Get Cyber Safe Guide for Small and Medium Businesses
Know the Risks. Protect Yourself. Protect Your Business.
Protect while you connect.
Table of Contents
1 Introduction 2
2 Cyber Security Fundamentals 3
3 Management Issues 5
3.1 Security Awareness 5
3.2 Defining Roles and Responsibilities 6
3.3 Developing Policies and Standards 6
3.4 Cyber Security Planning 7
3.5 Budgeting for Cyber Security 8
4 Web Security 9
4.1 Protecting Personal and Business Information Online 9
4.2 Browsing the Web Securely 10
4.3 Social Media 11
4.4 Social Engineering 12
4.5 Software Security 13
4.6 Safe Hosting and Business Web Security 14
4.7 Malware 15
4.8 Authentication Best Practices 16
4.8.1 Passwords 16
4.8.2 Passphrases 17
4.8.3 Two-Factor Authentication 18
5 Point-of-Sale (POS) Security 19
6 Email Security 20
6.1 Spam 20
6.2 Phishing 22
6.3 Sending Email Securely 23
7 Data Security 25
7.1 Backup and Recovery Options 25
7.2 Cloud Security 27
7.3 Classifying and Labelling Sensitive Information 28
7.4 Handling Sensitive Information 29
8 Remote Access Security 30
8.1 Remote Computing Security Basics 30
8.2 Working From Home 31
8.3 Working While Travelling 32
9 Mobile Device Security 33
9.1 Tablets and Smartphones 34
9.2 Portable Data Storage 34
10 Physical Security 36
10.1 Employee Security 37
11 Getting Help 38
11.1 When to Ask for Help 38
11.2 Where to Get Security Safeguards 38
12 Appendices 39
12.1 Appendix A: Cyber Security Status Self-Assessment 39
12.2 Appendix B: Glossary 43
12.3 Appendix C: Canadian Cyber Security Sites and Contacts 45
12.3.1 Canadian Government Security Sites 45
12.3.2 Cyber Security Member Associations in Canada 46
1 Introduction

If you’re like most small or medium businesses in Canada, the Internet is an indispensable tool to succeed in today’s digital economy. Getting online allows you to reach new customers and grow your business. And even if you don’t have a website—or a Facebook page or Twitter account—you probably depend on the Internet for everyday business operations like banking, payroll or ordering supplies.
However, being online requires being safe and secure. As a small or medium business, it’s easy to think that you are too small to warrant the attention of cyber criminals. In fact, cyber criminals are now actively targeting smaller businesses because they believe their computers are vulnerable. This guide is designed to help Canadians who own or manage a small or medium business understand the cyber security risks they face, and provide them with practical advice on how to better protect their business and employees from cyber crime.
In other words, if you are a small or medium business owner, this guide is for you. Cyber security is a shared responsibility and, depending on how your business is structured, there are likely other people—co-owners, managers or employees—who should also be familiar with the information you’ll find in this guide.
You do not need to be a computer or Web expert to read or implement the measures in this guide. Although some cyber security terms are used, you can look up any terms you are unfamiliar with in the glossary at the end of this guide or online in the GetCyberSafe.ca glossary.
The self-assessment tool in Appendix A can help you determine where your business needs the most help.
If you are experiencing a serious cyber incident, contact the police, seek professional assistance and consult Appendix C of this guide for additional resources.
Cyber crime and smaller businesses
• Small and medium-sized businesses (i.e., businesses with fewer than 500 employees) employed 10 million people in 2012, nearly 90% of all employees in Canada.¹
• In 2012, 87% of Canadian businesses used the Internet, and 46% had a website.²
• The largest growth area for targeted cyber attacks in 2012 was businesses with fewer than 250 employees—31% of all attacks targeted them.³
• Over a 12-month period in 2012, 69% of Canadian businesses surveyed reported some kind of cyber attack, costing them approximately $5.3 million, or about $15,000 per attack.⁴
¹ Source: Key Small Business Statistics - August 2013, Industry Canada, http://www.ic.gc.ca/eic/site/061.nsf/eng/02805.html
² http://www.statcan.gc.ca/daily-quotidien/130612/dq130612a-eng.htm
³ Symantec 2013 Internet Security Threat Report, http://www.symantec.com/security_response/publications/threatreport.jsp
⁴ ICSPA report: Study of the Impact of Cyber Crime on Businesses in Canada, https://www.icspa.org/fileadmin/user_upload/Downloads/ICSPA_Canada_Cyber_Crime_Study_May_2013.pdf
2 Cyber Security Fundamentals

Cyber security is about protecting your information, which is often the most critical and valuable asset a business will own. Cyber security is based on three fundamental goals:
• Confidentiality: Any important information you have—such as employee, client or financial records—should be kept confidential. This information should only be accessed by people (or systems) that you have given permission to do so.
• Integrity: You need to make sure to maintain the integrity of this information and other assets (such as software) in order to keep everything complete, intact and uncorrupted.
• Availability: You should maintain the availability of systems (such as networks), services and information when required by the business or its clients.
Achieving and maintaining these goals is an ongoing process. Good cyber security involves the following:
1. Determining what assets you need to secure (essentially, anything of value managed or owned by your business).
2. Identifying the threats and risks that could affect those assets or your business overall.
3. Identifying what safeguards you should put in place to deal with threats and secure assets.
4. Monitoring your safeguards and assets to prevent or manage security breaches.
5. Responding to cyber security issues as they occur (such as an attempt to break into business systems).
6. Updating and adjusting safeguards as needed (in response to changes in assets, threats and risks).
The term threat refers to any potential danger to your business, its assets or employees. Threats can be natural, such as fire and flood. They can also be human in origin. In fact, human threats are becoming more common and require a lot of your attention.
The biggest challenge for your business is to define and prioritize assets, threats and the potential risk of those threats. Then, you have to apply appropriate safeguards. Safeguards are anything you can use to counter threats and reduce risk. These can be anything from software and hardware to policies and specific procedures (for employees or clients to follow). In many cases, a safeguard is made up of a combination of these elements.
The rest of this guide provides advice on how your business can set up a sound cyber security process, including identifying threats and risk, establishing safeguards and putting in place the management structures you need to keep your protections up to date.
Figure 1: The cyber security process cycle: Identify Assets; Evaluate Threats and Risks; Apply and Monitor Safeguards; Respond to Security Incidents; Make Adjustments if Needed.
3 Management Issues

Quick tips from this section:
• Develop and implement a cyber security plan that clearly outlines best practices for all employees.
• Assign at least one person to be responsible for your business’s cyber security, and make sure to give them clear instructions on what you expect from them.
• Determine what risks to your business are low-, medium- or high-level threats—this will help you prioritize.
• Make sure that employees understand why cyber security is important for them and your business.
• If you have any legal concerns about cyber security, don’t hesitate to consult with experts (e.g., legal counsel).
• Explain policies and standards to employees so that they will understand why you need them in place, to whom they apply and the risks to themselves or the company if they don’t follow them.
• It is easy to underestimate how much a proper cyber security plan can cost, so make sure to budget properly.
3.1 Security Awareness
Trying to keep up with cyber security can seem overwhelming. A good first step is putting in place a security awareness program.
A security awareness program is a way of keeping you and your staff informed about good cyber security practices. It can be very simple and readily developed by you or other employees. It should start with basic training for staff. Over time it should expand to include updates and reminders on policies, standards and best practices. Your security awareness plan can include a regular, scheduled review to update existing security measures for your business, including adopting new means of protection (both software and hardware) as needed.
Training and educating personnel is vital to having a strong cyber security system in place. Choose topics that are simple, focused and concise. Key messages should be repeated, but it is important to engage with personnel in multiple ways to avoid having your message ignored. For example, spam advice could be reinforced through emails, posters and staff meetings. You could even supplement this with periodic quizzes, contests and rewards to keep employees interested and involved.
3.2 Defining Roles and Responsibilities
You should put at least one person in your business in charge of cyber security. This person would be responsible for the following:
• Learning about threats, trends and security options.
• Planning, acquiring and implementing security safeguards.
• Helping other personnel understand cyber security best practices and policies.
• Enforcing cyber security best practices and policies with management support.
• Maintaining and updating the security safeguards used by your business.
Even with a clear person or group in charge of cyber security, their success within a business of any size relies on management support. The support you provide will depend on the size of the business, but some of the things all managers are responsible for include the following:
• Providing guidance to all employees on the importance of cyber security as part of operations, including policies to outline accountability for cyber security.
• Supporting and monitoring cyber security projects.
• Consulting with experts, such as legal counsel, for any external obligations such as provincial or federal law.
3.3 Developing Policies and Standards
The only way employees will know how to conduct themselves is if you put sound cyber security policies and standards in place.
A security policy is a document that explains what employees may or may not do with respect to cyber security. Internet use policies, social media policies and acceptable use policies are all examples of security policies. An acceptable use policy might state, “you may not connect a personal computer to the business network,” or “when accessing the business network from home, you must use the provided security tools.”
Cyber security policies do not need to be long or complicated. But they are essential in helping your employees understand their roles and responsibilities.
A standard is a document that explains how a specific task should be done. Standards most often apply to setting up and using technical systems. For example, a password standard would describe exactly what an acceptable password can or cannot include, how long it should be and how often it should be changed.
You’ll probably want to write your own cyber policies in-house as they need to be specific and may change over time. You will also most likely have certain areas that particularly concern you.
When developing and using cyber security policies and standards in your business, consider the following:
1. Begin with a comprehensive, but relatively simple, cyber security policy to clearly lay out key principles and rules for cyber security within your business.
2. Identify and adapt existing standards to deal with specific cyber security issues or technologies in the business, or write your own.
3. Explain policies and standards to personnel so that they will understand the rationale for rules, to whom they apply and any consequences for not following the policy.
4. After the initial cyber security policy and associated standards are in use, you may wish to revisit those and add more detailed, specific information such as those identified in the various sections of this guide. For example, details regarding the use of social media if your business uses a lot of it, or expectations and obligations regarding mobile security if a number of your staff are issued mobile devices.
3.4 Cyber Security Planning
A study in 2012¹ found that 83% of small and medium businesses do not have a cyber security plan in place. Developing a cyber security plan should be a priority for any business. A cyber security plan will identify what assets need to be secured, what threats and risks to focus on, and which safeguards to implement—all in order of priority.
Here are some steps to help you prepare a cyber security plan for your business:
1. Complete the simple Cyber Security Status Self-Assessment Tool in Appendix A of this guide. This will identify gaps and options in cyber security in your business.
2. Identify all business assets (such as computers and business information) and determine their importance and value to the business.
3. Discuss cyber security threats with employees or outside experts (as required) and determine which assets are at risk of harm if one or more of those threats occur.
4. Prioritize risks as high, medium or low.
5. With the help of employees or outside experts, determine what can be done to reduce those risks.
6. Evaluate the threats, risks and potential security safeguards and then decide what can and should be done to improve cyber security in the current year. Often one improvement can be planned in conjunction with another to help reduce overall costs. For example, if you are already setting up a network firewall, there may be options to help deal with malware or spam within the firewall.
7. Set attainable target dates for all identified cyber security tasks and security safeguards that you plan to purchase.
8. Identify resources that will be needed to implement the plan in the first year including people, time and money.
9. List any issues that may hinder your plan (such as a lack of personnel or budget).
10. Start implementing the plan.
11. Repeat Step 3, threat evaluation, at a minimum of once per year.
¹ 2012 NCSA/Symantec National Small Business Study.
Make sure to keep track of any changes in the plan and inform all affected parties (such as vendors) to avoid confusion. For example, if you have hired a security expert to help set up a firewall and find that spam has become a more urgent priority, you may need to adjust your plan either to focus on spam or to incorporate spam blocking within the firewall. You should also evaluate progress at every year-end and make any necessary adjustments. In most cases, a multi-year cyber security plan will need some updates each year to accommodate changing priorities and business capability.
While the process to develop a cyber security plan may seem daunting at first, remember that you can always revisit and expand your plan over time.
3.5 Budgeting for Cyber Security
Having an effective cyber security plan costs money and must be taken into account when drawing up your annual business plans and budgets. Fortunately, there are some free services, tools and advice available. Additionally, policies or internal documents can often be developed in-house at minimal cost.
But some key things, like security safeguards, will have to be purchased and may also involve annual subscription fees. For example, unlike software that you typically pay a one-time fee for, a subscription to anti-malware software might need to be renewed each year for a fee.
To avoid surprise expenses, it is best to allow for the following:
1. The first-time cost of any security tools, as well as upgrade or update fees.
2. Any support, consulting or training costs.
3. Contingencies.
Contingency funds are important to deal with unforeseen emergencies (such as malware infection).
In some cases, your insurance may cover losses due to a cyber security incident. It is important to discuss this with your insurance provider in advance.
4 Web Security

Quick tips from this section:
• Restricting the types of websites that employees are allowed to visit can help you exclude the sites that could compromise your network.
• Advise employees on what software is safe to install on their computers, and to seek permission when downloading new programs.
• When someone outside of your business requests any personal or business information, verify that they are a safe person to send the information to.
• Write an Internet Usage Policy for personnel to follow and post it in an accessible place for all to see and refer to.
• Set rules on what kinds of business information your employees can share online, and where.
• Create instructions on whether your employees should use their work email to sign up for social media sites and newsletters.
• Consider the implementation of a company social media policy, so that employees know what they should and should not post online.
• Update all of your business software when you receive notifications to do so, so that all security fixes are up to date.
• Require all of your employees to have complex passwords that have letters, numbers and symbols so they are harder for cyber criminals to steal.
• Always be suspicious of phone calls, emails or other communications from an unknown source.
4.1 Protecting Personal and Business Information Online
For their own security and the security of your business, employees should protect their personal and business information online. Personal and business information includes private or confidential details like full names, social insurance numbers, email and phone numbers, addresses, banking and other account information and passwords.
It’s important that all employees understand why protecting information online is important. Criminals who want to harm or steal from your business often begin by collecting personal or business information in order to gain access to your computer systems and confidential information.
Here are some simple tips for all employees:
• Only visit legitimate and trusted websites while using business computers or working with business information.
• Before providing personal information to anyone, verify that they are a trusted source (for example, a bank would not send out personal inquiries by email, so a call to the actual bank might be advised if such an email were received).
• If someone is seeking your personal information, ask why the information is required.
• If the answer does not seem satisfactory, do not provide it—or ask for their supervisor to get more details.
• Never remove or disable any security safeguards put into place on business networks and computers (such as anti-virus software).
4.2 Browsing the Web Securely
Research, collaboration, communication with clients, purchasing and many other business activities rely on the Internet. However, there are many threats to your business on the Web, starting with those encountered while doing a simple, everyday task: browsing.
Safe browsing involves a combination of security safeguards and practices. Here are some steps you can take to make sure that your business browses safely and securely:
1. Begin by writing and publishing an Internet Usage Policy that clearly explains to employees what they can and cannot do when using business systems to connect to the Internet. Examples of Internet Usage Policies can be found online.
2. Train your employees on the content of your Internet Usage Policy.
3. Encourage ongoing security awareness by regularly communicating with employees about safe browsing practices.
4. Explain to employees how to check the URL of websites they are going to visit to avoid visiting dangerous websites (see the tip box that follows).
5. Implement a site-rating tool as an extension to the browser on user computers (Figure 2). This will help employees identify safe websites.
Figure 2: A Sample Screen from a Site Rating Tool
How to identify suspicious links on Web pages
Hovering your cursor over a link will display the actual destination URL either in a small text box that appears temporarily over the link, or at the bottom of the browser window. Try this before clicking on a link and check for the following:
• If the linked text is a URL, compare it with the actual destination. Cyber criminals often use text like “Log in to www.mybank.com to update your account information,” but the actual destination is a lookalike site at another location such as www.myfakebank.com.
• Check for URLs that are similar to sites you know, but are slightly different (such as Goggle.com or Google1.com instead of Google.com). This technique is commonly used to trick people into false confidence when visiting sites. In many cases, the fake sites are made to look almost identical to the original it is copying.
• Always be suspicious of URLs you don’t recognize.
• Remember that images as well as text can be linked, so use the same caution clicking on images as you would with text.
• When in doubt, copy and paste the URL into a search engine to identify the site without visiting it.
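The two checks in the tip box (link text that names one site while the link goes to another, and a near-miss of a site you know) can be automated over a page's anchors. This is an added example, not code from the guide; the allow-list of known hosts, the two-edit threshold and the sample HTML are all constructed assumptions.

```python
"""Flag anchors whose visible text and real destination disagree, or whose
host is a near-miss of a site the business knows. Added example; the
allow-list and sample HTML below are constructed, not from the guide."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed allow-list of sites this (hypothetical) business recognises.
KNOWN_HOSTS = {"www.mybank.com", "www.google.com"}

# Matches something that looks like a hostname or URL inside link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Strip a leading 'www.' so www.google.com and google.com compare equal."""
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, known=KNOWN_HOSTS):
    """Return the known host that `host` imitates (within two edits), if any."""
    h = registrable(host)
    for k in known:
        kk = registrable(k)
        if h != kk and edit_distance(h, kk) <= 2:
            return k
    return None


def check_links(html, known=KNOWN_HOSTS):
    """One dict per anchor: href, visible text and the reasons it is suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        shown = URL_IN_TEXT.search(text)
        if shown:
            shown_host = host_of(shown.group(0))
            if registrable(shown_host) != registrable(target):
                reasons.append(f"text shows {shown_host} but link goes to {target}")
        imitated = lookalike_of(target, known)
        if imitated:
            reasons.append(f"{target} is one or two characters away from {imitated}")
        results.append({"href": href, "text": text, "reasons": reasons})
    return results


# Constructed page fragment reproducing the guide's two tricks.
SAMPLE_HTML = """
<p><a href="http://www.myfakebank.com/update">Log in to www.mybank.com to update your account information</a></p>
<p><a href="http://goggle.com/">Search the web</a></p>
<p><a href="https://www.google.com/">Google</a></p>
"""

if __name__ == "__main__":
    for r in check_links(SAMPLE_HTML):
        print(r["href"], "->", r["reasons"] or ["ok"])
```

Hosts that are neither known nor lookalikes are left unflagged here; the guide's "be suspicious of URLs you don't recognize" is a judgement for the reader, and turning it into an alert on every unlisted host would drown the two useful findings in noise.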
4.3 Social Media
Social networking sites like Facebook, Twitter and LinkedIn can be powerful tools for your business to reach potential customers and build stronger relationships with clients. However, social networking sites and services are becoming an increasingly popular way for cyber criminals to try to get your personal or business information to hack into your personal or business computer systems.
If your business uses social networking sites for marketing or professional purposes, you will need to choose one or more employees, and allow only them to post content in your business’s name.
Social networking should be addressed in your business’s Internet Usage Policy, with clear advice to employees. Here are some social networking issues that you should consider:
• Be clear on what information about your business can be posted and who is authorized to do so.
• Refrain from including sensitive business information in the business profile or your posts.
• Be careful using applications on social networking sites. Many of these come from third parties and may not be secure. Always check on the application provider first.
• When communicating through social media, be suspicious of any messages that are asking for sensitive business information or about employees and their families.
• Think before you post! What you post to social media sites is generally permanent. You may someday change your mind about what you said online, but you can’t remove or change it.
While at work, your employees are also likely to use social media for personal reasons, whether to connect with friends and family or keep up with news and events. It is important that employees follow similar guidelines to protect their own information when social networking as well as your business’s networks and devices.
Here are some additional tips for employees when using social media for personal purposes:
• Criminals are interested in the information you post. To help your business stay safe, make sure you use the site’s privacy controls and ignore requests from people you don’t know.
• Review and stay up to date with the social networking site’s privacy policies (most are updated frequently) and adjust personal privacy settings appropriately.
• Never reveal your precise location online.
4.4 Social Engineering
Social engineering is when a cyber criminal manipulates someone in order to obtain information about a business or its computer systems.
Cyber criminals use social engineering to gather the information they need to commit fraud or gain access to computer systems. They will seem earnest and respectable. They may even tell you that they have a legitimate connection to your business (for example, as a client or through another business) and offer “proof.” Some will impersonate the government. They will often ask for information such as phone numbers or account information, or ask that you open emails with attachments or visit specific websites. Only later do victims realize that these claims were a confidence trick and that they have been manipulated.
These tactics are popular because they work. It is important for you to verify who people are before you give them any personal or business information.
Be aware. Protect your business and employees by advising employees to do the following:
• Be suspicious of any phone calls, visits or email messages from individuals asking about employees, their families and sensitive business matters. This should be reinforced as part of an ongoing security awareness program.
• Ask anyone making unusual inquiries to verify their identity with official documentation. When in doubt, ask a supervisor or a colleague for help.
• Follow email, social networking, browsing and other safe practices (as described throughout this guide), and always protect personal information online.
• Always report any suspicious activity, including social engineering attempts, to a supervisor. This is especially important if you think that your business has been compromised.
• If your business may have lost or revealed sensitive information as part of such an incident—or if there is a suspicious pattern of inquiries—determine what assets may be at risk and take action to further safeguard them. For example, if there is reason to believe your business banking information may have been obtained, contact your bank immediately and ask for assistance in protecting your accounts.
• Consider reporting the incident to the police.
• Contact the Canadian Anti-Fraud Centre and ask for advice or file a report.
4.5 Software Security
Your business’s cyber security is only as good as the software you use. In fact, if you make all of your software secure, a large number of security threats will be reduced or resolved.
Software can include the following:
• Desktop applications (apps).
• Mobile device apps.
• Web server and related software.
• Operating Systems (OS) and more.
Software can have issues (usually known as “bugs”) that can make it insecure. These bugs can be exploited by attackers and allow them to access your information. Sometimes, software will also carry malicious software—commonly referred to as malware.
Apply security updates to your software as soon as they are available from the developer.
Tips to maintain software security:
• Only use legitimate software that has been tested and used by others. This can include software from known vendors or independent software developers who may even provide the software for free.
• Do not use unauthorized versions of software illegally downloaded through online file-sharing systems as it is often infected with malware. Illegally copied software is not supported by developers, which means that your business cannot expect any sort of technical support if you experience problems.
• Limit access to shared applications only to those who genuinely need it. Sometimes this is done in the software itself and sometimes through the operating system.
A big part of cyber security involves being alert to things that seem to be “out of the ordinary.” Your employees should always feel that they can report security questions, concerns or observations to someone in authority (technical or business) who will listen, document what occurred and take appropriate action.
• Minimize the number of employees with administrative privileges to software, especially important applications and security safeguards. This will make your business less vulnerable to internal error or external attack. Many attackers target user accounts with administrative privileges because it gives them a high level of control over software and systems.
• Most importantly, apply security updates (patches) to your software as soon as they are available. Some software update notices are automated, but for others you will need to check the vendor’s website regularly.
4.6 Safe Hosting and Business Web Security
If your business’s website is not properly secured it could be easily compromised, which could lead to vandalism, disruption of service, or the theft of business or client data. All of these can have severe consequences.
Websites vary from business to business, but there are some basic tips to follow:
1. If hosting your website(s) internally on servers belonging to your business:
   • Restrict access to authorized employees only.
   • Apply all available and relevant patches to the Web server operating systems, and any other software that is running, to help resolve any known issues.
   • Implement regular backups of your business systems to a server at a separate location.
   • Turn on server logging and have whoever is in charge of the server(s) review those logs regularly and keep an eye out for suspicious activity.
2. If your business uses a Web hosting service, make sure they have a security plan and that they:
   • Scan their Web servers and your website for potential issues and then fix those issues to further protect the server and your site.
   • Monitor your website (and any systems) for intrusion or attempted vandalism.
   • Protect your website from intrusion and disruption.
   • Will restore your site to service in the event of a failure or disruption by cyber criminals.
3. Do not post any personal emails on your business website as spammers and others will use them (e.g., for phishing) [email protected] or [email protected].
4. Be prepared in case your business website is compromised. You may need to reduce service, switch to a backup server or service provider, or even take your site offline temporarily. Consider all of this before a security incident takes place so everyone in the business knows what needs to be done.
4.7 Malware
Malicious software (malware) is any software created and distributed to cause harm or steal information. Malware is designed to hide within the operating system and avoid security safeguards. It may be impossible for you to detect or remove without specialized tools or expertise. Malware exists for all of the information processing systems that may be in use in your business, including desktop computers, laptops, smartphones and tablets.
The most common type of malware is the virus. A virus is software that can copy itself from one system to another, infecting each computer along the way. Once a virus has infected a business system it can delete or corrupt your files, steal data or even (in rare cases) damage hardware. Viruses can originate as email attachments, website downloads or on infected disks shared between users.
Many other types of malware exist but all share the same objective: to capture and steal sensitive information (e.g., passwords) and transmit this information back to its originator without the knowledge of the system user.
Use anti-malware software to scan all incoming files and block anything suspicious or that is embedded with malware.
While dealing with malware can be challenging, you can counter a lot of these threats with anti-malware software that scans incoming files (e.g., email attachments) and blocks files if they are suspicious or confirmed to include malware. The same software will scan for infections that may already exist, warn users and provide clean-up options. Some malware cannot be removed without the help of a security expert. Prevention is always best. Install your malware safeguards before you get infected.
Most anti-malware software today covers all the types of malware described in this section, but some are still referred to as “antivirus software.” Before buying or using anti-malware tools, check what types of malware it addresses and find out how often the software is updated. The more frequent the updates, the better, as new malware appears hourly.
Your business may also need a firewall to help block connection to malicious websites and to stop some forms of malware before they are downloaded or brought in with emails.
Implementing anti-malware software and a firewall is a great first step toward strengthening your business’s cyber security. Good employee habits are also essential. All employees need to be provided with security awareness training and policies that explain their responsibilities. For example, they should be warned that they are not allowed to tamper with or disable security safeguards, including anti-malware software.
Here are some things you should tell your employees to look out for:
• Watch for warnings on websites or emails that have been flagged as potentially dangerous.
• Report (e.g., to a supervisor or technical support person) any alerts from the anti-malware software in their work computer—including alerts that indicate that the software is out of date or has identified a suspicious file.
• Never forward suspicious emails or files to others in your business.
4.8 Authentication Best Practices
Authentication is a security practice designed to verify that a user is who they claim to be, prior to granting them access to specific systems or services that your business uses.

4.8.1 Passwords

Passwords are widely used to protect access to business information and online tools, but if employees are not careful, others can use their passwords to access crucial files and information.
There are several common problems with the use of passwords in businesses:
• Employees write their passwords down and post them in places where others can copy them—or they simply share their passwords with others. In both cases, the loss of control over that password makes it impossible to guarantee that the person accessing systems is actually authorized to do so.
• Employees use weak, easy-to-guess passwords, making it possible for others to gain access to sensitive systems or information.
• They re-use the same password across multiple systems or services so that if one is compromised, all are at risk.
• They do not change their password regularly.
Have a strong password policy that identifies what rules apply to passwords used in your business. The following guidance should be included in that regard:
• Avoid common words such as “password” or “login.”
• Avoid simple sequences of numbers such as “1234.”
• Avoid easy-to-guess personal names such as a child’s first name.
• Create passwords that are at least eight characters in length—the more characters that are used, the more secure passwords will be.
WebSecurity
17GetCyberSafe Guide for Small and medium buSineSSeS
• Create strong passwords by including a combination of the following:
  • Uppercase letters.
  • Lowercase letters.
  • Numbers.
  • Special characters (e.g.: !, $, #, or %).
Explain to your employees that strong passwords are important to the security of the business, and that they should do the following to protect their password:
• Keep their passwords confidential.
• Change their passwords regularly. Your business should require employees to change their login passwords every three months.
• Avoid use of the same password for multiple accounts or systems.
Alternatively, you could consider using a password manager (a program that generates and stores random passwords) that creates even stronger passwords for employees to use.
4.8.2 Passphrases
If you need enhanced security, consider using a passphrase instead of a password. A passphrase is a whole sequence of words. For example, instead of the password “Mypassw0rd,” the passphrase “!mgladMypassw0rdisgr8!” would be much harder to guess.
A passphrase that is an acronym reduces the number of keystrokes involved. For example, “I am so glad I went on vacation in January as I love the sun!” would become “IASGIWOVIJAILTS!” Even this kind of acronym is more secure than a regular password as it is longer, more complex and unpredictable, making it very hard to guess—even with the software tools that cyber criminals use.
There are a number of free tools online that you can use to demonstrate the relative strength of passwords. While different tools may yield slightly different results, trying several will give a good indication of the strength of your chosen password.
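The password rules from 4.8.1 and the acronym passphrase from 4.8.2, turned into a small policy checker and strength estimate. This is an added example, not code from the guide; the sample name list, the "at least three of four character classes" rule and the pool-size entropy model are this example's assumptions.

```python
import math

# Added example, not code from the GetCyberSafe guide. It encodes the password
# rules from sections 4.8.1 and 4.8.2: minimum length, banned common words,
# simple digit sequences, personal names, and a mix of character classes.
MIN_LENGTH = 8
COMMON_WORDS = ("password", "login")      # from the guide; extend with your own list
PERSONAL_NAMES = ("emma", "liam")          # constructed sample of names to block
SPECIAL_POOL = 33                          # printable ASCII punctuation characters


def has_digit_sequence(text, run=4):
    """True if `text` contains `run` consecutive ascending digits, e.g. '1234'."""
    for i in range(len(text) - run + 1):
        window = text[i:i + run]
        if window.isdigit() and all(
            int(window[j + 1]) - int(window[j]) == 1 for j in range(run - 1)
        ):
            return True
    return False


def character_classes(password):
    """Which of the four character classes the guide lists are present."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }


def check_policy(password):
    """Return the policy rules the password violates; an empty list means compliant.
    The guide asks for "a combination" of character classes; requiring at least
    three of the four is this example's assumption."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common word such as 'password' or 'login'")
    if has_digit_sequence(low):
        problems.append("contains a simple number sequence such as '1234'")
    if any(name in low for name in PERSONAL_NAMES):
        problems.append("contains an easy-to-guess personal name")
    if sum(character_classes(password).values()) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def acronym_passphrase(sentence):
    """Build the acronym the guide describes: first letter of each word, upper-cased,
    keeping trailing punctuation such as the final '!'."""
    out = []
    for word in sentence.split():
        first = next((c for c in word if c.isalnum()), "")
        out.append(first.upper())
        if word and not word[-1].isalnum():
            out.append(word[-1])
    return "".join(out)


def estimate_entropy_bits(password):
    """Rough brute-force strength: length * log2(size of the character pool used).
    Online strength meters use different models, so treat this as a relative figure."""
    classes = character_classes(password)
    pool = (26 * classes["upper"] + 26 * classes["lower"]
            + 10 * classes["digit"] + SPECIAL_POOL * classes["special"])
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    sentence = "I am so glad I went on vacation in January as I love the sun!"
    for candidate in ("password1234", "Mypassw0rd",
                      "!mgladMypassw0rdisgr8!", acronym_passphrase(sentence)):
        print(f"{candidate!r:26} {estimate_entropy_bits(candidate):6.1f} bits  "
              f"{check_policy(candidate) or 'policy OK'}")
```

Note that “Mypassw0rd” passes every rule yet scores far below the two passphrases: a policy sets a floor, and length does most of the work above it.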
Figure 3: Passphrase Strength Example
4.8.3 Two-Factor Authentication
Two-factor authentication (2FA) is a security practice that adds another means of identification, which can make a business system much more secure.
The first factor is something the person knows (e.g., a password) and the second factor is something additional to be used in confirming the person’s identity. The second factor can be something the user always has (e.g., their fingerprint, which is now used at many border crossings) or something they temporarily have, such as a one-time password (OTP). Unlike a regular password, an OTP cannot be guessed and as the name suggests it cannot be re-used either.
An OTP is generated by the user with either a secure app (e.g., on their smartphone) or a dedicated hardware device (often called a token). Either is portable and can be used as needed. In combination with a regular username and password, an OTP greatly enhances authentication security.
It is strongly recommended that you implement two-factor authentication in your business, especially with respect to the protection of critical systems and information. You can often start implementing two-factor authentication with simple services, such as webmail and some banking, to get a sense of how it works and then expand its use as your time and budget allow.
Figure 4: An Example of an OTP Showing that it Will Expire in 17 Seconds
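How the expiring OTP in Figure 4 is produced and checked: the time-based scheme (RFC 6238 over RFC 4226 HOTP) used by authenticator apps and hardware tokens, plus a server-side check that refuses a code that has already been used. This is an added example, not code from the guide; the shared secret is the published RFC test value and the replay-tracking verifier is this example's own design.

```python
import hashlib
import hmac
import struct
import time

# Added example, not code from the GetCyberSafe guide. It implements the
# time-based OTP scheme (RFC 6238 over HOTP, RFC 4226) that authenticator apps
# and hardware tokens use, and a server-side check that refuses re-used codes.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=STEP_SECONDS, digits=DIGITS):
    """TOTP (RFC 6238): the counter is the number of whole time steps since the epoch."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now) // step, digits)


def seconds_remaining(at_time=None, step=STEP_SECONDS):
    """How long the current code stays valid (the countdown shown in Figure 4)."""
    now = time.time() if at_time is None else at_time
    return step - (int(now) % step)


class OtpVerifier:
    """Server side of the second factor. A code is accepted for the current time
    step (plus `window` steps either side for clock drift) and never twice."""

    def __init__(self, secret, step=STEP_SECONDS, digits=DIGITS, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1   # highest counter already consumed

    def verify(self, code, at_time=None):
        now = time.time() if at_time is None else at_time
        step_now = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            step = step_now + delta
            if step <= self.last_accepted_step:
                continue                # replay of an already-used (or older) code
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False                    # wrong code; the caller should also rate-limit attempts


if __name__ == "__main__":
    # Shared secret from the RFC 4226/6238 test vectors. A real deployment generates
    # a random per-user secret and shares it with the app or token once, securely.
    secret = b"12345678901234567890"
    print("code now:", totp(secret), "expires in", seconds_remaining(), "s")
```

The 6-digit code is still only a six-digit space, which is why the verifier keeps a narrow time window, rejects replays and expects the login path to limit guesses.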
5 Point-of-Sale (POS) Security
Quick tips from this section:
• Make sure your POS system is behind a firewall.
• Set up strong encryption for all transmitted data.
• Do not use the default username and password provided by the manufacturer.
• Limit access to client data to those employees who absolutely need it.
• Ensure that all anti-malware software is up to date, as frequent security updates occur to fight new types of malware.
• If you have any concerns with the security of your POS system, contact the POS service provider.
It’s likely that your business relies on electronic point-of-sale (POS) systems for processing financial transactions. Customers have come to expect the convenience of POS for instant debit or credit card transactions, making it essential to your business.
Your POS systems can be another way to access your computer networks, and it is extremely important to protect them. Cyber criminals can hack into POS systems to steal payment card numbers and the associated personal identification number (PIN), which they can then use to access your customers’ accounts.
There are steps you can take to improve POS security to help safeguard your customers and your business:
• Ensure that your POS system is behind a firewall. A firewall is a security control, which is used to restrict incoming and outgoing network traffic. Your Internet Service Provider (ISP) may include a firewall with the router or other hardware or software that they provide you, but it is important to check. If they don’t provide one, you will need to purchase one.
• Set up strong encryption for the transmission of all data (e.g., cardholder data) between your POS system and the POS service provider. The service provider should implement this by default. Ask your POS service provider or a cyber security consultant (with POS experience) for help if you are not sure what to do.
• Do not use the default username and password for your POS system (which will have been shipped with it). Cyber criminals will use those credentials to gain access to your system. Instead, set up a new username and password that is unique to your business.
• Always limit access to client data only to those employees who have a need to access it and are authorized to do so.
• Keep anti-malware software up to date.
6 Email Security
Quick tips from this section:
• Implement a spam filter—doing so will help you get rid of most potentially harmful emails sent by cyber criminals.
• You should not click on any unverified or suspicious links—even just clicking a link could give away sensitive information that a cyber criminal can use to hurt you and your business.
• Keep your employees’ emails and information confidential, as information on any member of your business can be used to hurt employees or your business.
• Enable HTTPS, which encrypts data and essentially makes it impossible for cyber criminals to access the information in your browser, for Web-based email.
• Set strict password standards for all email accounts (business or personal) being used at work.
• When possible, use generic emails ([email protected]) for email addresses that are posted in public places (such as on your website or on social media).
• Do not forward potentially harmful emails to other employees.
A number of security concerns have developed with the universal adoption of email, including spam, phishing and the non-secure exchange of confidential information. These are all things that could have a negative effect on your business.
6.1 Spam
Spam is email that has been sent without the permission or request of the person it has been sent to. Spam represents approximately 69% of all email sent over the Internet.1 Not only can spam contain links that, if clicked on, could harm your business, but spam can slow down your networks, servers and computers, increasing costs and reducing productivity.
Spam is used widely to:
• Sell you a product or service (much like telemarketing, but by email) and make you visit an unsafe website, leading to the download of malware onto your computer.
• Convince you to disclose confidential personal or business information (such as passwords).
1 http://www.symantec.com/security_response/publications/threatreport.jsp
How to identify potential spam
Here are some ways you can identify potential spam:
• If you don’t recognize the sender, treat it with caution.
• Look for misspelled words in the body of the email. This is a trick fraudsters use to bypass spam filters (see the explanation to follow).
• Look for unusual phrasing in the message, which may suggest that the author is not legitimate.
Always be suspicious of emails that contain the following:
• Offers that sound too good to be true.
• Requests that you click on a link in the message.
• Requests for your personal information.
Spam is annoying and potentially harmful to your business. But there are some ways you can deal with it:
• Implement a spam filter that will block most spam and only allow legitimate and acceptable emails to get to you. If your business is using email hosted by another company, ask them about what spam filtering services they offer. If it is not working well, ask for a better spam filter or change email service providers.
• Keep your employee email list confidential. If you need to share an email address with someone outside of your business, use a generic email, [email protected].
• Develop a basic set of email guidelines for your employees and make sure all employees read and apply them. These should include the following:
  • Never click on the links that are included in spam—even if they are offering to remove you from their distribution list. This is a common trick they use to get people to visit dangerous websites.
  • Never open attachments in spam or suspected spam messages.
  • Do not write to the spammer for any reason, even if it is to complain. Doing so will only confirm that your email address is valid and will actually result in more spam.
  • Delete spam if you are certain it is not legitimate. If you are uncertain about what to do, ask a supervisor or technical support person for help. Generally, if your business does not have a technical support person available, it is best to contact the email service provider. In the worst cases, if you suspect there is a significant risk to your business, you should contact the authorities as listed in Appendix C.
6.2 Phishing
Phishing is a specific kind of spam that targets you by simulating a legitimate message from a bank, government department or some other organization, in an attempt to get you to give up confidential information that can be used for criminal purposes.
Often these messages are written to seem helpful or will offer “good news” (Figure 5) so that you will be more likely to trust the sender and follow instructions in the email. In other cases they try to incite fear and get you to send a reactionary reply (e.g., “...your bank account is being closed. Click here to take urgent action.”)
Because these messages often appear to be from real organizations—possibly using real logos and familiar colours, layout and fonts—it can be hard for you to recognize them as illegitimate. In almost every case, the message will include a website URL (link) that they want you to click and a request or demand for confidential information.
What to do with potentially criminal email
If you receive offensive, abusive or potentially criminal email (whether or not it seems to be spam)—or if you think you are being asked for confidential information by criminals—you should save the message (do not email it to others) and contact your supervisor or IT support personnel. You may be asked to provide a copy of the message to help the authorities with any subsequent investigation, which is why you should not delete it unless told to do so. See Appendix C for more information on who to contact.
Figure 5
1 http://www.cra-arc.gc.ca/ntcs/nln-rfnd-eng.html
Strategies for dealing with phishing should align with your business’s approach to spam and should begin with spam filtering. All of your employees should be alerted to this issue and understand that any apparent phishing emails containing personal information on employees might need to be reported to the Canadian Anti-Fraud Centre.
Some additional tips to give employees on phishing:
• Do not answer suspicious emails or provide any confidential information requested in emails even if they appear legitimate. If uncertain, speak to a supervisor.
• Do not click on any links in suspicious emails.
• Do not forward the email to others. If you need to show it to a supervisor, ask them to come and see it on your screen or print it out.
• If a suspicious email appears to be from a recognized organization or client, contact the legitimate client or organization through another means of communication (e.g., by phone) and ask if they sent such an email.
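The warning signs listed in 6.1 and 6.2 (unknown sender, a link to click, a request for personal information, fear or "good news" lures, misspellings) as checks that run over raw messages, so a small business can see how a filter scores the "refund" and "account being closed" examples. This is an added example, not code from the guide; the addresses, domains, messages and the three-sign threshold are constructed for it.

```python
import email
import re
from email import policy

# Added example, not code from the GetCyberSafe guide. It turns the warning signs
# from sections 6.1 and 6.2 into checks over raw messages. The addresses, domains
# and messages below are constructed for the example.
KNOWN_SENDERS = {"orders@trusted-supplier.example"}
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)
INFO_REQUEST_RE = re.compile(
    r"\b(password|pin|account number|card number|social insurance number)\b", re.IGNORECASE)
PRESSURE = ("urgent", "immediately", "being closed", "will be suspended")
TOO_GOOD = ("you have won", "prize", "eligible for a refund", "claim your")
MISSPELLINGS = ("recieve", "acount", "verfy", "securty")   # tiny list for illustration
SUSPICIOUS_AT = 3   # assumption: three or more signs means hand it to a supervisor


def sender_address(msg):
    """Bare address from the From header, lower-cased ('Name <a@b>' -> 'a@b')."""
    header = msg.get("From", "")
    match = re.search(r"<([^>]+)>", header)
    return (match.group(1) if match else header).strip().lower()


def message_text(msg):
    """Subject plus the text/plain body (HTML-only mail falls back to the raw payload)."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else msg.get_payload(decode=False)
    return f"{msg.get('Subject', '')}\n{text}"


def warning_signs(raw_message):
    """Return the list of signs from the guide that this message shows."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    text = message_text(msg)
    low = text.lower()
    signs = []
    if sender_address(msg) not in KNOWN_SENDERS:
        signs.append("sender not recognized")
    if LINK_RE.search(text):
        signs.append("asks you to click a link")
    if INFO_REQUEST_RE.search(text):
        signs.append("requests personal or confidential information")
    if any(phrase in low for phrase in PRESSURE):
        signs.append("tries to create fear or urgency")
    if any(phrase in low for phrase in TOO_GOOD):
        signs.append("offer that sounds too good to be true")
    if any(word in low for word in MISSPELLINGS):
        signs.append("misspelled words")
    return signs


def triage(raw_message):
    """'suspicious' when enough signs stack up, otherwise 'ok'."""
    return "suspicious" if len(warning_signs(raw_message)) >= SUSPICIOUS_AT else "ok"


# Constructed samples: a "good news" refund lure, a fear-based lure, and a normal message.
REFUND_LURE = """From: "Refund Office" <notice@refunds-portal.test>
To: owner@smallbiz.example
Subject: Good news: you are eligible for a refund

Claim your refund here: http://refunds-portal.test/claim
Enter your account number and password to recieve the payment.
"""

CLOSURE_LURE = """From: "Bank Security" <alerts@bank-alerts.test>
To: owner@smallbiz.example
Subject: Your bank account is being closed

Click here to take urgent action: http://bank-alerts.test/login
"""

LEGITIMATE = """From: "Trusted Supplier" <orders@trusted-supplier.example>
To: owner@smallbiz.example
Subject: Order 4412 shipped

Your order shipped today. The packing slip is in the box as usual.
"""

if __name__ == "__main__":
    for name, raw in (("refund", REFUND_LURE), ("closure", CLOSURE_LURE), ("supplier", LEGITIMATE)):
        print(f"{name:9} {triage(raw):11} {warning_signs(raw)}")
```

A real filter weighs many more signals and checks the sending domain's authentication records; these checks only make the guide's list concrete, and a message that scores "ok" still deserves the phone-call verification described above.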
6.3 Sending Email Securely
Phishing and spam are two issues associated with your incoming mail, but what about the security of your outgoing email?
As email often contains sensitive and confidential information, and is relatively easy to compromise, you need to implement appropriate security measures to:
• Make sure that only authorized employees can send emails from your business.
• Maintain the confidentiality of your messages or email attachments until delivered to the intended recipient.
• Archive your sent email for future reference (e.g., in case of an investigation or for financial or legal reasons).
Once criminals have access to a legitimate account in your business, they can use it to get the contact information associated with that account, send out spam, launch phishing attacks and more. Enable the security protocol HTTPS for all communication between business computers and webmail servers. This will help to maintain email confidentiality.
Your business should choose a single email service for your business to help you simplify security measures. Security should be one of the key criteria in selecting an email service. If you use a webmail service, enable the security protocol HTTPS (Figure 6) for all communication between business computers and the webmail servers. HTTPS will encrypt all emails you send and receive, which will help to maintain message confidentiality.
Develop email guidelines for employees that include the following:
• Always follow the company’s password standard, including the use of a strong password for email whether the account is inside the business or hosted as webmail. This is important with webmail services, as they are more accessible for cyber criminals who will use compromised accounts for other criminal activities (such as emailing spam).
• Use the recommended security and privacy settings in the Web browser or email client software unless the person responsible for cyber security in the company tells you to change them. The security features built into those applications are there to protect the business. (In your business, it is possible that your employees set up their own email software. If that’s the case, it is best that they follow the security recommendations of the browser or email client developer).
• Before sending emails or attachments that contain sensitive information, always ask yourself: “Could the unauthorized disclosure of this information cause serious harm to me or my business?” If the answer is “Yes,” then use another more secure method.
• If there is a need for you to send potentially sensitive information outside of the business, ask the recipient to verify that they received it. Also, encrypt attachments (e.g., Word documents) before sending them over the Internet. See Figure 7.
Write and follow an email retention standard appropriate for your business and any provincial or federal legislation. For example, if your business is required to keep client records for seven years—and you communicate with clients by email—then you need to maintain email archives for at least seven years. This can be done by backing up your email to an internal storage system or by arranging scheduled backups with your email service provider. If you are not sure how long you need to keep emails, check with your lawyer, accountant or another responsible party to confirm any requirements. Once email archiving is set up you will be ready if called upon to provide older emails.
Figure 6: HTTPS is enabled
Figure 7: Encrypting an Attachment
7 Data Security
Quick tips from this section:
• Frequently back up your data to an external hard drive, server and/or online service—having multiple backups of your data is key in case of the failure of one of them.
• Download or purchase automatic backup software to ensure timed backups of your system(s).
• Store your physical backups (e.g., external hard drive) off-site in a safe place.
• Have emergency system boot DVDs or USB sticks prepared in case of a system crash.
• Properly label any sensitive information you have to ensure secure handling.
• When disposing of your data, thoroughly destroy it—shred all paper and CDs—so that no information could potentially be gathered and used to harm you.
7.1 Backup and Recovery Options
A backup plan is essential for your business. Without one, your business will risk losing critical information (such as client records) and services (such as payment processing). Such losses can hurt your operations, damage your reputation, result in legal action or even cause the failure of your business.
Backups are used to restore lost or damaged files. Backing up data will help ensure that your business is able to recover quickly and completely when a system crash, data corruption or other setback occurs.
There are several options you can use for backup and recovery, including the following:
1. Portable or desktop USB hard drive: This is a good place to start if your business only has a few computers. You can provide one drive for each computer or share one for up to three systems. Backup software will allow you to automate this process and track changes to your data between backups. The same software will allow you to restore anything from a single file to the entire system.
2. Server: If your business has a Local Area Network (LAN), data should be stored on your server and backed up from there. Server backups can be completely automated and run as often as needed.
3. Online: Another option involves backing up your data to the Internet. Backup and restoration service providers will maintain copies of your business data. Online backups might not be suitable for:
  • Your highly valuable or sensitive data.
  • Storage of private data on behalf of Canadian clients or patients—especially since many online backup service providers operate outside of Canada.
  • Restoring your data quickly, as local backups are typically faster.
  • Guaranteed on-demand data restoration, since the Internet can go down.
  • Continuous or very frequent backups, which can overwhelm your Internet connection and prevent other work.
Best practices when backing up or restoring information:
• Have a plan and begin your backups as soon as possible. Start by backing up all files and folders that may be of value. This is often referred to as a “full” backup and it sets a foundation for future backups. After this, you will only need to back up new or modified files and folders.
• Back up your data regularly, whether it is daily, hourly or as appropriate for your business.
• Choose a backup application with automatic and continuous backup to make sure that your backups are completed.
• Keep copies of your backups in a secure location off-site. The idea is to protect the backups from theft or a disaster (such as fire). If an off-site location such as a bank safety deposit box is impractical, consider getting a small fire-resistant safe. Ensure off-site backups are kept up to date.
• Always include system and software settings as part of your backups.
• Have emergency boot discs or USB sticks ready in case of a system crash and keep at least one copy off-site with other important backups.
• Test your backups periodically by recovering an important file, folder or even a whole drive. When there is time, at least once a year, also do a complete system restoration to a “test” computer (e.g., not a computer that is in use by your business) to make certain that your business can use the backups on hand to perform a complete system recovery in the event of a disaster.
Things to think about when developing your backup plan:
• What do you need to back up? Build a list of your critical files and where they are located and you will know what you need to back up.
• How often do you need to back up? Some data may change infrequently while other files change all the time. If the information is important, back it up as often as you need, which may be once a day, hourly or even more frequently.
• How long should you keep backups? You may only need to keep the most recent backups, or you may have legal or contractual obligations to keep some data for specific periods—possibly years. Check with your lawyer, accountant or another responsible party to confirm the requirements.
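The backup practices above in miniature: a first "full" backup, later runs that copy only new or modified files, and a test restore to a separate directory that is verified file by file. This is an added example, not code from the guide or from any backup product; the manifest-of-hashes design and the sample files are this example's own.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Added example, not code from the GetCyberSafe guide. It shows the backup
# practices from section 7.1 in miniature: a first "full" backup, later runs that
# copy only new or modified files, and a test restore verified file by file.
CHUNK = 64 * 1024


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(source):
    """Map each file under `source` (relative path, '/'-separated) to its SHA-256;
    content, not timestamps, decides what counts as modified."""
    manifest = {}
    for root, _dirs, files in os.walk(source):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def backup(source, dest):
    """Copy files whose content changed since the last run into dest/files and
    record the new manifest. With no manifest yet, every file is copied (full backup).
    Returns the relative paths copied. Earlier copies are kept, so deleting a file
    from `source` does not remove it from the backup."""
    os.makedirs(os.path.join(dest, "files"), exist_ok=True)
    manifest_path = os.path.join(dest, "manifest.json")
    previous = {}
    if os.path.exists(manifest_path):
        with open(manifest_path, encoding="utf-8") as fh:
            previous = json.load(fh)
    current = scan(source)
    copied = []
    for rel, digest in sorted(current.items()):
        if previous.get(rel) != digest:
            target = os.path.join(dest, "files", rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(source, rel), target)
            copied.append(rel)
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(current, fh, indent=2, sort_keys=True)
    return copied


def restore(dest, target_dir):
    """Rebuild the latest backed-up state into `target_dir` (the guide's "test"
    computer) and return the files whose restored content does not match the manifest."""
    with open(os.path.join(dest, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    mismatches = []
    for rel, digest in manifest.items():
        out = os.path.join(target_dir, rel)
        os.makedirs(os.path.dirname(out), exist_ok=True)
        shutil.copy2(os.path.join(dest, "files", rel), out)
        if sha256_of(out) != digest:
            mismatches.append(rel)
    return mismatches


def demo():
    """Full backup, a change, an incremental backup, then a verified test restore.
    Runs in a throw-away directory with constructed sample files."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    source, dest, test_pc = (os.path.join(work, d) for d in ("office", "backup", "test-pc"))
    os.makedirs(os.path.join(source, "clients"))
    with open(os.path.join(source, "clients", "records.csv"), "w", encoding="utf-8") as fh:
        fh.write("id,name\n1,Constructed Client\n")
    with open(os.path.join(source, "invoices.txt"), "w", encoding="utf-8") as fh:
        fh.write("invoice 1001\n")
    first = backup(source, dest)           # full backup: both files
    with open(os.path.join(source, "invoices.txt"), "a", encoding="utf-8") as fh:
        fh.write("invoice 1002\n")
    second = backup(source, dest)          # incremental: only invoices.txt
    problems = restore(dest, test_pc)      # test restore: should verify cleanly
    shutil.rmtree(work)
    return first, second, problems


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest next to the copies is what makes the restore verifiable; an off-site copy of `dest` is the off-site backup the guide asks for.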
7.2 Cloud Security
Cloud computing is using resources and programs that are available on the Web, outside of your business. You may be familiar with cloud services like data storage, but cloud computing also includes billing and payment services, document and account management, and marketing and productivity tools.
There are many reasons for a small- or medium-sized business to consider using cloud computing. Cloud services offer powerful software, similar to what is used in much larger companies, at competitive prices. What’s more, some services allow for customization to fit your business’s needs, and can offer the flexibility to access cloud services from nearly any device that connects to the Web. Finally, a good cloud services provider will support their products to improve their security and stability.
As attractive as cloud computing is, cloud services mean that you will be placing data in the hands of someone outside of your business, so you need to be able to trust how they will handle that information. Your business needs to consider several security issues in deciding whether a cloud service is right for you.
1. Read reviews and get recommendations on potential cloud service providers. Research the security capabilities of potential cloud-computing service providers, including the following:
  • Anti-malware protection.
  • Software patching and maintenance.
  • Strong encryption during the movement of data and while information is stored.
  • Redundant power in case of a power failure.
2. Beyond security, ask about a cloud service provider’s reliability, service levels and past performance. For example, you can ask how they back up their data and what happens if the service goes down.
3. Manage access to your cloud services. You should decide who in your business can access a service, and what account privileges they will have. Decide whether employees can access business data on personal devices and the procedure to follow if a device is lost or stolen. If an employee leaves, be sure to remove their access to your services.
4. Exercise your due diligence. Talk to your legal counsel to understand what liabilities you may face if client information were lost or stolen while hosted in the cloud, and look closely at agreements with cloud service providers on who owns products and bears responsibility for the data.
5. Understand any federal or provincial legal requirements related to storing different kinds of information. Information uploaded from Canada may be stored on a server in another country. Depending on your line of business, government regulations may stipulate how your data is handled, including where it is stored, for how long and the level of security required. This is especially true with respect to medical or financial records that your business may hold.
Using a Secure Cloud-Based File-Sharing Service
One aspect of cloud computing that your business may find useful is file-sharing and synchronization services. These allow you to upload files to the cloud for clients, consultants or other personnel to view, download and modify. If changes are made by any of the users, files are synchronized so that everyone has access to the most current version.
Your business can limit associated security risks by doing the following:
• Considering which types of information can be safely shared this way.
• Choosing a service that requires users to log in, ideally with two-factor authentication, so only people you authorize can access the shared files.
• Limiting the number of people with access to those who need it.
• Using a service that can send you notifications when a file is received or changed.
• Encrypting sensitive information before you upload or share it.
7.3 Classifying and Labelling Sensitive Information
Classifying and labelling sensitive information is critical to its secure handling in your business. Many classification systems can be employed to help determine how sensitive information is and then to label it (e.g., as documents, files, records, etc.).
The key is to have a system in place that all of your employees understand and follow. Your business will need to develop a method for classifying information and guidelines for labelling and handling that information.
How to determine which information is sensitive:
1. Identify your information and where it is located (e.g., on a server, in the cloud, etc.).
2. Ask yourself what harm would result from the loss or theft of each group of information your business holds. Rate the loss from 1–5 where 1 is “insignificant” and 5 is “catastrophic.” Sort the results.
3. Information that is rated higher is more “sensitive” and should be labelled and handled with proper care for its security (e.g., control of access, backup, etc.).
A simple classification model is easier to remember and follow. For example:
1. Public information is available to everyone and anyone, inside or outside of your business, and requires no protection or special marking or handling. News posted to your business’s website is an example of public information.
2. Restricted information needs to be protected in some manner and is usually limited to a select group of people including employees and certain clients, service providers or others. This information would be controlled through various security safeguards you have put in place and should be labelled “Restricted.” An example of restricted information is payroll information.
3. Confidential information is limited to access by select individuals in your business. Its loss or exposure could damage your business. Confidential information must be labelled, carefully handled and should not be allowed to leave business premises or systems. An example of confidential information is intellectual property owned by the business or sensitive client data.
You should document and explain to employees or affiliates (e.g., for banking) the rules on how information should be labelled, handled or shared, including the following:
• Always checking the classification of information to determine how it should be handled.
• When using or sharing classified information, limiting access to those who are authorized.
7.4 Handling Sensitive Information
Some of your business information will be particularly sensitive (e.g., financial or customer records), meaning that the unauthorized access to, loss, misuse or modification of that information could cause serious harm to your business or clients.
Tips for handling sensitive information:
• Lock up and restrict access to sensitive information when it is not being used. With digital documents this will involve a combination of electronic and physical safeguards to limit access only to authorized employees or clients. For paper documents it may involve locked filing cabinets or a safe.
• Always label sensitive information and train employees to follow guidance on the handling of labelled information. If information is not labelled, employees should ask for assistance or clarification to make sure they are handling it correctly. Digital information can be grouped by sensitivity on a common server, in a specific database or individually labelled.
• If you have to destroy any sensitive information, the electronic destruction methods must also be thorough. Usually if you “delete” a file on your computer, the file is not actually removed until the space is overwritten by something else. Commercial “secure erase” or deletion tools can completely destroy your sensitive information, much like putting a paper document through a shredder.
• When you dispose of storage media, it is best to destroy it physically. For example, CDs and DVDs can be put through some paper shredders.
• When destroying paper records, a high-quality shredder that cross cuts the paper into small pieces should be used, or consider paying a professional document and media destruction company.
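What a "secure erase" tool does for one file, as the third tip describes: overwrite the contents before deleting so the data does not linger in unallocated space. This is an added example, not code from the guide or any commercial tool, and it only holds for traditional disks; see the comment on SSDs, snapshots and synced folders.

```python
import os
import secrets
import tempfile

# Added example, not code from the GetCyberSafe guide. It shows what a "secure erase"
# tool does for a single file on a traditional magnetic disk: overwrite the contents
# before unlinking, so the data does not sit in free space until something reuses it.
# Caveat: on SSDs (wear levelling), copy-on-write filesystems, systems with snapshots,
# and folders synced to the cloud, old blocks can survive an overwrite. There, full-disk
# encryption with key destruction or physical destruction (as the guide advises) is
# the reliable route; this routine is not a substitute for them.
CHUNK = 64 * 1024


def secure_delete(path, passes=2):
    """Overwrite `path` with random bytes `passes` times, flush to disk, then delete.
    Returns the number of bytes overwritten per pass. Refuses symlinks and non-files
    so a planted link cannot redirect the overwrite at some other file."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"refusing to wipe non-regular file: {path}")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())        # make sure the overwrite reaches the device
    os.remove(path)
    return size


def demo():
    """Write a constructed 'payroll' file, wipe it, and report (bytes wiped, still exists)."""
    fd, path = tempfile.mkstemp(prefix="payroll-", suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"employee,salary\n" + b"Constructed Person,50000\n" * 40)
    wiped = secure_delete(path)
    return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # expected: (1016, False)
```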
8 Remote Access Security
Quick tips from this section:
• Conduct your remote computing through a Virtual Private Network (VPN).
• Limit access to your network to authorized personnel with a clear business need.
• When working from home, properly secure your Wi-Fi before using your VPN.
• Do not use unknown or unfamiliar Wi-Fi connections when travelling.
Providing remote access to your business network and information allows you and your employees to work from home or while on the road, saving time and money, and increasing productivity. But allowing remote access can expose your business to cyber threats. Many of these threats can be addressed through good security habits on the part of employees along with strong technical safeguards you can put in place.
8.1 Remote Computing Security Basics
If employees are provided with remote access to your business’s computers, it will normally be over the Internet and should involve the use of a secure Virtual Private Network (VPN).
A VPN is an extension of your business’s internal network (or from one computer to another) over the Internet. The Internet is not considered secure for the exchange of confidential information on its own, so all traffic in a VPN is encrypted, rendering it unusable to anyone except the legitimate sender and receiver. A VPN is a proven solution that is relatively simple for you to set up with commercial or free software or as a service. Some hardware, such as a router and firewall, is also required.
Once in place, a VPN can allow your users to access and share business files or applications from their remote location, and to communicate with fellow employees using email, as if they were in the office.
A VPN should always be used with other security safeguards (as described in this guide) including up-to-date anti-malware software and two-factor authentication.
Below are some basic steps you can take to protect your business with respect to remote computing:
• Limit remote access to authorized employees with a clear business need. Access should only extend to the applications, information and services that are required for work to be performed.
• All employees authorized to have remote access privileges should be required to sign a simple Remote Access Agreement to indicate that they understand the associated rules and responsibilities.
• You should adjust remote access privileges as responsibilities change. For example, an employee moving from Accounting to Sales may no longer need access to certain accounting resources so their access should be changed. Remember to revoke all remote access privileges when an individual leaves your business.
• When possible, provide employees with business computers, configured with appropriate application software, remote access tools and security safeguards, instead of using their home computers.
• Record serial numbers for all personal computing devices used for remote access or work outside of the office—including laptops, smartphones and tablets—to help track their configurations (including security software) and to help with recovery if they are lost or stolen. This information will also help with police reports and insurance in the case of theft or loss.
• Label all your business computers that are used outside of the office with your business name, contact information and an asset number.
8.2 Working From Home
Logging into work from home is convenient for you and your employees. But working from home on a personal computer introduces some additional risks that need to be addressed:
• As part of the wireless system, a small device called a cable or Digital Subscriber Line (DSL) modem connects home networks and computers to the Internet. Usually, a router is also required for communications inside the home. Your employees should connect the computer directly to the router using a standard Ethernet cable. Similarly, the router should be connected, via an Ethernet cable, to the modem. If these steps are taken, there is no wireless communication that can be listened to by outside parties.
• When using Wi-Fi, you must secure it so that potential attackers cannot monitor the home network and steal your business’s sensitive information. To guarantee a secure connection, all employees should be required to do the following:
  • Change the default Wi-Fi network name and the router access password on the network router. The name is called the Service Set Identifier (SSID) and changes can usually be made quite easily online, following the manufacturer’s instructions for use.
  • Turn on network encryption to make sure that any intercepted communications cannot be used by cyber criminals against employees or your business.
• The home work environment is only as secure as the workspace. Employees should be advised to limit access to the computer they will use for work. For example, children should have a separate computer for their own use to prevent accidental compromise of the computer used for business access.
8.3 Working While Travelling
Your business’s portable computing devices and the information on them are particularly vulnerable when working away from the office or home. Many hotels, coffee shops, conference centres and other public places offer Wi-Fi, often for free. This is convenient, but rarely secure.
Here are some tips for you and your employees while on the road:
• Avoid unknown, unfamiliar and free Wi-Fi connections unless they are secured with a password and encryption. Even then, use caution when sending your sensitive information. If an unencrypted Wi-Fi connection must be used, business documents and emails should not be transmitted unless a business VPN is used. The VPN will encrypt the transmitted information.
• Don’t leave your laptop or related materials unattended in a public workspace, even for a moment. Theft of laptops, smartphones and tablets is common and on the rise. If possible, secure laptops with a cable lock—even when attended and in sight. Lose a business laptop or other electronic device and you lose all the information.
• Make sure that you guard confidential information on your screen from curious onlookers. If you’re on a flight, anyone with line of sight to the laptop can see what is on the screen. Wait to review any sensitive information in a more private and secure location. If this is not possible, dim the screen and change the laptop’s position to limit who can see it.
9 Mobile Device Security
Quick tips from this section:
• Ensure that all of your mobile business devices (phones, tablets) have system access passwords and are locked when not in use.
• Properly safeguard data on mobile devices. Most mobile devices have security features and many smartphones and tablets can even run anti-malware software.
• Encrypt all of your sensitive data on portable storage devices.
Your business likely uses mobile devices and portable data storage (such as USB sticks) in your everyday operations. They increase productivity, make communication easier and allow you to easily carry important data.
Using mobile devices to send and receive your business’s information can expose your business to the risk of sensitive information being viewed or used by people you have not authorized to do so. Allowing employees to use their business-owned mobile device for personal use, such as the installation of non-business apps, can sometimes expose your business to the loss of sensitive information, malware and other threats.
To address mobile device security in your business, it is important for you to:
1. Examine the pros and cons of mobile device use in your business.
2. Determine which types of devices you will allow in the business.
3. Decide whether personally owned mobile devices can be used by employees for business purposes.
4. Develop standalone rules of use or integrate rules into your business’s cyber security policy.
5. Develop a plan for the management of your mobile devices (which may include a need to access and control them remotely or to block certain functions) and buy tools to support that plan. You can begin by speaking to your mobile service provider and visiting the website of the phone or tablet manufacturer for advice.
6. Log the serial numbers of all mobile devices used in your business in case of loss or theft.
9.1 Tablets and Smartphones
Tabletsandsmartphonesofferincrediblefunctionality,includingtheabilitytocreate, store,sendandmodifydatawithease.Butthesefeaturescanleadtoaccidentalmisuse byemployeesormanipulationbycybercriminalsifthedeviceishackedorstolen.
Becausethesedevicesaresmallandvaluable,theyarecommontargetsfortheft.Whethercompromisedthroughmalware,misuse,lossortheft,theimpactonyourbusinessmaybesignificant,especiallyifthedevicecontainssensitiveinformationorcommunicationstoolsforconnectiontoyourbusinessnetwork.
Tipstohelpaddressthethreatstoyourmobiledevices:
• Treatsmartphonesandtabletswiththesamesecurityprecautionsandcareasdesktop computersandlaptops,asallofthemcanbecompromisedorstolen. • Setupasystemaccesspasswordandensurethatthesmartphoneortabletisalways lockedwhennotinuse.Yoursensitivepersonalorbusinessinformationcontainedin thedevicewillbemuchhardertoaccessifthedeviceislostorstolen. • Properlysafeguardsensitiveinformationonthesedevices,includingany sensitiveemailstransmittedorreceivedwhiletravelling. • Backupyourdevicecontentsonaregularbasis. • Installandrunappropriatesecurityapps,whichcanincludeencryption,locatorsforalost deviceandanti-malware. • Adviseemployeestopromptlyreportthelossofabusinesstabletorsmartphone assoonasitisnoticedsothateffortscanbemadetoalertthepolice,recoverthedevice or(iftheappropriatesoftwarehasbeensetup)remotelywipedevicecontents.
9.2 Portable Data Storage
Portable data storage can hold massive amounts of information in a very small device. Your business may even be able to store all of its electronic files on a portable storage device.

Older storage media such as CD or DVD discs are being replaced by portable hard drives and USB flash memory sticks (sometimes called thumb drives). Your business may already use one or more of these methods to store important information.

Although convenient and low cost, the use of portable data storage devices exposes your business to cyber security threats including the following:

• Infection by malware (a problem most common with USB flash drives).
• The loss of your device and all of the information on it. This problem is widespread and again most often involves USB drives, but also CDs and DVDs.
• Information on the device can be easily copied by potential criminals (as most such devices do not include any security safeguards).
To reduce these threats, here are a few steps you can take:

• Identify the rules for use of such devices and the handling of information in your business policies (as explained in other sections of this guide); for example, make it clear what information can be stored on mobile devices, and what specific safeguards and protections need to be in place for particular kinds of information, such as encryption of client information.
• Use the safeguards available for your device. Most mobile peripherals have security features and even many smartphones and tablets can run anti-malware software.
• Label all of your portable storage devices with your business name and a contact number in case it is lost.
• Encrypt sensitive files on portable storage so that they cannot be copied or used by someone in case of loss, theft or illicit use. It may be more effective for you to encrypt the entire storage device (e.g., USB flash drive) so that all of the information placed on it is protected.
• Train your employees in the secure handling of portable storage devices to help limit theft or loss and, as with other mobile devices, advise employees to report loss of any device promptly.
10 Physical Security

Quick tips from this section:
• Only give your employees access to what they need access to.
• Have your employees lock their computers and put away sensitive documents when not at their desk.
• Create and enforce an employee security policy.

All of your business's cyber security safeguards could be of limited effect if you do not use appropriate physical security. If a disgruntled employee or a visitor gained access to one of your computers, they could quickly and easily download sensitive data onto a memory stick. Cyber security safeguards like authentication and encryption need to be complemented by other security measures, like locks on doors and sign-in procedures for visitors.

Physical security is a topic on its own. This section provides some key tips for you and your employees:

• Only allow employees access to areas of the business that they have a legitimate need to be in. For example, salespeople usually don't need to access and modify servers. Lock up the servers and only provide access to those who need it.
• Have employees follow best practices for their workstations, known as the "clean desktop" principle. Employees should put away sensitive items when not at their work area. These can include the following:
  • Documents that contain sensitive or confidential information about your business.
  • Personal information, especially if it pertains to clients.
  • Portable electronic media including CDs, USB memory sticks or other items that can be easily removed.
• Always have employees lock their business computer when they leave their work area. They don't need to shut down the computer to do this: most operating systems allow users to enter a combination of keys to disable access until they re-enter their password.
10.1 Employee Security
Employee security includes processes and practices to establish the suitability and trustworthiness of employees in order to protect the business prior to hiring, as well as ongoing vigilance around employee practices.

Some specific recommendations for you with respect to employee security include the following:

• Publish and enforce an employee security policy that defines what rules apply to employees and what discipline (including termination) is applicable in the event of a security incident where an employee is at fault.
• Always perform background checks for all new employees. References alone are not always sufficient given the potential for fraud through social engineering.
• Be clear about how non-competition, non-disclosure, intellectual property rules and contractual obligations apply in the context of your business's cyber security. For example, you should tell new employees that emails to competitors are not allowed without prior approval.
• Clearly communicate security responsibilities to new hires and contractors as part of their orientation, and have them formally acknowledge that they have read and understood the material including all cyber security-related policies.
• Clearly state and enforce the consequences of security lapses, especially where employees may have ignored or broken rules or caused harm to your business.

Finally, the employee termination process is relevant to your business's security. There have been many cases of former employees accessing internal networks and stealing data or planting malware. When an employee or contractor is terminated or indicates that they are leaving, access to your business's computers and information must be terminated, and business property such as laptops, keys and access badges returned, as soon as possible after termination.
11 Getting Help

11.1 When to Ask for Help
If you run a small or medium business, you might not have the expertise on hand to manage all aspects of cyber security. You may need some assistance in choosing and implementing some security solutions.

If you don't think you can handle your security needs on your own, we recommend your business seek outside help from individuals or companies that specialize in cyber security. Look for companies with good reputations, knowledge and expertise in the areas where you need help.

Some cyber security solutions, such as online backup of all your data, might be impractical to manage on your own. Cyber security companies can help provide this kind of long-term service, including customer support, more effectively than you could in-house.

Finally, in cases of serious cyber attacks, it may be necessary to contact the appropriate authorities. If your business or any of its employees are threatened or harmed through a cyber security incident, contact the police. Appendix C provides a list of other contacts you might find useful when dealing with a cyber attack.
11.2 Where to Get Security Safeguards
To find such security tools you will often need to consult with outside experts and vendors to determine what is needed and to understand the options. Some free options exist, but most cost money initially and over time.

A lot of security software is available on the Internet for free. Always check for user comments online to see what others have experienced, talk to other small business owners, and research the source, history and validity of free software before using it. Make certain that it is widely accepted as legitimate and is not a form of malware. Paying for security software usually includes vendor support, including a warranty, technical support for set-up, as well as updates. The cost can vary widely and can extend across several years as licenses for software or maintenance are renewed, often annually.
12 Appendices

12.1 Appendix A: Cyber Security Status Self-Assessment
These questions will help determine your business's basic status with respect to cyber security. Answering these questions before reading the guide will help you determine which sections to focus your attention on.

These questions are based on the assumption that your business (irrespective of its size):

1. Uses computers for business purposes.
2. Uses mobile computing or communications devices for business purposes.
3. Connects some or all of those devices to the Internet for business purposes.
4. May also have an internal network, used to share applications software, peripheral devices (such as printers) and information within your business.

For each question, please circle one answer. If you don't know the answer or are unable to understand the question, then select "Not sure."

Total up your score by adding together the numbers to the left of your answers. For example, if you answered "Not sure," then that answer will have a value of zero (0), or if you answered "Yes," then the value would be two (2).
Business Questions
1. Is cyber security a priority for your business?
   0. Not sure
   1. No
   2. Yes

2. Has someone in your business been given responsibility for cyber security?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is this an ongoing role, supported by management (circle if yes)?

3. Has your business completed a cyber security threat and risk analysis (of any kind)?
   0. Not sure
   1. No
   2. Yes
   3. If yes, are risks prioritized and tracked with regard to reducing them (circle if yes)?
4. Does your business have a Cyber Security Plan?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it being followed (circle if yes)?

5. Does your business have a Cyber Security Policy?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it supported through security awareness training for employees (circle if yes)?

6. Does your business have a Disaster Recovery Plan?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it kept up to date and has it been tested (circle if yes)?

7. Does your organization provide employees with guidance on the handling and labelling of sensitive information?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is this supported by policy or a standard (circle if yes)?

8. Does your organization provide employees with guidance on the secure use of mobile devices?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is this supported by a guideline and any mobile device management tools (circle if yes)?
Technical Questions
9. Is there a firewall installed between your business computers, including point-of-sale (POS) systems, and the Internet?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it regularly maintained and checked by someone with the appropriate training and experience (circle if yes)?

10. Does your business use an encryption tool (usually software) to secure sensitive information before sharing it outside of the business environment (such as with the transmission of email attachments)?
   0. Not sure
   1. No
   2. Yes
   3. If yes, do all personnel know how to use the tool and is usage monitored and enforced (circle if yes)?

11. Does your business have a spam filtering or blocking solution in place?
   0. Not sure
   1. No
   2. Yes
   3. If yes, do all personnel know how to report spam that is threatening or seems to be part of an attempt to solicit personal or sensitive business information (circle if yes)?

12. Does your business use an anti-malware solution?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is it installed on all of the business's computers and is it regularly (usually hourly or daily) updated (circle if yes)?

13. Does your business follow best practices for strong passwords and password protection?
   0. Not sure
   1. No
   2. Yes
   3. If yes, are strong password rules enforced (circle if yes)?
14. Does your business back up data and applications on a regular basis (usually daily or more frequently)?
   0. Not sure
   1. No
   2. Yes
   3. If yes, are backups tested on a regular basis and are some backups kept offsite in case of disaster (circle if yes)?

15. Does your organization provide personnel with guidance on working in a secure manner when travelling or otherwise outside of the business environment?
   0. Not sure
   1. No
   2. Yes
   3. If yes, is this supported by use of a virtual private network (VPN) (circle if yes)?
You have finished the self-assessment questionnaire.
If your score was 0 to 15, then you should consider reading this whole guide as soon as you can. Then, consult with others in the business to begin planning and implementing cyber security in your business.

If your score was 16 to 30, then it's safe to say that your business has done some work with respect to cyber security. However, you likely need to do more and should read the guide with particular focus on those areas where you scored low.

If your score was 31 to 45, then your business has made good progress in several areas of cyber security. However, new threats are constantly developing and it will be important to still consider the topics in this guide and discuss next steps (as appropriate).
12.2 Appendix B: Glossary
Assets: Any items belonging to or held by the business, with some value (including information, in all forms, and computer systems).

Attack: An attempt to gain unauthorized access to business or personal information, computer systems or networks for (normally) criminal purposes. A successful attack may result in a security breach or it may be generically classified as an "incident."

Authentication: A security practice implemented (usually through software controls) to confirm the identity of an individual before granting them access to business services, computers or information.

Backup: The process of copying files to a secondary storage solution, so that those copies will be available if needed for a later restoration (e.g., following a computer crash).

Breach: A security breach is a gap in security that arises through negligence or deliberate attack. It may be counter to policy or the law, and it is often exploited to foster further harmful or criminal action.

Cyber: Relating to computers, software, communications systems and services used to access and interact with the Internet.

Encryption: Converting information into a code that can only be read by authorized persons who have been provided with the necessary (and usually unique) "key" and special software so that they can reverse the process (i.e., decryption) and use the information.

Firewall: A firewall is a type of security barrier placed between network environments. It may be a dedicated device or a composite of several components and techniques. Only authorized traffic, as defined by the local security policy, is allowed to pass.

HTTPS: Hypertext Transfer Protocol Secure.

Identity Theft: Copying another person's personally identifying information (such as their name and Social Insurance Number) and then impersonating that person to perpetrate fraud or other criminal activity.

Malware: Malicious software created and distributed to cause harm. The most common instance of malware is a "virus."

Patch: An update to or repair for any form of software that is applied without replacing the entire original program. Many patches are provided by software developers to address identified security vulnerabilities.
OS: Operating System.

OTP: One-Time Password.

Password: A secret word or combination of characters that is used for authentication of the person that holds it.

Phishing: A specific kind of spam targeting one or more specific people while pretending to be a legitimate message, with the intent of defrauding the recipient(s).

POS: Point of Sale.

Risk: Exposure to a negative outcome if a threat is realized.

Safeguard: A security process, physical mechanism or technical tool intended to counter specific threats. Sometimes also referred to as a control.

Server: A computer on a network that acts as a shared resource for other network-attached processors (storing and "serving" data and applications).

SMB: Small and Medium Business.

Spam: Email that has been sent without the permission or request of you or the employee it has been sent to.

Threat: Any potential event or action (deliberate or accidental) that represents a danger to the security of the business.

URL: Uniform Resource Locator.

Vulnerability: A weakness in software, hardware, physical security or human practices that can be exploited to further a security attack.

VPN: Virtual Private Network.

Wi-Fi: A local area network (LAN) that uses radio signals to transmit and receive data over distances of a few hundred feet.
12.3 Appendix C: Canadian Cyber Security Sites and Contacts
12.3.1 Canadian Government Security Sites
1. Get Cyber Safe provides news, tips and guidance on cyber security for individuals and businesses in Canada
   • www.GetCyberSafe.gc.ca

2. The Canadian Anti-Fraud Centre for fraud prevention and reporting (including cybercrime)
   • Toll Free: 1-888-495-8501
   • Toll Free Fax: 1-888-654-9426
   • Email: [email protected]
   • http://www.antifraudcentre-centreantifraude.ca/english/home.html

3. The Canadian Radio-television and Telecommunications Commission Canada site for reporting scams by phone
   • http://www.crtc.gc.ca/eng/INFO_SHT/G9.htm

4. Office of the Privacy Commissioner of Canada:
   • Securing Personal Information Self-Assessment Tool: http://www.priv.gc.ca/resource/tool-outil/security-securite/english/AssessRisks.asp?x=1
   • Getting Accountability Right with a Privacy Management Program: http://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.asp

5. Canada's Anti-Spam Legislation
   • http://fightspam.gc.ca/eic/site/030.nsf/eng/home
   • Worried it's Spam? 5 Things to Look For: http://fightspam.gc.ca/eic/site/030.nsf/eng/h_00241.html
12.3.2 Cyber Security Member Associations in Canada
Cyber security industry associations are a good source for more in-depth information and advice on cyber security for small and medium businesses. They can also provide recommendations on available service providers in your area if you need outside help.

1. American Society for Industrial Security (ASIS)
   • http://www.asis-canada.org/

2. High Technology Crime Investigation Association (HTCIA)
   • http://www.htcia.org/

3. Information Systems Audit and Control Association (ISACA)
   • http://www.isaca.org/Membership/Local-Chapter-Information/Browse-by-List/Pages/North-America-Chapters.aspx

4. Information Systems Security Certification Consortium, Inc. (ISC2)
   • https://www.isc2.org/chapters/Default.aspx

5. Information Systems Security Association (ISSA)
   • https://www.issa.org/?page=ChaptersContact