Tuesday, March 3, 2015


Cyber security risks are present in almost all organizations, irrespective of size, as we all become increasingly dependent on information technology to manage operations, HR, financial and customer information. These operational risks should be considered by all organizations as part of their risk management program.

While small to mid-sized enterprises (SMEs) don't have the luxury of the dedicated information security teams and resources that large enterprises can afford, they still face many of the same threats. According to the Government of Canada, over 31% of cyber-attacks intentionally targeted small to medium sized businesses in 2012, and that number has increased in the past two years. They also report that the average financial impact to such businesses is in excess of $15,000 per attack, although this number is conservative when compared to other studies.

Customers and employees naturally expect personal and financial data to be kept secure, and a data breach can be a painful and expensive ordeal. But for a small business that may have only a small IT department, it can be daunting to think about how to tackle IT security.

The response of many SMEs is the “security through obscurity” approach. In other words, we’re too small to be on anyone’s radar and the cyber-criminals are only going after the big guys. It is true that many of the well-publicized stories of data breaches have involved very large enterprises like Home Depot, TJ Maxx and JP Morgan. But these cases represent only a very small fraction of the actual number of cyber security incidents that happen every day, which are increasingly focused on SMEs.

The reason SMEs are increasingly becoming the victims of cyber criminals is the same reason criminals target the vulnerable members of a society. Smaller companies are simply easy pickings, and they don’t fight back like bigger companies. They represent a low risk of apprehension, as SMEs typically lack the monitoring, forensics, logs, audits, reviews, penetration testing, and other security defenses and warning systems that would alert them to a breach.

That being said, the most pressing IT security problem facing Canadian entrepreneurs is not computer hackers. The majority of security breaches actually come from a company’s own employees. They’re usually not doing it on purpose; most breaches are accidents, such as an employee mistakenly emailing confidential client information outside the company, a cashier leaving a customer’s credit card information on a publicly viewable computer, or a manager inadvertently deleting important files. So where do you start?

IT security has grown in complexity as IT systems, and the methods used to compromise them, have grown. There are, however, some first steps that can be taken to mitigate the risk. The following six steps are a starting point that a small business can use to evaluate its current cyber security risk and how to manage it:

1. Strategy and Human Resources Policies

  • Does your company have a clear IT security policy that’s known to staff?
  • Do you provide security awareness training to your staff, or promote a culture of security and protection within your organization?
  • Do you have a policy on acceptable IT use, password guidelines and security practices?
  • Do you have confidentiality agreements for contractors and vendors?
  • Does your company have a privacy policy? Remember privacy law applies equally to how you protect employee information as well as customer information.

2. Data Backup

  • For critical data (this is anything needed in day-to-day operations, including customer information), do you centralize it on a server and back it up nightly to a remote location?
  • For important data (anything important to the business but that doesn’t get updated frequently), do you centralize it on a server and back it up semi-regularly off-site?

3. Desktop Security

  • Do all computers have working anti-virus software?
  • Do you have a security policy for downloading and installing new software?
  • Do you have passwords with a minimum of eight alphanumeric characters that are changed every 90 days?
  • Are all computers updated with the latest system updates and security patches?
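The checklist questions above are meant to be answered with evidence, not from memory. As an added example (not code from the original article), the script below audits the “changed every 90 days” part of the password question on a Linux host by reading records in /etc/shadow format. The sample records are constructed for the example and are not real accounts; the 90-day limit and the audit date are taken as assumptions from the checklist and the article’s date.

```python
"""Password-age audit for the 90-day rotation rule (added example).

Parses /etc/shadow-style records and reports accounts whose password is
older than the policy maximum, accounts with an empty password field, and
accounts whose last-change date is missing. Locked or no-login accounts
('*' or '!' prefixed hash) cannot authenticate with a password and are skipped.
"""
from datetime import date, timedelta

MAX_AGE_DAYS = 90                 # rotation interval from the checklist (assumption)
AUDIT_DATE = date(2015, 3, 3)     # date of the audit run (assumption: article date)
EPOCH = date(1970, 1, 1)          # shadow stores the last-change day as days since the epoch

# Constructed sample in /etc/shadow format:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$abc$hashhash:16400:0:99999:7:::
bob:$6$def$hashhash:16480:0:99999:7:::
svc_backup:*:16000:0:99999:7:::
carol::16480:0:99999:7:::
dave:$6$ghi$hashhash::0:99999:7:::
"""


def parse_shadow(text):
    """Return a list of {name, hash, lastchg} dicts from shadow-format text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; the real file always has nine fields
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        records.append({
            "name": name,
            "hash": pw_hash,
            "lastchg": int(lastchg) if lastchg else None,
        })
    return records


def audit_password_age(records, today, max_age_days=MAX_AGE_DAYS):
    """Return (account, finding) pairs for every record that fails the policy."""
    findings = []
    for r in records:
        if r["hash"] == "":
            # An empty field means no password is required at all.
            findings.append((r["name"], "empty password"))
            continue
        if r["hash"].startswith(("*", "!")):
            continue  # locked / no-login account
        if r["lastchg"] is None:
            findings.append((r["name"], "password change date unknown"))
            continue
        changed = EPOCH + timedelta(days=r["lastchg"])
        age = (today - changed).days
        if age > max_age_days:
            findings.append(
                (r["name"], f"password is {age} days old (limit {max_age_days})")
            )
    return findings


def run_sample_audit():
    """Run the audit against the constructed sample on the assumed audit date."""
    return audit_password_age(parse_shadow(SAMPLE_SHADOW), AUDIT_DATE)


if __name__ == "__main__":
    for account, finding in run_sample_audit():
        print(f"{account}: {finding}")
```

On a real host, read /etc/shadow as root and pass its contents to parse_shadow; the same findings list can be written to a file and kept as the evidence for the six-monthly audit in step 6.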

4. Internet and Network Security

  • Do you have a firewall and intrusion detection on all web connections?
  • Do you use a virtual private network for remote access?
  • Are all modem and wireless access connections known and secured?

5. Privacy and Sensitive Information

  • Have you restricted access to applications and information to those who need it? Do you periodically review access levels?
  • Is customer financial information encrypted and accessible only to those who need it?
  • Are paper files kept in locked filing cabinets with controlled access?

6. Audit

  • Do you do a periodic audit (every six months at least) of your IT security checklist?

These steps do not represent a comprehensive approach to IT security, but they will start you on the road to a more secure and reliable network. Remember, technology is evolving very quickly and the methods used to compromise networks are evolving just as quickly, so managing your cyber risk must be a dynamic and iterative process.

The Government of Canada has published a useful guide for small businesses which provides more information on how to protect your operations, systems and information. It is a very useful resource and it is available here.

Ivan McClelland

Other articles written by Ivan McClelland:
"No Risk, No Reward" - Identifying and Managing Risk Tolerance for Your Business