without a clear workplace cyber security policy, employees can accidentally expose the company to a number of risks. Businesses are particularly vulnerable now, while many employees are working remotely or using their personal devices to access company accounts.
Some things to include in your cyber security policy:
- Which devices employees are allowed to use, ex: only company-issued devices vs their own devices (think laptops, phones, tablets, and so on),
- Password requirements,
- How to handle suspicious e-mails,
- When it's appropriate to share your work e-mail,
- When it's okay to open attachments,
- How to handle sensitive data, including: where it should be stored, when it can be shared, how to identify it, and how to destroy it,
- How to store devices when not in use,
- How often to update software,
- What company information is appropriate to share on social media,
- What to do in the event of a cyber incident, and
- What to do in the event of a lost, stolen, or broken company device.
Make sure to take a look at your cyber security policy regularly to ensure it's up to date. Technology changes frequently and policies should reflect these changes.
4. How Often Should You Train Employees on Cyber Security?
One of the most vulnerable parts of a company's cyber security is human error. Whether by opening a dangerous attachment or using simplistic passwords, employees frequently put companies at risk by accident.
The solution? Train your team on the importance of cyber security.
However, simply performing annual training isn't enough. Cyber security risks are continuously evolving, so employees should be updated frequently on the risks and best practices.
Some ways to get buy-in from your team:
- Explain the importance of cyber security for your business from day one,
- Have employees undergo a simulated attack,
- Communicate new risks as they emerge and how to avoid them,
- Stress the importance of cyber security for their personal data, and
- Reward employees that report suspicious e-mails.
5. What Is a Firewall and Do You Need One?
A firewall is a security device used to protect a network by filtering the traffic and blocking outsiders from gaining unauthorized access to the private data stored on a computer.
With firewalls you can set rules for individual applications. For example, allowing some applications on a mobile device to access the internet but not others.
There are multiple types of firewalls, ranging from simple to complex in function. The newest versions can do much more than simply filter which traffic is and is not allowed to pass into a network. Be sure to choose a firewall that works for your company's needs.
Firewalls are commonly appliances built by individual vendors, but they can also be bought as software that customers install on their own hardware.
6. How Do You Create a Strong Password?
If you haven't already, it's time to stop using the same password across accounts.
Here are some tips for creating a secure password:
- Avoid reusing passwords. If you have trouble remembering all the different passwords you use, consider investing in a password manager.
- Use a passphrase for maximum security, ex: "This Is The Best Job 100%." Why? Most password-cracking software is only practical against passwords of 10 or fewer characters; a passphrase can't be easily guessed by people you know; and it fulfills the complexity requirements of upper and lower case letters, numbers, and symbols.
- Don't use the same e-mail address for work and personal accounts. If you do, and a hacker figures out your password, far more sensitive data becomes vulnerable.
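The tips above, turned into a small policy checker, as an added example that is not code from the original article: it enforces a minimum length that a multi-word passphrase clears easily, checks for the four character classes, and detects reuse by comparing against salted PBKDF2 hashes of previous passwords rather than storing the passwords themselves. The 14-character minimum, the iteration count and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional, Tuple

MIN_LENGTH = 14              # assumed policy value; a multi-word passphrase clears it easily
PBKDF2_ITERATIONS = 200_000  # assumed work factor for hashing stored password history
REQUIRED_CLASSES = {"lower", "upper", "digit", "symbol"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Store (salt, digest) for reuse checks, never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """Re-hash the candidate with each stored salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def character_classes(password: str) -> set:
    """Which of lower/upper/digit/symbol appear; spaces and punctuation both count as symbols."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password: str, history: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if was_used_before(password, history):
        problems.append("reused: matches a previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample values for illustration only
    previous = [hash_password("Summer2019!")]
    for candidate in ["Summer2019!", "This Is The Best Job 100%.", "P@ssw0rd"]:
        print(repr(candidate), check_password(candidate, previous) or "OK")
```

Keeping only salt and digest for the history means a leaked history file does not hand an attacker the old passwords, and the constant-time comparison avoids leaking how close a guess was.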
7. What Is Multi-Factor Authentication?
Multi-factor authentication is a method of electronic authentication where you are only granted access to a website or application after successfully presenting two or more pieces of evidence to an authentication mechanism.
This could be:
- Entering something only the user knows,
- Using a possession only the user owns, or
- Presenting something only the user is (like a fingerprint).
The purpose of multi-factor authentication is to protect the user from an unknown person gaining access to their data, which could be personal or financial details.
Two-factor authentication is a type of multi-factor authentication where in order to gain access to a website or application the user must confirm two factors, like a password and a code sent to their phone.
For this to work, a third-party authenticator (like an authentication app, explained below) will typically show a randomly generated and constantly refreshing code which the user can enter.
8. What Is an Authenticator App?
An authenticator app, like the free Google Authenticator, is a security app that can add an additional level of security to your computer use.
Authenticator apps work by creating a two-factor authentication process for services like Gmail, Facebook, Twitter, Instagram, and more.
These apps work by randomly generating a code that is used to verify your identity when logging into various services. The code is sent to your phone, and once you confirm you've received the code on your phone you're able to gain access to the services.
9. How Often Should You Back-Up Data?
Important files should be backed up at least once a week; once every 24 hours is preferred. In certain industries, regulations govern how often and where you can back information up.
There are software programs that can be scheduled to run a backup automatically at a chosen time. Or you can manually back up data to an external hard drive, USB stick, or CD.
If your backups aren't regulated and you choose to do them manually, you'll want to prioritize which data is most important to back up:
- Company information,
- Customer data,
- Billing information,
- Branding materials,
- Bookkeeping, and
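An added example, not code from the original article, of the scheduled, prioritized backup described above: it archives the priority folders in order, embeds a SHA-256 manifest, and then performs the step most backup plans skip, a restore test that extracts the archive and re-checks every hash. The folder names, the file contents and the backup location are constructed for illustration.

```python
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Highest priority first; constructed folder names for illustration
PRIORITY = ["customer_data", "billing", "bookkeeping", "company_info", "branding"]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_root, dest_dir, priorities=PRIORITY) -> Path:
    """Archive the priority folders that exist under source_root, highest priority first,
    and embed a manifest of SHA-256 hashes so the archive can be verified later."""
    source_root, dest_dir = Path(source_root), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / time.strftime("backup-%Y%m%d-%H%M%S.tar.gz")
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for folder in priorities:
            folder_path = source_root / folder
            if not folder_path.is_dir():
                continue  # folder absent on this machine; skip rather than fail
            for file in sorted(p for p in folder_path.rglob("*") if p.is_file()):
                rel = file.relative_to(source_root).as_posix()
                manifest[rel] = sha256_file(file)
                tar.add(file, arcname=rel)
        data = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size, info.mtime = len(data), int(time.time())
        tar.addfile(info, io.BytesIO(data))
    return archive


def list_backup(archive) -> dict:
    """Read the manifest without extracting: what the backup claims to contain."""
    with tarfile.open(archive, "r:gz") as tar:
        return json.load(tar.extractfile("MANIFEST.json"))


def verify_backup(archive):
    """Restore test: extract to a scratch directory, recompute every hash, compare with the
    manifest. Returns (ok, list_of_mismatched_paths)."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses unsafe member paths
            except TypeError:  # Python without the filter argument
                tar.extractall(scratch)
        root = Path(scratch)
        manifest = json.loads((root / "MANIFEST.json").read_text())
        bad = [rel for rel, digest in manifest.items()
               if not (root / rel).is_file() or sha256_file(root / rel) != digest]
        return (not bad and bool(manifest)), bad


def run_demo():
    """Constructed sample tree: two priority folders plus one folder outside the list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "company"
        (root / "customer_data").mkdir(parents=True)
        (root / "customer_data" / "clients.csv").write_text("id,name\n1,Example Co\n")
        (root / "billing").mkdir()
        (root / "billing" / "2019-q3.txt").write_text("invoice 1001 paid\n")
        (root / "scratch").mkdir()  # not in PRIORITY, so it is not archived
        (root / "scratch" / "tmp.log").write_text("noise\n")
        archive = create_backup(root, Path(tmp) / "backups")
        ok, bad = verify_backup(archive)
        return ok, bad, sorted(list_backup(archive))


if __name__ == "__main__":
    print(run_demo())
```

Run `create_backup` from a scheduler (cron or Task Scheduler) at the chosen interval and keep the archives on a drive that is disconnected or otherwise separate from the machines being backed up; the restore test is what tells you the weekly or daily copy can actually be used when needed.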
Keeping cyber security top-of-mind is increasingly important as the world continues to move toward digitally run businesses. During November, we released two podcast episodes that dive deeper into the world of cyber security for small businesses.