A Cybersecurity Guide For Small Business

Uploaded on 2019-04-16 in NEWS-Cybersecurity News, FREE TO VIEW

Small and mid-sized companies face a dilemma when it comes to cyber security: If they can’t afford full-time infosec experts to effectively defend themselves, what and how much can they afford to do?

To answer, the Canadian government hopes, is in a new guide issued by the Canadian Centre for Cyber Security. The Centre is the recently-established federal advisory agency on security. It’s a unit of the Communications Security Establishment, responsible for securing federal departments. 

Called the Baseline Cyber Security Controls for Small and Medium Businesses, the offers SMBs advice on getting the biggest bang for their bucks.

“We understand that not every organisation can implement every control,” says the guide. “If the majority of Canadian organisations implement these controls, however, Canada will be more resilient and cyber-secure.”

Suggestions are tailored for SMBs. For example, it says they should think about automating the installation of software updates as a time-saver instead of testing each patch before installation. Admittedly that’s risky. Large organisations should have full vulnerability and patch management assessment programs, the guide notes, to avoid problems with patches that clash with existing software. However, the guide says most SMBs should consider accepting the risks of patching by default.

There’s a lot of public information available to help organizations create a cyber security program, Colin Belcourt, the Centre’s director of standards, architecture and risk mitigation, noted in an interview. “We felt there was a gap in the information available for small and medium organizations.”

“The baseline security controls we published are meant to be a break-down of a potentially daunting task … They’re meant to be measures that have a high return on investment, and should be easily consumable.”

The guide differs from the Centre’s Top 10 IT Security Actions organizations can take, which, as its name suggests, is a list.
The 18-page document offers a bit of guidance to each step without being too methodical.
Note, however, that the guide is not for SMBs whose ongoing viability would be endangered by a successful cyber-attack, nor those whose data or systems could compromise public or national security. Those organisations, the document says, should have comprehensive protection.

Organisation and baseline controls
It splits recommendations into two parts: Organisational controls and baseline controls. Belcourt says SMBs should look at them in that order. Briefly, organizational controls involve making an inventory, ranking the value of data and IT systems, and appointing someone in leadership to be responsible for IT security.

“You can have a fairly small organisation that has very sensitive data that could be an attractive target for cyber threat actors,” Belcourt pointed out. “So the organisation controls really help you assess the scope and do an analysis of risk to ensure the baseline controls that follow are in the right context.”

Baseline controls are the expected things like patching policy, anti-malware, secure configuration, use of strong user authentication for logins, employee awareness training, backing up and encrypting data and securing mobile devices.
Interestingly, the baseline controls section suggests first creating a written plan for responding to and recovering from cyber incidents. “Start by thinking something is going to eventually go wrong,” Belcourt said, and what the organisation will do: Who will be in charge of the response? Who will contact employees, customers, shareholders, regulators? and so on.

In fact, not having a response plan is one of the worst decisions an SMBs can make, he said.

‘Hopefully, Belcourt said, SMBs using the guide won’t see cyber security as an overly daunting task “and therefore do nothing.”

IT World Canada

You Might Also Read:

SMEs Risk Costs Of Up To $2.5m Following A Breach:

What is The Canadian Institute For Cybersecurity & Why Does It Matter?:


 

 

« America Remains Vulnerable To Cyber Attack
Distinguished AI Expert Is Concerned About ‘Killer Robots’ »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Security Stronghold

Security Stronghold

Security Stronghold is focused on protecting computers from malicious programs like viruses, Trojans, spyware, adware, trackware, keyloggers and other kinds of online threats.

NextLabs

NextLabs

NextLabs provides data-centric security software to protect business-critical data and applications.

IntaForensics

IntaForensics

IntaForensics offer a full range of digital investigation services and are able to adapt to the individual needs of solicitors, private clients, Law Enforcement Agencies and commercial businesses.

Cigniti Technologies

Cigniti Technologies

Cigniti Technologies provides Independent Software Testing (IST) Services including software security testing.

NetFort

NetFort

NetFort provides software products to monitor activity on virtual and physical networks.

Cyber Affairs

Cyber Affairs

Cyber Affairs is the first Italian press agency entirely dedicated to cyber security.

InstaSafe Technologies

InstaSafe Technologies

InstaSafe®, a Software Defined Perimeter based (SDP) one-stop Secure Access Solution for On-Premise and Cloud Applications.

Cyber Police of Ukraine

Cyber Police of Ukraine

Cyber Police of Ukraine is a law enforcement agency within the the Ministry of Internal Affairs of Ukraine dedicated to combating cyber crime.

Jobsite

Jobsite

Jobsite is an award winning job board in the UK providing job listings in the key sectors of IT, Engineering and Finance.

IPification

IPification

IPification is a highly secure, credential-less, network-based authentication solution for frictionless user experience on mobile and IoT devices.

Hold Security

Hold Security

Hold Security works with companies of all sizes to provide unparalleled Threat Intelligence services that actually make a difference.

Amnesty Tech

Amnesty Tech

Amnesty Tech's Security Lab leads technical investigations into cyber-attacks against civil society and provides critical support when individuals face such attacks.

Appsian Security

Appsian Security

Appsian provides powerful solutions that help organizations take control of their business critical data and financial transactions.

Clarabot Nano

Clarabot Nano

Nano is the secure file sharing tool to improve content search, data access and collaboration between multiple parties.

Future Crime Research Foundation (FCRF)

Future Crime Research Foundation (FCRF)

FCRF is a Non-Profit NGO specializing in Research in Cyber Security, Digital Crime, Fraud Risk Management, Cyber Laws and Cyber Forensics.

CyberHeed

CyberHeed

CyberHeed is the first compliance automation platform purpose-built around Agentic AI - transforming cybersecurity compliance with automation and intelligence.