2019 Baseline Cyber Security Controls for Small and Medium Organizations
Posted on Thursday, May 30, 2019 and filed under Tech Advisories
This document is for small and medium organizations seeking to improve their resiliency through investment in cybersecurity. This is part of the response to the need expressed in the National Cyber Security Strategy for the Government of Canada to support small and medium organizations by making cyber security more accessible.
As stated in the National Cyber Threat Assessment, small and medium organizations are most likely to face cyber threat activity in the form of cybercrime that often has immediate financial or privacy implications. Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Cybersecurity incidents can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions, and recovery expenses.
We recommend Annex 4A – Profile 1 of Information Technology (IT) Security Risk Management (ITSG-33) to organizations seeking to reduce their risk of cybersecurity incidents. This profile is the Canadian specification of controls equivalent to that of the NIST Cyber Security Framework or ISO/IEC 27001:2013. The reality, however, is that this profile is expensive to implement, beyond the financial and/or human resources of most small and medium organizations in Canada.
We believe that organizations can mitigate most cyber threats through awareness and best practices in cybersecurity and business continuity. As such, we think we can successfully apply the 80/20 rule (achieve 80% of the benefit from 20% of the effort) in the domain of cybersecurity and make concrete gains for the cybersecurity of Canadians. This document presents a condensed set of advice, guidance, and security controls on how organizations can get the most out of their cyber security investments. We call these baseline cybersecurity controls (hereafter baseline controls).
We encourage organizations to implement as many of these baseline controls as possible, and we understand that not every organization can implement every control. If the majority of Canadian organizations implement these controls, however, Canada will be more resilient and cyber-secure. For additional advice, please visit cyber.gc.ca.