Guide to cybersecurity best practices every business should follow
While you might think that only large companies are targeted by cyber criminals, it turns out that small- and medium-sized businesses (SMB) are also at risk. This guide will show you why good cybersecurity practices are a valuable security tool for businesses of all sizes. It also identifies common cyber threats and offers 10 cybersecurity best practices for small businesses.
Why cybersecurity is important for every business
Why should cybersecurity be on your radar?
- 3 in 4 SMEs have experienced a cybersecurity incident, according to the Business Development Bank of Canada (BDC)
- 48% think they’re vulnerable to cyber attacks, according to the Insurance Bureau of Canada (IBC)
- 22% have cyber insurance, according to the IBC
- 5% have no cybersecurity measures in place, according to the BDC
Implementing a cybersecurity policy doesn’t have to be difficult or expensive, and a strong cybersecurity strategy, including cyber risk insurance, can be worth its weight in gold. It can help defend your business against evolving cyber threats, enhance your regulatory compliance and even improve consumer trust.
The real costs of a cybersecurity breach
A security breach can hit your business hard—and not just financially. The impact can have far-reaching effects:
Money matters: Recovering from a data breach, fixing the damage and dealing with theft can get expensive fast. According to the Insurance Bureau of Canada, nearly half (46%) of small businesses that have suffered a cyber attack incurred more than $100,000 in costs to recover.
Reputation: If customers feel their data isn’t safe with you, they might take their business elsewhere.
Legal ramifications: Security breaches can lead to lawsuits or fines.
Business interruption: You might have to put your operations on hold, which means lost time and lost revenue.
Cyberattacks: Know them to stop them
Cyber threats are attacks on digital systems designed to steal data, disrupt business or generally cause harm. As technology advances, these threats grow more frequent and complex, so it’s important to stay informed to keep your systems and data safe.
The most common cyberattack methods
Threat actors use a range of attack methods against businesses, such as:
Malware
Phishing
Ransomware
Impersonation scams
Sandra’s story
Just one click on what looked like a harmless email unleashed a ransomware attack on the unsuspecting owner of a real estate office. It started with her computer, but quickly spread across the office, encrypting data and blocking systems.
Learn more about common types of cyber attacks.
Human error: A major vulnerability
While the idea of cyber threats may bring to mind sophisticated attacks, at the end of the day human error is still a major vulnerability. To err is human, as they say, and simple mistakes like weak or repeated passwords can lead to serious consequences.
The best way to combat this type of risk is through prevention. That means strong security policies and ongoing employee training. Building a culture of cybersecurity awareness starts with your people.
10 cybersecurity best practices to secure your business
Some attackers focus on specific types of targets, but others are just looking for any weak spots they can find. That means that any business could be hit by a cyber incident at any time. The key is to not panic and be prepared. A little awareness and the right precautions can go a long way. Check out these cybersecurity tips to find ways to help keep your business safe.
1. Training and employee awareness
Security awareness training for your employees is one of the best ways to improve your company’s cyber hygiene. Ongoing training can help you stay on top of new threats, and regular phishing simulations can be a way of keeping your employees on their toes. An informed team is your first line of defence.
A good place to start is with your onboarding process. It can help new employees build good habits from day one. Different kinds of tools are available to guide you.
2. Keep software and systems up to date
Keeping your business secure isn’t necessarily about having the latest software solutions. It’s just as important to make sure your antivirus software and other programs are up to date. Outdated programs can have vulnerabilities that can be exploited by hackers, so here are some steps you can take to reduce those vulnerabilities:
Enable automatic updates for your operating systems, browsers and antivirus software, and schedule manual checks for older systems.
Prioritize critical and security updates (don’t delay updates flagged as “urgent” or “security-related”).
Remove outdated and unused software to reduce vulnerabilities.
Remind your team to install software updates when required and to report related issues and errors.
3. Use strong passwords and enforce access controls
Another way to keep your business safe is to require strong, unique passwords. Length and uniqueness matter most: passwords should be at least 12 characters long (a passphrase of several unrelated words is easier to remember than a forced mix of symbols), and no password should be reused across accounts, since a password leaked from one service is routinely tried against others. To make this practical, use a password manager to generate and securely store passwords.
It’s also important to enforce access controls. That means setting up strict control mechanisms so you can be sure that only authorized users can access systems, sensitive data and your digital resources. By defining clear access rights and reviewing them regularly, you can significantly reduce the risks associated with data breaches or human error.
Colin’s story
A hacker stole this general contractor’s username and password and used them to get into his email account. Next, the criminal sent falsified invoices to Colin’s clients with new bank transfer instructions that redirected payments into the criminal’s account. Finally, the personal information of 90 clients was also stolen.
4. Enable multi-factor authentication (MFA)
Since usernames are often easy to guess and people tend to repeat passwords or choose easy-to-guess ones, multi-factor authentication (MFA) adds an extra layer of security.
With MFA, on top of a password, users need to confirm their identity with something like:
A code that is emailed or texted to them
A fingerprint or face scan
An app-generated verification code
It’s a good idea to enable MFA for sensitive accounts such as banking, customer relationship management (CRM) systems and email. It’s one of the simplest and most effective ways to protect against unauthorized access. Not all second factors are equal: codes sent by text or email can be intercepted or talked out of an employee by a scammer, so where the service supports it, prefer an authenticator app or a hardware security key, and never approve a prompt or share a code you didn’t request.
5. Regularly back up critical business data
The 3-2-1 backup rule is considered a best practice to help you protect your data, and you can incorporate it into your cybersecurity policy as easy as 3-2-1:
Keep 3 copies of your data: 1 primary and 2 backups
Store the copies on 2 different types of media, such as a local disk or NAS and cloud storage, so one failure can’t take out both
Keep 1 copy offsite, and ideally offline or immutable, so ransomware that reaches your network can’t encrypt or delete it too
A backup only counts if you can restore from it: test restores on a schedule, and check that the copies actually match the original rather than assuming the job succeeded.
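The 3-2-1 rule says how many copies to keep, but a copy you have never checked can fail silently (a truncated transfer, bit rot, or a file an attacker altered before the backup ran). The following is an added example, not code from the original article, showing the verification step: build a SHA-256 manifest of the primary data, check each backup copy against it, and catch a single altered byte. The directories are temporary stand-ins for a primary disk and two backup media; the file contents are constructed for the example.

```python
"""Added example (not from the original article): verifying 3-2-1 backup copies
against a hash manifest of the primary data. Standard library only."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file (path relative to root, '/'-separated) to its digest.
    Store this manifest with the backups; it is what a restore is checked against."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_copy(copy_root: Path, manifest: dict[str, str]) -> list[str]:
    """Return the relative paths that are missing from the copy or whose digest
    differs. An empty list means the copy is a faithful replica of the primary."""
    problems = []
    for rel, digest in manifest.items():
        target = copy_root / rel
        if not target.is_file() or sha256_file(target) != digest:
            problems.append(rel)
    return problems


def demo() -> dict:
    """Primary data plus two copies on 'different media', verified; then a single
    flipped byte in one copy, which the verification must report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        primary = base / "primary"
        (primary / "invoices").mkdir(parents=True)
        # Constructed sample data standing in for real business files.
        (primary / "invoices" / "2024-03.csv").write_text("client,amount\nacme,1200\n")
        (primary / "clients.db").write_bytes(bytes(range(256)) * 4)

        manifest = build_manifest(primary)
        nas_copy = base / "nas_backup"          # copy 1: local disk / NAS
        offsite_copy = base / "offsite_backup"  # copy 2: cloud or offline media
        shutil.copytree(primary, nas_copy)
        shutil.copytree(primary, offsite_copy)
        clean = {"nas": verify_copy(nas_copy, manifest),
                 "offsite": verify_copy(offsite_copy, manifest)}

        # Simulate silent corruption or tampering: one byte changes in one copy.
        damaged = offsite_copy / "clients.db"
        data = bytearray(damaged.read_bytes())
        data[10] ^= 0xFF
        damaged.write_bytes(bytes(data))
        after = {"nas": verify_copy(nas_copy, manifest),
                 "offsite": verify_copy(offsite_copy, manifest)}

        return {"files": len(manifest), "clean": clean, "after_corruption": after}


if __name__ == "__main__":
    print(demo())
```

The offline copy cannot be checked while it is unplugged, so run the verification when you rotate it in, and keep the manifest itself somewhere the backup job cannot overwrite; otherwise ransomware that encrypts both the files and the manifest leaves you nothing to compare against.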
6. Monitor your network and detect threats
It’s important to keep an eye on your systems to spot unusual activity and to identify risks like malware, phishing or unauthorized access.
Even small businesses can do this with the tools they already have: firewalls, antivirus or endpoint software, and the sign-in logs of their email and cloud services. Pay attention to activity alerts (automatic warnings about strange behaviour, such as repeated failed logins or sign-ins from unexpected locations) and review your logs regularly. These are good ways to help catch threats early.
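"Review your logs regularly" is easier to act on with a concrete rule. The following is an added example, not code from the original article, of the kind of detection a small business can run over its own SSH authentication logs: it flags a source address that racks up many failed logins in a short window, and flags more loudly the case that really matters, a login that succeeds right after such a burst. The log lines are constructed for this example and use reserved TEST-NET addresses.

```python
"""Added example (not from the original article): detecting password brute force
and success-after-failures in sshd authentication logs. Standard library only."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd log format as written by OpenSSH via syslog (timestamp has no year).
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_line(line: str, year: int = 2024):
    """Return (timestamp, outcome, user, ip) for login attempts, None for other lines."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def detect_brute_force(lines, threshold: int = 5, window=timedelta(minutes=2)):
    """Sliding-window count of failed logins per source IP.
    medium: at least `threshold` failures inside `window` (guessing / spraying)
    high:   a successful login from an IP that just produced that many failures,
            which should be treated as a likely compromise, not a lucky user."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "ip": ip, "user": user,
                               "reason": f"{len(q)} failed logins within "
                                         f"{int(window.total_seconds())}s"})
        elif len(q) >= threshold:
            alerts.append({"severity": "high", "ip": ip, "user": user,
                           "reason": f"login succeeded after {len(q)} recent failures"})
    return alerts


# Constructed sample log: one attacker (203.0.113.45) guessing, then getting in
# as 'deploy'; one employee (198.51.100.7) mistyping her password once.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 09:12:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 10 09:12:04 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 10 09:12:06 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 10 09:12:07 web01 sshd[2215]: Failed password for invalid user test from 203.0.113.45 port 51026 ssh2
Mar 10 09:12:30 web01 sshd[2230]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Mar 10 09:12:41 web01 sshd[2230]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
Mar 10 09:13:15 web01 sshd[2240]: Accepted password for deploy from 203.0.113.45 port 51030 ssh2
Mar 10 09:13:20 web01 sshd[2241]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The threshold and window are tuning knobs: too low and a forgetful employee pages you at 2 a.m., too high and a slow, patient attacker stays under it. Counting per source address also misses attacks spread across many addresses, which is one reason the MFA and account-lockout controls above matter more than any single detection rule.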
7. Develop an incident response plan
An incident response plan is a playbook your company can follow to detect, respond to and limit the effects of a cyber attack or other disruptions. A good plan can help you limit damage, speed up recovery time and ensure business continuity.
Incident response plan templates are widely available and commonly used. They provide a general framework your teams can build on. Some of the elements to include in your plan are:
Roles and responsibilities: Clearly define who is responsible for each part of the process to help ensure a coordinated response during a crisis and make sure there’s no confusion about who does what.
A communication plan: List all key contacts and escalation paths. Be sure to include after-hours contact information, as well as back-up contacts to make sure you’re prepared at any time of day or night.
Response tools: Equip your team with the tools they need to detect, contain and recover from incidents. This includes monitoring solutions (SIEM, antivirus software and intrusion detection systems), analysis tools (forensic and sandbox environments), secure communication platforms and reliable backup and recovery systems. Make sure the tools are accessible, properly configured and up to date to stay ready for any crisis.
To learn more about how you can develop an incident response plan, visit the Canadian Centre for Cyber Security.
8. Regularly audit your security practices
Every company should run regular security audits. They’re a comprehensive assessment of your IT systems to identify risks and vulnerabilities. While the scale and complexity of the audits will vary with the size of your business, regular reviews are the key to strong security.
Depending on the size of your business, you could keep these audits in-house or deal with an external provider. Larger companies may prefer to outsource audits.
Tips for small businesses
Even if you don’t have a team of in-house cybersecurity experts, you can:
Use automated tools and checklists to streamline internal audits
Outsource external audits to a cost-effective third-party provider
Document your findings and track improvements that you make
9. Mobile devices and remote work
These days, more employees work remotely, and many use their own mobile devices for work. To minimize security issues, it’s important to implement best practices:
Virtual private network (VPN): For remote teams, VPN is a must to keep communications secure and protect sensitive data. While many solutions are low-cost or even free, some free VPNs can compromise data privacy or have security flaws. Be sure to choose a reliable provider with strong encryption and a clear privacy policy.
Device and data encryption: Make sure that data is encrypted on devices and during communication. Many free encryption tools are built into operating systems.
Bring-your-own-device (BYOD) policy: Set out clearly defined rules for using personal devices at work. These can include password protection, a ban on public Wi-Fi, mandatory security settings, etc.
10. Get cyber risk insurance coverage for your business
The fallout from a cyber incident can be expensive. It can hurt your reputation, your operations and your bottom line. Cyber risk insurance doesn’t replace strong security protocols—it complements them. It can help protect your business from financial losses if an attack happens.
Depending on which types of coverage you have, cyber risk insurance could help you:
Recover from data loss by helping to cover the costs you incur to recover it
Respond to ransomware attacks by helping to cover ransom payments, negotiation services and the cost to restore operations
Mitigate business interruption by helping to compensate for lost income and the extra expenses you incur to get back online
Broadly speaking, cyber risk insurance exists to help businesses deal with the financial fallout of an attack, with the two primary coverage types being:
Data Compromise: Protection in the event that personal information in your business’s possession is lost, stolen or unintentionally disclosed
Computer Attack: Protection in the event of an attack on your business that leaves you locked out of your operating systems, data and software
Our cyber risk insurance for businesses offers you access to a suite of training and support tools that can be personalized by sector. These include online training modules, external incident management resources, risk management tools, a learning centre and a news centre.
Learn more about our Cyber Risk Insurance for Businesses.
Stay ahead: Why cyber vigilance should be continuous
In today’s hyper-connected digital world, cyber threats are constantly evolving. New tactics, new targets and more sophisticated attacks are emerging all the time. To protect your business, it’s important to stay informed, keep your security practices up to date and constantly strengthen your defenses. A proactive mindset and ongoing vigilance can help you spot risks early and respond quickly if something goes wrong.
Recent examples of cyber threats
Deepfakes are AI-generated images, videos or audio clips that show real people doing or saying things they never did. They’re typically used maliciously to spread misinformation.
For example, a video could be created of you saying or doing offensive things. It’s hard to know if it’s real, so your reputation could take a hit.
QR phishing, or quishing, is a type of cyber attack that tricks a user into scanning an innocent-looking QR code that actually encodes a link to a malicious website. Because the address is hidden inside the code, the usual advice to check a link before clicking doesn’t apply.
A data breach could occur if you scan a malicious QR code thinking it’s legitimate. It can lead to a fake login page where, if you enter your credentials, attackers could use them to access your internal systems, email or other sensitive information.
AI-powered attacks are cyber attacks that use artificial intelligence and machine learning to automate and scale what used to be manual work, such as writing convincing, personalized phishing messages or guessing passwords.
Password guessing is one area where this shows. Models trained on leaked passwords and on how people tend to build them (a name, a year, a symbol at the end) can rank likely guesses far better than a plain dictionary, which is just another reason for long, unique passwords and MFA.
How to stay informed to protect your business
Scammers are refining their techniques all the time, so to keep your business as safe as possible, it’s important to be prepared. This applies to all companies, not just companies that are entirely online. If you have any sort of an online presence, or if you store client information online, you’re a potential target. Your website, a social media account or even just email can be vulnerable.
To stay on top of trends in cybercrime, you can:
Subscribe to government alerts, from agencies like the Government of Canada’s Cyber Centre; they send out alerts and advisories on potential, imminent or actual cyber threats
Offer ongoing employee training to ensure that security is top of mind for everyone
Help raise employee awareness of cyber threats so they feel engaged. This can help reduce human error, improve threat detection and ensure compliance with regulations.
Key takeaways
Cybersecurity isn’t a nice to have these days—it’s a must for businesses of all sizes. Attacks are becoming more sophisticated, so it’s important for you to put tools and practices into place to protect your data, your operations and even your reputation. Implementing these 10 best practices may help you reduce your risk and build a more resilient organization.
And remember, cybersecurity isn’t a one-time fix. It’s an ongoing commitment to vigilance, education and adaptation. Stay informed and stay secure.
Find out more about cybersecurity for businesses.