Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035)

Looking for steps you can take to protect your organization’s networks and information from cyber threats? To get you started, we have summarized the 13 security control categories that are identified in our Baseline Cyber Security Controls for Small and Medium Organizations. By implementing these controls, you can reduce your risks and improve your ability to respond to security incidents. We encourage you to adopt as many as possible to enhance your cyber security.

How to use these controls

These controls are not a one-size-fits-all approach to cyber security. They are guiding principles that you can use to create your organization’s own cyber security framework.

You should scope and tailor these controls based on your organization’s needs and requirements. Implement as many of these controls as possible to enhance your cyber security posture and help minimize the risk of cyber attacks. Start with the following 4 controls to strengthen your organization’s security:

  • develop an incident response plan
  • patch operating systems and applications
  • enforce strong user authentication
  • backup and encrypt data

Before implementing the controls, keep the following tips in mind:

  • identify the critical information assets and systems to which you will apply these controls
  • understand the main threats to your organization
  • identify your valuable information and systems and apply risk management plans to enhance your security posture
  • implement some or all of these controls; even partial adoption has a significant impact on your organization’s resilience and protection against cyber threats

Develop an incident response plan

If you have a plan, you can quickly respond to incidents, restore critical systems and data, and keep service interruptions and data loss to a minimum. In a small organization, for example, this could include having a list of people to call when an incident occurs. Your plan should include strategies for backing up data.

Patch operating systems and applications

When software issues or vulnerabilities are identified, vendors release patches to fix bugs, address known vulnerabilities and improve usability or performance. Where possible, activate automatic patches and updates for all software and hardware to prevent threat actors from exploiting these issues or security vulnerabilities.

How updates secure your devices (ITSAP.10.096)

Enforce strong user authentication

Implement user authentication policies that balance security and usability. Ensure your devices authenticate users before they can gain access to your systems. Wherever possible, use two-factor authentication (2FA) or multi-factor authentication (MFA), which confirm a user’s identity by combining two or more different factors: something you know (e.g. a password), something you have (e.g. a physical token), or something you are (a biometric).

Backup and encrypt data

Copy your information and critical applications to 1 or more secure locations, such as the cloud or an external hard drive. If a cyber incident or natural disaster happens, these copies can help you continue business activities and prevent data loss. Backups can be done online or offline and in 3 different forms: full, differential or incremental. Test your backups regularly to ensure you can restore your data.
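Added example (not from this publication): a small Python model of the three backup forms named above and of the restore test, showing that a differential restore needs only the full backup plus the latest differential, while an incremental restore needs the full backup and every incremental taken since. File names and contents are constructed sample data.

```python
import hashlib

def digests(files):
    """Map path -> SHA-256 of content; used to detect changes and to verify restores."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def _delta(files, base_files):
    """Files added or changed since base, plus paths deleted since base."""
    base, now = digests(base_files), digests(files)
    changed = {p: files[p] for p in files if base.get(p) != now[p]}
    deleted = [p for p in base if p not in files]
    return changed, deleted

def full_backup(files):
    return {"type": "full", "files": dict(files), "deleted": []}

def differential_backup(files, last_full):
    """Differential: delta against the last FULL backup (grows until the next full)."""
    changed, deleted = _delta(files, last_full["files"])
    return {"type": "differential", "files": changed, "deleted": deleted}

def incremental_backup(files, previous_files):
    """Incremental: delta against the state at the PREVIOUS backup of any type."""
    changed, deleted = _delta(files, previous_files)
    return {"type": "incremental", "files": changed, "deleted": deleted}

def restore(chain):
    """Replay a chain (full first, then differential/incrementals in order)."""
    state = {}
    for b in chain:
        if b["type"] == "full":
            state = dict(b["files"])
        else:
            state.update(b["files"])
        for p in b["deleted"]:
            state.pop(p, None)
    return state

def restore_matches(chain, expected):
    """The 'test your backups' step: restore, then compare every file digest."""
    return digests(restore(chain)) == digests(expected)

# Constructed sample data: three days of a small file set.
DAY0 = {"ledger.csv": b"q1 totals", "staff.txt": b"alice,bob", "notes.md": b"v1"}
DAY1 = {**DAY0, "ledger.csv": b"q1+q2 totals"}              # day 1: one file edited
DAY2 = {k: v for k, v in DAY1.items() if k != "notes.md"}    # day 2: notes.md deleted,
DAY2["policy.pdf"] = b"new policy"                           #        policy.pdf added

FULL = full_backup(DAY0)                 # taken on day 0
INC1 = incremental_backup(DAY1, DAY0)    # day 1, relative to the previous backup
INC2 = incremental_backup(DAY2, DAY1)    # day 2, relative to the previous backup
DIFF2 = differential_backup(DAY2, FULL)  # day 2, relative to the full backup
```

Skipping INC1 when restoring from incrementals silently loses the day 1 ledger change, which is exactly the kind of gap a regular restore test is meant to catch.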

Activate security software

Activate firewalls and install anti-virus and anti-malware software on your devices to thwart malicious attacks and protect against malware. Ensure you download this software over a secure network and from a reputable provider. Install Domain Name System (DNS) filtering on your mobile devices to block malicious websites and filter harmful content.

Train your employees

Tailor your training programs to address your organization’s cyber security protocols, policies and procedures. Depending on the size of your organization, training could be developed in-house or purchased through a reputable vendor. Having an informed workforce can reduce the likelihood of cyber incidents.

Offer tailored cyber security training to your employees (ITSAP.10.093)

Secure cloud and outsourced services

Get to know a service provider before you contract them. Make sure the service provider has measures in place to meet your security requirements and needs. Know where a service provider’s data centres are located. Different countries have different privacy laws and data protection requirements.

Secure portable media

Storing and transferring data using a portable media device, like a USB key, is convenient and cost-effective. However, such devices are prone to loss or theft. Maintain an inventory of all assets. Use encrypted portable storage devices where possible, and sanitize devices properly (irreversibly removing the data while leaving the media reusable) before reusing or disposing of them.

Configure devices securely

Take the time to review your device’s default settings and make modifications as required. At a minimum, we recommend changing default passwords (especially administrative passwords), turning off location services and disabling unnecessary features.

Cyber security at home and in the office: Secure your devices, computers and networks (ITSAP.00.007)

Secure mobile devices

Choose a device deployment model. Will your organization provide employees with corporately owned devices, or will you allow employees to use personal devices for work? Ensure employees can only use approved applications and can only download applications from trusted sources.

Security considerations for mobile device deployments (ITSAP.70.002)

Access control and authorization

Apply the principle of least privilege, giving each individual only the privileges essential to their authorized tasks, to prevent unauthorized access and data breaches. Employees should only have access to the information that they need to do their jobs. Each user should have their own login credentials, and administrators should have separate administrative and general user accounts.

Managing and controlling administrative privileges (ITSAP.10.094)

Secure websites

Protect your website and the sensitive information it collects. Encrypt sensitive data, ensure your certificates are up to date, use strong passwords or passphrases on the back-end of the site, and use HTTPS for your site. If you have outsourced your website, ensure your site’s host has security measures in place.

Website defacement (ITSAP.00.060)

Establish basic perimeter defences

Defend your networks from cyber threats. For example, use a firewall to defend against outside intrusions by monitoring incoming and outgoing traffic and filtering out malicious sources. Use a virtual private network (VPN) when employees are working remotely to encrypt the connection and protect sensitive information.
