Did someone at your office open a file containing a virus and corrupt years of useful files? Did a computer break, the one containing all of your important client records, with no backup to recover from? Did your liability insurance provider add a notice requiring your staff to get cyber security training? What topics should that even cover?
Here’s a list of elementary topics to help satisfy the basics of keeping your data, privacy and reputation safe, preserving your clients’ privacy and complying with Canadian privacy law (PIPEDA). For more detail, see the resources at the end.
1. Password Hygiene
Passwords have changed since the days when you could get away with a short password made of your dog’s name plus an exclamation mark. Hackers use powerful systems to crack short, insecure passwords. You will need to choose a policy for how long a password needs to be. Hint: It’s a lot longer than you think, but it doesn’t have to be hard to remember. When are biometrics and authenticator apps preferred? Is two-factor authentication required where available (yes!)? Whose cell phone is used if phone authentication is required?
Passwords should be stored securely as well, such as in a password manager. They should not be stored in the browser when your browser asks if you’d like to save it for later. Why? Because anyone who can open your browser has access to your passwords. A password manager program/service can give similar convenience more securely.
2. Backups
Making a copy of all important data on a regular basis is important. Backup copies are ideally automated, encrypted, and stored in a physically separate place from the main data. If your main device breaks, is infected with a virus or ransomware, or is stolen, you want your backup copies somewhere else, and disconnected from any infection.
3. Encryption
Encryption is a way of scrambling the data on your device so that only authorized users can read it. If your device is stolen, or hackers attempt to access the information on it in other ways, it will be unreadable to them. There are some effective ways to accomplish this that don’t make things harder for you, just for them.
4. Software Updates
How often should software updates be run? How should that be done? What is the impact of not running updates? Did you know that hackers often time their attacks for just after a new software update is released, because they mine it for clues about security vulnerabilities in previous versions? These attacks target those slow to run updates, so how frequently is wise?
5. Secure Storage of Devices
The physical protection of devices is often overlooked. Policies covering who has access to company devices, and how they should be physically secured, are important. Are laptops stored in a locked cabinet when not in use? How about phones? Who has physical access to servers? Offices? Backups? Records?
6. Selection of Cloud-Based Suppliers
It is not always obvious in which country the information you enter into a device or service is stored. Customer data legally must be stored on servers that adhere to Canadian privacy standards and legislation. US-stored data is particularly problematic right now, as US privacy law doesn’t protect non-US customers, and may compel suppliers to disclose your data without your knowledge or consent. Finding Canadian suppliers has its own complexities too, particularly with ever-changing legislation.
7. Safe, Appropriate and Ethical Use of AI
What is safe to put into consumer AI engines and other large language models while preserving your intellectual property and your customers’ privacy?
8. Service Agreements and Policy
What should your suppliers agree to around security, privacy and data storage? What kinds of workplace policies should be in place to ensure sensible data protection practices are known about and followed?
9. PIPEDA Compliance
In rough terms, PIPEDA compliance requires you to follow the current best practices for keeping your data and information safe. Do you know what those are?
10. How to avoid phishing, ransomware and attacks delivered by email or phone
What is safe to click on? How do I protect my devices in case I get scammed? New AI-driven scams can be very convincing; chances are someone will click on the wrong thing eventually. How do you keep your data secure? What do you do in case of a breach?
Getting Competent Help and Training
I have been advising Canadian businesses on their information technology and web systems since 2000. I am known for explaining technical topics well in plain language to folks at many levels of knowledge. I always keep in mind that you know your own business best. I offer both live training (on site or over video conferencing) and also an affordable online course with a certificate of completion for your records. There are specialized versions for counsellors in private practice, non-profit organizations, or Canadian small business with content and examples unique to those industries. For more information on those offerings you can visit the cyber security training page on this site. Do you have a quick question about cyber security? Feel free to ask.
Let’s Talk About Cyber Security