If you’re responsible for cybersecurity at a small or midsized organization, and are unsure about what to include in your must-have list, this article is for you.
Keeping your organization secure against cyber threats can seem overwhelming because of the sheer number of security components you feel you don’t understand. You don’t, however, need to understand every single security control and attack vector to reach a reasonably secure state. The vast majority of cyber attacks are opportunistic: they target organizations with the weakest or most exposed IT environments, because cybercriminals are always on the lookout for low-hanging fruit.
Fortunately, there are several simple security frameworks designed to help smaller organizations build a basic security program that keeps them from being easy targets. A cybersecurity program focused on essential controls will stop most commodity attacks, and does not require dozens of advanced security tools to implement.
Two cybersecurity frameworks focused on essential security measures are the UK NCSC’s Cyber Essentials and the Australian Cyber Security Centre’s Essential Eight. There is also the Center for Internet Security’s (CIS) Critical Security Controls, 18 controls in the current version, which are immensely popular with both SMB and enterprise security teams worldwide.
Factors to Keep in Mind When Choosing a Framework
If you’re just getting started, look at the simplest frameworks first and decide on which ones to adopt based on your organization’s needs.
- To zero in on your specific needs, you first need to know what sensitive data you store, generate and handle.
- We recommend an inside-out approach to security, where you start with sensitive data discovery. (You can then map this data to the devices and apps that store it, and make sure that both the data and the assets that store the data are protected.)
- This will help you establish your protect surface, or the part of your IT environment (both on-prem and cloud) that should be prioritized for protection.
- Additionally, consider the compliance requirements that apply to your industry or country, and check which frameworks will help you tick these boxes.
With the context established, you can choose a framework that will be appropriate for your needs. If necessary, you can also customize the framework by adding, removing or modifying specific controls.
Five Essential Cybersecurity Controls
In our own evaluation of different frameworks, the UK’s Cyber Essentials stood out as the simplest. There are only five basic controls included in the Essentials, and the NCSC’s documentation explains each of these in simple language and with examples that anyone can understand.
Download the Cyber Essentials Requirements for IT Infrastructure here.
The essential control categories cover network security (firewalls), secure configuration, regular updates and patch management, access control, and malware protection.
Use firewalls to protect networks and devices from external threats
These firewalls must be configured carefully: change default administrator passwords to strong, unique ones, and do not expose the administrative interface to the internet unless there is a documented business need and it is protected by MFA or an IP allow-list. Block unauthenticated inbound connections by default; any rule permitting inbound traffic must be approved by an authorized individual, documented, reviewed regularly and removed as soon as it is no longer needed. Use boundary firewalls, software firewalls or both depending on where users connect from: devices used on home or public networks need a host-based software firewall, because the office boundary firewall does not protect them there.
Boundary Firewalls: A boundary firewall is a network device that filters inbound and outbound traffic to and from a network. It acts as a security barrier, enforcing rules to allow or deny specific types of traffic based on factors like source IP address, destination IP address, port number, and protocol.
Software Firewalls: A software firewall is a security application installed on a device, such as a computer or mobile phone. It operates at the device level, filtering network traffic and protecting the individual device from attacks.
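The inbound-rule requirements above (documented, authorized, reviewed, and no administrative interface open to the whole internet) are easy to encode as a review script. The following is an added example, not code from the article or the NCSC; the Rule record, the set of ports treated as administrative interfaces and the sample rules are all constructed for illustration.

```python
"""Review inbound firewall rules against the requirements described above:
every inbound allow rule needs a documented justification and an approver,
rules must be reviewed on a schedule, and administrative interfaces must not
be exposed to any source on the internet.

Added example, not from the article or the NCSC. The Rule format, the ports
treated as administrative interfaces and the sample rules are constructed.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Assumption: ports on which an administrative interface typically listens.
ADMIN_PORTS = {22, 23, 3389, 5900, 8443}


@dataclass
class Rule:
    name: str
    action: str                # "allow" or "deny"
    direction: str             # "inbound" or "outbound"
    source: str                # CIDR the rule accepts traffic from
    port: int
    protocol: str = "tcp"
    justification: str = ""    # documented business need
    approved_by: str = ""      # authorising individual
    last_reviewed: str = ""    # ISO date of the last rule review, "" if never


def review_rule(rule: Rule, today: date, review_days: int = 90) -> list[str]:
    """Return the findings for one rule; an empty list means the rule is compliant."""
    findings = []
    # Only inbound allow rules open an attack path; everything else passes.
    if rule.direction != "inbound" or rule.action != "allow":
        return findings
    if not rule.justification.strip():
        findings.append("no documented justification")
    if not rule.approved_by.strip():
        findings.append("not authorised")
    # A /0 prefix (IPv4 or IPv6) means "any source on the internet".
    network = ipaddress.ip_network(rule.source, strict=False)
    if network.prefixlen == 0 and rule.port in ADMIN_PORTS:
        findings.append("admin interface open to any source")
    if rule.last_reviewed:
        age = (today - date.fromisoformat(rule.last_reviewed)).days
        if age > review_days:
            findings.append(f"not reviewed in {age} days")
    else:
        findings.append("never reviewed")
    return findings


def review_ruleset(rules, today: date, review_days: int = 90) -> dict[str, list[str]]:
    """Map each inbound allow rule's name to its findings."""
    return {
        r.name: review_rule(r, today, review_days)
        for r in rules
        if r.direction == "inbound" and r.action == "allow"
    }


# Constructed sample rule set (203.0.113.0/24 is a documentation range).
SAMPLE_RULES = [
    Rule("web-https", "allow", "inbound", "0.0.0.0/0", 443,
         justification="Public website", approved_by="IT manager",
         last_reviewed="2024-05-01"),
    Rule("rdp-any", "allow", "inbound", "0.0.0.0/0", 3389),
    Rule("ssh-office", "allow", "inbound", "203.0.113.0/24", 22,
         justification="Admin access from office", approved_by="IT manager",
         last_reviewed="2023-12-01"),
    Rule("egress-all", "allow", "outbound", "0.0.0.0/0", 0),
]
REVIEW_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for name, findings in review_ruleset(SAMPLE_RULES, REVIEW_DATE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the sample set, the public HTTPS rule passes, the open RDP rule collects every finding, and the office SSH rule is flagged only because it has not been reviewed within 90 days. In practice you would export the rules from the firewall and feed them into the same check on a schedule.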
Strengthen configuration settings on devices and applications
To minimize attack entry points, organizations must ensure that computers, network devices and applications are configured securely. Common misconfigurations include default passwords, unnecessary user accounts, admin-level access where it’s not necessary, and unneeded software.
Key Controls to Implement:
- Account Management: Remove unnecessary user accounts, change default passwords to strong, unique ones, implement multi-factor authentication for privileged accounts.
- Software Management: Remove or disable unnecessary software.
- System Settings: Disable auto-run features to prevent malicious file execution, configure strong access controls, including password policies and biometric authentication, implement device locking mechanisms.
- Network Security: Configure firewalls to restrict network traffic, regularly review and update network security policies.
Install security updates regularly and prioritize high-risk vulnerabilities
Apply security patches and updates released by vendors regularly to reduce exposure.
Key Controls:
- Vulnerability Management: Identify and prioritize vulnerabilities in your systems.
- Patch Management: Implement a process to download, test, and deploy security patches promptly.
- Automatic Updates: Enable automatic updates whenever possible to streamline the process.
- Critical and High-Risk Updates: Install updates that fix critical or high-risk vulnerabilities (vendor-rated critical or high, or CVSS v3 base score 7.0 or above) within 14 days of release.
- Vendor Support: Ensure that all software is licensed and supported by the vendor.
- End-of-Life Software: Remove or isolate unsupported software to mitigate risks.
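The 14-day window and the end-of-life rule above are simple to operationalize once vulnerability findings are in a structured form. The following is an added example, not code from the article or the NCSC; the Finding record and the sample findings are constructed, CVSS v3 base score 7.0 is used as the high-risk threshold, and the 14-day window is counted from the date the vendor published the fix.

```python
"""Work out which outstanding vulnerabilities have blown the 14-day window
described above, and which installed software is out of vendor support.

Added example, not from the article or the NCSC. The Finding record and the
sample findings are constructed; CVSS v3 base score 7.0 is the threshold for
"high risk", and the 14-day window starts when the vendor publishes the fix.
"""
from dataclasses import dataclass
from datetime import date, timedelta

HIGH_RISK_CVSS = 7.0
PATCH_WINDOW = timedelta(days=14)


@dataclass
class Finding:
    host: str
    software: str
    cvss: float
    fix_released: date         # date the vendor published the security update
    patched: bool
    vendor_supported: bool = True


def classify(f: Finding, today: date) -> str:
    """Return the required action for a finding as of `today`."""
    if not f.vendor_supported:
        # No fix will ever arrive: the only remedies are removal or isolation.
        return "unsupported: remove or isolate"
    if f.patched:
        return "compliant"
    if f.cvss < HIGH_RISK_CVSS:
        return "low risk: patch in the normal update cycle"
    deadline = f.fix_released + PATCH_WINDOW
    if today > deadline:
        return f"OVERDUE by {(today - deadline).days} days"
    return f"due in {(deadline - today).days} days"


def prioritise(findings, today: date):
    """Return (host, software, status) triples, most urgent first:
    overdue (longest overdue first), then unsupported, then due soon,
    then low risk by score, then compliant."""
    def urgency(f):
        status = classify(f, today)
        deadline = f.fix_released + PATCH_WINDOW
        if status.startswith("OVERDUE"):
            return (0, -(today - deadline).days)
        if status.startswith("unsupported"):
            return (1, 0)
        if status.startswith("due"):
            return (2, (deadline - today).days)
        if status.startswith("low"):
            return (3, -f.cvss)
        return (4, 0)
    return [(f.host, f.software, classify(f, today))
            for f in sorted(findings, key=urgency)]


# Constructed sample findings.
TODAY = date(2024, 6, 20)
SAMPLE_FINDINGS = [
    Finding("dc01", "Windows Server", 9.0, date(2024, 6, 1), patched=True),
    Finding("printer-03", "Printer firmware", 5.3, date(2024, 4, 1), patched=False),
    Finding("laptop-17", "Web browser", 8.1, date(2024, 6, 15), patched=False),
    Finding("fileserver01", "TLS library 3.0", 9.8, date(2024, 5, 28), patched=False),
    Finding("legacy-app", "App server 2.x", 7.5, date(2024, 1, 1), patched=False,
            vendor_supported=False),
]

if __name__ == "__main__":
    for host, software, status in prioritise(SAMPLE_FINDINGS, TODAY):
        print(f"{host:14} {software:18} {status}")
```

Note that the unsupported application is ranked above everything except the overdue patch even though its score is lower: a vulnerability with no vendor fix cannot be closed by patching at all, which is why the control says to remove or isolate end-of-life software rather than wait.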
Create and implement strong access control and password policies
To minimize the risk of unauthorized access, organizations must implement strong user account management practices. Key principles include:
- Account Provisioning and Deactivation: Create accounts only for authorized individuals based on the principle of least privilege access. Promptly deactivate accounts when users leave the organization or change roles.
- Strong Authentication: Enforce strong, unique passwords; implement MFA for privileged accounts and remote access; regularly review and update password policies.
- Privileged Account Management: Keep the number of privileged accounts to a minimum, protect them with strict access controls, and use administrative accounts only for tasks that require them, never for day-to-day activities such as email or web browsing.
- User Awareness and Training: Educate users about security best practices, including password hygiene and phishing prevention.
Password policy
- Enforce unique passwords of at least 12 characters, or at least 8 characters where you also block common passwords with a deny list or protect the account with MFA; encourage a password manager for secure storage.
- Implement account lockout or rate limiting to stop automated brute-force guessing, for example locking the account after 10 failed attempts or allowing no more than 10 guesses in five minutes.
- Use multi-factor authentication (MFA) wherever it is available, and require it for all cloud-based accounts.
- Educate users about password best practices, such as avoiding password reuse.
- Avoid unnecessary password expiration and complexity requirements.
By following these guidelines, organizations can significantly reduce the risk of password-related security breaches.
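The policy above is short enough to implement directly: a length minimum and a deny list on the way in, no composition or expiry rules, and a rolling-window throttle on failed logins. The following is an added example, not code from the article or the NCSC; the deny-list fragment, the limits chosen (12 characters; 10 failures per 5 minutes) and the sample inputs are constructed for illustration.

```python
"""Enforce the password policy above: a length minimum, a deny list of
common passwords, no composition or expiry rules, plus a rolling-window
throttle on failed logins so that online guessing is rate limited.

Added example, not from the article or the NCSC. The deny-list fragment,
the limits (12 characters; 10 failures per 5 minutes) and the sample
inputs are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed fragment of a deny list; a real deployment loads a large
# published list of breached and common passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def check_password(password, min_length=12, deny_list=COMMON_PASSWORDS, user_hints=()):
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no character-class rules and no expiry: length and a deny
    list are what defeat guessing, and forced rotation produces predictable
    variants of the old password.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in deny_list:
        reasons.append("on the common-password deny list")
    # Reject passwords built from the user's own identifiers (name, username).
    normalised = "".join(ch for ch in password.lower() if ch.isalnum())
    for hint in user_hints:
        if hint and hint.lower() in normalised:
            reasons.append(f"contains '{hint}'")
    return reasons


class LoginThrottle:
    """Allow at most `max_attempts` failed logins per account in any rolling
    window of `window_seconds`. Time is passed in explicitly (for example
    time.monotonic()) so the logic is deterministic and testable."""

    def __init__(self, max_attempts=10, window_seconds=300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)   # account -> failure timestamps

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, account, now):
        """True if the account may attempt a login at time `now`."""
        self._prune(account, now)
        return len(self._failures[account]) < self.max_attempts

    def record_failure(self, account, now):
        self._prune(account, now)
        self._failures[account].append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


def simulate_guessing(attempts=12, interval=1.0):
    """Drive the throttle with `attempts` wrong guesses one `interval` apart
    and return how many of them were actually allowed to reach the verifier."""
    throttle = LoginThrottle()
    let_through = 0
    for i in range(attempts):
        now = i * interval
        if throttle.allowed("alice", now):
            let_through += 1
            throttle.record_failure("alice", now)
    return let_through


def lockout_then_recovery():
    """Ten failures within ten seconds lock the account; at 301 s the oldest
    failures fall outside the five-minute window and attempts resume."""
    throttle = LoginThrottle()
    for i in range(10):
        throttle.record_failure("bob", float(i))
    return throttle.allowed("bob", 10.0), throttle.allowed("bob", 301.0)


if __name__ == "__main__":
    print(check_password("password1"))
    print(check_password("correct horse battery staple"))
    print(simulate_guessing(12), "of 12 guesses reached the verifier")
    print(lockout_then_recovery())
```

The throttle is a sliding window rather than a hard lockout, so a legitimate user who mistypes a few times is never locked out for long, while an attacker is capped at ten guesses per five minutes per account, which turns a brute-force attack from minutes into years.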
Use malware protection software and create allow-lists for vetted apps
Malware, such as viruses, worms, ransomware, and spyware, can cause significant damage to systems and data. These programs are often distributed through malicious email attachments, phishing attacks, infected websites, malicious downloads or other means.
To protect against malware, organizations should implement the following measures:
- Anti-Malware Software: Use reputable anti-malware software and keep it up-to-date. Configure the software to block malware, malicious code, and harmful websites.
- Application Allow-listing: Allow only approved applications to run on devices. Use code signing to verify the authenticity of applications. Regularly review and update the list of approved applications.
By combining these strategies, organizations can significantly reduce the risk of malware infections and protect their systems.
Conclusion
By implementing these five essential cybersecurity controls and the subcontrols under them, organizations can bolster their defenses against a wide range of cyber threats. Combine these with ongoing vigilance, employee awareness training and regular backups to build resilience.
Implement Essential Security Controls using CYRISMA!
Discover sensitive data on-prem and in the cloud; find and patch vulnerabilities; strengthen system configuration; monitor Active Directory and more with CYRISMA’s All-in-One Cyber Risk Management and Compliance Platform! Build cyber resilience without having to invest in dozens of complex tools.