A Cybersecurity Guide For Small Business

Small and mid-sized companies face a dilemma when it comes to cyber security: If they can’t afford full-time infosec experts to effectively defend themselves, what and how much can they afford to do?

The answer, the Canadian government hopes, is in a new guide issued by the Canadian Centre for Cyber Security. The Centre is the recently-established federal advisory agency on security. It’s a unit of the Communications Security Establishment, responsible for securing federal departments.

Called the Baseline Cyber Security Controls for Small and Medium Businesses, the guide offers SMBs advice on getting the biggest bang for their bucks.

“We understand that not every organisation can implement every control,” says the guide. “If the majority of Canadian organisations implement these controls, however, Canada will be more resilient and cyber-secure.”

Suggestions are tailored for SMBs. For example, it says they should think about automating the installation of software updates as a time-saver instead of testing each patch before installation. Admittedly that’s risky. Large organisations should have full vulnerability and patch management assessment programs, the guide notes, to avoid problems with patches that clash with existing software. However, the guide says most SMBs should consider accepting the risks of patching by default.

There’s a lot of public information available to help organizations create a cyber security program, Colin Belcourt, the Centre’s director of standards, architecture and risk mitigation, noted in an interview. “We felt there was a gap in the information available for small and medium organizations.”

“The baseline security controls we published are meant to be a break-down of a potentially daunting task … They’re meant to be measures that have a high return on investment, and should be easily consumable.”

The guide differs from the Centre’s Top 10 IT Security Actions organizations can take, which, as its name suggests, is a list.
The 18-page document offers a bit of guidance on each step without being too methodical.
Note, however, that the guide is not for SMBs whose ongoing viability would be endangered by a successful cyber-attack, nor those whose data or systems could compromise public or national security. Those organisations, the document says, should have comprehensive protection.

Organisation and baseline controls
It splits recommendations into two parts: Organisational controls and baseline controls. Belcourt says SMBs should look at them in that order. Briefly, organizational controls involve making an inventory, ranking the value of data and IT systems, and appointing someone in leadership to be responsible for IT security.

“You can have a fairly small organisation that has very sensitive data that could be an attractive target for cyber threat actors,” Belcourt pointed out. “So the organisation controls really help you assess the scope and do an analysis of risk to ensure the baseline controls that follow are in the right context.”

Baseline controls are the expected things like patching policy, anti-malware, secure configuration, use of strong user authentication for logins, employee awareness training, backing up and encrypting data and securing mobile devices.
Interestingly, the baseline controls section suggests first creating a written plan for responding to and recovering from cyber incidents. “Start by thinking something is going to eventually go wrong,” Belcourt said, and what the organisation will do: Who will be in charge of the response? Who will contact employees, customers, shareholders, regulators? And so on.

In fact, not having a response plan is one of the worst decisions an SMB can make, he said.

Hopefully, Belcourt said, SMBs using the guide won’t see cyber security as an overly daunting task “and therefore do nothing.”

IT World Canada
