ARTICLE

Safeguard Your Business: Your 10-Step Starter to Cyber Security

Florin Soltan
Florin is a Cyber Security Product Manager at Acronym. He helps organizations protect against digital threats by developing and implementing robust security strategies to safeguard sensitive data and infrastructure.
Awomen Joining the Conference call

By the end of 2024, the cost of cyber attacks on the global economy is predicted to surpass a staggering $10.5 trillion. With a growing number of Canadian organizations claiming they’ve suffered a security incident in the past 12 months and the average cost of a ransomware payment rising by 15% over the past three years, it’s clear that cyber security needs to be a priority for every business—big or small. But as attacks become more frequent and sophisticated, so do cyber security defences—so where does your business begin?

In this article, we’ll explore ten practical strategies that will lay the foundation for safeguarding your business. By studying and adopting these measures, you’ll not only boost your defences—you’ll potentially save your business millions in financial, reputational, and legal repercussions that can result from a serious cyber incident. We’ll cover:

  • Implementing strong password policies
  • Keeping software and systems updated
  • Using a robust next-generation firewall
  • Encrypting sensitive data
  • Training employees on cyber security
  • Regularly backing up data
  • Implementing access controls
  • Deploying proactive anti-malware endpoint protection software
  • Securing your corporate network perimeter
  • Creating an incident response plan
Computer with security icons

10 Steps to Safeguard Your Business

1. Implement Strong Password Policies

In 2024, over 10 billion passwords were leaked in the largest data leak of all time. The stark reality? More than 80% of breaches can be attributed to stolen, weak, or reused passwords. While it may seem like an overly simplified strategy, enforcing proper password policies could prove to be your best defensive front line.

Best practices for developing your password policies include:

  • Password managers: These handy tools can help your employees generate and keep track of long, complex passwords without the need to memorize or write them down. By using a password manager, every account can have a unique and complex password, reducing the risk of breaches due to password theft or reuse.
  • Password complexity: Enforce the use of complex passwords that combine uppercase and lowercase letters, numbers, and symbols to increase the difficulty for potential hackers trying to gain access. Consider using the “12-3-2” rule, which suggests you should use at least 12 characters, including 3 numbers and 2 special characters.
  • Regular password updates: Changing passwords regularly can help mitigate the risks of long-term exposure from data breaches. We recommend enforcing a company-wide password change every 90 days, especially for accounts related to sensitive data.
  • Multi-Factor Authentication (MFA): MFA (sometimes called 2FA) requires users to provide two or more verification factors to log in—such as an email code, mobile app confirmation, or biometric data—along with their password. This added layer of security ensures that even if a password is compromised, unauthorized users won’t easily gain access. Microsoft believes that MFA reduces the risk of compromise by over 99%.

2. Keep Software and Systems Updated

On average, companies use over 200 software applications to run their business, ranging from social media platforms to accounting systems. While these tools are useful and necessary, cyber attackers frequently exploit vulnerabilities, or security holes, in the software. This is why applying regular software updates that fix vulnerabilities, otherwise known as a “patch,” is a critical cyber security defence. To give you an idea of the potential impact, a recent Ponemon Institute survey revealed that 60% of IT professionals have experienced a data breach in the past two years that could have been prevented by installing an available patch.

This is why you should follow these best practices for patch management:

  • Automatic updates: Enable settings that allow software to update itself automatically whenever a new version is available, minimizing the chance that a patch is missed.
  • Monitoring systems: For applications where automatic updates aren’t feasible, actively monitor your systems to identify updates that need to be manually applied.
  • Regular maintenance: Schedule routine maintenance checks to ensure all systems are updated and functioning properly. This could include ongoing scans for new vulnerabilities, monthly reviews of software updates and security logs, quarterly audits to track patch performance and a comprehensive annual review of security incidents and patch management practices.

3. Use a Robust Firewall

A firewall is a security device that serves as a gatekeeper for your organization’s network, controlling incoming and outgoing traffic based on security rules. It creates a distinction between your trusted internal network and untrusted external networks, like the internet, to prevent cyber security threats and unauthorized access. While firewalls aren’t a one-and-done solution for cyber security like they may have been 20 years ago, they remain an integral part of your larger line of defence.

Here are some best practices for maintaining a robust firewall:

  • Regular updates: Ensure your firewall’s software or firmware is frequently updated to protect against the latest threats and vulnerabilities. This means rolling out updates as they’re released by the manufacturer because they often contain vulnerability patches, bug fixes, or resolutions to other issues that could impact their effectiveness.
  • Use both hardware and software firewalls: Implement hardware firewalls to protect the entire network and software firewalls on individual devices for a layered approach to cyber security.
  • Configure to block unauthorized access: Carefully configure your firewall rules to allow only legitimate traffic and block attempts to access your network resources without authorization. Once you’ve defined what “safe” traffic is, you can set access rules by allowing or denying traffic from certain IP addresses, port numbers, or protocols. For example, you might only authorize access to anyone using your local office’s IP address.

4. Encrypt Sensitive Data

Between 2012 and 2022, enterprise-wide encryption rose in worldwide adoption from just 27% on average to 62%. This growth only continues as businesses recognize the significance of encryption—so what makes it so effective? Simply put, encryption is the process of converting data into a coded format that can only be read with a specific key or password. This secures your valuable company data from unauthorized access which is especially important for sensitive information—like financial data—both stored and transmitted over networks.

Here are some best practices for data encryption:

  • Encrypt data at rest and in transit: Use strong encryption protocols to secure data, whether it’s stored on your devices or being sent over the internet. Encrypting data in both states ensures it’s protected from every angle.
  • Use strong encryption standards: Implement industry-standard encryption algorithms such as AES (Advanced Encryption Standard) with a key size of at least 256 bits. This will ensure the security of your data against brute force attacks and other decryption attempts.
  • Manage encryption keys securely: Make sure to store your encryption keys separately from the encrypted data and implement strict access controls and rotation policies for these keys. Only a limited number of authorized users in the business should have access to maintain integrity and limit risk.

5. Train Employees on Cyber Security

Human error is one of the leading causes of security breaches. Verizon’s 2024 Data Breach Investigations Report states that a staggering 68% of breaches involve a human element that could have been prevented with better care. Thankfully, regular training can significantly mitigate this risk by creating a security-aware culture in your organization.

Here are best practices for training employees on cyber security:

  • Regular training sessions: Schedule monthly or quarterly cyber security training sessions that cover current cyber threats, security protocols, and safe internet practices. Use engaging content like videos and interactive quizzes to keep the training engaging and memorable.
  • Phishing simulation exercises: Regularly conduct controlled phishing attacks to test employee awareness and provide feedback on their responses. This hands-on approach helps employees recognize and avoid real-life threats.
  • Clear policies: Develop detailed policies on data security, including how to handle and share sensitive information securely. These guidelines should be easily accessible to staff, included in onboarding for new team members, and should include consequences for non-compliance. To ensure they’re adopted company-wide, conduct workshops to walk employees through scenarios where they might need to apply these policies.

6. Regularly Backup Data

Backups are vital for restoring business operations after losing data to a cyber-attack, system failure, or natural disaster. A 2022 IDC survey revealed that 35% of businesses that experienced data loss due to a cyber-attack could not recover it. Imagine the impact it would have on your business if its valuable documentation suddenly ceased to exist. It could lead to devastating financial losses, operational disruptions, and loss of trust from customers. This is why it’s so important to maintain a backup of your critical information. In the event that your data is taken hostage by a hacker, you have a safe and secure backup waiting in the wings.

Here are some best practices for managing your data backups:

  • Automate your backup processes: Set up automated backups to occur at regular intervals (daily or weekly) to ensure your data is consistently backed up without manual intervention. This lessens the risk of forgetting to perform backups and reduces downtime in the event you need to perform a data recovery.
  • Maintain offsite storage: Store backup copies in a location separate from your primary data centre to protect against localized threats like theft, fires, or floods. Using cloud services to store your backups can be an efficient way to manage them.
  • Regular testing for integrity: Periodically test your backups to ensure they are complete, and the data can be restored accurately. This testing helps identify any issues in the backup process early, ensuring that data recovery is possible when needed.
Infrastructure Services

7. Implement Access Controls

Not everyone in your organization needs access to all systems and data. Sensitive information like employee records, financial data, and legal files are examples of things that may only need to be accessible by select leaders in your business. Implementing access controls using the principle of least privilege ensures that employees have access only to the resources necessary for their job roles. This minimizes the security risk of data ending up in the wrong hands.

Here are the best practices for getting started with access controls:

  • Least privilege principle: By assigning employees the minimum level of access necessary for their roles, you can limit potential damage if an account is compromised. Regularly review access levels to ensure they are still appropriate as roles change.
  • Role-based access controls: The best way to determine who needs access to what information is by defining roles and assigning access permissions based on these roles. For example, you might have hierarchical access control groups for executive leadership, middle management, and junior employees. You may also layer on departmental control groups, such as Finance, Marketing, Human Resources, and so on. An employee in the executive leadership control group will have much broader access to network files compared to a junior employee in marketing.
  • Regular audits of access rights: Conduct periodic audits to review who has access to what. Identify and revoke unnecessary access permissions and ensure compliance with your company’s access control policies. This will help to quickly address any unauthorized access or potential security gaps. During these audits, pay special attention to new hires and employees who have changed roles or been promoted.
  • Termination protocols and offboarding procedures: It’s crucial to have a well-defined process for revoking access when employees leave the company, whether through termination or voluntary resignation. Immediately disabling their access to company systems, applications, and sensitive data prevents any potential misuse of company resources. Ensure that all credentials are deactivated, including access to third-party services, email accounts, and any physical access controls. This proactive step helps to maintain data security and reduces the risk of unauthorized access after an employee’s departure. Regularly reviewing and updating offboarding procedures ensures they remain effective and aligned with current security practices.

8. Deploy Proactive Anti-Malware and Antivirus Software

Malware, short for malicious software, is just as dark as it sounds. It’s intentionally designed to cause damage to your computer systems or network with motives ranging from making money, to sabotaging a business. Proactive anti-malware solutions can detect and block threats before they infiltrate your system. This includes viruses, ransomware, spyware, and other malicious software that can compromise your data and operations.

Here are best practices for anti-malware and antivirus software:

  • Use reputable software: Choose well-known and trusted antivirus and anti-malware solutions to ensure comprehensive protection.
  • Keep definitions updated: Cyber threats evolve rapidly, with new viruses and malware being developed constantly. By keeping your software’s definitions up to date, you equip it with the latest information about these new threats, enhancing its ability to detect and neutralize them. Many antivirus programs offer automatic updates, simplifying the process and ensuring continuous protection without requiring manual intervention.
  • Run regular scans: Schedule frequent scans of your entire system to detect and remove any malware or viruses. Regular scans help in identifying threats that might have been missed during real-time protection.

9. Secure Your Network

Your IT network perimeter is like the front door to your home. If you live in a risky neighbourhood, you want it to be impenetrable and regularly monitored—but at the same time, you need to make it pleasant for trusted people to come and go. In 2023 alone, there were 7.6 trillion network intrusion attempts globally. If there’s a weak point, hackers will eventually find it. This is why securing your network is a key step to making your business hacker-proof.

Here are our best practices for network security:

  • Use secure Wi-Fi protocols: If a hacker gains access to your Wi-Fi network, they could intercept sensitive data, deploy malware, or gain further access to other parts of your network, leading to a significant data breach. To avoid this, ensure your wireless networks use strong encryption protocols like WPA3 to prevent unauthorized access and secure your Wi-Fi  from potential intruders.
  • Implement VPNs for remote access: Virtual Private Networks (VPNs) encrypt internet connections for remote workers, allowing your staff to securely connect to your corporate network over any stable Wi-Fi connection. This protects sensitive data from being intercepted during transmission, which is important as remote work continues to rise.
  • Segment networks: Divide your network into smaller segments, or subnets, to limit the spread of potential breaches. Network segmentation helps contain threats, protecting critical areas of your infrastructure by isolating them from other network sections, which lessens the damage an intruder can cause if they do penetrate your network.

10. Develop an Incident Response Plan

Even if you take a proactive and robust approach to cyber security, breaches can occur. Having an incident response plan in place prepares your business to respond swiftly and effectively when that happens. Remarkably, only 35% of companies have an incident response plan in place, despite its importance in mitigating the damage of cyber incidents.

Here are some best practices for creating your incident response plan:

  • Define clear steps: Begin by outlining a step-by-step process for identifying, containing, eradicating, and recovering from cyber incidents. Clearly define roles and responsibilities to ensure quick and coordinated action during an incident. This structure will help reduce confusion and delays in the event of a cyber attack so you can respond more effectively.
  • Regularly update and test: Keep the incident response plan up-to-date with the latest threat intelligence and any changes to your business. It’s a good idea to regularly conduct drills and simulations to test the plan’s effectiveness so you can make necessary adjustments and ensure the plan remains relevant in real-world scenarios.
  • Communicate the plan: Provide comprehensive training to all employees on your incident response plan and their specific roles within it. This ensures everyone knows what to do in the event of an attack, facilitating a quick and efficient incident response. Training also helps build a culture of preparedness and ensures that every team member can contribute effectively during a crisis.

Partnering with an ICT Solutions Provider

Cyber security programs can be a substantial undertaking—especially when navigating budget constraints, talent shortages, and the rapid pace of change that we see in IT. That’s why many businesses opt to partner with Information and Communications Technology (ICT) providers to build and maintain a cyber security program.

Some benefits of working with an ICT solutions provider for cyber security include:

  1. Continuous Threat Monitoring
    An ICT solutions provider offers round-the-clock monitoring of your IT systems through fully managed services like Acronym’s Secure IT. This helps in the early detection and mitigation of potential security threats before they can cause significant harm, ensuring your systems are always protected—even outside of regular business hours.
  2. Expert Management of Security Measures
    Professional ICT providers employ cyber security experts who are well-versed in the latest threats and security practices. They can manage and implement advanced security tailored to your business and its privacy needs. This expert management includes setting up firewalls, secure Wi-Fi connections, endpoint security, and performing regular penetration tests to maintain a strong security posture.
  3. Access to the Latest Technology and Best Practices
    Keeping up with the latest technology and cyber security best practices can be challenging. Working with a partner like Acronym gives your business access to leading technology and ensures that you are always in tune with the most current and effective security strategies.

Is It Time to Fortify Your Cyber Security?

While cyber security programs can be a substantial undertaking, the benefits far outweigh the costs. Now that you’ve taken the time to get educated on these foundational cyber security strategies, it’s time to put them into practice and partner with a professional ICT solutions provider to help you stay ahead. Explore Acronym’s Cyber Security Solutions to learn more.

Learn more about our featured solutions

Someone working to Secure corporate folders
Product Summary

Secure IT

Fully managed security solution designed to guard your network and entire IT infrastructure – including cloud resources and remote devices – from threats and attacks.

A women Monitoring Virtual data centre
Product Summary

Secure IT Firewall

A real-time monitoring and management service that includes next-generation firewall(s) to protect your network’s infrastructure.

About Acronym

Acronym Solutions Inc. is a full-service information and communications technology (ICT) company that provides a range of scalable and secure Network, Voice & Collaboration, Security, Cloud and Managed IT Solutions. We support Canadian businesses, large enterprises, service providers, healthcare providers, public-sector organizations and utilities. We leverage our extensive network expertise to design and build customized, fully scalable solutions to help our customers grow their businesses and realize their full potential. With more than 20 years’ experience managing the communications system that enables Ontario’s electrical grid, Acronym is uniquely positioned to understand the mission-critical needs of any business to deliver the innovative and reliable services that respond to the changing demands of businesses, and support rapid growth and digital transformation initiatives.

Get our latest industry insights right in your inbox