Business cybersecurity: Protect yourself from attacks

What is cybersecurity?

Cybersecurity is the art of protecting your assets while ensuring the confidentiality, integrity and availability of your data.

No matter how big or small your business is, you could be hacked by someone who thinks there’s something to be gained by accessing your intellectual property, financial affairs, production capacity or other sensitive data.

What are the challenges of cybersecurity for businesses?

It can happen to anyone

All businesses face cyber threats, whether they’re cloud companies or neighbourhood coffee shops offering Wi-Fi to customers. Hackers sometimes go after very specific targets for political or other reasons, but they could also attack to test your system and see if there’s something to steal.
We’re in the digital age

Businesses are going more and more digital, so information is stored on computer media, such as hard drives, clouds, etc. Your data is crucial to running your business, so you wouldn’t want to lose access to it.
Although remote work has become frequent with the pandemic, a lot of businesses are still using systems designed for the office and haven’t necessarily made sure they are secure.

Privacy and data security are important

You may be managing confidential data like your clients’ contact information or credit card numbers. Your reputation could be seriously damaged if your data is stolen. If you have been negligent, you could even be subject to legal action.

There are corporate cybersecurity laws to follow

Governments now require businesses to take action on cybersecurity.

Nationally: In June 2022, the federal government introduced Bill C-26, An Act respecting cyber security, which introduces significant new cybersecurity requirements for certain federally regulated businesses so that they prepare for cybersecurity incidents, prevent them and respond appropriately.

Provincially: Except for British Columbia, Alberta and Quebec, which have their own privacy legislation—for example, Bill 25 in Quebec—all other provinces have the Personal Information Protection and Electronic Documents Act (PIPEDA).

How can you improve the cybersecurity of your business?

Although it’s best to consult an expert to get personalized advice, here are some possible solutions:

• Appoint a privacy officer within your organization. If you don’t, the person responsible for the business will have to assume that role.
• Implement a governance framework.
• Complete a privacy assessment using this Government of Canada tool (link to external site).

What cyber-attack risks are there for businesses?

The main risks associated with slack cybersecurity can be divided into 4 broad categories:

Cybercrime

Cybercriminals steal information to exploit or resell it (banking data, login credentials to merchant sites, etc.).

Phishing and ransomware are known examples of malware. Without a protection mechanism, you’ll be more vulnerable to attacks.

Damage to your public image
Attacks to destabilize governments or businesses are frequent and generally unsophisticated.
From stealing personal data to exploiting vulnerabilities, they damage the business’s public image by replacing website content with political or religious claims, among other things, which are then relayed onto social networks.

Espionage
Corporate espionage is highly targeted and sophisticated and can have serious consequences for national interests. It can take years for a company to realize it’s been the victim of such an attack, because cybercriminals want to maintain access for as long as possible to capture strategic information in a discreet and timely manner.

Sabotage
Computer sabotage is the act of rendering inoperative all or part of a company’s information system through a cyber attack. This can include causing systems to crash or self-destruct.

How can I protect my business from cyber threats?

• Be wary of attachments and links in messages of suspicious origin.
• Question your automatic trust in the sender’s name.
• Perform regular backups on external devices, such as a hard drive.
• Update all of your main software packages regularly, preferably through automatic software updates.
• Use complex passwords and change them regularly.
• Manage access rights for each directory on your site.
• Implement technical measures such as adaptive security architecture, system isolation, firewalls, etc.
• Make sure you have an effective security policy if your site is hosted by a service provider, especially hosting is shared (several hosted sites).

What best practices should I implement?

Before heading off in all directions, ask yourself a basic question: What are my organization’s assets and what do I need to protect? Consider everything—information flow, access, third-party service providers, etc. The key question is  “What have I done to prepare, regardless of the type of attack?”

Consult with cybersecurity professionals

Don’t hesitate to bring in an outside firm to examine your business. It can help you understand all the ways you can protect yourself and help raise awareness among staff.
A specialized cybersecurity firm can help you set up your technology infrastructure and prepare various fictitious incident response scenarios. For example, you can run simulations to identify people within the business who will know what to do when the time comes. You can also identify a third party.

Nationally: CyberSecure Canada (link to external site) is a certification program for small and medium-sized businesses. It provides additional resources you’ll find helpful, such as guides, templates and sample policies and plans to help you get certified.

Provincially: Canadian companies also have the option of bringing in private cybersecurity consulting companies to make sure they are protected from online threats. There are more than 100 corporate cybersecurity firms in Canada (link to external site). In Quebec, PROMPT is an example of an organization helping businesses with cybersecurity certification.

Train your employees

Training your employees in cybersecurity is critical to make sure they’re careful with clickable links, attachments, etc. They need to be familiar with the different types of fraud so they don’t put the business at risk from the inside (business email compromise, phishing, etc.).
How can you make sure your employees understand and consider cybersecurity?

Develop a cybersecurity culture by engaging with your employees. This won’t happen on its own. For example, at National Bank, we say Cybersecurity is everyone's business! Everyone has a role to play in identifying risky situations. You have to get everyone involved. You can also do cybersecurity awareness workshops.

Invest time and money

You need to budget for cybersecurity so that you can prevent and react quickly to cyber attacks. For example, you could have a dedicated internal team or use an outside firm. Very often, the cost of not taking action is higher (risk to your public image, loss of clients, loss of revenue, etc.).

Consider getting cyber insurance

A good way to protect your business from the costs and risks associated with cybersecurity is to have insurance.

Cybersecurity insurance will help limit your losses, whether related to the attack or the loss of sensitive data, but it comes with a lot of conditions and is quite costly. Being cyber smart is still your best bet.

Where can I learn more?

There are many resources available to learn more about corporate cybersecurity. For example, National Bank is a founding member of Cybereco, the multi-sectoral cybersecurity leader in Quebec and across Canada.

Train your workforce and make your business more resilient by using the Cyberkit (link to external site). The kit has tools to build awareness among employees, managers and IT staff, suggestions for writing a cybersecurity policy, and basic tips for the general public to protect themselves at home.
Protecting your business is crucial. To stay in business, you must comply with Canadian laws and regulations and protect your sensitive data. Learn more about fraud prevention and online security.