Cyber Security Awareness Month

• By: admin
• On: 10/24/2024 13:11:06
• In: October 2024

1. Cyber and Information Security Tip: CAN/DGSI 104 (formerly CAN/CIOSC 104) framework, published by the Digital Governance Council of Canada, is a great way to be recognized by customers for your security investments. It's a compliance standard intended for small businesses; however, it's a great starting point for any size business, especially if you have a larger goal. For example, complying with a framework such as NIST 800-53, CMMC, CP CSC, or ISO 270001. With a successful audit, your business earns the right to display a recognized Canadian security certification mark for your website and marketing material. Courtesy of Birmingham Consulting.

2. Cyber and Information Security Tip: Suppliers need to comply with your security requirements, including applicable policies and procedures to protect your organization's information. Here's how you can assess all suppliers on if they're putting your company at risk:
Step 1 – List all suppliers and vendors,
Step 2 – Classify them on how much data and information they have access to,
Step 3 – Ask the tough questions about what they are doing with your data (ex. How are they storing it?),
Step 4 – Qualify or disqualify vendors based on the risks they post to your company and the answers to step #3. Courtesy of Birmingham Consulting.

3. Cyber and Information Security Tip: A law firm recently benefited from this tip during a cyber incident. Thanks to their cyber warranty, they had money the very first day of their incident, in hand, and were able to cover immediate costs and protect their cash flow. Your cyber insurance should cover the large recovery costs (if you have the right sized policy to cover your potential liability). But cyber warranties provide you with money immediately to help with things like buying new equipment to keep your operations going, start pricy forensic analysis, and then recovery costs. And they cover your deductible. Courtesy of Birmingham Consulting.

4. Cyber and Information Security Tip: “QR Codes Kill Kittens” – is a book by Scott Stratten. He was teaching marketers how NOT to use QR codes. But Information security uses this phrase for QR codes seen “in the wild”. Because, while they're not inherently bad, QR codes can be hijacked without you realizing it. This is commonly called “quishing”, where bad guys use QR codes to infect your device or redirect payments. Treat a public QR code like a wild animal you want to photograph, do not approach it – and certainly don't scan it. Courtesy of Birmingham Consulting.

5. Cyber and Information Security Tip: One of the most common risks security companies encounter is employees using their personal accounts like Dropbox or OneDrive to send files to suppliers or clients. When neither the sending or receiving company has control of the account used for the transfer, the information is now leaked. Neither organization has any way of knowing who else gets access to the information in that personal account. As well, user agreements for free file-sharing accounts generally allow the service provider and sometimes 3rd-parties to access the information. The best way to evaluate if this is a current risk to your business is by having a security risk assessment done. Courtesy of Birmingham Consulting.

6. Cyber and Information Security Tip: Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024: Does it apply to you? Based on our understanding, unless you're a provincial entity: no, it probably doesn't. An excerpt from Bill 194, Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024: “The Act addresses cyber security and artificial intelligence systems at public sector entities. Public sector entities are institutions within the meaning of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, children's aid societies and school boards.” Learn more at this link. Courtesy of Birmingham Consulting.

7. Cyber and Information Security Tip: Criminals are persistent – there's one thing that they count on when they send a phishing email to your business. They're hoping that when you review their email, you are far too busy to check for "red flags" (ex. typos, any sense of urgency, odd email addresses, etc) and inadvertently click through their email before realizing its fraudulent. Remember to take your time and slow down when you are reviewing your emails, so that you don't miss any clues that it could be a phishing email. And if you think you've done one "click" too many, close everything down and call your security team for them to investigate. Courtesy of Birmingham Consulting.

8. Cyber and Information Security Tip: AI and work operations: what questions should executives be making sure are included in your AI policy, particularly in the vetting process of vendors or suppliers that use AI? These are areas you should ask about:
- Do they use AI when handling data? If so you could be subject to compliance and privacy regulations depending on how AI is collecting, processing or using that data
- How much human oversight is included in their processes?
- How are they ensuring that AI is being used ethically? Are they auditing it, or testing for bias at all?
It's key to evaluate whether a tool or service, that includes AI technology, is going to help your business OR increase your liability. Courtesy of Birmingham Consulting.

9. Cyber and Information Security Tip: In an emergency, "you won't be as smart as you are right now". That's why first responders practice different scenarios, and why fire drills exist. For the same reasons, you should practice different cyber "emergency" scenarios for your business. A tabletop exercise simulates a cyber incident so that your team knows how to follow your incident response plan (IRP). As well, training your team on what they would need to do during an incident is key so that they don't have "a case of the dumb" whe something happens. Tabletops are best if conducted annually to maintain the effectiveness of your IRP. Courtesy of Birmingham Consulting.

10. Cyber and Information Security Tip: An unnecessarily complicated term used in information security is “non-repudiation”- which means accountability. Non-repudiation is when a person, program or entity performs an action can't deny that they did so. It comes down to being able to hold your business, yourself and members of your team, accountable if anything bad happens. For example: Let's say 2 or more people share an account, like a new employee training account. If one of those people unintentionally clicked a bad link that led to a cyber incident – how do you know who did it? And hold the right person accountable? That's where we'd use the term non-repudiation as a built-in principle to information security processes and procedures. Courtesy of Birmingham Consulting.