Cyber Safety
Don’t ignore the risks of cyber threats to your small or medium-sized business. Be cyber savvy and stay current with cyber safety best practices.
- Safeguard your organization from cyber risk
- Protect your organization from phishing scams
- Keep your employees safe from scams
- What to do after a cyber crime
Safeguard your organization from cyber risk
Cyber protection doesn’t need to be costly or complicated. Start by identifying valuable information and systems, understanding major threats and applying risk management best practices. Make sure you have these measures in place to enhance your cyber security:
Develop an incident response plan. If you have a plan, you can quickly respond to incidents, restore critical systems and data, and keep service interruptions and data loss to a minimum. Your plan should include strategies for backing up data at another secure location.
Patch operating systems and applications. When software issues or vulnerabilities are identified, vendors release patches to fix bugs, address known vulnerabilities, and improve usability or performance. Where possible, enable automatic patches and updates for all software and hardware to prevent threat actors from exploiting these issues or security vulnerabilities.
Use strong user authentication. Implement user authentication policies that balance security and usability. Ensure your devices authenticate users before they can gain access to your systems. Wherever possible, use multi-factor authentication (MFA).
Back up and encrypt data. Copy your information and critical applications to one or more secure locations, such as the cloud or an external hard drive. If a cyber incident or natural disaster happens, these copies can help you continue business activities and prevent data loss. Backups can be done online or offline, and can be of three different types: full, differential or incremental. Test your backups regularly to ensure you can restore your data.
Enable security software. Activate firewalls and install anti-virus and anti-malware software on your devices to thwart malicious attacks and protect against malware. Ensure you download this software from a reputable provider. Install Domain Name System (DNS) filtering on your mobile devices to block out malicious websites and filter harmful content.
Train your employees. Tailor your training programs to address your organization’s cyber security protocols, policies, and procedures. Having an informed workforce can reduce the likelihood of cyber incidents.
Secure cloud and outsourced services. Get to know a service provider before you contract them. Make sure the service provider has measures in place to meet your security requirements and needs. Know where a service provider’s data centres are located. Different countries have different privacy laws and data protection requirements.
Secure websites. Protect your website and the sensitive information it collects. Encrypt sensitive data, ensure your certificates are up to date, use strong passwords or passphrases on the backend of the site, and use HTTPS for your site. If you have outsourced your website, ensure your site’s host has security measures in place.
Secure mobile devices. Choose a device deployment model. Will your organization provide employees with corporately owned devices or will you allow employees to use personal devices for work? Ensure employees can only use approved applications and can only download applications from trusted sources.
Access control and authorization. Apply the principle of least privilege to prevent unauthorized access and data breaches. Employees should only have access to the information that they need to do their jobs. Each user should have their own set of log-in credentials, and administrators should have separate administrative accounts and general user accounts.
Establish basic perimeter defences. Defend your networks from cyber threats. For example, use a firewall to defend against outside intrusions by monitoring incoming and outgoing traffic and filtering out malicious sources. Use a virtual private network (VPN) when employees are working remotely to secure the connection and protect sensitive information.
Configure devices securely. Take the time to review your device’s default settings and make modifications as required. At a minimum, we recommend changing default passwords (especially administrative passwords), turning off location services, and disabling unnecessary features.
Secure portable media. Storing and transferring data using a portable media device, like a USB key, is convenient and cost-effective, but such devices are prone to loss or theft. Maintain an inventory of all assets. Use encrypted portable storage devices, if possible, and sanitize devices properly before reusing or disposing of them.
Source: Canadian Centre for Cyber Security
Protect your organization from phishing scams
The most common cyber threat is phishing – an attempt to steal personal and financial information. Most legitimate organizations will never ask you to reveal private information through an email, text message, social media direct message or phone call.
Unfortunately, every organization and individual is at risk of a phishing scam. Here are some things to keep in mind to protect yourself from phishing scams:
- Be extremely cautious any time you receive a message that asks you to reveal personal information, no matter how legitimate that message may appear at first glance.
- Whenever possible, verify requests for information through another means. For example, if you receive a message from your bank asking you to take immediate action by clicking a link or verifying some information, call your bank branch directly to confirm the message’s legitimacy.
Know the key forms of phishing scams:
- Smishing is a phishing attempt made through SMS (text message)
- Spearphishing is a targeted message designed to look or sound like it’s coming from a known personal source
- Spoofing is a fake website designed to get someone to share confidential information
- Whaling specifically targets senior executives or government officials
Source: Phishing: Don’t get reeled in
Keep your employees safe from scams
Phishing. Deepfakes. Social engineering. Third-party breaches. These are just some examples of online threats to your professional and personal digital identities. Whether your employees are working in the office, at home or on the road, it’s important for everyone to be cyber savvy and protect their identity. Here are some best practices:
- Use Wi-Fi securely
  - Change default network names (SSID) and passwords
  - Avoid using public Wi-Fi networks
  - If public Wi-Fi must be used, a virtual private network (VPN) can help protect sensitive information and accounts
- Keep security tools and software current
  - Use a firewall as well as anti-virus and anti-phishing software
  - Use strong passwords with multi-factor authentication (MFA)
  - Ensure employees who manage business social media accounts exercise caution when posting information
  - Regularly monitor financial accounts for suspicious activity
  - Identify unused accounts and remove identifying information before deleting them
- Share with caution
  - Research who your business shares data with and read privacy policies to find out how third parties handle information
  - Verify the identity of anyone asking for personal or business information and the legitimacy of the request
  - Don’t click on links in text or email messages. When in doubt, use the contact information posted on an organization’s official website to confirm identity
Source: Canadian Centre for Cyber Security
What to do after a cyber crime
If you’ve experienced a cyber crime, it’s important to take immediate action:
- Change passwords and security questions on the compromised account and all related accounts
- Determine which data was affected, such as financial information, social insurance numbers, etc.
- Report the incident:
  - to your cyber insurer, who can help with the steps to take to protect your data
  - to the account provider, as well as to associated or connected accounts
  - to law enforcement
  - by email to the Cyber Centre (contact@cyber.gc.ca) to report organizational identity theft
  - to the Canadian Anti-Fraud Centre online or at 1 888-495-8501 to report an identity theft incident
  - by submitting information about malicious software, electronic threats or spam to Innovation, Science and Economic Development Canada
- Get notified of changes to your personal data
  - Use Equifax and TransUnion to analyze credit reports and enable alerts for unauthorized inquiries
Sources: Canadian Centre for Cyber Security and Innovation, Science and Economic Development Canada