It’s no secret that cyber threats have been increasing dramatically in the past years. According to our 2023 Cybersecurity Survey, 41% of organizations reported that they had experienced a cyber attack in the past 12 months. The cost of a successful cyber attack can be astronomical—IBM’s 2023 Cost of a Data Breach reports that the average cost of a data breach in Canada was an eye-watering $5.13 million USD ($6.96 million CAD, as of December 2023). While the biggest data breaches have affected the healthcare, financial, pharmaceutical, and energy sectors, SMEs are increasingly in the crosshairs of cybercriminals.
An unfortunate fact of today’s digital landscape is no organization or individual is safe from cyber attacks. Cybercriminals are increasingly looking towards small and medium-sized organizations to extort and exfiltrate data and show no signs of letting up.
So, what can a small organization with limited resources do to combat cyber threats? Fortunately, there are several cost-effective measures and best practices your organization can put in place to dramatically reduce your organization’s cyber risk profile.
1. Assess your digital landscape
The first step in understanding how to protect your organization is to understand exactly what you need to protect. Using an established cybersecurity framework such as NIST CSF 2.0, or ISO 27001, you can take inventory of all your internet-connected devices and online activities to identify potential vulnerabilities. Once you have figured out what potential vulnerabilities exist within your organization’s technology stack, you can prioritize the risks and put in place a plan to address them. Among the immediate actions to take is promptly patching your hardware and software, fortifying your systems and files against potential threats from malicious actors.
2. Awareness training
One of the most impactful measures you can put in place to reduce your organization’s cyber vulnerabilities is to put in place an effective cybersecurity awareness training program. According to Verizon’s Data breach investigations report, 82% of data breaches involved human error, most notably successful phishing attacks. By addressing the human layer of your cyber-defences, you can dramatically reduce the number of phishing incidents and data breaches by extension.
What makes a cybersecurity awareness training platform impactful? The most effective programs will deliver training at regular intervals which is relevant to your users and engages them. Phishing simulations are also an important piece of the puzzle—it is one thing to learn about phishing cues, but putting the knowledge to test and with simulations brings those lessons into the real world and helps enable your team to report real suspicious emails.
Furthermore, giving employees transparency and visibility into their progress through training can help them feel greater ownership of their cybersecurity journey. Providing them access to their own personal training dashboards and access to training libraries lets them take control of their personal cybersecurity risks and can help them stay safe at home as well as on the job.
Recognizing the importance of end-user training, CIRA offers a cybersecurity awareness training platform designed to help Canadian organizations of all sizes protect themselves against human engineering attacks. To learn more, visit our Cybersecurity Awareness Training page.
3. Secure password practices
Passwords act as a first line of defence against unauthorized access to sensitive data. A strong password policy helps you safeguard your organization’s data from being compromised. Because of the sheer number of digital accounts that we use in our daily lives both at work and at home, reusing passwords and using weak passwords can lead to a domino effect where multiple accounts get compromised. If an employee uses the same password for a streaming service and their work account, if the streaming service gets compromised, criminals will attempt to use the stolen credentials across a variety of platforms and could gain access to sensitive work accounts.
A simple and cost-effective step your organization can take towards improving their cybersecurity posture is to have a strong password policy for your organization. Here are a few tips for helping your organization keep their passwords secure:
- Create unique passwords for each website and application that you use.
- Ensure passwords are complex and include special characters, upper- and lower-case letters, and numbers. Make sure the password is not too complex—if the requirements are too stringent the odds are, employees will reuse those passwords.
- Use a password manager. Password managers are a great way to generate and store your complex and unique passwords. Password managers also often offer features such as secure password sharing and regular updating of passwords which help further increase cybersecurity.
- Use a website such as haveibeenpwned.com to monitor if your credentials have been posted on the dark web. These websites check the dark web for lists of compromised login credentials and can notify you if your accounts appear. If your password has been compromised, make sure to quickly change it.
4. DNS filtering (CIRA DNS Firewall or Canadian Shield)
DNS filtering is like having a virtual bouncer for your internet connection. It helps you block access to harmful websites such as those with malware or scams. This makes your online experience safer by preventing you and your employees from unknowingly visiting malicious websites. A DNS filter adds an extra layer of protection to your organization, reducing the odds that a cyber attack is successful.
CIRA offers two levels of DNS protection—CIRA Canadian Shield and CIRA DNS Firewall. CIRA Canadian Sheild is a 100% free public DNS Service which uses dozens of threat feeds and AI to analyze billions of DNS queries globally every day. Over 200,000 new threats are added to the list daily, helping employees and their family at home stay safe from even the most recent threats. Canadian Shield blocks malicious websites before they can connect to your network. And when we say free, we really mean it, not only do we not charge users, but we also don’t take your personal data and use it for advertising, tracking or reselling to any other party. CIRA Canadian Shield can be configured on your routers, as a browser extension, and has an android and IOS app to bring free protection to keep your office and home networks safe. For instructions on how to install CIRA Canadian shield, visit our configuration page.
For organizations looking for added control over their DNS filtering, CIRA also offers a DNS firewall service. In addition to malware and phishing protection, DNS Firewall also provides over 60 categories to filter from, an administrative panel, reports on threat activity, the ability to set custom policies, API integration for SIEM, PSA or other systems, 24×7 support, and Dynamic IP support. While DNS Firewall is a paid service, it is an affordable, easy-to-manage and effective layer of protection that currently protects over 4 million Canadian users. Learn more about CIRA DNS Firewall today.
5. Keep software updated
Regularly updating software is crucial for cybersecurity because updates often include patches that fix vulnerabilities and weaknesses in the system. Cybercriminals actively exploit these vulnerabilities to launch attacks, and outdated software becomes a prime target. Software updates not only enhance the system’s performance and add new features but, more importantly, they address security flaws that could be exploited by malware, hackers, or other malicious entities. By keeping software up to date, users and organizations strengthen their defences, reducing the risk of breaches, data theft and other cybersecurity incidents.
One of the lowest lift policies you can put in place is to allow for automatic updates of software. While manual updates require the user or administrator to visit the vendor’s website and download and install software updates and patches, automatic updates only require user or administrator consent to install the software. Once an administrator consents, the software updates are pushed to your system automatically. Ensuring that software is automatically updated and patched makes it much more difficult for malicious actors to exploit known vulnerabilities and gain unauthorized access to systems, enhancing the overall security posture of the software and the associated digital infrastructure.
6. Use two-factor authentication (2FA)
Enabling two-factor authentication, also known as 2FA or MFA (multi-factor authentication), is another effective measure that your organization can put in place to reduce the likelihood of a successful cyber attack. Two-factor authentication requires users to provide two forms of identification to access a system or account, typically something that they know (such as a password) and something they have (such as a mobile device or security token). When Google rolled out 2FA for over 150 million people, they saw a 50% decrease in account compromised among these users.
Whenever available, make sure to enable 2FA across websites and applications used by your organization. This extra step helps reduce the likelihood of accessing your organization’s sensitive data in the event of a phishing attack or password leak, as the attacker would need the second factor to gain access. There are a variety of options available for 2FA today including biometrics, SMS codes, authenticator apps, or hardware tokens. This adaptability makes it versatile and suitable for different user preferences and security requirements.
7. Back up your data
In the event of a ransomware attack, one of the first things the attackers will do is encrypt your data, preventing your organization from going about their daily business. The attackers will demand payment to have the data restored, but as the saying goes, there is no honour among thieves, and payment is in no way a guarantee that your data will be restored. Ransomware attacks can prevent your organization from fulfilling its most basic tasks, from processing payroll, accessing email accounts, or even using hardware that is vital to the day-to-day functioning of the organization. Last year, when a major grocery chain was the victim of an attack, employees were told to unplug digital scales, not use scanning equipment to track inventory, and were unable to access their computer systems, putting a hold on their activity.
Having recent data backups can allow you to restore your systems without having to pay the ransom to the attackers. You can revert your systems to a clean and uninfected state, allowing for the resumption of daily business activities. Backups are not only important to protect your organization from ransomware attacks, but they are also a vital part of any business continuity plan, protecting against accidental deletion or human error as well as system failures. Remember to keep at least one backup offsite or offline so that attackers gaining unauthorized access to your systems are not able to access them.
8. Stay informed and engage with the cybersecurity community
The cybersecurity landscape is ever-changing, and malicious actors are getting bolder and more creative with their methods. With the rapid advancement of generative AI technology in the past year, the bar has been lowered for would-be cybercriminals looking to launch more sophisticated and damaging attacks faster and with less effort. Canadian organizations are taking note, with 68% of organizations surveyed reporting being worried about potential cyber threats from this technology.
Technological advancements which malicious actors can leverage will continue to develop, and so too must our defences. The question is no longer if we will come under attack by cybercriminals, but when. And every organization, from the largest multinationals to the smallest business must be prepared for this eventuality.
Even if your organization only has a small budget to allocate towards cybersecurity, there are still many impactful steps to put in place which would be a dramatic improvement from having no protection at all. Malicious online actors are getting bolder and more creative, but to recap, some of the lowest cost and most effective measures your organization can take are:
- Assessing your digital landscape
- Establishing secure password policies
- Implementing a cybersecurity awareness training program
- Using DNS Filtering
- Keeping software and hardware updated and patched
- Enabling two-factor authentication
- Backing up your data
- Staying informed and engage with the cybersecurity community
CIRA is a not-for-profit organization dedicated to making the internet a safer and more reliable space for Canadians. To learn more about how we help Canadian organizations stay safe online, check out our cybersecurity resources or get in touch to see how our cybersecurity solutions can help protect you.
Additional cybersecurity resources:
Canadian Centre for Cyber Security (CCCS)
Canadian Cybersecurity Threat Exchange (CCTX)
Canadian Chamber of Commerce Small Business Cybersecurity Survival Guide