The government of Canada recently announced its endorsement of the Group of Seven’s (G7) Fundamental Elements of Cybersecurity for the Financial Sector guidelines. These guidelines are designed to assist organizations, particularly in the financial sector, in designing and implementing a cyber security framework.

The non-binding guidelines identify eight basic building blocks for establishing a strong focus on cyber security:

1. Implement a cyber security strategy
2. Governance
3. Risk assessments
4. Monitoring
5. Response
6. Recovery
7. Information sharing
8. Continuous learning

While the G7 guidelines are aimed at business that operate in the financial sector, they are useful in summarizing basic cyber risk management practices. To learn more about these guidelines, click here.

© Zywave, Inc. All rights reserved.

A recent study conducted by Cisco, a multinational technology firm, found that small businesses were particularly vulnerable to cyber attacks—with 60 per cent of the surveyed Canadian companies stating that they did not have cyber security strategies in place. This fact becomes increasingly alarming when you consider that, according to some experts, cyber criminals actively target small- to medium-sized businesses.

With this in mind, it’s particularly important for small businesses to plan their cyber security budgets accordingly if they want to mitigate their risk. As a good rule of thumb, approximately 15 per cent of IT budgets should go towards cyber security.

Budgets should be made following an in-depth risk assessment and typically include the following considerations:

Preparation: When planning a cyber-security budget, consider including items for training, technology upgrades and vulnerability assessments. Having policies and procedures in place related to cyber attacks could also help you respond quickly in the event that a hacker accesses any sensitive information. In addition, implementing a security-awareness program is a good option for most employers, and consulting firms can provide assistance for those having difficulty setting up preventative measures.

Detection: Having the proper detection tools in place could make all the difference, should a cyber attack occur. In your budget, ensure that funds have been allocated for penetration testing, which will verify that any protective software you have in place is effective.

Response: Following a cyber attack, there are a number of response items to consider. In response to a cyber attack, businesses will often need to cover the cost of public relations assistance, attorney fees and forensic specialist services. When properly implemented and planned for, these items can help businesses salvage their reputations and prepare for future attacks.

In addition to budget planning, there are a number of other steps businesses can take to limit the impact of cyber attacks. For example, identifying any trends in terms of what other companies are spending on cyber security will at least provide you with a good budget standard that you can compare your own pricing to. In many cases, cyber liability insurance can protect businesses from some of the above costs, in addition to any losses sustained as a result of a cyber attack. The amount of coverage you need is usually dependent on your overall risk.

© Zywave, Inc. All rights reserved.

Because of their convenience, smartphones and tablet devices have become a universal presence in the modern business world. As usage soars, it becomes increasingly important to take steps to protect your company from mobile threats, both new and old.

The need for proper phone security is no different from the need for a well-protected computer network. According to the computer security software company McAfee, cyber attacks on mobile devices increased by almost 600 per cent from 2011 to 2012—and experts expect that number to continue to increase.

Gone are the days when the most sensitive information on an employee’s phone was contact names and phone numbers. Now a smartphone or tablet can be used to gain access to anything from emails to stored passwords to proprietary company data. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a traditional computer system.

Lost or Stolen Devices

Because of their size and the nature of their use, mobile devices are particularly susceptible to being lost or stolen. According to a 2012 study by the Ponemon Institute, nearly 40 per cent of organizations experienced a data breach as a result of a lost or stolen mobile device. Since most devices automatically store passwords in their memory to keep users logged in to email and other applications, gaining physical possession of the device is one of the easiest ways for unauthorized users to access private information.

To prevent someone from accessing information on a lost or stolen device, the phone or tablet should be locked with a password or PIN. The password should be time sensitive, automatically locking the phone out after a short period of inactivity. Most devices come with such security features built in. Depending on your mobile provider, there are also services that allow you to remotely erase or lock down a device if it is lost or stolen. Similarly, it is possible to program a mobile device to erase all of its stored data after a certain number of login failures.

Malicious Attacks

Mobile devices are just as susceptible to malware and viruses as computers, yet many businesses don’t consider instituting the same type of safeguards. Less than 20 per cent of mobile devices have anti-virus software installed, which is practically an invitation to thieves or hackers to pillage whatever information they want from an unprotected device. Furthermore, it doesn’t matter what operating system the devices have, whether it be Android, Apple’s iOS, Blackberry or Windows Mobile—all are vulnerable to attacks.

As reliance on these devices continues to grow, so will their attractiveness as potential targets. Third-party applications (apps) are especially threatening as a way for malware to install itself onto a device. These apps can purchase and install additional apps onto the phone without the user’s permission. Employees should never install unauthorized apps to their company devices. Apps should only be installed directly from trusted sources.

Hackers can use “ransomware” to restrict a user’s access to their device’s data, contacts, etc., and then demand a ransom to get it back. Even if the user pays the ransom, there is no guarantee that he or she will get the data back. Employees should know to never pay the ransom if this type of software finds its way onto a company device.

A big difference between mobile devices and laptops and other computers is the ability to accept open Wi-Fi and Bluetooth signals without the user knowing. Hackers can take advantage of this by luring devices to accept connections to a nearby malicious device. Once the device is connected, the hacker can steal information at will. To prevent this, make sure all mobile devices are set to reject open connections without user permission.

Preventive Measures

While the current mobile device security landscape may seem lacking, there are plenty of ways to be proactive about keeping company devices safe from threats.

Establish a Mobile Device Policy

• Before issuing mobile phones or tablets to your employees, establish a device usage policy. Provide clear rules about what constitutes acceptable use as well as what actions will be taken if employees violate the policy. It is important that employees understand the security risks inherent to mobile device use and how they can mitigate those risks. Well informed, responsible users are your first line of defence against cyber attacks.

Establish a Bring Your Own Device (BYOD) Policy

If you allow employees to use their personal devices for company business, make sure you have a formal BYOD policy in place. Your BYOD security plan should also include the following:

• Installing remote wiping software on any personal device used to store or access company data.
• Educating and training employees on how to safeguard company data when they access it from their own devices.
• Informing employees about the exact protocol they must follow if their device is lost or stolen.

Keep the devices updated with the most current software and anti-virus programs.

Software updates to mobile devices often include patches for various security holes, so it’s best practice to install the updates as soon as they’re available.

There are many options to choose from when it comes to anti-virus software for mobile devices, so it comes down to preference. Some are free to use, while others charge a monthly or annual fee and often come with better support. In addition to anti-virus support, many of these programs will monitor SMS, MMS and call logs for suspicious activity and use blacklists to prevent users from installing known malware to the device.

Back up device content regularly.

Just like your computer data should be backed up regularly, so should the data on your company’s mobile devices. If a device is lost or stolen, you’ll have peace of mind knowing your valuable data is safe.

Choose passwords carefully.

The average Internet user has about 25 accounts to maintain and an average of six-and-a-half different passwords to protect them, according to a recent Microsoft study. This lack of security awareness is what hackers count on to steal data. Use the following tips to ensure your mobile device passwords are easy to remember and hard to guess:

• Require employees to change the device’s login password every 90 days.
• Passwords should be at least eight characters long and include uppercase letters and special characters, such as asterisks, ampersands and pound signs.
• Don’t use names of spouses, children or pets in the password. A hacker can spend just a couple minutes on a social media site to figure out this information.

© Zywave, Inc. All rights reserved.