GetCyberSafe Guide for Small and Medium Businesses
Protect Yourself. Know the Risks. Protect Your Business.
Protect while you connect.

Table of Contents

1 Introduction
2 Cyber Security Fundamentals
3 Management Issues
3.1 Security Awareness
3.2 Defining Roles and Responsibilities
3.3 Developing Policies and Standards
3.4 Cyber Security Planning
3.5 Budgeting for Cyber Security
4 Web Security
4.1 Protecting Personal and Business Information Online
4.2 Browsing the Web Securely
4.3 Social Media
4.4 Social Engineering
4.5 Software Security
4.6 Safe Hosting and Business Web Security
4.7 Malware
4.8 Authentication Best Practices
4.8.1 Passwords
4.8.2 Passphrases
4.8.3 Two-Factor Authentication
5 Point-of-Sale (POS) Security
6 Email Security
6.1 Spam
6.2 Phishing
6.3 Sending Email Securely
7 Data Security
7.1 Backup and Recovery Options
7.2 Cloud Security
7.3 Classifying and Labelling Sensitive Information
7.4 Handling Sensitive Information
8 Remote Access Security
8.1 Remote Computing Security Basics
8.2 Working From Home
8.3 Working While Travelling
9 Mobile Device Security
9.1 Tablets and Smartphones
9.2 Portable Data Storage
10 Physical Security
10.1 Employee Security
11 Getting Help
11.1 When to Ask for Help
11.2 Where to Get Security Safeguards
12 Appendices
12.1 Appendix A: Cyber Security Status Self-Assessment
12.2 Appendix B: Glossary
12.3 Appendix C: Canadian Cyber Security Sites and Contacts
12.3.1 Canadian Government Security Sites
12.3.2 Cyber Security Member Associations in Canada

1 Introduction

If you're like most small or medium businesses in Canada, the Internet is an indispensable tool to succeed in today's digital economy. Getting online allows you to reach new customers and grow your business. And even if you don't have a website (or a Facebook page or Twitter account), you probably depend on the Internet for everyday business operations like banking, payroll or ordering supplies.

However, being online requires being safe and secure. As a small or medium business, it's easy to think that you are too small to warrant the attention of cyber criminals. In fact, cyber criminals are now actively targeting smaller businesses because they believe their computers are vulnerable. This guide is designed to help Canadians who own or manage a small or medium business understand the cyber security risks they face, and provide them with practical advice on how to better protect their business and employees from cyber crime.

In other words, if you are a small or medium business owner, this guide is for you. Cyber security is a shared responsibility and, depending on how your business is structured, there are likely other people (co-owners, managers or employees) who should also be familiar with the information you'll find in this guide.

You do not need to be a computer or Web expert to read or implement the measures in this guide. Although some cyber security terms are used, you can look up any terms you are unfamiliar with in the glossary at the end of this guide or online in the GetCyberSafe.ca glossary.

The self-assessment tool in Appendix A can help you determine where your business needs the most help.

If you are experiencing a serious cyber incident, contact the police, seek professional assistance and consult Appendix C of this guide for additional resources.

Cyber crime and smaller businesses
• Small and medium-sized businesses (i.e., businesses with fewer than 500 employees) employed 10 million people in 2012, nearly 90% of all employees in Canada.[1]
• In 2012, 87% of Canadian businesses used the Internet, and 46% had a website.[2]
• The largest growth area for targeted cyber attacks in 2012 was businesses with fewer than 250 employees: 31% of all attacks targeted them.[3]
• Over a 12-month period in 2012, 69% of Canadian businesses surveyed reported some kind of cyber attack, costing them approximately $5.3 million, or about $15,000 per attack.[4]

[1] Source: Key Small Business Statistics - August 2013, Industry Canada, http://www.ic.gc.ca/eic/site/061.nsf/eng/02805.html
[2] http://www.statcan.gc.ca/daily-quotidien/130612/dq130612a-eng.htm
[3] Symantec 2013 Internet Security Threat Report, http://www.symantec.com/security_response/publications/threatreport.jsp
[4] ICSPA report: Study of the Impact of Cyber Crime on Businesses in Canada, https://www.icspa.org/fileadmin/user_upload/Downloads/ICSPA_Canada_Cyber_Crime_Study_May_2013.pdf

2 Cyber Security Fundamentals

Cyber security is about protecting your information, which is often the most critical and valuable asset a business will own. Cyber security is based on three fundamental goals:

• Confidentiality: Any important information you have (such as employee, client or financial records) should be kept confidential. This information should only be accessed by people (or systems) that you have given permission to do so.
• Integrity: You need to make sure to maintain the integrity of this information and other assets (such as software) in order to keep everything complete, intact and uncorrupted.
• Availability: You should maintain the availability of systems (such as networks), services and information when required by the business or its clients.

Achieving and maintaining these goals is an ongoing process. Good cyber security involves the following:

1. Determining what assets you need to secure (essentially, anything of value managed or owned by your business).
2. Identifying the threats and risks that could affect those assets or your business overall.
3. Identifying what safeguards you should put in place to deal with threats and secure assets.
4. Monitoring your safeguards and assets to prevent or manage security breaches.
5. Responding to cyber security issues as they occur (such as an attempt to break into business systems).
6. Updating and adjusting safeguards as needed (in response to changes in assets, threats and risks).

The term threat refers to any potential danger to your business, its assets or employees. Threats can be natural, such as fire and flood. They can also be human in origin. In fact, human threats are becoming more common and require a lot of your attention.

The biggest challenge for your business is to define and prioritize assets, threats and the potential risk of those threats. Then, you have to apply appropriate safeguards. Safeguards are anything you can use to counter threats and reduce risk. These can be anything from software and hardware to policies and specific procedures (for employees or clients to follow). In many cases, a safeguard is made up of a combination of these elements.

The rest of this guide provides advice on how your business can set up a sound cyber security process, including identifying threats and risk, establishing safeguards and putting in place the management structures you need to keep your protections up to date.

Figure 1: The cyber security cycle: Identify Assets; Evaluate Threats and Risks; Apply and Monitor Safeguards; Respond to Security Incidents; Make Adjustments if Needed.

3 Management Issues

Quick tips from this section:
• Develop and implement a cyber security plan that clearly outlines best practices for all employees.
• Assign at least one person to be responsible for your business's cyber security, and make sure to give them clear instructions on what you expect from them.
• Determine what risks to your business are low-, medium- or high-level threats; this will help you prioritize.
• Make sure that employees understand why cyber security is important for them and your business.
• If you have any legal concerns about cyber security, don't hesitate to consult with experts (e.g., legal counsel).
• Explain policies and standards to employees so that they will understand why you need them in place, to whom they apply and the risks to themselves or the company if they don't follow them.
• It is easy to underestimate how much a proper cyber security plan can cost, so make sure to budget properly.

3.1 Security Awareness

Trying to keep up with cyber security can seem overwhelming. A good first step is putting in place a security awareness program.

A security awareness program is a way of keeping you and your staff informed about good cyber security practices. It can be very simple and readily developed by you or other employees. It should start with basic training for staff. Over time it should expand to include updates and reminders on policies, standards and best practices. Your security awareness plan can include a regular, scheduled review to update existing security measures for your business, including adopting new means of protection (both software and hardware) as needed.

Training and educating personnel is vital to having a strong cyber security system in place. Choose topics that are simple, focused and concise. Key messages should be repeated, but it is important to engage with personnel in multiple ways to avoid having your message ignored. For example, spam advice could be reinforced through emails, posters and staff meetings. You could even supplement this with periodic quizzes, contests and rewards to keep employees interested and involved.

3.2 Defining Roles and Responsibilities

You should put at least one person in your business in charge of cyber security. This person would be responsible for the following:

• Learning about threats, trends and security options.
• Planning, acquiring and implementing security safeguards.
• Helping other personnel understand cyber security best practices and policies.
• Enforcing cyber security best practices and policies with management support.
• Maintaining and updating the security safeguards used by your business.

Even with a clear person or group in charge of cyber security, their success within a business of any size relies on management support. The support you provide will depend on the size of the business, but some of the things all managers are responsible for include the following:

• Providing guidance to all employees on the importance of cyber security as part of operations, including policies to outline accountability for cyber security.
• Supporting and monitoring cyber security projects.
• Consulting with experts, such as legal counsel, for any external obligations such as provincial or federal law.

3.3 Developing Policies and Standards

The only way employees will know how to conduct themselves is if you put sound cyber security policies and standards in place.

A security policy is a document that explains what employees may or may not do with respect to cyber security. Internet use policies, social media policies and acceptable use policies are all examples of security policies. An acceptable use policy might state, “you may not connect a personal computer to the business network,” or “when accessing the business network from home, you must use the provided security tools.”

Cyber security policies do not need to be long or complicated. But they are essential in helping your employees understand their roles and responsibilities.

A standard is a document that explains how a specific task should be done. Standards most often apply to setting up and using technical systems. For example, a password standard would describe exactly what an acceptable password can or cannot include, how long it should be and how often it should be changed.

You'll probably want to write your own cyber policies in-house as they need to be specific and may change over time. You will also most likely have certain areas that particularly concern you.

When developing and using cyber security policies and standards in your business, consider the following:

1. Begin with a comprehensive, but relatively simple, cyber security policy to clearly lay out key principles and rules for cyber security within your business.
2. Identify and adapt existing standards to deal with specific cyber security issues or technologies in the business, or write your own.
3. Explain policies and standards to personnel so that they will understand the rationale for rules, to whom they apply and any consequences for not following the policy.
4. After the initial cyber security policy and associated standards are in use, you may wish to revisit those and add more detailed, specific information such as those identified in the various sections of this guide. For example, details regarding the use of social media if your business uses a lot of it, or expectations and obligations regarding mobile security if a number of your staff are issued mobile devices.

3.4 Cyber Security Planning

A study in 2012[1] found that 83% of small and medium businesses do not have a cyber security plan in place. Developing a cyber security plan should be a priority for any business. A cyber security plan will identify what assets need to be secured, what threats and risks to focus on, and which safeguards to implement, all in order of priority.

Here are some steps to help you prepare a cyber security plan for your business:

1. Complete the simple Cyber Security Status Self-Assessment Tool in Appendix A of this guide. This will identify gaps and options in cyber security in your business.
2. Identify all business assets (such as computers and business information) and determine their importance and value to the business.
3. Discuss cyber security threats with employees or outside experts (as required) and determine which assets are at risk of harm if one or more of those threats occur.
4. Prioritize risks as high, medium or low.
5. With the help of employees or outside experts, determine what can be done to reduce those risks.
6. Evaluate the threats, risks and potential security safeguards and then decide what can and should be done to improve cyber security in the current year. Often one improvement can be planned in conjunction with another to help reduce overall costs. For example, if you are already setting up a network firewall, there may be options to help deal with malware or spam within the firewall.
7. Set attainable target dates for all identified cyber security tasks and security safeguards that you plan to purchase.
8. Identify resources that will be needed to implement the plan in the first year, including people, time and money.
9. List any issues that may hinder your plan (such as a lack of personnel or budget).
10. Start implementing the plan.
11. Repeat Step 3, threat evaluation, at a minimum of once per year.

[1] 2012 NCSA/Symantec National Small Business Study.

Make sure to keep track of any changes in the plan and inform all affected parties (such as vendors) to avoid confusion. For example, if you have hired a security expert to help set up a firewall and find that spam has become a more urgent priority, you may need to adjust your plan either to focus on spam or to incorporate spam blocking within the firewall. You should also evaluate progress at every year-end and make any necessary adjustments. In most cases, a multi-year cyber security plan will need some updates each year to accommodate changing priorities and business capability.

While the process to develop a cyber security plan may seem daunting at first, remember that you can always revisit and expand your plan over time.

3.5 Budgeting for Cyber Security

Having an effective cyber security plan costs money and must be taken into account when drawing up your annual business plans and budgets. Fortunately, there are some free services, tools and advice available. Additionally, policies or internal documents can often be developed in-house at minimal cost.

But some key things, like security safeguards, will have to be purchased and may also involve annual subscription fees. For example, unlike software that you typically pay a one-time fee for, a subscription to anti-malware software might need to be renewed each year for a fee.

To avoid surprise expenses, it is best to allow for the following:

1. The first-time cost of any security tools, as well as upgrade or update fees.
2. Any support, consulting or training costs.
3. Contingencies.

Contingency funds are important to deal with unforeseen emergencies (such as malware infection).

In some cases, your insurance may cover losses due to a cyber security incident. It is important to discuss this with your insurance provider in advance.

4 Web Security

Quick tips from this section:
• Restricting the types of websites that employees are allowed to visit can help you exclude the sites that could compromise your network.
• Advise employees on what software is safe to install on their computers, and to seek permission when downloading new programs.
• When someone outside of your business requests any personal or business information, verify that they are a safe person to send the information to.
• Write an Internet Usage Policy for personnel to follow and post it in an accessible place for all to see and refer to.
• Set rules on what kinds of business information your employees can share online, and where.
• Create instructions on whether your employees should use their work email to sign up for social media sites and newsletters.
• Consider the implementation of a company social media policy, so that employees know what they should and should not post online.
• Update all of your business software when you receive notifications to do so, so that all security fixes are up to date.
• Require all of your employees to have complex passwords that have letters, numbers and symbols so they are harder for cyber criminals to steal.
• Always be suspicious of phone calls, emails or other communications from an unknown source.

4.1 Protecting Personal and Business Information Online

For their own security and the security of your business, employees should protect their personal and business information online. Personal and business information includes private or confidential details like full names, social insurance numbers, email and phone numbers, addresses, banking and other account information and passwords.

It's important that all employees understand why protecting information online is important. Criminals who want to harm or steal from your business often begin by collecting personal or business information in order to gain access to your computer systems and confidential information.

Here are some simple tips for all employees:

• Only visit legitimate and trusted websites while using business computers or working with business information.
• Before providing personal information to anyone, verify that they are a trusted source (for example, a bank would not send out personal inquiries by email, so a call to the actual bank might be advised if such an email were received).
• If someone is seeking your personal information, ask why the information is required.
• If the answer does not seem satisfactory, do not provide it, or ask for their supervisor to get more details.
• Never remove or disable any security safeguards put into place on business networks and computers (such as anti-virus software).

4.2 Browsing the Web Securely

Research, collaboration, communication with clients, purchasing and many other business activities rely on the Internet. However, there are many threats to your business on the Web, starting with those encountered while doing a simple, everyday task: browsing.

Safe browsing involves a combination of security safeguards and practices. Here are some steps you can take to make sure that your business browses safely and securely:

1. Begin by writing and publishing an Internet Usage Policy that clearly explains to employees what they can and cannot do when using business systems to connect to the Internet. Examples of Internet Usage Policies can be found online.
2. Train your employees on the content of your Internet Usage Policy.
3. Encourage ongoing security awareness by regularly communicating with employees about safe browsing practices.
4. Explain to employees how to check the URL of websites they are going to visit to avoid visiting dangerous websites (see the tip box that follows).
5. Implement a site-rating tool as an extension to the browser on user computers (Figure 2). This will help employees identify safe websites.

Figure 2: A Sample Screen from a Site Rating Tool

How to identify suspicious links on Web pages

Hovering your cursor over a link will display the actual destination URL either in a small text box that appears temporarily over the link, or at the bottom of the browser window. Try this before clicking on a link and check for the following:

• If the linked text is a URL, compare it with the actual destination. Cyber criminals often use text like “Log in to www.mybank.com to update your account information,” but the actual destination is a lookalike site at another location such as www.myfakebank.com.
• Check for URLs that are similar to sites you know, but are slightly different (such as Goggle.com or Google1.com instead of Google.com). This technique is commonly used to trick people into false confidence when visiting sites. In many cases, the fake sites are made to look almost identical to the original they are copying.
• Always be suspicious of URLs you don't recognize.
• Remember that images as well as text can be linked, so use the same caution clicking on images as you would with text.
• When in doubt, copy and paste the URL into a search engine to identify the site without visiting it.
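The first two hover checks above (displayed URL versus real destination, and near-miss spellings of a site you know) written as a small checker; this is an added example, not part of the guide, and the trusted-domain list and sample links are constructed for illustration.

```python
"""Checks a hyperlink the way the guide tells employees to: does the visible
text match the real destination, and is the destination a near-miss of a site
we know? Added example; TRUSTED_DOMAINS and the sample links are constructed."""
import re
from urllib.parse import urlparse

# Constructed list of sites the business knows and uses (assumption).
TRUSTED_DOMAINS = ("google.com", "mybank.com")

# Finds things that look like URLs or bare host names inside link text.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"']*)?",
                    re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare host like www.mybank.com works too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (www.mybank.com -> mybank.com)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(link_text: str, href: str) -> list:
    """Return (kind, detail) findings: 'mismatch', 'lookalike' or 'unknown'."""
    findings = []
    dest = registrable(host_of(href))

    # Check 1: the visible text names a URL, but the link goes somewhere else.
    for match in URL_RE.finditer(link_text):
        shown = registrable(host_of(match.group(0)))
        if shown != dest:
            findings.append(("mismatch", f"text shows {shown} but the link goes to {dest}"))

    # Check 2: destination is not a known site; is it a near-miss of one?
    if dest not in TRUSTED_DOMAINS:
        dest_name = dest.split(".")[0]
        for trusted in TRUSTED_DOMAINS:
            trusted_name = trusted.split(".")[0]
            if (edit_distance(dest_name, trusted_name) <= 2
                    or re.sub(r"\d", "", dest_name) == trusted_name):
                findings.append(("lookalike", f"{dest} resembles {trusted}"))
                break
        else:
            findings.append(("unknown", f"{dest} is not a site we recognise"))
    return findings


if __name__ == "__main__":
    samples = [  # constructed link text / destination pairs
        ("Log in to www.mybank.com to update your account information",
         "http://www.myfakebank.com/update"),
        ("Search", "http://Goggle.com/"),
        ("Google", "http://www.google1.com"),
        ("https://www.google.com", "https://www.google.com/"),
    ]
    for text, href in samples:
        print(href, "->", assess_link(text, href) or "no findings")
```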

4.3 Social Media

Social networking sites like Facebook, Twitter and LinkedIn can be powerful tools for your business to reach potential customers and build stronger relationships with clients. However, social networking sites and services are becoming an increasingly popular way for cyber criminals to try to get your personal or business information to hack into your personal or business computer systems.

If your business uses social networking sites for marketing or professional purposes, you will need to choose one or more employees, and allow only them to post content in your business's name.

Social networking should be addressed in your business's Internet Usage Policy, with clear advice to employees. Here are some social networking issues that you should consider:

• Be clear on what information about your business can be posted and who is authorized to do so.
• Refrain from including sensitive business information in the business profile or your posts.
• Be careful using applications on social networking sites. Many of these come from third parties and may not be secure. Always check on the application provider first.
• When communicating through social media, be suspicious of any messages that are asking for sensitive business information or about employees and their families.
• Think before you post! What you post to social media sites is generally permanent. You may someday change your mind about what you said online, but you can't remove or change it.

While at work, your employees are also likely to use social media for personal reasons, whether to connect with friends and family or keep up with news and events. It is important that employees follow similar guidelines to protect their own information when social networking as well as your business's networks and devices.

Here are some additional tips for employees when using social media for personal purposes:

• Criminals are interested in the information you post. To help your business stay safe, make sure you use the site's privacy controls and ignore requests from people you don't know.
• Review and stay up to date with the social networking site's privacy policies (most are updated frequently) and adjust personal privacy settings appropriately.
• Never reveal your precise location online.

4.4 Social Engineering

Social engineering is when a cyber criminal manipulates someone in order to obtain information about a business or its computer systems.

Cyber criminals use social engineering to gather the information they need to commit fraud or gain access to computer systems. They will seem earnest and respectable. They may even tell you that they have a legitimate connection to your business (for example, as a client or through another business) and offer “proof.” Some will impersonate the government. They will often ask for information such as phone numbers or account information, or ask that you open emails with attachments or visit specific websites. Only later do victims realize that these claims were a confidence trick and that they have been manipulated.

These tactics are popular because they work. It is important for you to verify who people are before you give them any personal or business information.

Be aware. Protect your business and employees by advising employees to do the following:

• Be suspicious of any phone calls, visits or email messages from individuals asking about employees, their families and sensitive business matters. This should be reinforced as part of an ongoing security awareness program.
• Ask anyone making unusual inquiries to verify their identity with official documentation. When in doubt, ask a supervisor or a colleague for help.
• Follow email, social networking, browsing and other safe practices (as described throughout this guide), and always protect personal information online.
• Always report any suspicious activity, including social engineering attempts, to a supervisor. This is especially important if you think that your business has been compromised.
• If your business may have lost or revealed sensitive information as part of such an incident, or if there is a suspicious pattern of inquiries, determine what assets may be at risk and take action to further safeguard them. For example, if there is reason to believe your business banking information may have been obtained, contact your bank immediately and ask for assistance in protecting your accounts.
• Consider reporting the incident to the police.
• Contact the Canadian Anti-Fraud Centre and ask for advice or file a report.

4.5 Software Security

Your business's cyber security is only as good as the software you use. In fact, if you make all of your software secure, a large number of security threats will be reduced or resolved.

Software can include the following:

• Desktop applications (apps).
• Mobile device apps.
• Web server and related software.
• Operating Systems (OS) and more.

Software can have issues (usually known as “bugs”) that can make it insecure. These bugs can be exploited by attackers and allow them to access your information. Sometimes, software will also carry malicious software, commonly referred to as malware.

Apply security updates to your software as soon as they are available from the developer.

Tips to maintain software security:

• Only use legitimate software that has been tested and used by others. This can include software from known vendors or independent software developers who may even provide the software for free.
• Do not use unauthorized versions of software illegally downloaded through online file-sharing systems, as it is often infected with malware. Illegally copied software is not supported by developers, which means that your business cannot expect any sort of technical support if you experience problems.
• Limit access to shared applications only to those who genuinely need it. Sometimes this is done in the software itself and sometimes through the operating system.
• Minimize the number of employees with administrative privileges to software, especially important applications and security safeguards. This will make your business less vulnerable to internal error or external attack. Many attackers target user accounts with administrative privileges because it gives them a high level of control over software and systems.
• Most importantly, apply security updates (patches) to your software as soon as they are available. Some software update notices are automated, but for others you will need to check the vendor's website regularly.

A big part of cyber security involves being alert to things that seem to be “out of the ordinary.” Your employees should always feel that they can report security questions, concerns or observations to someone in authority (technical or business) who will listen, document what occurred and take appropriate action.

4.6 Safe Hosting and Business Web Security

If your business's website is not properly secured it could be easily compromised, which could lead to vandalism, disruption of service, or the theft of business or client data. All of these can have severe consequences.

Websites vary from business to business, but there are some basic tips to follow:

1. If hosting your website(s) internally on servers belonging to your business:
   • Restrict access to authorized employees only.
   • Apply all available and relevant patches to the Web server operating systems, and any other software that is running, to help resolve any known issues.
   • Implement regular backups of your business systems to a server at a separate location.
   • Turn on server logging and have whoever is in charge of the server(s) review those logs regularly and keep an eye out for suspicious activity.
2. If your business uses a Web hosting service, make sure they have a security plan and that they:
   • Scan their Web servers and your website for potential issues and then fix those issues to further protect the server and your site.
   • Monitor your website (and any systems) for intrusion or attempted vandalism.
   • Protect your website from intrusion and disruption.
   • Will restore your site to service in the event of a failure or disruption by cyber criminals.
3. Do not post any personal emails on your business website as spammers and others will use them (e.g., for phishing). Use addresses such as [email protected] or [email protected] instead.
4. Be prepared in case your business website is compromised. You may need to reduce service, switch to a backup server or service provider, or even take your site offline temporarily. Consider all of this before a security incident takes place so everyone in the business knows what needs to be done.
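An added example (not part of the guide) of the log review recommended in item 1: it reads web server access log lines in the common Apache format and flags hosts that repeatedly request pages that do not exist or repeatedly fail to log in. The sample lines, the `/login` path and the thresholds are constructed assumptions.

```python
"""Reviews web server access logs for the probing and attempted break-ins the
guide asks server owners to watch for. Added example, not part of the guide;
the sample log, the login path and the thresholds are constructed."""
import re
from collections import defaultdict

# Common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 1043
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 812
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /admin HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "POST /login HTTP/1.1" 401 120
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "GET /contact HTTP/1.1" 200 655
"""


def parse_line(line: str):
    """Split one access log line into its fields, or None if it is not a request line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review_log(text: str, error_threshold: int = 3, failed_login_threshold: int = 3) -> dict:
    """Return {ip: [reasons]} for hosts whose behaviour deserves a closer look."""
    requests = defaultdict(int)
    client_errors = defaultdict(int)
    failed_logins = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # ignore malformed or non-request lines
        ip, status = rec["ip"], int(rec["status"])
        requests[ip] += 1
        if 400 <= status < 500:
            client_errors[ip] += 1  # 404s on admin paths usually mean scanning
        if rec["method"] == "POST" and rec["path"].endswith("/login") and status == 401:
            failed_logins[ip] += 1  # repeated 401s on the login form: guessing
    findings = {}
    for ip in requests:
        reasons = []
        if client_errors[ip] >= error_threshold:
            reasons.append(f"{client_errors[ip]} of {requests[ip]} requests were 4xx errors "
                           "(probing for pages that do not exist)")
        if failed_logins[ip] >= failed_login_threshold:
            reasons.append(f"{failed_logins[ip]} failed logins (password guessing)")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in review_log(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```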

4.7 Malware

Malicious software (malware) is any software created and distributed to cause harm or steal information. Malware is designed to hide within the operating system and avoid security safeguards. It may be impossible for you to detect or remove without specialized tools or expertise. Malware exists for all of the information processing systems that may be in use in your business, including desktop computers, laptops, smartphones and tablets.

The most common type of malware is the virus. A virus is software that can copy itself from one system to another, infecting each computer along the way. Once a virus has infected a business system it can delete or corrupt your files, steal data or even (in rare cases) damage hardware. Viruses can originate as email attachments, website downloads or on infected disks shared between users.

Many other types of malware exist but all share the same objective: to capture and steal sensitive information (e.g., passwords) and transmit this information back to its originator without the knowledge of the system user.

Use anti-malware software to scan all incoming files and block anything suspicious or that is embedded with malware.

While dealing with malware can be challenging, you can counter a lot of these threats with anti-malware software that scans incoming files (e.g., email attachments) and blocks files if they are suspicious or confirmed to include malware. The same software will scan for infections that may already exist, warn users and provide clean-up options. Some malware cannot be removed without the help of a security expert. Prevention is always best. Install your malware safeguards before you get infected.

Most anti-malware software today covers all the types of malware described in this section, but some are still referred to as “antivirus software.” Before buying or using anti-malware tools, check what types of malware they address and find out how often the software is updated. The more frequent the updates, the better, as new malware appears hourly.

Your business may also need a firewall to help block connection to malicious websites and to stop some forms of malware before they are downloaded or brought in with emails.

Implementing anti-malware software and a firewall is a great first step toward strengthening your business's cyber security. Good employee habits are also essential. All employees need to be provided with security awareness training and policies that explain their responsibilities. For example, they should be warned that they are not allowed to tamper with or disable security safeguards, including anti-malware software.

Here are some things you should tell your employees to look out for:

• Watch for warnings on websites or emails that have been flagged as potentially dangerous.
• Report (e.g., to a supervisor or technical support person) any alerts from the anti-malware software on their work computer, including alerts that indicate that the software is out of date or has identified a suspicious file.
• Never forward suspicious emails or files to others in your business.

4.8 Authentication Best Practices

Authentication is a security practice designed to verify that a user is who they claim to be, prior to granting them access to specific systems or services that your business uses.

4.8.1 Passwords

Passwords are widely used to protect access to business information and online tools, but if employees are not careful, others can use their passwords to access crucial files and information.

There are several common problems with the use of passwords in businesses:

• Employees write their passwords down and post them in places where others can copy them, or they simply share their passwords with others. In both cases, the loss of control over that password makes it impossible to guarantee that the person accessing systems is actually authorized to do so.
• Employees use weak, easy-to-guess passwords, making it possible for others to gain access to sensitive systems or information.
• They re-use the same password across multiple systems or services so that if one is compromised, all are at risk.
• They do not change their password regularly.

Have a strong password policy that identifies what rules apply to passwords used in your business. The following guidance should be included in that regard:

• Avoid common words such as “password” or “login.”
• Avoid simple sequences of numbers such as “1234.”
• Avoid easy-to-guess personal names such as a child's first name.
• Create passwords that are at least eight characters in length; the more characters that are used, the more secure passwords will be.
• Create strong passwords by including a combination of the following:
   • Uppercase letters.
   • Lowercase letters.
   • Numbers.
   • Special characters (e.g., !, $, # or %).

Explain to your employees that strong passwords are important to the security of the business, and that they should do the following to protect their password:
• Keep their passwords confidential.
• Change their passwords regularly. Your business should require employees to change their login passwords every three months.
• Avoid use of the same password for multiple accounts or systems.

Alternatively, you could consider using a password manager (a program that generates and stores random passwords) that creates even stronger passwords for employees to use.

4.8.2 Passphrases

If you need enhanced security, consider using a passphrase instead of a password. A passphrase is a whole sequence of words. For example, instead of the password “Mypassw0rd,” the passphrase “!mgladMypassw0rdisgr8!” would be much harder to guess.

A passphrase that is an acronym reduces the number of keys involved. For example, “I am so glad I went on vacation in January as I love the sun!” would become “IASGIWOVIJAILTS!” Even this kind of acronym is more secure than a regular password as it is longer, more complex and unpredictable, making it very hard to guess—even with the software tools that cyber criminals use.

There are a number of free tools online that you can use to demonstrate the relative strength of passwords. While different tools may yield slightly different results, trying several will give a good indication of the strength of your chosen password.


Figure 3: Passphrase Strength Example
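The password rules in 4.8.1 and the acronym passphrase in 4.8.2 can be put into a small checker that a business could run behind a password-change form or in an account-provisioning script. The following is an added example and is not code from the GetCyberSafe guide; the function names, the short list of common words and the rough strength estimate are choices made for this example (a real deployment would check against a large breached-password list rather than a handful of literals).

```python
"""Password-policy check and passphrase helpers.

Added example (not part of the GetCyberSafe guide): encodes the guide's
password rules and its acronym-passphrase idea as functions.
"""
import math
import re
import string

# Constructed list of words the guide tells employees to avoid; a real policy
# would use a large breached-password list instead of a handful of literals.
COMMON_WORDS = ("password", "login", "admin", "welcome", "qwerty")
MIN_LENGTH = 8  # the guide's minimum; longer is better


def _has_sequence(text: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 (1234, abcd, dcba)."""
    for i in range(len(text) - run + 1):
        chunk = text[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password_policy(password: str, personal_names=()) -> list:
    """Return a list of policy violations (an empty list means the password passes).
    `personal_names` lets the caller pass names the guide says to avoid (e.g. a child's)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word such as 'password' or 'login'")
    if _has_sequence(password):
        problems.append("contains a simple sequence such as '1234'")
    if any(name.lower() in lowered for name in personal_names if name):
        problems.append("contains an easy-to-guess personal name")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("use at least three of: uppercase, lowercase, numbers, special characters")
    return problems


def acronym_passphrase(sentence: str) -> str:
    """Turn a memorable sentence into the acronym form the guide describes:
    the first letter of each word, upper-cased, keeping any trailing punctuation."""
    letters = "".join(w[0].upper() for w in sentence.split() if w[0].isalnum())
    trailing = re.search(r"[^\w\s]+$", sentence)
    return letters + (trailing.group(0) if trailing else "")


def estimate_bits(password: str) -> float:
    """Rough brute-force strength: length * log2(size of the character pool used).
    This is the kind of figure online strength checkers report; it says nothing
    about dictionary attacks, so a long but well-known phrase still scores high."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0
```

Run against the guide's own examples, the passphrase “!mgladMypassw0rdisgr8!” passes every rule and scores far above “Mypassw0rd”, while “password” and “1234” are rejected for the reasons the guide lists.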


4.8.3 Two-Factor Authentication

Two-factor authentication (2FA) is a security practice that adds another means of identification, which can make a business system much more secure.

The first factor is something the person knows (e.g., a password) and the second factor is something additional to be used in confirming the person’s identity. The second factor can be something the user always has (e.g., their fingerprint, which is now used at many border crossings) or something they temporarily have, such as a one-time password (OTP). Unlike a regular password, an OTP cannot be guessed and as the name suggests it cannot be re-used either.

An OTP is generated by the user with either a secure app (e.g., on their smartphone) or a dedicated hardware device (often called a token). Either is portable and can be used as needed. In combination with a regular username and password, an OTP greatly enhances authentication security.

It is strongly recommended that you implement two-factor authentication in your business, especially with respect to the protection of critical systems and information. You can often start implementing two-factor authentication with simple services, such as webmail and some banking, to get a sense of how it works and then expand its use as your time and budget allow.


Figure 4: An Example of an OTP Showing that it Will Expire in 17 Seconds


5 Point-of-Sale (POS) Security

Quick tips from this section:
• Make sure your POS system is behind a firewall.
• Set up strong encryption for all transmitted data.
• Do not use the default username and password provided by the manufacturer.
• Limit access to client data to those employees who absolutely need it.
• Ensure that all anti-malware software is up to date, as frequent security updates occur to fight new types of malware.
• If you have any concerns with the security of your POS system, contact the POS service provider.

It’s likely that your business relies on electronic point-of-sale (POS) systems for processing financial transactions. Customers have come to expect the convenience of POS for instant debit or credit card transactions, making it essential to your business.

Your POS systems can be another way to access your computer networks, and it is extremely important to protect them. Cyber criminals can hack into POS systems to steal payment card numbers and the associated personal identification number (PIN), which they can then use to access your customers’ accounts.

There are steps you can take to improve POS security to help safeguard your customers and your business:

• Ensure that your POS system is behind a firewall. A firewall is a security control, which is used to restrict incoming and outgoing network traffic. Your Internet Service Provider (ISP) may include a firewall with the router or other hardware or software that they provide you, but it is important to check. If they don’t provide one, you will need to purchase one.
• Set up strong encryption for the transmission of all data (e.g., cardholder data) between your POS system and the POS service provider. The service provider should implement this by default. Ask your POS service provider or a cyber security consultant (with POS experience) for help if you are not sure what to do.
• Do not use the default username and password for your POS system (which will have been shipped with it). Cyber criminals will use those credentials to gain access to your system. Instead, set up a new username and password that is unique to your business.
• Always limit access to client data only to those employees who have a need to access it and are authorized to do so.
• Keep anti-malware software up to date.


6 Email Security

Quick tips from this section:
• Implement a spam filter—doing so will help you get rid of most potentially harmful emails sent by cyber criminals.
• You should not click on any unverified or suspicious links—even just clicking a link could give away sensitive information that a cyber criminal can use to hurt you and your business.
• Keep your employees’ emails and information confidential, as information on any member of your business can be used to hurt employees or your business.
• Enable HTTPS, which encrypts data and essentially makes it impossible for cyber criminals to access the information in your browser, for Web-based email.
• Set strict password standards for all email accounts (business or personal) being used at work.
• When possible, use generic emails ([email protected]) for email addresses that are posted in public places (such as on your website or on social media).
• Do not forward potentially harmful emails to other employees.

A number of security concerns have developed with the universal adoption of email, including spam, phishing and the non-secure exchange of confidential information. These are all things that could have a negative effect on your business.

6.1 Spam

Spam is email that has been sent without the permission or request of the person it has been sent to. Spam represents approximately 69% of all email sent over the Internet.[1] Not only can spam contain links that if clicked on could harm your business, but spam can slow down your networks, servers and computers, increasing costs and reducing productivity.

Spam is used widely to:

• Sell you a product or service (much like telemarketing, but by email) and make you visit an unsafe website, leading to the download of malware onto your computer.
• Convince you to disclose confidential personal or business information (such as passwords).


[1] http://www.symantec.com/security_response/publications/threatreport.jsp


How to identify potential spam

Here are some ways you can identify potential spam:
• If you don’t recognize the sender, treat it with caution.
• Look for misspelled words in the body of the email. This is a trick fraudsters use to bypass spam filters (see the explanation to follow).
• Look for unusual phrasing in the message, which may suggest that the author is not legitimate.

Always be suspicious of emails that contain the following:
• Offers that sound too good to be true.
• Requests that you click on a link in the message.
• Requests for your personal information.

Spam is annoying and potentially harmful to your business. But there are some ways you can deal with it:

• Implement a spam filter that will block most spam and only allow legitimate and acceptable emails to get to you. If your business is using email hosted by another company, ask them about what spam filtering services they offer. If it is not working well, ask for a better spam filter or change email service providers.
• Keep your employee email list confidential. If you need to share an email address with someone outside of your business, use a generic email, [email protected].
• Develop a basic set of email guidelines for your employees and make sure all employees read and apply them. These should include the following:
  • Never click on the links that are included in spam—even if they are offering to remove you from their distribution list. This is a common trick they use to get people to visit dangerous websites.
  • Never open attachments in spam or suspected spam messages.
  • Do not write to the spammer for any reason, even if it is to complain. Doing so will only confirm that your email address is valid and will actually result in more spam.
  • Delete spam if you are certain it is not legitimate. If you are uncertain about what to do, ask a supervisor or technical support person for help. Generally, if your business does not have a technical support person available, it is best to contact the email service provider. In the worst cases, if you suspect there is a significant risk to your business, you should contact the authorities as listed in Appendix C.


6.2 Phishing

Phishing is a specific kind of spam that targets you by simulating a legitimate message from a bank, government department or some other organization, in an attempt to get you to give up confidential information that can be used for criminal purposes.

Often these messages are written to seem helpful or will offer “good news” (Figure 5) so that you will be more likely to trust the sender and follow instructions in the email. In other cases they try to incite fear and get you to send a reactionary reply (e.g., “...your bank account is being closed. Click here to take urgent action.”)

Because these messages often appear to be from real organizations—possibly using real logos and familiar colours, layout and fonts—it can be hard for you to recognize them as illegitimate. In almost every case, the message will include a website URL (link) that they want you to click and a request or demand for confidential information.

What to do with potentially criminal email

If you receive offensive, abusive or potentially criminal email (whether or not it seems to be spam)—or if you think you are being asked for confidential information by criminals—you should save the message (do not email it to others) and contact your supervisor or IT support personnel. You may be asked to provide a copy of the message to help the authorities with any subsequent investigation, which is why you should not delete it unless told to do so. See Appendix C for more information on who to contact.


Figure 5 [2]

[2] http://www.cra-arc.gc.ca/ntcs/nln-rfnd-eng.html


Strategies for dealing with phishing should align with your business’s approach to spam and should begin with spam filtering. All of your employees should be alerted to this issue and understand that any apparent phishing emails containing personal information on employees might need to be reported to the Canadian Anti-Fraud Centre.

Some additional tips to give employees on phishing:

• Do not answer suspicious emails or provide any confidential information requested in emails even if they appear legitimate. If uncertain, speak to a supervisor.
• Do not click on any links in suspicious emails.
• Do not forward the email to others. If you need to show it to a supervisor, ask them to come and see it on your screen or print it out.
• If a suspicious email appears to be from a recognized organization or client, contact the legitimate client or organization through another means of communication (e.g., by phone) and ask if they sent such an email.
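The section points out that a phishing message imitates a real organization and almost always carries a link it wants you to click. One mechanical check a mail gateway, help-desk script or spam filter can apply is to compare the text a link displays with the host it actually leads to. The following is an added example and not code from the GetCyberSafe guide; the sample “good news” message, the `example-bank.example` domain and the documentation IP address in it are constructed for the example, and the `registrable` helper is a deliberate simplification of what a production tool would do with the Public Suffix List.

```python
"""Flag links in an email whose visible text does not match where they go.

Added example, not from the GetCyberSafe guide. Domains, addresses and the
sample message below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'owner' part of a host name (its last two labels). Good enough
    here; a production tool would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def suspicious_links(html: str, claimed_sender_domain: str = "") -> list:
    """Return [(href, shown_text, [reasons])] for links that deserve a second look.
    `claimed_sender_domain` is the domain the message says it comes from."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if _IPV4.fullmatch(host):
            reasons.append("target is a raw IP address")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but target is {host}")
        if claimed_sender_domain and host and registrable(host) != registrable(claimed_sender_domain):
            reasons.append(f"target is not under the claimed sender domain {claimed_sender_domain}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample: a "good news" refund message of the kind the guide describes.
SAMPLE_EMAIL = """
<p>Good news! A refund of $340.00 has been approved for your account.</p>
<p>Confirm your details at
<a href="http://198.51.100.7/refund">https://secure.example-bank.example/refund</a>
within 24 hours.</p>
<p><a href="https://www.example-bank.example/contact">Contact us</a></p>
"""
```

Running `suspicious_links(SAMPLE_EMAIL, "example-bank.example")` flags only the refund link, for all three reasons at once; the genuine contact link, whose host sits under the claimed sender's domain, is left alone. This is exactly the situation the tip above covers: the message looks right, and only the link's real destination gives it away.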

6.3 Sending Email Securely

Phishing and spam are two issues associated with your incoming mail, but what about the security of your outgoing email?

As email often contains sensitive and confidential information, and is relatively easy to compromise, you need to implement appropriate security measures to:

• Make sure that only authorized employees can send emails from your business.
• Maintain the confidentiality of your messages or email attachments until delivered to the intended recipient.
• Archive your sent email for future reference (e.g., in case of an investigation or for financial or legal reasons).

Once criminals have access to a legitimate account in your business, they can use it to get the contact information associated with that account, send out spam, launch phishing attacks and more.

Your business should choose a single email service for your business to help you simplify security measures. Security should be one of the key criteria in selecting an email service. If you use a webmail service, enable the security protocol HTTPS (Figure 6) for all communication between business computers and the webmail servers. HTTPS will encrypt all emails you send and receive, which will help to maintain message confidentiality.


Develop email guidelines for employees that include the following:

• Always follow the company’s password standard, including the use of a strong password for email whether the account is inside the business or hosted as webmail. This is important with webmail services, as they are more accessible for cyber criminals who will use compromised accounts for other criminal activities (such as emailing spam).
• Use the recommended security and privacy settings in the Web browser or email client software unless the person responsible for cyber security in the company tells you to change them. The security features built into those applications are there to protect the business. (In your business, it is possible that your employees set up their own email software. If that’s the case, it is best that they follow the security recommendations of the browser or email client developer).
• Before sending emails or attachments that contain sensitive information, always ask yourself: “Could the unauthorized disclosure of this information cause serious harm to me or my business?” If the answer is “Yes,” then use another more secure method.
• If there is a need for you to send potentially sensitive information outside of the business, ask the recipient to verify that they received it. Also, encrypt attachments (e.g., Word documents) before sending them over the Internet. See Figure 7.

Write and follow an email retention standard appropriate for your business and any provincial or federal legislation. For example, if your business is required to keep client records for seven years—and you communicate with clients by email—then you need to maintain email archives for at least seven years. This can be done by backing up your email to an internal storage system or by arranging scheduled backups with your email service provider. If you are not sure how long you need to keep emails, check with your lawyer, accountant or another responsible party to confirm any requirements. Once email archiving is set up you will be ready if called upon to provide older emails.


Figure 6: HTTPS is enabled

Figure 7: Encrypting an Attachment


7 Data Security

Quick tips from this section:
• Frequently back up your data to an external hard drive, server and/or online service—having multiple backups of your data is key in case of the failure of one of them.
• Download or purchase automatic backup software to ensure timed backups of your system(s).
• Store your physical backups (e.g., external hard drive) off site in a safe place.
• Have emergency system boot DVDs or USB sticks prepared in case of a system crash.
• Properly label any sensitive information you have to ensure secure handling.
• When disposing of your data, thoroughly destroy it—shred all paper and CDs—so that no information could potentially be gathered and used to harm you.

7.1 Backup and Recovery Options

A backup plan is essential for your business. Without one, your business will risk losing critical information (such as client records) and services (such as payment processing). Such losses can hurt your operations, damage your reputation, result in legal action or even cause the failure of your business.

Backups are used to restore lost or damaged files. Backing up data will help ensure that your business is able to recover quickly and completely when a system crash, data corruption or other setback occurs.

There are several options you can use for backup and recovery including the following:

1. Portable or desktop USB hard drive: This is a good place to start if your business only has a few computers. You can provide one drive for each computer or share one for up to three systems. Backup software will allow you to automate this process and track changes to your data between backups. The same software will allow you to restore anything from a single file to the entire system.
2. Server: If your business has a Local Area Network (LAN), data should be stored on your server and backed up from there. Server backups can be completely automated and run as often as needed.
3. Online: Another option involves backing up your data to the Internet. Backup and restoration service providers will maintain copies of your business data. Online backups might not be suitable for:
   • Your highly valuable or sensitive data.
   • Storage of private data on behalf of Canadian clients or patients—especially since many online backup service providers operate outside of Canada.
   • Restoring your data quickly as local backups are typically faster.
   • Guaranteed on-demand data restoration, since the Internet can go down.
   • Continuous or very frequent backups, which can overwhelm your Internet connection and prevent other work.


Best practices when backing up or restoring information:

• Have a plan and begin your backups as soon as possible. Start by backing up all files and folders that may be of value. This is often referred to as a “full” backup and it sets a foundation for future backups. After this, you will only need to back up new or modified files and folders.
• Back up your data regularly, whether it is daily, hourly or as appropriate for your business.
• Choose a backup application with automatic and continuous backup to make sure that your backups are completed.
• Keep copies of your backups in a secure location off-site. The idea is to protect the backups from theft or a disaster (such as fire). If an off-site location such as a bank safety deposit box is impractical, consider getting a small fire-resistant safe. Ensure off-site backups are kept up to date.
• Always include system and software settings as part of your backups.
• Have emergency boot discs or USB sticks ready in case of a system crash and keep at least one copy off-site with other important backups.
• Test your backups periodically by recovering an important file, folder or even a whole drive. When there is time, at least once a year, also do a complete system restoration to a “test” computer (e.g., not a computer that is in use by your business) to make certain that your business can use the backups on hand to perform a complete system recovery in the event of a disaster.
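The first and last of these practices, a full backup followed by incremental copies of only new or changed files, and a restore that is actually tested, are the mechanics behind any backup tool. The following is an added example and not code from the GetCyberSafe guide or any particular backup product: a minimal file-level backup that records a manifest of content hashes, copies only what changed on later runs, and verifies a restore against the manifest. The `demo()` function builds constructed sample files in a temporary directory; all paths and function names are this example's own.

```python
"""Full-then-incremental file backup with a manifest and a restore test.

Added example, not from the GetCyberSafe guide. Changes are detected by
content hash rather than by timestamp, and a restore is verified rather than
assumed to work. All paths are whatever the caller passes in.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, dest, manifest_file) -> list:
    """Copy files whose hash differs from the last manifest; return what was copied.
    With no manifest yet this is the initial full backup; afterwards it is
    incremental, and dest always holds a complete, current copy of the source."""
    source, dest, manifest_file = Path(source), Path(dest), Path(manifest_file)
    previous = json.loads(manifest_file.read_text()) if manifest_file.exists() else {}
    current = scan(source)
    copied = []
    for rel, digest in current.items():
        if previous.get(rel) != digest:
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source / rel, target)
            copied.append(rel)
    # files deleted from the source are left in dest so they can still be recovered
    manifest_file.parent.mkdir(parents=True, exist_ok=True)
    manifest_file.write_text(json.dumps(current, indent=2))
    return copied


def restore(dest, target, manifest_file) -> bool:
    """Rebuild the tree listed in the manifest and verify every hash afterwards."""
    dest, target = Path(dest), Path(target)
    manifest = json.loads(Path(manifest_file).read_text())
    for rel in manifest:
        (target / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, target / rel)
    return scan(target) == manifest


def demo() -> dict:
    """Walk through full backup, incremental backup and verified restore
    on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, store, manifest = tmp / "src", tmp / "store", tmp / "store.manifest.json"
        (src / "notes").mkdir(parents=True)
        (src / "clients.csv").write_text("id,name\n1,Example Client\n")
        (src / "notes" / "todo.txt").write_text("call supplier\n")
        first = backup(src, store, manifest)                      # full backup
        (src / "clients.csv").write_text("id,name\n1,Example Client\n2,Second Client\n")
        second = backup(src, store, manifest)                     # only the changed file
        verified = restore(store, tmp / "restored", manifest)     # the "test restore"
        return {"full": first, "incremental": second, "restore_verified": verified}
```

Because the manifest stores hashes, a file whose timestamp was touched but whose contents did not change is not copied again, and a restored file whose contents differ from what was backed up is reported as a verification failure rather than silently accepted.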

Things to think about when developing your backup plan:

• What do you need to back up? Build a list of your critical files and where they are located and you will know what you need to back up.
• How often do you need to back up? Some data may change infrequently while other files change all the time. If the information is important, back it up as often as you need, which may be once a day, hourly or even more frequently.
• How long should you keep backups? You may only need to keep the most recent backups, or you may have legal or contractual obligations to keep some data for specific periods—possibly years. Check with your lawyer, accountant or another responsible party to confirm the requirements.


7.2 Cloud Security

Cloud computing is using resources and programs that are available on the Web, outside of your business. You may be familiar with cloud services like data storage, but cloud computing also includes billing and payment services, document and account management, and marketing and productivity tools.

There are many reasons for a small- or medium-sized business to consider using cloud computing. Cloud services offer powerful software, similar to what is used in much larger companies, at competitive prices. What’s more, some services allow for customization to fit your business’s needs, and can offer the flexibility to access cloud services from nearly any device that connects to the Web. Finally, a good cloud services provider will support their products to improve their security and stability.

As attractive as cloud computing is, cloud services mean that you will be placing data in the hands of someone outside of your business, so you need to be able to trust how they will handle that information. Your business needs to consider several security issues in deciding whether a cloud service is right for you.

1. Read reviews and get recommendations on potential cloud service providers. Research the security capabilities of potential cloud-computing service providers, including the following:
   • Anti-malware protection.
   • Software patching and maintenance.
   • Strong encryption during the movement of data and while information is stored.
   • Redundant power in case of a power failure.
2. Beyond security, ask about a cloud service provider’s reliability, service levels and past performance. For example, you can ask how they back up their data and what happens if the service goes down.
3. Manage access to your cloud services. You should decide who in your business can access a service, and what account privileges they will have. Decide whether employees can access business data on personal devices and the procedure to follow if a device is lost or stolen. If an employee leaves, be sure to remove their access to your services.
4. Exercise your due diligence. Talk to your legal counsel to understand what liabilities you may face if client information were lost or stolen while hosted in the cloud, and look closely at agreements with cloud service providers on who owns products and bears responsibility for the data.
5. Understand any federal or provincial legal requirements related to storing different kinds of information. Information uploaded from Canada may be stored on a server in another country. Depending on your line of business, government regulations may stipulate how your data is handled, including where it is stored, for how long and the level of security required. This is especially true with respect to medical or financial records that your business may hold.


Using a Secure Cloud-Based File-Sharing Service

One aspect of cloud computing that your business may find useful is file-sharing and synchronization services. These allow you to upload files to the cloud for clients, consultants or other personnel to view, download and modify. If changes are made by any of the users, files are synchronized so that everyone has access to the most current version.

Your business can limit associated security risks by doing the following:
• Considering which types of information can be safely shared this way.
• Choosing a service that requires users to log in, ideally with two-factor authentication, so only people you authorize can access the shared files.
• Limiting the number of people with access to those who need it.
• Using a service that can send you notifications when a file is received or changed.
• Encrypting sensitive information before you upload or share it.

7.3 Classifying and Labelling Sensitive Information

Classifying and labelling sensitive information is critical to its secure handling in your business. Many classification systems can be employed to help determine how sensitive information is and then to label it (e.g., as documents, files, records, etc.).

The key is to have a system in place that all of your employees understand and follow. Your business will need to develop a method for classifying information and guidelines for labelling and handling that information.

How to determine which information is sensitive:

1. Identify your information and where it is located (e.g., on a server, in the cloud, etc.).
2. Ask yourself what harm would result from the loss or theft of each group of information your business holds. Rate the loss from 1–5 where 1 is “insignificant” and 5 is “catastrophic.” Sort the results.
3. Information that is rated higher is more “sensitive” and should be labelled and handled with proper care for its security (e.g., control of access, backup, etc.).

A simple classification model is easier to remember and follow. For example:

1. Public information is available to everyone and anyone, inside or outside of your business, and requires no protection or special marking or handling. News posted to your business’s website is an example of public information.
2. Restricted information needs to be protected in some manner and is usually limited to a select group of people including employees and certain clients, service providers or others. This information would be controlled through various security safeguards you have put in place and should be labelled “Restricted.” An example of restricted information is payroll information.
3. Confidential information is limited to access by select individuals in your business. Its loss or exposure could damage your business. Confidential information must be labelled, carefully handled and should not be allowed to leave business premises or systems. An example of confidential information is intellectual property owned by the business or sensitive client data.

You should document and explain to employees or affiliates (e.g., for banking) the rules on how information should be labelled, handled or shared, including the following:
• Always checking the classification of information to determine how it should be handled.
• When using or sharing classified information, limiting access to those who are authorized.

7.4 Handling Sensitive Information

Some of your business information will be particularly sensitive (e.g., financial or customer records), meaning that the unauthorized access to, loss, misuse or modification of that information could cause serious harm to your business or clients.

Tips for handling sensitive information:

• Lock up and restrict access to sensitive information when it is not being used. With digital documents this will involve a combination of electronic and physical safeguards to limit access only to authorized employees or clients. For paper documents it may involve locked filing cabinets or a safe.
• Always label sensitive information and train employees to follow guidance on the handling of labelled information. If information is not labelled, employees should ask for assistance or clarification to make sure they are handling it correctly. Digital information can be grouped by sensitivity on a common server, in a specific database or individually labelled.
• If you have to destroy any sensitive information, the electronic destruction methods must also be thorough. Usually if you “delete” a file on your computer, the file is not actually removed until the space is overwritten by something else. Commercial “secure erase” or deletion tools can completely destroy your sensitive information, much like putting a paper document through a shredder.
• When you dispose of storage media, it is best to destroy it physically. For example, CDs and DVDs can be put through some paper shredders.
• When destroying paper records, a high-quality shredder that cross cuts the paper into small pieces should be used, or consider paying a professional document and media destruction company.
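The third tip above explains why an ordinary delete is not destruction: the file's blocks stay on disk until something overwrites them. The following added example (not code from the GetCyberSafe guide or any commercial secure-erase product) shows the overwrite step such a tool performs, using only the Python standard library. The comments carry the caveat a practitioner needs: overwriting in place is only reliable on a plain magnetic disk with no snapshots, journaling copies, backups or wear-levelled flash holding other copies of the data, so for SSDs and removable media the guide's own advice of full-device encryption and physical destruction still applies. The `demo()` function and its constructed payroll file are this example's own.

```python
"""Overwrite a file's contents before unlinking it.

Added example, not from the GetCyberSafe guide. This is the overwrite step a
"secure erase" tool performs. It cannot reach copies the filesystem or the
device made elsewhere (snapshots, journals, backups, SSD wear-levelling), so
treat it as one layer, not a substitute for full-disk encryption or physical
destruction of the media.
"""
import os
import secrets
import tempfile
from pathlib import Path


def _write_all(f, data: bytes) -> None:
    """An unbuffered write may be partial; keep going until everything is written."""
    view = memoryview(data)
    while view:
        view = view[f.write(view):]


def secure_delete(path, passes: int = 2, chunk_size: int = 1 << 20) -> int:
    """Overwrite `path` with random bytes `passes` times, rename it to a random
    name so the original filename does not linger in the directory, then
    unlink it. Returns the total number of bytes written."""
    path = Path(path)
    size = path.stat().st_size
    written = 0
    # buffering=0 so each write reaches the OS; fsync so it reaches the device
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                _write_all(f, secrets.token_bytes(n))
                written += n
                remaining -= n
            os.fsync(f.fileno())
    anonymous = path.with_name(secrets.token_hex(8))  # same directory, same filesystem
    os.replace(path, anonymous)
    os.remove(anonymous)
    return written


def demo() -> dict:
    """Create a file holding constructed 'sensitive' data and securely delete it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "payroll-example.csv"
        target.write_bytes(b"employee,salary\nExample Person,50000\n" * 1000)
        size = target.stat().st_size
        written = secure_delete(target, passes=2)
        return {"size": size, "written": written, "still_exists": target.exists()}
```

The random-byte overwrite is what distinguishes this from a normal delete; the rename before unlinking is a small extra so that the old filename, which can itself be sensitive, is not left behind in the directory entry.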


8 Remote Access Security

Quick tips from this section:
• Conduct your remote computing through a Virtual Private Network (VPN).
• Limit access to your network to authorized personnel with a clear business need.
• When working from home, properly secure your Wi-Fi before using your VPN.
• Do not use unknown or unfamiliar Wi-Fi connections when travelling.

Providing remote access to your business network and information allows you and your employees to work from home or while on the road, saving time and money, and increasing productivity. But allowing remote access can expose your business to cyber threats. Many of these threats can be addressed through good security habits on the part of employees along with strong technical safeguards you can put in place.

8.1 Remote Computing Security Basics

If employees are provided with remote access to your business’s computers, it will normally be over the Internet and should involve the use of a secure Virtual Private Network (VPN).

A VPN is an extension of your business’s internal network (or from one computer to another) over the Internet. The Internet is not considered secure for the exchange of confidential information on its own, so all traffic in a VPN is encrypted, rendering it unusable to anyone except the legitimate sender and receiver. A VPN is a proven solution that is relatively simple for you to set up with commercial or free software or as a service. Some hardware, such as a router and firewall, is also required.

Once in place, a VPN can allow your users to access and share business files or applications from their remote location, and to communicate with fellow employees using email, as if they were in the office.

A VPN should always be used with other security safeguards (as described in this guide) including up-to-date anti-malware software and two-factor authentication.

Below are some basic steps you can take to protect your business with respect to remote computing:

• Limit remote access to authorized employees with a clear business need. Access should only extend to the applications, information and services that are required for work to be performed.
• All employees authorized to have remote access privileges should be required to sign a simple Remote Access Agreement to indicate that they understand the associated rules and responsibilities.
• You should adjust remote access privileges as responsibilities change. For example, an employee moving from Accounting to Sales may no longer need access to certain accounting resources so their access should be changed. Remember to revoke all remote access privileges when an individual leaves your business.
• When possible, provide employees with business computers, configured with appropriate application software, remote access tools and security safeguards, instead of using their home computers.
• Record serial numbers for all personal computing devices used for remote access or work outside of the office—including laptops, smartphones and tablets—to help track their configurations (including security software) and to help with recovery if they are lost or stolen. This information will also help with police reports and insurance in the case of theft or loss.
• Label all your business computers that are used outside of the office with your business name, contact information and an asset number.

8.2 Working From Home

Logging in to work from home is convenient for you and your employees. But working from home on a personal computer introduces some additional risks that need to be addressed:

• As part of the wireless system, a small device called a cable or Digital Subscriber Line (DSL) modem connects home networks and computers to the Internet. Usually, a router is also required for communications inside the home. Your employees should connect the computer directly to the router using a standard Ethernet cable. Similarly, the router should be connected, via an Ethernet cable, to the modem. If these steps are taken, there is no wireless communication that can be listened to by outside parties.
• When using Wi-Fi, you must secure it so that potential attackers cannot monitor the home network and steal your business’s sensitive information. To guarantee a secure connection, all employees should be required to do the following:
  • Change the default Wi-Fi network name and the router access password on the network router. The name is called the Service Set Identifier (SSID) and changes can usually be made quite easily online, following the manufacturer’s instructions for use.
  • Turn on network encryption to make sure that any intercepted communications cannot be used by cyber criminals against employees or your business.
• The home work environment is only as secure as the workspace. Employees should be advised to limit access to the computer they will use for work. For example, children should have a separate computer for their own use to prevent accidental compromise of the computer used for business access.


8.3 Working While Travelling

Your business’s portable computing devices and the information on them are particularly vulnerable when working away from the office or home. Many hotels, coffee shops, conference centres and other public places offer Wi-Fi, often for free. This is convenient, but rarely secure.

Here are some tips for you and your employees while on the road:

• Avoid unknown, unfamiliar and free Wi-Fi connections unless they are secured with a password and encryption. Even then, use caution when sending your sensitive information. If an unencrypted Wi-Fi connection must be used, business documents and emails should not be transmitted unless a business VPN is used. The VPN will encrypt the transmitted information.
• Don’t leave your laptop or related materials unattended in a public workspace, even for a moment. Theft of laptops, smartphones and tablets is common and on the rise. If possible, secure laptops with a cable lock—even when attended and in sight. Lose a business laptop or other electronic device and you lose all the information.
• Make sure that you guard confidential information on your screen from curious onlookers. If you’re on a flight, anyone with line of sight to the laptop can see what is on the screen. Wait to review any sensitive information in a more private and secure location. If this is not possible, dim the screen and change the laptop’s position to limit who can see it.


9 Mobile Device Security

Quick tips from this section:
• Ensure that all of your mobile business devices (phones, tablets) have system access passwords and are locked when not in use.
• Properly safeguard data on mobile devices. Most mobile devices have security features and many smartphones and tablets can even run anti-malware software.
• Encrypt all of your sensitive data on portable storage devices.

Your business likely uses mobile devices and portable data storage (such as USB sticks) in your everyday operations. They increase productivity, make communication easier and allow you to easily carry important data.

Using mobile devices to send and receive your business’s information can expose your business to the risk of sensitive information being viewed or used by people you have not authorized to do so. Allowing employees to use their business-owned mobile device for personal use, such as the installation of non-business apps, can sometimes expose your business to the loss of sensitive information, malware and other threats.

To address mobile device security in your business, it is important for you to:

1. Examine the pros and cons of mobile device use in your business.
2. Determine which types of devices you will allow in the business.
3. Decide whether personally owned mobile devices can be used by employees for business purposes.
4. Develop standalone rules of use or integrate rules into your business’s cyber security policy.
5. Develop a plan for the management of your mobile devices (which may include a need to access and control them remotely or to block certain functions) and buy tools to support that plan. You can begin by speaking to your mobile service provider and visiting the website of the phone or tablet manufacturer for advice.
6. Log the serial numbers of all mobile devices used in your business in case of loss or theft.


9.1 Tablets and Smartphones

Tablets and smartphones offer incredible functionality, including the ability to create, store, send and modify data with ease. But these features can lead to accidental misuse by employees or manipulation by cyber criminals if the device is hacked or stolen.

Because these devices are small and valuable, they are common targets for theft. Whether compromised through malware, misuse, loss or theft, the impact on your business may be significant, especially if the device contains sensitive information or communications tools for connection to your business network.

Tips to help address the threats to your mobile devices:

• Treat smartphones and tablets with the same security precautions and care as desktop computers and laptops, as all of them can be compromised or stolen.
• Set up a system access password and ensure that the smartphone or tablet is always locked when not in use. Your sensitive personal or business information contained in the device will be much harder to access if the device is lost or stolen.
• Properly safeguard sensitive information on these devices, including any sensitive emails transmitted or received while travelling.
• Back up your device contents on a regular basis.
• Install and run appropriate security apps, which can include encryption, locators for a lost device and anti-malware.
• Advise employees to promptly report the loss of a business tablet or smartphone as soon as it is noticed so that efforts can be made to alert the police, recover the device or (if the appropriate software has been set up) remotely wipe device contents.

9.2 Portable Data Storage

Portable data storage can hold massive amounts of information in a very small device. Your business may even be able to store all of its electronic files on a portable storage device.

Older storage media such as CD or DVD discs are being replaced by portable hard drives and USB flash memory sticks (sometimes called thumb drives). Your business may already use one or more of these methods to store important information.

Although convenient and low cost, the use of portable data storage devices exposes your business to cyber security threats including the following:

• Infection by malware (a problem most common with USB flash drives).
• The loss of your device and all of the information on it. This problem is widespread and again most often involves USB drives, but also CDs and DVDs.
• Information on the device can be easily copied by potential criminals (as most such devices do not include any security safeguards).

To reduce these threats, here are a few steps you can take:

• Identify the rules for use of such devices and the handling of information in your business policies (as explained in other sections of this guide); for example, make it clear what information can be stored on mobile devices, and what specific safeguards and protections need to be in place for particular kinds of information—such as encryption of client information.
• Use the safeguards available for your device. Most mobile peripherals have security features and even many smartphones and tablets can run anti-malware software.
• Label all of your portable storage devices with your business name and a contact number in case it is lost.
• Encrypt sensitive files on portable storage so that they cannot be copied or used by someone in case of loss, theft or illicit use. It may be more effective for you to encrypt the entire storage device (e.g., USB flash drive) so that all of the information placed on it is protected.
• Train your employees in the secure handling of portable storage devices to help limit theft or loss and, as with other mobile devices, advise employees to report loss of any device promptly.

10 Physical Security

Quick tips from this section:

• Only give your employees access to what they need access to.
• Have your employees lock their computers and put away sensitive documents when not at their desk.
• Create and enforce an employee security policy.

All of your business’s cyber security safeguards could be of limited effect if you do not use appropriate physical security. If a disgruntled employee or a visitor gained access to one of your computers, they could quickly and easily download sensitive data onto a memory stick. Cyber security safeguards like authentication and encryption need to be complemented by other security measures, like locks on doors and sign-in procedures for visitors.

Physical security is a topic on its own. This section provides some key tips for you and your employees:

• Only allow employees access to areas of the business that they have a legitimate need to be in. For example, salespeople usually don’t need to access and modify servers. Lock up the servers and only provide access to those who need it.
• Have employees follow best practices for their workstations, known as the “clean desktop” principle. Employees should put away sensitive items when not at their work area. These can include the following:
  • Documents that contain sensitive or confidential information about your business.
  • Personal information, especially if it pertains to clients.
  • Portable electronic media including CDs, USB memory sticks or other items that can be easily removed.
• Always have employees lock their business computer when they leave their work area. They don’t need to shut down the computer to do this—most operating systems allow users to enter a combination of keys to disable access until they re-enter their password.

10.1 Employee Security

Employee security includes processes and practices to establish the suitability and trustworthiness of employees in order to protect the business prior to hiring, as well as ongoing vigilance around employee practices.

Some specific recommendations for you with respect to employee security include the following:

• Publish and enforce an employee security policy that defines what rules apply to employees and what discipline (including termination) is applicable in the event of a security incident where an employee is at fault.
• Always perform background checks for all new employees. References alone are not always sufficient given the potential for fraud through social engineering.
• Be clear about how non-competition, non-disclosure, intellectual property rules and contractual obligations apply in the context of your business’s cyber security. For example, you should tell new employees that emails to competitors are not allowed without prior approval.
• Clearly communicate security responsibilities to new hires and contractors as part of their orientation, and have them formally acknowledge that they have read and understood the material including all cyber security-related policies.
• Clearly state and enforce the consequences of security lapses especially where employees may have ignored or broken rules or caused harm to your business.

Finally, the employee termination process is relevant to your business’s security. There have been many cases of former employees accessing internal networks and stealing data or planting malware. When an employee or contractor is terminated or indicates that they are leaving, access to your business’s computers and information must be terminated, and business property such as laptops, keys and access badges returned—as soon as possible after termination.

11 Getting Help

11.1 When to Ask for Help

If you run a small or medium business, you might not have the expertise on hand to manage all aspects of cyber security. You may need some assistance in choosing and implementing some security solutions.

If you don’t think you can handle your security needs on your own, we recommend your business seek outside help from individuals or companies that specialize in cyber security. Look for companies with good reputations, knowledge and expertise in the areas where you need help.

Some cyber security solutions, such as online backup of all your data, might be impractical to manage on your own. Cyber security companies can help provide this kind of long-term service, including customer support, more effectively than you could in-house.

Finally, in cases of serious cyber attacks, it may be necessary to contact the appropriate authorities. If your business or any of its employees are threatened or harmed through a cyber security incident, contact the police. Appendix C provides a list of other contacts you might find useful when dealing with a cyber attack.

11.2 Where to Get Security Safeguards

To find such security tools you will often need to consult with outside experts and vendors to determine what is needed and to understand the options. Some free options exist, but most cost money initially and over time.

A lot of security software is available on the Internet for free. Always check for user comments online to see what others have experienced, talk to other small business owners, and research the source, history and validity of free software before using it. Make certain that it is widely accepted as legitimate and is not a form of malware. Paying for security software usually includes vendor support, including a warranty, technical support for set-up, as well as updates. The cost can vary widely and can extend across several years as licenses for software or maintenance are renewed, often annually.

12 Appendices

12.1 Appendix A: Cyber Security Status Self-Assessment

These questions will help determine your business’s basic status with respect to cyber security. Answering these questions before reading the guide will help you determine which sections to focus your attention on.

These questions are based on the assumption that your business (irrespective of its size):

1. Uses computers for business purposes.
2. Uses mobile computing or communications devices for business purposes.
3. Connects some or all of those devices to the Internet for business purposes.
4. May also have an internal network, used to share applications software, peripheral devices (such as printers) and information within your business.

For each question, please circle one answer. If you don’t know the answer or are unable to understand the question, then select “Not sure.”

Total up your score by adding together the numbers to the left of your answers. For example, if you answered “Not sure,” then that answer will have a value of zero (0), or if you answered “Yes,” then the value would be two (2).

Business Questions

1. Is cyber security a priority for your business?
   0. Not sure
   1. No
   2. Yes

2. Has someone in your business been given responsibility for cyber security?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is this an ongoing role, supported by management (circle if yes)?

3. Has your business completed a cyber security threat and risk analysis (of any kind)?
   0. Not sure
   1. No
   2. Yes
   3. If yes, are risks prioritized and tracked with regard to reducing them (circle if yes)?

4. Does your business have a Cyber Security Plan?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it being followed (circle if yes)?

5. Does your business have a Cyber Security Policy?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it supported through security awareness training for employees (circle if yes)?

6. Does your business have a Disaster Recovery Plan?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it kept up to date and has it been tested (circle if yes)?

7. Does your organization provide employees with guidance on the handling and labelling of sensitive information?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is this supported by policy or a standard (circle if yes)?

8. Does your organization provide employees with guidance on the secure use of mobile devices?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is this supported by a guideline and any mobile device management tools (circle if yes)?

Technical Questions

9. Is there a firewall installed between your business computers, including point-of-sale (POS) systems, and the Internet?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it regularly maintained and checked by someone with the appropriate training and experience (circle if yes)?

10. Does your business use an encryption tool (usually software) to secure sensitive information before sharing it outside of the business environment (such as with the transmission of email attachments)?
   0. Not sure
   1. No
   2. Yes
   3. If yes, do all personnel know how to use the tool and is usage monitored and enforced (circle if yes)?

11. Does your business have a spam filtering or blocking solution in place?
   0. Not sure
   1. No
   2. Yes
   3. If yes, do all personnel know how to report spam that is threatening or seems to be part of an attempt to solicit personal or sensitive business information (circle if yes)?

12. Does your business use an anti-malware solution?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it installed on all of the business’s computers and is it regularly (usually hourly or daily) updated (circle if yes)?

13. Does your business follow best practices for strong passwords and password protection?
   0. Not sure
   1. No
   2. Yes
   3. If yes, are strong password rules enforced (circle if yes)?

14. Does your business back up data and applications on a regular basis (usually daily or more frequently)?
   0. Not sure
   1. No
   2. Yes
   3. If yes, are backups tested on a regular basis and are some backups kept offsite in case of disaster (circle if yes)?

15. Does your organization provide personnel with guidance on working in a secure manner when travelling or otherwise outside of the business environment?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is this supported by use of a virtual private network (VPN) (circle if yes)?

You have finished the self-assessment questionnaire.

If your score was 0 to 15, then you should consider reading this whole guide as soon as you can. Then, consult with others in the business to begin planning and implementing cyber security in your business.

If your score was 16 to 30, then it’s safe to say that your business has done some work with respect to cyber security. However, you likely need to do more and should read the guide with particular focus on those areas where you scored low.

If your score was 31 to 45, then your business has made good progress in several areas of cyber security. However, new threats are constantly developing and it will be important to still consider the topics in this guide and discuss next steps (as appropriate).

12.2 Appendix B: Glossary

Assets: Any items belonging to or held by the business, with some value (including information, in all forms, and computer systems).

Attack: An attempt to gain unauthorized access to business or personal information, computer systems or networks for (normally) criminal purposes. A successful attack may result in a security breach or it may be generically classified as an “incident.”

Authentication: A security practice implemented (usually through software controls) to confirm the identity of an individual before granting them access to business services, computers or information.

Backup: The process of copying files to a secondary storage solution, so that those copies will be available if needed for a later restoration (e.g., following a computer crash).

Breach: A security breach is a gap in security that arises through negligence or deliberate attack. It may be counter to policy or the law, and it is often exploited to foster further harmful or criminal action.

Cyber: Relating to computers, software, communications systems and services used to access and interact with the Internet.

Encryption: Converting information into a code that can only be read by authorized persons who have been provided with the necessary (and usually unique) “key” and special software so that they can reverse the process (e.g., decryption) and use the information.

Firewall: A firewall is a type of security barrier placed between network environments. It may be a dedicated device or a composite of several components and techniques. Only authorized traffic, as defined by the local security policy, is allowed to pass.

HTTPS: Hypertext Transfer Protocol Secure.

Identity Theft: Copying another person’s personally identifying information (such as their name and Social Insurance Number) and then impersonating that person to perpetrate fraud or other criminal activity.

Malware: Malicious software created and distributed to cause harm. The most common instance of malware is a “virus.”

Patch: An update to or repair for any form of software that is applied without replacing the entire original program. Many patches are provided by software developers to address identified security vulnerabilities.

OS: Operating System.

OTP: One-Time Password.

Password: A secret word or combination of characters that is used for authentication of the person that holds it.

Phishing: A specific kind of spam targeting one or more specific people while pretending to be a legitimate message, with the intent of defrauding the recipient(s).

POS: Point of Sale.

Risk: Exposure to a negative outcome if a threat is realized.

Safeguard: A security process, physical mechanism or technical tool intended to counter specific threats. Sometimes also referred to as a control.

Server: A computer on a network that acts as a shared resource for other network-attached processors (storing and “serving” data and applications).

SMB: Small and Medium Business.

Spam: Email that has been sent without the permission or request of you or the employee it has been sent to.

Threat: Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

URL: Uniform Resource Locator.

Vulnerability: A weakness in software, hardware, physical security or human practices that can be exploited to further a security attack.

VPN: Virtual Private Network.

Wi-Fi: A local area network (LAN) that uses radio signals to transmit and receive data over distances of a few hundred feet.

12.3 Appendix C: Canadian Cyber Security Sites and Contacts

12.3.1 Canadian Government Security Sites

1. Get Cyber Safe provides news, tips and guidance on cyber security for individuals and businesses in Canada
   • www.GetCyberSafe.gc.ca

2. The Canadian Anti-Fraud Centre for fraud prevention and reporting (including cybercrime)
   • Toll Free: 1-888-495-8501
   • Toll Free Fax: 1-888-654-9426
   • Email: [email protected]
   • http://www.antifraudcentre-centreantifraude.ca/english/home.html

3. The Canadian Radio-television and Telecommunications Commission Canada site for reporting scams by phone
   • http://www.crtc.gc.ca/eng/INFO_SHT/G9.htm

4. Office of the Privacy Commissioner of Canada:
   • Securing Personal Information Self-Assessment Tool: http://www.priv.gc.ca/resource/tool-outil/security-securite/english/AssessRisks.asp?x=1
   • Getting Accountability Right with a Privacy Management Program: http://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.asp

5. Canada’s Anti-Spam Legislation
   • http://fightspam.gc.ca/eic/site/030.nsf/eng/home
   • Worried it’s Spam? 5 Things to Look For: http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00241.html

12.3.2 Cyber Security Member Associations in Canada

Cyber security industry associations are a good source for more in-depth information and advice on cyber security for small and medium businesses. They can also provide recommendations on available service providers in your area if you need outside help.

1. American Society for Industrial Security (ASIS)
   • http://www.asis-canada.org/

2. High Technology Crime Investigation Association (HTCIA)
   • http://www.htcia.org/

3. Information Systems Audit and Control Association (ISACA)
   • http://www.isaca.org/Membership/Local-Chapter-Information/Browse-by-List/Pages/North-America-Chapters.aspx

4. Information Systems Security Certification Consortium, Inc. (ISC2)
   • https://www.isc2.org/chapters/Default.aspx

5. Information Systems Security Association (ISSA)
   • https://www.issa.org/?page=ChaptersContact
