Small and mid-sized companies face a dilemma when it comes to cyber security: If they can’t afford full-time infosec experts to effectively defend themselves, what and how much can they afford to do?
To answer, the government hopes, is in a new guide issued by the Canadian Centre for Cyber Security, the recently-established federal advisory agency on security. It’s a unit of the Communications Security Establishment, responsible for securing federal departments.
Called the Baseline Cyber Security Controls for Small and Medium Businesses, it offers SMBs advice on getting the biggest bang for their bucks.
“We understand that not every organization can implement every control,” says the guide. “If the majority of Canadian organizations implement these controls, however, Canada will be more resilient and cyber-secure.”
Suggestions are tailored for SMBs. For example, it says they should think about automating the installation of software updates as a time-saver instead of testing each patch before installation. Admittedly that’s risky. Large organizations should have full vulnerability and patch management assessment programs, the guide notes, to avoid problems with patches that clash with existing software.
However, the guide says most SMBs should consider accepting the risks of patching by default.
There’s a lot of public information available to help organizations create a cyber security program, Colin Belcourt, the centre’s director of standards, architecture and risk mitigation, noted in an interview. “We felt there was a gap in the information available for small and medium organizations.
“The baseline security controls we published are meant to be a break-down of a potentially daunting task … They’re meant to be measures that have a high return on investment, and should be easily consumable.”
The guide differs from the centre’s Top 10 IT Security Actions organizations can take, which, as its name suggests, is a list.
The 18-page document offers a bit of guidance to each step without being too methodical.
Note, however, that the guide is not for SMBs whose ongoing viability would be endangered by a successful cyber attack, nor those whose data or systems could compromise public or national security. Those organizations, the document says, should have comprehensive protection.
Organization and baseline controls
It splits recommendations into two parts: Organizational controls and baseline controls. Belcourt says SMBs should look at them in that order.
Briefly, organizational controls involve making an inventory, ranking the value of data and IT systems, and appointing someone in leadership to be responsible for IT security.
“You can have a fairly small organization that has very sensitive data that could be an attractive target for cyber threat actors,” Belcourt pointed out. “So the organization controls really help you assess the scope and do an analysis of risk to ensure the baseline controls that follow are in the right context.”
Baseline controls are the expected things like patching policy, anti-malware, secure configuration, use of strong user authentication for logins, employee awareness training, backing up and encrypting data and securing mobile devices.
Interestingly, the baseline controls section suggests first creating a written plan for responding to and recovering from cyber incidents.”Start by thinking something is going to eventually go wrong,” Belcourt said. Consider questions like, who will be in charge of the response? Who will contact employees, customers, shareholders, regulators?
In fact, not having a response plan is one of the worst decisions SMBs can make, he said.
Hopefully, Belcourt said, SMBs using the guide won’t see cyber security as an overly daunting task “and therefore do nothing.”