Cyber security for business: baseline controls
By ATB Financial 2 November 2021 4 min read
There’s no doubt that the pandemic has dramatically changed the way we work. With the influx of work from home culture causing more information and communication to go digital, businesses have had to invest in cyber security like never before to protect their digital, information, financial and payment assets.
The hardest part that many businesses will face is knowing how to create baseline cyber security controls to make sure that they’re getting the best value for their investment. Let’s take a look at some baseline controls businesses should consider when looking at cybersecurity, based on advice from the Canadian Centre for Cyber Security.
An incident response plan
Every business should establish a plan for detecting, monitoring and responding to different kinds of cyber threats. While smaller organizations may not have the resources to cover everything, all organizations should have a plan that includes who responds to an incident and their responsibilities.
Companies that need external support should include in detail who to engage with for what services, including the purchase of cyber security insurance for incident response, recovery activities and any necessary liability coverage.
A systems configuration management plan
When it comes to cyber security tech, all systems will (or at least should) receive software and firmware updates to address defects and security vulnerabilities. Anti-malware and network firewalls support the integrity of these systems.
A good systems configuration management plan will explain the best approach to these concerns and include their proper configuration, making sure that default settings on all devices are securely updated and maintained.
An access management plan
To increase security, businesses should allow users access only to the functions they need to do their work and nothing else. Admin accounts should have even more restrictions to make sure there’s accountability and safe separation of duties.
Strong user authentication
All organizations should have strong user authentication procedures in place. Whenever it’s possible, multi-factor authentication should be used. Multi-factor authentication adds additional layers of security to conventional authentication. These layers can be broken down into different categories.
- Something you know: the most common use of this layer is a username and password.
- Something you are: a biometric, like a fingerprint or retinal scan.
- Something you have: includes other devices (like a phone) that can receive an SMS or email message to confirm the login.
When you have more than one of these layers in place, you have multi-factor authentication. While not all multi-factor authentication protocols are created equal, something is better than nothing.
Employee awareness and preparedness
While human error is often a contributing factor to many cyber security breaches, a well informed and practiced team can be a business’s strongest defense. That’s why training your employees (and creating a program to do so) is key to creating a baseline control for any effective cyber security program.
Investing in training across a range of topics—from appropriate use of company systems, to social media use, to ongoing simulation exercises mimicking varied phishing attempts—makes your employees (and business) resilient to cyber security attacks.
Secure information assets
Information is the backbone of most, if not, all businesses. Whatever industry your business operates in, having your information jeopardized can mean disaster.
There are a few factors that play into information security:
- Continued access to information: have backup information assets and store both working copies and backups to use in case of loss.
- Classify information: know when information should be released to those authorized to receive it.
- Using a cloud or outsourced IT services: these service providers will have policies and procedures that will need to align with the regulatory and privacy guidelines of the organization.
- Use of portable storage devices: consider their size and portability, if they’re prone to loss or theft, which can potentially result in a data breach.
In today’s digital workspaces, whether working from home on a laptop or checking emails on a smartphone, businesses need to outline how employees use mobile devices for work. Whether the device is owned by an employee or the company, organizations should think about how personal and work data can be separated.
If businesses have the resources, enterprise mobility management solutions exist to help manage these concerns.
At the end of the day, educating employees is going to make the biggest difference in creating a secure digital work environment.
A basic perimeter defence
All organizations should put a dedicated security firewall at boundaries between corporate networks and the internet. Whatever the industry, organizations should:
- attempt to prevent connections being made to known malicious domains.
- require secure connection to corporate IT services.
- follow industry standards.
- make sure emails are filtered for spam or malicious attachments.
It’s hard for businesses to know how to set up a baseline of cyber security controls that gives them the best value for their investment. These baseline controls we went over give the fundamental building blocks a business can benefit from as it creates and evolves its own cyber security program.
You might be interested in
While we want this information to be useful for you, we make no promise, representation or warranty about its accuracy or completeness. We don’t accept any liability or responsibility whatsoever for any loss arising from any use of this document or its contents. This information is not kept up-to-date. Without our prior consent, this document may not be reproduced in whole or in part, or referred to in any manner, including any information, opinions and conclusions it contains. This document is provided for information purposes only and is not intended to replace or substitute for professional advice.