Baseline Cybersecurity Controls for Small and Medium Organizations
The Government of Canada has published a set of baseline cybersecurity controls for small and medium organizations to help them build resiliency through investment in cybersecurity. This is fantastic, as it helps small businesses (SBs) understand what should be considered when it comes to security, and we all know that adversaries look at SBs as sitting ducks. The goal of these baselines is the 80/20 rule: 80% of the benefit from 20% of the effort. I certainly agree that if all businesses considered this, Canada would be more secure, and the more of these baselines you deploy, the better the security effectiveness you will achieve. Now, if this were my business, I would take a stronger approach to security, since many businesses fail to survive a cybersecurity breach and security can be a business differentiator.
In this blog, we will look at these baselines and I will provide some insight into how Cisco can help meet these objectives. Again, baselines are just that: as a security-minded individual, I believe baselines are the minimums required, and all organizations should consider going above them.
Recently I was at a fast-food restaurant and ordered a wrap (trying to be somewhat healthy). As they were preparing it, I noticed they had no gloves on and one of the employees was eating at the station where food was being made. I discussed this with the fast-food company, and they mentioned that within Canada the health guidelines do not require gloves to be worn and that they follow these guidelines as imposed. They did mention that they follow the proper hygiene (handwashing, etc.) outlined within the guidelines. I then went to another fast-food restaurant (no, I do not frequent fast-food restaurants often) and noticed that they were wearing gloves and hairnets, so I asked them why. They said they follow the guidelines and proper hygiene, but they go above the standard to ensure multiple layers are in place to make certain the customer gets the best experience possible.
Security should be the same way. Going above and beyond further ensures that customers have a great experience.
The document is broken into two main parts:
- Organizational controls
- Baseline controls
I will summarize these within the blog and provide my nickel’s worth (worth more than in the past since the penny was removed from Canadian currency).
The organizational controls section aims to help you determine whether your business is appropriate for this level of baseline control. It calls out the intended size of the organization, typically up to 499 employees. I have always said that a company that falls under the SB definition may carry more risk than a company with thousands of employees.
As an example: a 100-user company is building a new widget that will change the delivery service industry, and to entice talent it has a bring-your-own-device (BYOD) policy and a flexible internet usage policy. The risk: assets get popped (compromised) off-premises and the adversary steals the source code for the proprietary application that will change the game. Compare that with a company of 1000-plus users with strong controls in place and users who follow a strict internet usage policy and only use sanctioned devices. So it depends, and size alone does not dictate the controls required.
Next, the document asks you to determine the technologies in scope and then the value of your information systems and assets. The latter addresses what I mentioned above regarding size: it does not matter; what matters is what is being protected, and classifying it as best you can. Please note: if you are not sure, I would add all the layers possible while preserving usability; everyone knows the saying "better safe than sorry".
The document does call out that the baseline targets organizations whose potential injury level is at or below medium (serious injury expected, e.g. reduced competitiveness or loss of reputation); if you fall outside that, additional measures should be considered. Next you assess the threat level for the business you are in, and depending on where you land you may want to consider additional security measures; the document also points to where you can get help determining where you fall. Again, better safe than sorry, even though I understand that everyone has a budget.
Finally, it calls out the security investment levels and percentages that should be considered, and recommends having someone lead IT security for the organization (in larger companies that would be a CISO). Great, enough of that; let's get to the baseline controls.
The baseline controls are meant to help organizations reduce the overall risk of cybersecurity incidents and data breaches. As the old saying goes, it is not if but when: a breach will happen at some point, and the victim will need to detect, respond, and recover. In this section, I will provide some insight into each control and how Cisco can help where applicable. Please note that this will not be a full capability mapping of every item, but I will share a list of capabilities that Cisco can provide.
- Develop an incident response (IR) plan. This should cover people, process, and technology. Cisco provides rich IR services, which can include an IR retainer, and has the breadth of security products that can assist during incident response. Cisco can also help in obtaining cyber insurance, including broader coverage and lower deductibles.
- Automatically patch operating systems and applications. System hygiene is a major issue, and it only takes one unpatched system to be compromised for the game to be over. Many systems that fall outside the traditional ones (Windows, macOS, browser software, etc.), such as networking gear, phones, and UPSs, will not patch themselves. A variety of Cisco technologies can be cloud-based, which alleviates some of the challenges of maintaining the software stack. Cisco also has technologies that can validate that an asset meets a certain patch level and deny it network access until this is resolved, or alert you when a vulnerable piece of software exists. Simple and integrated is key.
- Enable security software focused on anti-malware. Cisco can provide full capabilities here through a simple cloud-based solution (on-premises is also available). This includes not only multiple detection engines but also insight into vulnerable software, application blacklisting, sandboxing, and endpoint detection and response (EDR).
- Change default passwords. I certainly agree with this, but it should go together with simple cloud-based two-factor authentication (2FA) using push notifications, and an easy endpoint health check. This is called out in the next item, but I wanted to make sure it is mentioned here, as changing the default password alone is not enough.
- Use strong user authentication. Two-factor authentication is a must today: 81% of hacking-related breaches involved weak or stolen passwords (Verizon Data Breach Investigations Report). The platform providing 2FA should be easy to use and cloud-based. Again, complexity is the enemy of security; simplify where you can.
- Provide employee awareness training. Users can be the weakest link, and adversaries know how to leverage a major human weakness: emotion. As an example, a user gets an email stating they MUST use their remaining personal time off before the end of the quarter. This email includes a link to the policy, or does it? <evil laugh> In this case, what do you do? Perhaps you spot it and just delete it, or it is early in the morning and you get frustrated and forward it to your manager (without clicking the link). Now, your manager may review the email and may even click the link. Well, that is exactly what happened to me: security-minded, but emotion got to me. I did NOT click the link, but I did forward it to my manager. I will give him the benefit of the doubt and assume he did not click the link. Also, Cisco's 2FA platform provides the ability to create phishing campaigns that help test and educate your users.
- Back up and encrypt data. This is key, and although I don't have a product that solves this for customers, our products provide the ability to back up and restore whether on-premises or in the cloud. I will call this out: backing up systems is key, but also include your domain controllers (directory services), even if you have more than one and believe the setup is resilient; remember NotPetya. Keep at least one backup copy offline or otherwise unreachable with domain credentials, and test the restore, because a backup that the same malware can encrypt or wipe is no backup at all.
- Secure mobility. This includes BYOD and mobile devices such as cellular phones. Cisco offers a cloud-based endpoint mobility management platform that can ensure proper BYOD access to the network is taking place, reducing risk. This includes centralized configuration of the supplicant on the endpoint, and for open networks you can enforce always-on VPN, ensuring communications are secured. Having multiple options to solve a problem gives our customers greater flexibility.
- Establish basic perimeter defenses. Perimeter defense is important, and when building it out you may want to consider technologies that follow the mobile user. I am a big believer that if you require a given security posture for a user on-premises, that same posture should follow them off the network, as this is where they are most likely to get compromised. Once compromised, they walk right past your perimeter defenses and a bad day begins. Cisco can help a lot here, from firewalls with advanced inspection, both on-premises and in the cloud, with flexible management options, to cloud-delivered firewall controls that follow the user, which removes the complexity of managing the endpoint directly. Cisco has a feature-rich cloud-based DNS platform that can block malicious domains and restrict access, but I believe the baseline control is not enough: you need to extend this beyond the corporate network and follow the user no matter where they connect. Cisco can provide a robust VPN solution with two-factor authentication, ensuring communication is secured when connected to the network and limiting the risk from exposed credentials. Cisco provides a robust wireless offering with controlled guest access, can help organizations meet PCI compliance, and offers a world-class email security platform with both cloud and on-premises options.
- Secure cloud and outsourced IT services. This should certainly be considered, and Cisco's cloud-based offerings are in line with this baseline control. As mentioned above, Cisco can address the two-factor authentication requirement.
- Secure websites. Cisco can help protect these platforms through a variety of options, including next-generation firewall and intrusion prevention systems, web application firewalls, and endpoint protection.
- Implement access control and authorization. Cisco can help with much of this and can extend it to least privilege when connecting to the network, which starts before IT resources can be accessed. Cisco can also be the network traffic cop, limiting access to the network across wired, wireless, and VPN, and ensuring that devices supporting command authorization are restricted based on policy. Cisco's products support role-based access control, aligning with this baseline control.
- Secure portable media. This is key, but I believe it goes beyond portable media. Cisco can assist with restricting USB access, but the concern with USB drives, beyond what is called out in the control, is that you lose control of the data itself. Perhaps a more convenient option is a cloud-based file repository that meets control 3.10, provided the cloud application is sanctioned for use by the organization. Proper controls must be in place within the SaaS application itself, extended with a cloud access security broker (CASB). Reach out; we can help here.
I believe this is a great initiative by our government to help small and medium-sized businesses with a more prescriptive approach to cybersecurity. Threats are only increasing and becoming more automated, allowing adversaries to extend their reach, which includes the small business market. Reach out to your local Cisco account team and ask how Cisco can help with cybersecurity. Cisco has some strong bundles that simplify consumption and meet or extend many of the capabilities recommended by the Government of Canada.