Government issues cyber security guide for SMBs

Small and mid-sized companies face a dilemma when it comes to cyber security: If they can’t afford full-time infosec experts to effectively defend themselves, what and how much can they afford to do?

To answer, the government hopes, is in a new guide issued by the Canadian Centre for Cyber Security. The Centre is the recently-established federal advisory agency on security. It’s a unit of the Communications Security Establishment, responsible for securing federal departments.

Called the Baseline Cyber Security Controls for Small and Medium Businesses, the offers SMBs advice on getting the biggest bang for their bucks.

“We understand that not every organization can implement every control,” says the guide. “If the majority of Canadian organizations implement these controls, however, Canada will be more resilient and cyber-secure.”

Suggestions are tailored for SMBs. For example, it says they should think about automating the installation of software updates as a time-saver instead of testing each patch before installation. Admittedly that’s risky. Large organizations should have full vulnerability and patch management assessment programs, the guide notes, to avoid problems with patches that clash with existing software.

However, the guide says most SMBs should consider accepting the risks of patching by default.

There’s a lot of public information available to help organizations create a cyber security program, Colin Belcourt, the Centre’s director of standards, architecture and risk mitigation, noted in an interview. “We felt there was a gap in the information available for small and medium organizations.”

“The baseline security controls we published are meant to be a break-down of a potentially daunting task … They’re meant to be measures that have a high return on investment, and should be easily consumable.”

The guide differs from the Centre’s Top 10 IT Security Actions organizations can take, which, as its name suggests, is a list.

The 18-page document offers a bit of guidance to each step without being too methodical.

Note, however, that the guide is not for SMBs whose ongoing viability would be endangered by a successful cyber attack, nor those whose data or systems could compromise public or national security. Those organizations, the document says, should have comprehensive protection.

Organization and baseline controls

It splits recommendations into two parts: Organizational controls and baseline controls. Belcourt says SMBs should look at them in that order.

Briefly, organizational controls involve making an inventory, ranking the value of data and IT systems, and appointing someone in leadership to be responsible for IT security.

“You can have a fairly small organization that has very sensitive data that could be an attractive target for cyber threat actors,” Belcourt pointed out. “So the organization controls really help you assess the scope and do an analysis of risk to ensure the baseline controls that follow are in the right context.”

Baseline controls are the expected things like patching policy, anti-malware, secure configuration, use of strong user authentication for logins, employee awareness training, backing up and encrypting data and securing mobile devices.

Interestingly, the baseline controls section suggests first creating a written plan for responding to and recovering from cyber incidents.”Start by thinking something is going to eventually go wrong,” Belcourt said, and what the organization will do: Who will be in charge of the response? Who will contact employees, customers, shareholders, regulators? and so on.

In fact not having a response plan is one of the worst decisions an SMBs can make, he said.
‘Hopefully, Belcourt said, SMBs using the guide won’t see cyber security as an overly daunting task “and therefore do nothing.”

Click here to download a copy of the guide.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now