Vaughan Rising Blog: Seven Steps to Improve Cybersecurity in Your Business
For better or worse, most of us have been working from home for the last six months due to the pandemic. Big enterprises can support their staff with dedicated IT/cybersecurity personnel to prevent external cyber intrusions such as malware. Small and medium-sized enterprises (SMEs) can’t afford such a luxurious option.
Given how quickly the lockdown orders were imposed, SMEs had to make do with existing systems or set up new ones on the fly. Without the guidance of an IT specialist, these systems can have weak cybersecurity and create significant risk for companies already in survival mode due to COVID-19 restrictions.
How can SMEs protect themselves?
To find out, the City of Vaughan and Vaughan Chamber of Commerce spoke with a cybersecurity expert:
Evgeniy Kharam, Director of Solution Architecture Division, Herjavec Group
In his current role at Herjavec, Evgeniy designs optimum security solutions for clients by taking into account both their current infrastructure and future needs. Evgeniy recently started the Security Architecture podcast to give back to communities and help companies to improve cyber security architecture.
Vulnerable entry points for hackers
The internet, and technology in general, is constantly changing to make the user experience better. Consider how much easier it is to send emails, browse the web without remembering IP addresses, perform audio or video calls, exchange files instantly, etc. The downside of these improvements is that they create more vulnerabilities—flaws in code or design that create a potential point of security compromise for an endpoint or network—for bad guys to explore.
Additional vulnerabilities are created when employees conduct meetings and do work from their homes using personal computers and connecting to their home Wi-Fi networks, which are usually less protected.
Once a hacker has access to your networks, they can cause major damage. Evgeniy points out, “No business owner wants their company files to become encrypted or corrupted, or their software to malfunction.” In a worst-case scenario, hackers may use ransomware, which is software that encrypts files and allows the hacker to demand payment to restore access. “It is crucial to incorporate cybersecurity awareness into daily routines especially when interacting by emails with customers and colleagues. Phishing is the major tool for hackers to fulfill their intentions.”
Seven steps to improve cybersecurity
1. Assess the types of data you currently have
Take stock of your data collections and prioritize them. Which types are more important than others? Confidential customer information, CRM, accounting and payroll data and files or documents that are absolutely necessary to conduct your business should be your highest priority.
2. Create backups for such data and restrict access
First, make sure the data is stored in two safe and different places. These places could be a computer, server, external hard drive, an external hard drive in another physical location, or cloud backup. There are several ways to back up data. In general, you want to back up everything once and then back up only the incremental changes. It’s also crucial to test and validate the backup and restore it every couple of months.
Then assess who needs access to each data type and adjust permissions accordingly. You can even consider sharing files on an as-needed basis. For example, you can upload a specific file to Google Drive and grant access to a specific email address; that way, only that person can access the file, and if anyone else tries to open it, Drive will require that they request permission from you.
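The backup routine described in this step (one full backup, then incremental changes, then a periodic test restore) can be checked with file hashes. The following is an added example, not part of the original article; the file names, directory layout and sample data are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def changed_since(previous: dict[str, str], current: dict[str, str]) -> list[str]:
    """Files that are new or modified since the last backup (the incremental set)."""
    return sorted(n for n, d in current.items() if previous.get(n) != d)


def verify_restore(manifest: dict[str, str], restored_root: Path) -> list[str]:
    """Files missing or different after a test restore (empty list = restore is good)."""
    restored = build_manifest(restored_root)
    return sorted(n for n, d in manifest.items() if restored.get(n) != d)


def demo() -> dict:
    """Constructed sample: full backup, one incremental, a test restore, then damage."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup, restore = (Path(tmp) / d for d in ("source", "backup", "restore"))
        source.mkdir()
        (source / "payroll.csv").write_text("alice,5000\n")
        (source / "customers.csv").write_text("acme,contact@example.com\n")
        shutil.copytree(source, backup)                      # full backup, done once
        last = build_manifest(source)
        (source / "payroll.csv").write_text("alice,5200\n")  # business data changes
        current = build_manifest(source)
        incremental = changed_since(last, current)
        for name in incremental:                             # copy only what changed
            shutil.copy2(source / name, backup / name)
        shutil.copytree(backup, restore)                     # periodic test restore
        clean = verify_restore(current, restore)
        (restore / "customers.csv").write_text("garbled")    # simulate a damaged backup
        damaged = verify_restore(current, restore)
        return {"incremental": incremental, "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

A non-empty list from `verify_restore` means the backup cannot be trusted for those files and should be redone before it is needed.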
3. Remove access for former employees
Remove this access as soon as possible after the employee leaves or make a point to do it on a regular basis.
4. Establish a basic company security policy
Evgeniy says this type of policy “will provide a guideline for the fair use of company resources.” It might include which employees can or cannot have access to different files, browse different websites, have access to their private emails or cloud storage locations, etc. The security policy should be reviewed and adjusted periodically.
5. Use better passwords
Use complex passwords, ideally phrases rather than words. When changing passwords, don’t just add another digit or change to the next sign on the keyboard, and don’t reuse the same passwords between different systems. Password managers are safe and a great way to manage a large number of complex passwords. This way, you will only need to remember the password to your password manager.
6. Where possible, mandate your employees to use multi-factor authentication
Multi-factor authentication is a process where a computer user is granted access to a website or application only after presenting two or more pieces of evidence (or factors). For example, you can require that, in addition to their usernames and passwords, they confirm each login with a phone app like Google Authenticator or Microsoft Authenticator.
7. Inform your employees about these changes
These changes will affect your employees—and some will require their buy-in—so send them an email outlining the new way of doing things. Provide examples explaining why it’s essential for the company.
Daily habits to keep your risk low and information safe
Cybersecurity might be confusing, but in the end, adequate security is affordable and it doesn’t require hiring designated personnel. It can be achieved by using modern tools, raising security awareness in the organization and, if needed, getting advice from an external consultant.
Evgeniy has created a checklist with more actions you can take. These first steps are simple but crucial for protecting your company. Even more crucial is keeping it up over the long term; making all of the above part of your daily operations and habits will keep your risk low and information safe.
The information presented in this article is provided solely for the purpose of bringing ideas to the attention of the business community, as a service to the businesses of the City of Vaughan.
The City of Vaughan does not, whether directly or indirectly, endorse, sponsor or sanction the opinions expressed in this article, nor any services or products that may be offered by the contributor/s in their normal course of business. The City of Vaughan does not intend by this article to recommend the contributor/s nor to promote them as subject matter experts over any other business persons employed or engaged in similar lines of business.