A Cybersecurity Guide For Small Business

Uploaded on 2019-04-16 in NEWS-Cybersecurity News, FREE TO VIEW

Small and mid-sized companies face a dilemma when it comes to cyber security: If they can’t afford full-time infosec experts to effectively defend themselves, what and how much can they afford to do?

To answer, the Canadian government hopes, is in a new guide issued by the Canadian Centre for Cyber Security. The Centre is the recently-established federal advisory agency on security. It’s a unit of the Communications Security Establishment, responsible for securing federal departments. 

Called the Baseline Cyber Security Controls for Small and Medium Businesses, the offers SMBs advice on getting the biggest bang for their bucks.

“We understand that not every organisation can implement every control,” says the guide. “If the majority of Canadian organisations implement these controls, however, Canada will be more resilient and cyber-secure.”

Suggestions are tailored for SMBs. For example, it says they should think about automating the installation of software updates as a time-saver instead of testing each patch before installation. Admittedly that’s risky. Large organisations should have full vulnerability and patch management assessment programs, the guide notes, to avoid problems with patches that clash with existing software. However, the guide says most SMBs should consider accepting the risks of patching by default.

There’s a lot of public information available to help organizations create a cyber security program, Colin Belcourt, the Centre’s director of standards, architecture and risk mitigation, noted in an interview. “We felt there was a gap in the information available for small and medium organizations.”

“The baseline security controls we published are meant to be a break-down of a potentially daunting task … They’re meant to be measures that have a high return on investment, and should be easily consumable.”

The guide differs from the Centre’s Top 10 IT Security Actions organizations can take, which, as its name suggests, is a list.
The 18-page document offers a bit of guidance to each step without being too methodical.
Note, however, that the guide is not for SMBs whose ongoing viability would be endangered by a successful cyber-attack, nor those whose data or systems could compromise public or national security. Those organisations, the document says, should have comprehensive protection.

Organisation and baseline controls
It splits recommendations into two parts: Organisational controls and baseline controls. Belcourt says SMBs should look at them in that order. Briefly, organizational controls involve making an inventory, ranking the value of data and IT systems, and appointing someone in leadership to be responsible for IT security.

“You can have a fairly small organisation that has very sensitive data that could be an attractive target for cyber threat actors,” Belcourt pointed out. “So the organisation controls really help you assess the scope and do an analysis of risk to ensure the baseline controls that follow are in the right context.”

Baseline controls are the expected things like patching policy, anti-malware, secure configuration, use of strong user authentication for logins, employee awareness training, backing up and encrypting data and securing mobile devices.
Interestingly, the baseline controls section suggests first creating a written plan for responding to and recovering from cyber incidents. “Start by thinking something is going to eventually go wrong,” Belcourt said, and what the organisation will do: Who will be in charge of the response? Who will contact employees, customers, shareholders, regulators? and so on.

In fact, not having a response plan is one of the worst decisions an SMBs can make, he said.

‘Hopefully, Belcourt said, SMBs using the guide won’t see cyber security as an overly daunting task “and therefore do nothing.”

IT World Canada

You Might Also Read:

SMEs Risk Costs Of Up To $2.5m Following A Breach:

What is The Canadian Institute For Cybersecurity & Why Does It Matter?:


 

 

« America Remains Vulnerable To Cyber Attack
Distinguished AI Expert Is Concerned About ‘Killer Robots’ »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

SCADAhacker

SCADAhacker

SCADAhacker provides mission critical information relating to industrial security of SCADA, DCS and other Industrial Control Systems.

GovCERT.HK

GovCERT.HK

GovCERT.HK is the Government Computer Emergency Response Team for Hong Kong.

Applause

Applause

Applause provides real-world software testing for functionality, usability, accessibility, load, localization and security.

SharkGate

SharkGate

SharGate provide a cloud-based website security solution to protect websites from being hacked.

Fidelis Security

Fidelis Security

Fidelis Security is a leading provider of extended threat detection and response (XDR) solutions for your security operations.

Cyber8Lab

Cyber8Lab

Cyber8Lab provides cybersecurity training programmes simulating real world cybersecurity incidents such as web defacement, malware, phishing, digital forensics analysis and wireless intrusion.

URS Certification

URS Certification

United Registrar of Systems (URS Certification) is an independent certification body operating in more than 30 countries within the multinational URS Holdings.

CyberSecurityTrainingCourses.com

CyberSecurityTrainingCourses.com

Cyber Security Training Courses is a portal to help candidates find the best courses to progress their career within the IT security industry.

Rocheston

Rocheston

Rocheston is an innovation company with cutting-edge research and development in emerging technologies such as Cybersecurity, Internet of Things, Big Data and automation.

Hudson Cybertec

Hudson Cybertec

Hudson Cybertec are an internationally recognized Subject Matter Expert for cyber security in the Industrial Automation & Control Systems (IACS) domain.

Palmchip

Palmchip

Palmchip is a Cyber Security, SOC and Software consulting company. We design and develop high performance and secure applications.

The PenTesting Company

The PenTesting Company

The PenTesting Company is owned and operated by offensive security professionals. Penetration Testing is essentially all we do.

Options Technology

Options Technology

Options is a global leader in financial technology, specialising in Capital Markets technology and enterprise-grade solutions.

CyTwist

CyTwist

CyTwist is an early warning attack detection platform that complement your existing security suite and provides your security teams with unique detection capabilities of stealth targeted attacks.

CyberForce Global

CyberForce Global

CyberForce Global are at the forefront of start-up technology recruitment in areas including cybersecurity, IT infrastructure, software, fintech, blockchain and more.

CelcomDigi

CelcomDigi

CelcomDigi aspire to be Malaysia’s top Telco-Tech company, transforming beyond core connectivity to lead digitalization and innovation as part of nation-building.