Skip to main content

Big brother watching over an employee with a magnifying glass

Imagezoo/Getty Images/Imagezoo

A quick Google search for security threats that plague small businesses turns up a vast amount of results ranging from such banalities as hackers to the most outlandish of exaggerations about brand monitoring and diverted funds. To be sure, small businesses are prone to the same weaknesses and vulnerabilities as larger enterprises, but their smaller size, scope and focus are as much of an advantage as a problem.

Here we look at the 10 most serious, current and underreported security breaches that affect the small business sector in Canada:

1. Malware infections that lead to data and productivity losses. Weaknesses caused by poorly configured systems and unpatched applications account for most software infections. Automatic software updates – such as anti-virus files and operating system patches – are often all that's required to keep up to date with the latest system vulnerabilities. This extends to everything, from the proper installation of voice mail systems to the setup of company e-mail.

Story continues below advertisement

2. Malicious breaches that go on indefinitely. Many security vulnerabilities exist for years before being detected, if ever. By adequately monitoring attacks, error logs and changes on the network, small business owners can make informed decisions about investing in security. And when it comes to monitoring, outsourcing to one of hundreds of managed IT service providers makes good business sense.

3. Hijacked domain names. Imagine losing the keys to your house, and powerlessly watching criminals as they make themselves at home in your house. Loss of control over internet properties is a serious business interruption as perpetrators often redirect websites to illicit destinations, and intercept the conversations of unsuspecting interlocutors. Ensuring that Internet domains and hosting accounts are locked down will go a long way towards protecting against this type of (usually ransom-related) crime.

4. Loss of accountability over employee accounts. Shared passwords and accounts are a common occurrence in small businesses. Whether people go on maternity leave or step away for a vacation, the unfortunate practice of sharing access credentials still takes place because it's convenient. The drawback is that without unique passwords that are only known by their rightful owner, accountability for any actions conducted using the account in question cannot be established. To avoid having someone else make mistakes or cause intentional damage using accounts that aren't theirs, small businesses must instill a culture of accountability that begins with properly defined and enforced security policies.

5. Insider threats and disgruntled employees. Employees must knowingly be subject(ed) to acceptable use policies, confidentiality agreements and strict security policies to ensure. To prevent against damage perpetrated by employees with too much access, small businesses must ensure that employees are aware of their responsibilities and system privileges by ensuring that everyone is trained on security awareness on an annual basis, and that they all sign documents indicating that they understand the training, policies and agreements.

6. Breaches caused by connecting (from) infected devices. Whether employees connect to work to read their e-mail or plug in an iPod, there is a potential for infection from devices that are or have been outside the relatively safe network perimeter. Any connection to work systems should be done from a dedicated work computer and not one shared by the entire family. Similarly, personal USB devices should be banned in favour of company-supplied ones that come with data encryption built in by default.

7. Any data breach, interception or access causes confidentiality breaches. The problem with lost data is that it cannot verifiably be recovered with the damage undone. Once copied or transferred, those actions can't be undone. The only effective way to prevent unauthorized disclosure, or breaches of confidentiality, is to encrypt data. Businesses often don't adequately protect their back-ups, their sensitive and confidential data or their Internet communications. By ensuring that proper encryption takes place at all steps of the information lifecycle, businesses ensure that data is protected and everyone is accountable for their actions.

8. Business interruptions due to backup data issues. Backup and restore processes are often improperly tested and result in data and productivity losses. Many businesses are then forced to suspend operations for weeks, and may never recover as a consequence. By ensuring that proper backup encryption is in place and that recurring restoration testing is performed, the risk of losing data can be controlled.

Story continues below advertisement

9. Physical breaches and theft. With such a focus on hacking and cybercrime, it's understandable that less glamorous types of security are taking a back seat to a movement towards better IT security. Unfortunately, this happens as physical theft is booming and ranges from entering the office unchallenged to breaking in on the week-end. This shift back to low-tech crime is due in part to stronger network security as well as to the ease with which it can be pulled off. But it works, and laptop theft alone accounts for billions of dollars losses. Whether it takes place at the employees' homes or at work, physical security measures such as bike locks and fully encrypted hard drives should be used as preventative controls against this type of crime.

10. Trust abuses. As humans, we are naturally trusting, so when presented with apparently legitimate individuals in a position of authority, we play along, often to the detriment of the company and its information assets. Social engineering is the practice of abusing people's trust to compromise – or steal – company property (or personal details). Whether it's called pretexting, spear phishing or simply a con job, it's effective and the only antidote is employee vigilance. Ensuring that employees know how to react when receiving that phone call or e-mail will go a long way towards creating a culture of awareness and accountability that will inevitably lead to better protection for the business and its data.

As chief security officer of Informatica Corporation, Claudiu Popa helps Canadian small businesses protect information assets against current security threats including viruses, hackers, thieves and blackouts. He is the author of the Canadian Privacy and Data Security Toolkit for Small and Mid-Size Business, published by the CICA. Follow him on twitter.com/datarisk

Report an error Editorial code of conduct
Comments

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • All comments will be reviewed by one or more moderators before being posted to the site. This should only take a few moments.
  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed. Commenters who repeatedly violate community guidelines may be suspended, causing them to temporarily lose their ability to engage with comments.

Read our community guidelines here

Discussion loading ...

Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.
Cannabis pro newsletter