
Five Tips for Better Small-Business Cyber Security


We live our lives increasingly online, and businesses are reaping the benefits—some even say that data is more valuable than oil. Technology’s rise has unfortunately also exposed businesses to more cyber threats, and while big, well-known corporations seem like the primary targets, smaller ones are possibly more vulnerable.

Nobody knows this better than Sophia Kudlyk, PRL’s Cyber Practice Leader, who has been with the firm since 2015. She was one of five Canadians selected for the Carnegie Mellon University Cyber COPE Insurance Certification in 2018, and has helped countless organizations across Canada navigate complex risks in the digital age.

“There’s a misconception that small organizations aren’t on the radar, but perpetrators are increasingly shifting focus to small and mid-size companies who don’t have the multi-million-dollar IT security budgets of larger organizations,” she says. “This allows opportunistic threat actors to allocate resources more effectively by deploying numerous attacks exploiting common system vulnerabilities, where the likelihood of impact is increased, rather than focusing all efforts on one major company hack.”

Small-business owners may feel overwhelmed by the work it takes to stay ahead of cyber threats, but it’s better to start small and build up your defences incrementally rather than wait for disaster. Sophia recommends these five first steps to getting on track:

1. Identify Your Assets

Take an inventory of all hardware and software on your network, then prioritize each asset by its importance and the protection it needs. “Organizations can’t defend what they don’t know they have,” says Sophia. “If you know every device and application that’s connected, you’ll see the big picture of what needs to be protected. This will help you identify any deviations or irregular activity, increasing your chances of detecting the intruder quicker.”

2. Pinpoint Your Vulnerabilities

Hackers look for known, fixable issues – say, when the vendor of a commonly used software product announces a patch – and target the users least likely to respond promptly. “Small organizations don’t necessarily have dedicated resources to monitor these updates, and attackers know this,” says Sophia. If you can’t afford dedicated on-site security staff, don’t fret: automated alerts and third-party outsourcing will help you stay protected.

3. Limit Administrative Privileges

Which employees are currently system administrators – and do they really need to be? “Perpetrators are looking for that one user who has access to the plethora of data,” she warns. “If you can restrict access only to people who absolutely require it, threat actors have to work that much harder to ‘hit the data jackpot’ and are either more likely to be detected or move on to an easier target.” Strong password management is essential, but logging and multi-factor authentication for accounts with elevated privileges cannot be overlooked.

4. Get Everyone Involved

“Cyber Security often emphasizes the technical details, but effective security relies upon people and processes just as much as it does on technology. The interaction between technology and users can completely change the effectiveness of a company’s security strategy. The human context and its potential for exploitation is a necessary consideration for better cyber resiliency.” High-level managers can foster a culture of cyber safety throughout the whole organization, advocating for staff training on security awareness, threats (e.g. phishing, ransomware) and disaster recovery plans. “It’s a team effort, but it starts with the tone at the top,” Sophia says.

5. Seek the Right Insurance Policy

Proper coverage protects your business both financially and legally. “If a breach occurs, your policy can recover data loss and immediate costs, but it also protects against third-party liability in the event that remediation did not minimize damages caused,” Sophia says. “Organizations should ask themselves: In the event of a cyber incident, can we sustain the costs, both from a resource and financial perspective? Depending on the answer, they may need to make more robust management decisions to transfer this risk.”

Digital threats are constantly evolving, but businesses that consistently prioritize, plan and practice their cyber security strategy stand the best chance of resiliency, regardless of size. Your company’s insurance broker is an excellent resource who can help your organization uncover where you’re likely to be exposed and build a customized, adaptable, end-to-end insurance and risk management strategy for your unique business needs.

“Cyber threats are here to stay, with a lot more government regulation in the future,” Sophia cautions. “At the end of the day, doing nothing is no longer an option.” 

To learn more about cyber coverage, contact:

Sean Gibson, JD
Cyber & Transactional Risks Practice Leader, 647.695.3386