A Cybersecurity Guide For Small Business

Small and mid-sized companies face a dilemma when it comes to cyber security: If they can’t afford full-time infosec experts to effectively defend themselves, what and how much can they afford to do?

To answer, the Canadian government hopes, is in a new guide issued by the Canadian Centre for Cyber Security. The Centre is the recently-established federal advisory agency on security. It’s a unit of the Communications Security Establishment, responsible for securing federal departments. 

Called the Baseline Cyber Security Controls for Small and Medium Businesses, the offers SMBs advice on getting the biggest bang for their bucks.

“We understand that not every organisation can implement every control,” says the guide. “If the majority of Canadian organisations implement these controls, however, Canada will be more resilient and cyber-secure.”

Suggestions are tailored for SMBs. For example, it says they should think about automating the installation of software updates as a time-saver instead of testing each patch before installation. Admittedly that’s risky. Large organisations should have full vulnerability and patch management assessment programs, the guide notes, to avoid problems with patches that clash with existing software. However, the guide says most SMBs should consider accepting the risks of patching by default.

There’s a lot of public information available to help organizations create a cyber security program, Colin Belcourt, the Centre’s director of standards, architecture and risk mitigation, noted in an interview. “We felt there was a gap in the information available for small and medium organizations.”

“The baseline security controls we published are meant to be a break-down of a potentially daunting task … They’re meant to be measures that have a high return on investment, and should be easily consumable.”

The guide differs from the Centre’s Top 10 IT Security Actions organizations can take, which, as its name suggests, is a list.
The 18-page document offers a bit of guidance to each step without being too methodical.
Note, however, that the guide is not for SMBs whose ongoing viability would be endangered by a successful cyber-attack, nor those whose data or systems could compromise public or national security. Those organisations, the document says, should have comprehensive protection.

Organisation and baseline controls
It splits recommendations into two parts: Organisational controls and baseline controls. Belcourt says SMBs should look at them in that order. Briefly, organizational controls involve making an inventory, ranking the value of data and IT systems, and appointing someone in leadership to be responsible for IT security.

“You can have a fairly small organisation that has very sensitive data that could be an attractive target for cyber threat actors,” Belcourt pointed out. “So the organisation controls really help you assess the scope and do an analysis of risk to ensure the baseline controls that follow are in the right context.”

Baseline controls are the expected things like patching policy, anti-malware, secure configuration, use of strong user authentication for logins, employee awareness training, backing up and encrypting data and securing mobile devices.
Interestingly, the baseline controls section suggests first creating a written plan for responding to and recovering from cyber incidents. “Start by thinking something is going to eventually go wrong,” Belcourt said, and what the organisation will do: Who will be in charge of the response? Who will contact employees, customers, shareholders, regulators? and so on.

In fact, not having a response plan is one of the worst decisions an SMBs can make, he said.

‘Hopefully, Belcourt said, SMBs using the guide won’t see cyber security as an overly daunting task “and therefore do nothing.”

IT World Canada

You Might Also Read:

SMEs Risk Costs Of Up To $2.5m Following A Breach:

What is The Canadian Institute For Cybersecurity & Why Does It Matter?:


 

 

« America Remains Vulnerable To Cyber Attack
Distinguished AI Expert Is Concerned About ‘Killer Robots’ »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Eversheds Sutherland

Eversheds Sutherland

Eversheds Sutherland is a global multinational law practice offering a full range of commercial and IT law services including Privacy, Data Protection and Cyersecurity.

BMS Group

BMS Group

BMS is an independent, employee-owned specialist insurance broking group. Broking solutions include Cyber and Technology.

VXRL

VXRL

VXRL is a Hong Kong-based cybersecurity company. We provide consulting services, penetration testing, and corporate training.

redGuardian

redGuardian

redGuardian is a DDoS mitigation solution available both as a BGP-based service and as an on-premise platform.

EOL IT Services

EOL IT Services

EOL IT Services is the UK’s most accredited provider of IT Asset Disposal (ITAD), Lifecycle Services and Data Destruction.

Cyberstarts

Cyberstarts

Cyberstarts’ vision is to become the leading platform for amazing teams of entrepreneurs to solve the next big problems of the cybersecurity world.

Cyber Polygon

Cyber Polygon

Cyber Polygon is an annual online exercise which connects various global organisations to train their competencies and exchange best practices.

Qrator Labs

Qrator Labs

Qrator Labs is a leader in DDoS attack mitigation, helping organizations protect their websites from the most harmful, sophisticated DDoS attacks.

HolistiCyber

HolistiCyber

HolistiCyber provide state-of-the art consulting, services, and solutions to help proactively and holistically defend against a new era of constantly evolving cyber threats.

11:11 Systems

11:11 Systems

11:11 Systems synchronizes every aspect of network services for your business. Build your network with the industry’s most trusted expert skills.

Canonic Security

Canonic Security

Canonic streamlines app review, continuously monitors apps, and reduces the risks involved in third-party access to your data.

Hub71

Hub71

Hub71 is a world-class tech ecosystem opening doors to global opportunities from an optimal business environment for entrepreneurial-minded innovators.

RKVST

RKVST

RKVST is a powerful tool that builds trust in multi-party processes when it’s critical to have high assurance in data for confident decisions.

Credible Digital Security Pvt. Ltd. (CDSPL)

Credible Digital Security Pvt. Ltd. (CDSPL)

CDSPL is an innovative Cyber Security Services Company in India. We are committed to offering cyber security solutions for important sectors such as energy and utilities, healthcare, and more.

ID R&D

ID R&D

ID R&D is an award-winning provider of AI-based facial liveness, document liveness, and voice biometrics.

Nortal

Nortal

Nortal is a strategic digital transformation partner for leading companies and governments around the world.