Canada: Combatting Cyber Threats: CSE Releases New Baseline Cybersecurity Controls

Last Updated: June 28 2019
Article by Lisa R. Lifshitz

On April 5, 2019, the Canadian Centre for Cyber Security released the Baseline Cyber Security Controls for Small and Medium Organizations intended to assist small and medium organizations in Canada that want recommendations to improve their cyber security resiliency.

The centre, part of the Communications Security Establishment (equivalent to the U.S. National Security Agency), was founded last October to work collaboratively with Canada’s critical infrastructure, academia, private industry and all levels of government to combat cyber threats, manage government cybersecurity incidents and provide other cyber-related services, education, Guidelines and training.

The guidelines are intended to fill a critical gap for smaller enterprises that have been slow to adopt adequate cybersecurity protective measures. Reporting on the results of its analysis of the Canadian Survey of Cyber Security and Cybercrime, Statistics Canada found that Canadian businesses spent $14 billion to prevent, detect and recover from cyber security incidents in 2017, which represented less than one per cent of their total revenues.

However, annual average corporate expenditures on cyber security differed greatly based on size of business in 2017. While large businesses (250 employees or more) spent $948,000, medium-sized businesses (50 to 249 employees) spent $113,000 and small businesses (10 to 49 employees) spent $46,000.

Accordingly, the guidelines are based on the so-called 80-20 rule where organizations can supposedly achieve 80 per cent of the benefit from 20 per cent of the effort to cybersecurity practices to achieve concrete gains and enhance cybersecurity efforts. 

The guidelines observe that small and medium-sized businesses face their own form of cyber threats from cybercriminals targeting their customer, partner and supplier data in addition to financial information/payment systems more generally and, of course, proprietary information. Small and medium-sized businesses that suffer cybersecurity incidents typically suffer costly reputational damage, productivity losses, intellectual property theft, operational disruptions, not to mention costly recovery expenses. 

The Guidelines therefore focus on providing a condensed set of advice and guidelines that the centre labeled “baseline cyber security controls” or “baseline control” – the most critical controls that smaller organizations (less than 499 employees) that wish to protect sensitive data should deploy to improve their cyber resiliency. Larger organizations are encouraged to invest in more comprehensive security coverage.

After determining whether the guidelines should apply to a particular organization based on size, companies should then determine what elements of their information systems and assets should be subject to the controls (ideally, all information systems and assets, whether owned, contracted or otherwise used). 

Organizations should also determine and rank the value of their information systems and assets – more sensitive customer information should require additional protection, as would valuable proprietary intellectual property – and assess the potential injury to the confidentiality, integrity and availability to their information systems and assets. 

Critically, businesses should also identify an individual in a leadership role that is specifically responsible for their IT security and larger organizations should consider hiring a chief information security officer. It also helps to identify financial spending levels for IT and IT security and identify internal staff levels to determine whether such spending is proportionate.

The baseline controls themselves are straight forward and commonsensical, focusing on how to reduce risk as well as preparing to respond to cyber incidents.

I fully support the recommendation that organizations “adopt the thinking” that they will inevitably suffer a data breach at some point and therefore must be able to quickly detect, respond and recover from the incident.   

Key recommendations include:

Developing an incident response plan

Companies should assume the worst and create a written incident plan on how to respond and recover from cyber security incidents. The plan should be part of the entity’s plans for disaster recovery and business continuity and if required, should include who is responsible for handling incidents (including relevant contact information), for communicating to third parties, stakeholders and regulators as well as contract information for third-party external assistance providers (who and for what services). Organizations should also consider acquiring a cyber security insurance policy that includes coverage for incident response and recovery activities in addition to liability coverage.

Automatically patch operating systems and applications

This suggestion is more controversial, but the guidelines suggest that as smaller entities may find keeping track of vulnerabilities for various products across networks onerous and time consuming, small and medium-sized businesses should enable automatic updates for all software and hardware if this option is available (or replacing products with those that provide the option). Moreover, software and hardware than are no longer eligible to receive updates because the vendor has officially ended its support (for being past end of life, etc.) should be replaced (which should help ensure various standalone devices, applications, operating systems, etc. will be up-to-date and free of known vulnerabilities).  Not surprisingly, this recommendation is severely caveated and the guidelines take pains to distinguish what would be appropriate for large enterprises with greater IT staff (where there should be full vulnerabilty and patch management practices) rather than “auto-patching” to avoid ‘unexpected side effects’.

Enable security software

Not unexpectedly, the guidelines strongly recommend securely configuring and enabling anti-virus and anti-malware software as feasible on all connected devices so they update and scan automatically for malware.

Securely configure devices

Reiterating a basic principle that default administrative passwords and insecure default settings on devices often pose significant problems in enterprise networks, the guidelines recommend that all enterprises change administrative passwords on devices, review device settings to disable unnecessary functionality and enable security features.

Use strong user authentication

Organizations should have user authentication policies that balance security with usability. Two-factor authentication should be mandatory and used wherever possible, especially for critical accounts (such as financial accounts, system administrators, privileged users and senior executives). Entities should also have clear policies on password length and the use of password managers.

Provide employee awareness training

As a first line of defence, organizations should implement cyber security awareness and training for their employees that covers basic security practices, focusing on practical and easily implementable measure such as use of effective password policies, identification of malicious email/links, appropriate use of the Internet and safe use of social media.

Back up and encrypt data

The guidelines recommend that organizations should back up all essential business information regularly to an external secure location to ensure recovery from ransomware as well as equipment failures and natural disasters. The systems to be backed up and the frequency of the backups should be decided on a case-by-case basis (since different systems will have different back-up and recovery requirements).

Companies should also securely store backups in encrypted states and be only assessable to those employees who require access on a need-to-know basis for testing and/or use of restoration activities.

Secure mobility

While acknowledging the importance of cell phones to most organizations, many entities now allow employees to bring their own devices to work and this complicates how companies can secure sensitive company information and corporate IT infrastructure access across employee devices.

Even on devices owned by employees, word data and personal data should be separated and all mobile devices should store sensitive information in a secure, encrypted state. Employees should be required to download apps from trusted sources and authorized stores. Organizations should also educate (or enforce) users to disable automatic connections to open networks; avoid connecting to unknown Wi-Fi networks; limit the use of Bluetooth or other near-field communications for the exchange of sensitive information, and use the most secure connectivity option available, namely corporate WI-FI or cellular data networks rather than public, insecure coffee shop WIFI. Lastly, companies should be able to remotely wipe employee devices to delete corporate data.

Establish basic perimeter defences

Plainly put, the use of a dedicated firewall as a buffer between the organization’s own network and the wider Internet is a must and organizations should implement a Domain Name System firewall to prevent connections to known malicious web domains (and for outbound DNS requests to the Internet more generally).

The guidelines recommend using the WPA2 wireless security protocol or better for internal Wi-Fi networks and where possible, the strongest variant (e.g. WPA2-Enterprise) should be used. Public Wi-Fi networks should never be connected to corporate networks and if applicable, organizations should follow the Payment Card Industry Data Standard for all point-of-sale terminals and financial systems, isolating these systems from the Internet. Lastly, organizational email should be scanned and filtered for malicious attachments and links using domain-based message authentication, reporting and conformance.

Secure cloud and outsourced IT services

The guidelines have some pretty strong advice regarding the use of outsourced IT service providers. Cloud service providers should be obligated to make available an SSAE 16 SOC 3 report that states that they achieved Trust Services Principles Compliance (and if a provider cannot provide this certification, the guidelines suggest that the entity should look to other providers). 

All sensitive information of the organization stored at a third-party service provider should be encrypted and access to data stored in the cloud should be made using secure web browser configurations. Companies should also conduct adequate due diligence to ensure that their cloud providers handle and access sensitive information (including personal information) and evaluate their comfort level with the legal jurisdictions where the service providers store or use their sensitive information. The following should be considered when evaluating cloud and outsourced IT providers: privacy and data-handling policies; notification processes when data is accessed without prior authorization; destructive processes for data at the end of the agreement; the physical location and security of the outsourced data centres and the physical location of the outsourced administrators. Lastly, entities should ensure that administrative accounts for cloud services should use two-factor authentication and be different from internal administrator accounts.

Secure websites

Companies can overlook the importance of hardening their own websites from security threats. All corporate websites should meet the Open Web Application Security Project Application Security Verification Standard (and this requirement should be included in contracts with website developers).

Implement access control and authorization

Many organizations over-share access to sensitive information internally and the guidelines recommend that organizations should follow the principle of “least privilege” where users only have the minimal functionality required to perform their jobs. Administrator privileges should be restricted to an “as-required” basis. Users should be given unique individual accounts rather than using shared or shared-use accounts to ensure clear accountability and organizations should have all the necessary processes in place to revoke accounts when employees leave the organization or they are no longer required. The guidelines recommend that larger organizations deploy a centralized authorization control system (such as Lightweight Directory Access Protocol or Active Directory).

Secure portable media

While it is arguably convenient to transfer data files between devices, portable media (including secure digital cards, USB flash drives and portable hard drives) can be a security headache since they are so easily lost or stolen (hello data breach!). The Guidelines recommend limiting the use of portable media to commercial encrypted drives provided by the organization and maintaining strong asset control for all storage devices (including proper disposal). Organizations should also ensure that they can comprehensively wipe/sanitize such devises prior to their disposal, or retain a service provider to securely destroy them.

The guidelines explicitly state that the foregoing base controls are intentionally aimed at small and medium-sized businesses to maximize the effectiveness of their limited cyber security spend and organizations looking to go beyond these controls should consider more comprehensive/robust cyber security measures such as the NIST Cyber Security Framework, the Center for Internet Security Controls, ISO/IEC 27001: 2013 or the CCCS IT Security Risk Management: A Lifecycle Approach.

However there is little doubt that many small and medium-sized businesses will find the Guidelines to be a useful, if somewhat limited, starting point for good cybersecurity practices. Even if a small number of organizations adopt these recommendations then the net impact on Canadian cyber resiliency will likely be positive.

Originally Publish in Canadian Lawyer Online

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions