What is cybersecurity?
Cybersecurity is the art of protecting your assets while ensuring the confidentiality, integrity and availability of your data.
No matter how big or small your business is, you could be hacked by
someone who thinks there’s something to be gained by accessing your
intellectual property, financial affairs, production capacity or other
sensitive data.
What are the challenges of cybersecurity for businesses?
It can happen to anyone
All businesses face cyber threats, whether they’re cloud companies or
neighbourhood coffee shops offering Wi-Fi to customers. Hackers
sometimes go after very specific targets for political or other
reasons, but they could also attack to test your system and see if
there’s something to steal.
Privacy and data security are important
You may be managing confidential data like your clients’ contact information or credit card numbers. Your reputation could be seriously damaged if your data is stolen. If you have been negligent, you could even be subject to legal action.
There are corporate cybersecurity laws to follow
Governments now require businesses to take action on cybersecurity.
Nationally: In June 2022, the federal government introduced Bill C-26, An Act respecting cyber security, which introduces significant new cybersecurity requirements for certain federally regulated businesses so that they prepare for cybersecurity incidents, prevent them and respond appropriately.
Provincially: British Columbia, Alberta and Quebec have their own privacy legislation (for example, Bill 25 in Quebec). All other provinces fall under the Personal Information Protection and Electronic Documents Act (PIPEDA).
How can you improve the cybersecurity of your business?
Although it’s best to consult an expert to get personalized advice, here are some possible solutions:
- Appoint a privacy officer within your organization. If you don’t, the person responsible for the business will have to assume that role.
- Implement a governance framework.
- Complete a privacy assessment using this Government of Canada tool (link to external site).
What cyber-attack risks are there for businesses?
The main risks associated with weak cybersecurity can be divided into 4 broad categories:
Cybercrime
Cybercriminals steal information to exploit or resell it (banking data, login credentials to merchant sites, etc.).
Phishing and ransomware are known examples of malware. Without a protection mechanism, you’ll be more vulnerable to attacks.
Damage to your public image
Attacks to destabilize governments or businesses are frequent and generally unsophisticated. From stealing personal data to exploiting vulnerabilities, they damage the business’s public image by replacing website content with political or religious claims, among other things, which are then relayed onto social networks.
Espionage
Corporate espionage is highly targeted and
sophisticated and can have serious consequences for national
interests. It can take years for a company to realize it’s been the
victim of such an attack, because cybercriminals want to maintain
access for as long as possible to capture strategic information in a
discreet and timely manner.
Sabotage
Computer sabotage is the act of rendering
inoperative all or part of a company’s information system through a
cyber attack. This can include causing systems to crash or self-destruct.
How can I protect my business from cyber threats?
- Be wary of attachments and links in messages of suspicious origin.
- Question your automatic trust in the sender’s name.
- Perform regular backups on external devices, such as a hard drive.
- Update all of your main software packages regularly, preferably through automatic software updates.
- Use complex passwords and change them regularly.
- Manage access rights for each directory on your site.
- Implement technical measures such as adaptive security architecture, system isolation, firewalls, etc.
- Make sure you have an effective security policy if your site is hosted by a service provider, especially if the hosting is shared (several hosted sites).
What best practices should I implement?
Before heading off in all directions, ask yourself a basic question: What are my organization’s assets and what do I need to protect? Consider everything—information flow, access, third-party service providers, etc. The key question is “What have I done to prepare, regardless of the type of attack?”
Consult with cybersecurity professionals
Don’t hesitate to bring in an outside firm to examine your business.
It can help you understand all the ways you can protect yourself and
help raise awareness among staff.
A specialized cybersecurity firm can help you set up
your technology infrastructure and prepare various fictitious incident
response scenarios. For example, you can run simulations to identify
people within the business who will know what to do when the time
comes. You can also identify a third party.
Nationally: CyberSecure Canada (link to external site) is a certification program for small and medium-sized businesses. It provides additional resources you’ll find helpful, such as guides, templates and sample policies and plans to help you get certified.
Provincially: Canadian companies also have the option of bringing in private cybersecurity consulting companies to make sure they are protected from online threats. There are more than 100 corporate cybersecurity firms in Canada (link to external site). In Quebec, PROMPT is an example of an organization helping businesses with cybersecurity certification.
Train your employees
Training your employees in cybersecurity is critical to make
sure they’re careful with clickable links, attachments, etc. They need
to be familiar with the different types of fraud so they don’t put the
business at risk from the inside (business email compromise, phishing,
etc.).
How can you make sure your employees understand and consider cybersecurity?
Develop a cybersecurity culture by engaging with your employees. This won’t happen on its own. For example, at National Bank, we say “Cybersecurity is everyone’s business!” Everyone has a role to play in identifying risky situations. You have to get everyone involved. You can also run cybersecurity awareness workshops.
Invest time and money
You need to budget for cybersecurity so that you can prevent and react quickly to cyber attacks. For example, you could have a dedicated internal team or use an outside firm. Very often, the cost of not taking action is higher (risk to your public image, loss of clients, loss of revenue, etc.).
Consider getting cyber insurance
A good way to protect your business from the costs and risks associated with cybersecurity is to have insurance.
Cybersecurity insurance will help limit your losses, whether related to the attack or the loss of sensitive data, but it comes with a lot of conditions and is quite costly. Being cyber smart is still your best bet.
Where can I learn more?
There are many resources available to learn more about corporate cybersecurity. For example, National Bank is a founding member of Cybereco, the multi-sectoral cybersecurity leader in Quebec and across Canada.
Train your workforce and make your business more resilient by using the Cyberkit (link to external site). The kit has tools to build awareness among employees, managers and IT staff, suggestions for writing a cybersecurity policy, and basic tips for the general public to protect themselves at home.
Protecting your business is crucial. To stay in business, you must comply with Canadian laws and regulations and protect your sensitive data. Learn more about fraud prevention and online security.