After reading our last post you might be wondering why an accounting firm that specializes in working with entrepreneurs is focusing on cyber security. The simple reason is that threats ranging from phishing scams to ransomware and malware pose a significant threat to every small and medium-sized business’ bottom line.
To be sure, no organization is immune from IT security threats, and many are highly vulnerable to attacks. As noted in my last post, a PwC Canada survey from 2016 found that Canadian companies experienced a 160 per cent year-over-year increase in cyber incidents. While many Canadian firms are increasing their IT security budgets, the heightened sophistication of hackers and other online malfeasants is making it harder than ever to keep data secure.
That doesn’t mean that you have to sit back and wait for a ransomware or malware attack to cripple your business. As outlined in a recent report by our IT partners at Connected Technologies Inc. (CTI), organizations such as yours can take proactive measures to protect your business. Here’s how:
Focus on education—When it comes to preventing ransomware, malware, and phishing attacks, employee education is your best defence. A simple rule is that if an email, attachment or link looks questionable, it probably is. Your entire IT infrastructure could be compromised with a simple click, so make sure your employees understand company policies around data management and cyber security (and if you don’t have a set of policies in place, now is the time to draft them), as well as common tactics used by online criminals. Remember that many scammers prefer an utterly simple tool: the telephone. Attackers might call unsuspecting employees and casually request sensitive company information over the phone. They’re often successful if employees aren’t trained to spot phishing scams. Remind your staff that caller ID can be replicated, so even if the call comes from a recognized number or source, it can’t necessarily be trusted. In other cases, hackers might pretend to be from a software company such as Microsoft, and ask an employee to click on an email attachment or link that gives them access to their computer under the guise of a service call. The problem is that Microsoft would never need to access one of your computers, and certainly would never call you out of the blue to gain it. At other times, callers will pretend to be from Canada Revenue Agency in an effort to glean sensitive information. These are all potentially dangerous scams, but with the right employee training, their threat can be mitigated.
Strengthen your passwords—Yes, this is a piece of advice that you’ve likely heard a hundred times. The reason you keep hearing it is because so few organizations bother to require employees to use more complex passwords to protect their data. The team at CTI recommends using longer passwords, which are harder to crack; avoiding the practice of replacing characters with symbols or numbers (it seems to add a layer of digital security, but really doesn’t); and using password managers to force employees to change their passwords every few weeks or months. Last point: never use the same password for multiple websites, particularly those that store data in the cloud. Doing so could give a virtual free pass to any hacker looking to infiltrate your systems.
Report everything—If your organization experiences an IT security-related incident—or someone notices suspicious activities—ensure that you have a simple process to immediately report it, including any lost or stolen hardware. What qualifies as a reportable problem? As the team at CTI defines it, “A computer security incident is any attempted or successful unauthorized access, disclosure, or misuse of computing systems, data or networks, including hacking and theft.” Reporting and recording incidents can help create a paper trail, highlight unusual patterns and serve as a learning tool for employees—particularly if you were able to thwart an attack. Staff should be aware that if they even think their computer or session has been compromised, it’s critical to immediately log out of any cloud-based services and shut down their computer, then report the incident and allow your IT services professional, department or outsourced provider to manage scrubbing of the affected machine.
Build a security-conscious culture—Teaching employees to be more vigilant when it comes to cyber security means ensuring the topic is top-of-mind at all times. Taking a coffee break at Starbucks? Remind staff that the coffee giant’s free internet is anything but secure—as is the case with most public Wi-Fi. When using public Wi-Fi, always use a VPN, turn off sharing and use SSL connections. In fact, remind employees to keep Wi-Fi off altogether unless they really need it. Cellphone tethering is a more secure option. On that note, remind employees to always update software on their mobile devices (whether or not they’re using a device supplied by your company) and secure them with a PIN. If your organization uses Android phones, be sure to use anti-virus software.
Many in your organization may use USB keys to transfer or hold data. And why not? They’re a simple, inexpensive and convenient tool. But USB keys can easily spread malware and other threatening software, while also carrying the obvious risk of exposing sensitive data to hackers or even competitors when lost (which happens often). Remind employees to be vigilant when using these tiny tools.
Lastly, remember that cyber security is a responsibility of everyone in your organization. A simple breach could cost your business vast sums, compromise its competitive advantage, or worse—cripple it altogether.
The best piece of accounting advice we can give: don’t allow your bottom-line performance to be compromised by an entirely manageable (and avoidable) array of digital threats.
Jenny Lian, Partner