Frequently Asked Questions
Cybersecurity is the protection of data, information, computers, devices and networks from cyber threats and attacks.
In plain English, it is all about protecting our data, devices, and networks so we can use them without issues. It implies that only authorized users within the organization can have access to them.
To some extent. While technical solutions like antivirus and up-to-date software are needed, they are only part of the solution. More than 90% of cyberattacks are successful because of human error, for instance a single user clicking on a deceptive link (e.g. phishing emails, false text messages…).
Organizations need to actively prevent users from falling for social engineering threats.
For the implementation of technical solutions and systems, clearly yes. For preventing hackers from being successful, not really. Regardless of the “pure” tech solutions in place, most IT cyberdefenses fail if users click on deceitful links or download dubious software.
IT experts will certainly be in charge of installing and maintaining systems, devices, and networks, but that alone will not be enough.
As hackers and cyber mafia constantly develop new traps, users need continuous updates and training. Users can stop 9 out of 10 cyber-attacks if trained to recognize potential tricks. The HR department and top management need to get involved in building a wide cybersecurity culture in the organization.
Yes, as long as we keep our devices disconnected. Unfortunately, this is impracticable today.
Like driving cars, getting connected also has risks. Organizations need to realize it and actively act to minimize those risks and their potential impact.
Mostly, small and medium-sized ones. Large organizations have the necessary resources and budgets to face cybercriminals and developed cybersecurity teams long ago. Moreover, since SMEs account for 98% of Canada’s economy, there are far more chances of small organizations being compromised by hackers.
A large number of small and medium-sized organizations (more than 1.2 million SMEs) and their limited resources make them highly vulnerable. While some technical solutions are mainstream (e.g. encrypted communications) there is an enormous lack of awareness at the user level. Users, constantly accessing systems and networks from different devices and locations, are the weakest link in a cybersecurity chain.
Cybersecurity is a never-ending endeavour. It demands ongoing user training and company-wide process updates. As strategic as accounting practices, it also needs to be fully enforced by top management.
Canada has recently launched the CyberSecure Canada Certification, Canada’s cybersecurity certification program for small and medium-sized organizations (SMOs). While a great and pioneering initiative, it needs wide implementation by all organizations.
Ransomware has become the biggest concern. In this kind of attack, hackers prevent anyone in the organization from accessing systems, networks, and data unless a ransom is paid. Usually, hackers have previously found out what the attacked organization’s financial assets are, so they know how high the ransom can be. As you can guess, they will ask for all of it.
In lateral phishing, hackers gain access to an employee’s email account. Without the employee or the organization being aware, they analyze the information stored in the hacked email account to build an almost-genuine email to everyone in the employee’s address book. In some cases, just a couple of false emails are sent out, but they can have disastrous consequences.
Malware, or malicious software, is a program or file that has been intentionally created and delivered to attack computers, networks, apps, or websites.
A network administrator should restrict the settings of the rest of the users to ensure there is a hierarchy of privileged access to key systems and network controls. Only authorized administrators should be able to perform functions such as installing new software (e.g. games, videos) from untrusted sources.
It’s like deciding who enters your house or not. Shouldn’t it be the norm?
In the same way that your organization’s systems and software were specifically designed to serve you efficiently, cybersecurity cannot be implemented with a one-size-fits-all approach.
The specific structure of your organization will require a customized set of IT solutions (firewalls, email security, anti-virus, patching, VPN…), education of users, and precise cybersecurity policies and processes (e.g. an Incident Response Plan).
A cybersecurity Incident Response Plan (or IRP) is a set of instructions designed to help your organization prepare for, detect, respond to, and recover from cybersecurity incidents. As with any emergency response plan, it needs to be tailor-made to meet your organization’s needs and risks.
Prevention is always better than cure. If your organization has an Incident Response Plan, it will contain the steps every member needs to take to minimize the impact and recover quickly from a cyberattack. Most likely, you’d have developed the IRP with the help of a cybersecurity expert. It will be wise to give them a call too.
If you’re unsure whether your organization has any IRP, look for advice.
Depending on your organization’s needs, business practices, data, and specific risks, you may require more complex solutions and budgets. As an example, a basic cybersecurity awareness program can be as low as a few dollars per user per month.
In Canada, there are multiple grants available by federal and provincial programs to help SMEs improve their cybersecurity posture. We constantly monitor these funding opportunities and can facilitate finding the right one for your organization.
Perhaps it might help to answer this question with a reverse-thinking approach: Could you afford to run your business without access to your network, systems, or stored data?
Not a bad start, but not enough.
- Antivirus will protect our systems and devices from most malware, but it will not eliminate the risk of being hacked. Some free software contains malicious software that can bypass an antivirus.
- Encrypted communications will prevent unauthorized third parties from accessing our communications, but some malware can replicate our IT credentials on remote, unknown devices.
As users, we need to be aware that, at the same time computers are making us more productive and resourceful, they are becoming highly powerful tools and, therefore, must be handled with care.
F-1 racing cars are far more powerful than compact city cars. Accordingly, F-1 pilots are far better-trained drivers than most city commuters. Aren’t they?
Cybersecurity awareness refers to the knowledge that end-users have about the cyber security threats and risks they face by using connected devices, and about the preventive best practices they can adopt to minimize those risks and their consequences (impact).
Anyone who has access to a connected device or a proprietary network (e.g. a company’s internal wi-fi).
Some users might wrongly think that cybersecurity is an IT or someone else’s job, not theirs. Cybersecurity is everyone’s responsibility.
95% of cyberattacks are due to human error. Simply by making everyone aware of the risks at play and by implementing some basic measures, like the ones above, your organization will reduce the chances of being compromised by 95%.
Shouldn’t you start it today?
Let’s answer with another question: have you ever received a request to install a software update? Quite often?
Most of those updates are triggered once the software company discovers that there was a hole that made your software’s old version vulnerable. The update contains a patch that fixes those holes so hackers can no longer use them as back doors.
Zero-day attacks take their name from the number of days (zero) that the software firm has had to fix the hole being exploited.
So, the next time you receive a request to install an update, do not procrastinate. Each day that you delay updating is a day that hackers can use those holes to compromise your systems.
Password managers are software that stores the passwords used to log in to online services. They allow users to connect to several services (webmail, social media accounts, cloud services) without manually entering a password each time.
The main advantage of password managers is that users only need to memorize a single password: the master password. That is the one that grants access to the password manager. All the other passwords are stored safely, in encrypted form, inside the password manager.
This advantage brings two key benefits: users don’t need to reuse the same password across different online accounts, and passwords can be long ones, like a random set of numbers, letters, and special characters.
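The mechanism described above (one memorized master password unlocking an encrypted store of long, random, per-site passwords) can be shown in a few dozen lines. The following is an added illustration written for this page, not code from any actual password manager product: the master password is stretched with scrypt (a memory-hard key derivation function from Python’s standard library) into an encryption key and an integrity key, the store is encrypted with an HMAC-based keystream and protected by an HMAC tag (encrypt-then-MAC), and new passwords are generated with the `secrets` module. The stream-cipher construction is an assumption made to stay within the standard library; a real product uses a standard authenticated cipher such as AES-GCM or ChaCha20-Poly1305 for the same job. The vault contents are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# scrypt work factor: memory-hard, so guessing the master password offline is expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the single memorized master password into an encryption key and a MAC key."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF-based stream (assumption: stands in for a standard AEAD cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(master_password: str, entries: dict) -> bytes:
    """Encrypt the site->password mapping; returns salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)      # fresh salt: the same master password gives different keys per vault
    nonce = os.urandom(NONCE_LEN)    # fresh nonce: the keystream is never reused
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag first (constant time), then decrypt. Wrong master password and tampering both fail here."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob is truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def generate_password(length: int = 20) -> str:
    """A long random password the user never has to memorize: letters, digits and special characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample vault: one unique random password per service.
    vault_entries = {"webmail": generate_password(), "cloud": generate_password(24)}
    blob = lock_vault("correct horse battery staple", vault_entries)
    assert unlock_vault("correct horse battery staple", blob) == vault_entries
    print("vault round-trip OK; stored", len(blob), "bytes")
```

Two details are worth noticing. The salt is stored unencrypted next to the ciphertext, which is normal: its job is to make the derived key unique per vault, not to be secret. And a wrong master password is indistinguishable from a modified vault file, because both are detected by the same tag check before any decryption happens.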
2FA (two-factor authentication) refers to online services that require users to present two factors of authentication to access an account. For instance, a password plus a code sent by email (single-factor authentication refers to the common need to enter just a password).
MFA (multi-factor authentication) requires users to present two or more pieces of evidence, or factors, for authentication. For example, a password, a code sent by text message, and the answer to a security question.
All 2FA is MFA, but not all MFA is 2FA. 2FA and MFA are far more secure than single-factor authentication, but they are not unbreakable.