Alternate format: Top measures to enhance cyber security for small and medium organizations (ITSAP.10.035) (PDF, 316 KB)
Looking for steps you can take to protect your organization’s networks and information from cyber threats? To get you started, we have summarized the 13 security control categories that are identified in our Baseline Cyber Security Controls for Small and Medium Organizations and form the foundation for the CyberSecure Canada Certification program. By implementing these controls, you can reduce your risks and improve your ability to respond to security incidents. While it isn’t always necessary to implement all of the controls, we encourage you to adopt as many as possible to enhance your cyber security.
Develop an incident response plan

If you have a plan, you can quickly respond to incidents, restore critical systems and data, and keep service interruptions and data loss to a minimum. Your plan should include strategies for backing up data.
Use strong user authentication

Implement user authentication policies that balance security and usability. Ensure your devices authenticate users before they can gain access to your systems. Wherever possible, use two-factor authentication (2FA) or multi-factor authentication (MFA).
- Secure Your Accounts and Devices With Multi-Factor Authentication (ITSAP.30.030)
- Best Practices for Passphrases and Passwords (ITSAP.30.032)
- Rethink Your Password Habits to Protect Your Accounts from Hackers (ITSAP.30.036)
Enable security software

Activate firewalls and install anti-virus and anti-malware software on your devices to thwart malicious attacks and protect against malware. Ensure you download this software from a reputable provider. Install Domain Name System (DNS) filtering on your mobile devices to block out malicious websites and filter harmful content.
Patch operating systems and applications

When software issues or vulnerabilities are identified, vendors release patches to fix bugs, address known vulnerabilities, and improve usability or performance. Where possible, enable automatic patches and updates for all software and hardware to prevent threat actors from exploiting these issues or security vulnerabilities.
Back up and encrypt data

Copy your information and critical applications to one or more secure locations, such as the cloud or an external hard drive. If a cyber incident or natural disaster happens, these copies can help you continue business activities and prevent data loss. Backups can be done online or offline and can also be done in three different iterations: full, differential or incremental. Test your backups regularly to ensure you can restore your data.
Train your employees

Tailor your training programs to address your organization’s cyber security protocols, policies, and procedures. Having an informed workforce can reduce the likelihood of cyber incidents.
How to use these controls
These controls are not a one-size-fits-all approach to cyber security. They are guiding principles that you can use to create your organization’s own cyber security framework.
You should scope and tailor these controls based on your organization’s needs and requirements. Implement as many of these controls as possible to enhance your cyber security posture and help minimize the risk of cyber attacks. Starting with the following four controls will strengthen your organization’s security:
- Develop an Incident Response Plan
- Patch Operating Systems and Applications
- Use Strong User Authentication
- Backup and Encrypt Data
Before implementing the controls, keep the following tips in mind:
- Identify the critical information assets and systems to which you will apply these controls.
- Understand the main threats to your organization.
- Identify your valuable information and systems and apply risk management plans to enhance your security posture.
- Implement some or all of these controls and you will see a significant impact on improving your organization’s resilience and protection against cyber threats.
Secure cloud and outsourced services

Get to know a service provider before you contract them. Make sure the service provider has measures in place to meet your security requirements and needs.
Know where a service provider’s data centres are located. Different countries have different privacy laws and data protection requirements.
- Benefits and Risks of Adopting Cloud-Based Services in Your Organization (ITSE.50.060)
- Models of Cloud Computing (ITSAP.50.111)
- Cyber Security Considerations for Consumers of Managed Services (ITSM.50.030)
Secure mobile devices

Choose a device deployment model. Will your organization provide employees with corporately owned devices or will you allow employees to use personal devices for work?
Ensure employees can only use approved applications and can only download applications from trusted sources.
Establish basic perimeter defences

Defend your networks from cyber threats. For example, use a firewall to defend against outside intrusions by monitoring incoming and outgoing traffic and filtering out malicious sources.
Use a virtual private network (VPN) when employees are working remotely to secure the connection and protect sensitive information.
Secure portable media

Storing and transferring data using a portable media device, like a USB key, is convenient and cost-effective, but they can be prone to loss or theft. Maintain an inventory of all assets.
Use encrypted portable storage devices, if possible, and sanitize devices properly before reusing or disposing of them.
Secure websites

Protect your website and the sensitive information it collects. Encrypt sensitive data, ensure your certificates are up to date, use strong passwords or passphrases on the backend of the site, and use HTTPS for your site.
If you have outsourced your website, ensure your site’s host has security measures in place.
Access control and authorization

Apply the principle of least privilege to prevent unauthorized access and data breaches. Employees should only have access to the information that they need to do their jobs. Each user should have their own set of log-in credentials, and administrators should have separate administrative accounts and general user accounts.
Configure devices securely

Take the time to review your device’s default settings and make modifications as required. At a minimum, we recommend changing default passwords (especially administrative passwords), turning off location services, and disabling unnecessary features.
Learn more
We’ve included a selection of our publications, but you can browse our entire catalogue at cyber.gc.ca.
These baseline cyber security controls are also the foundation of the CyberSecure Canada Certification. The certification program helps small and medium-sized organizations improve and demonstrate their cyber security. Implementing the certification requirements can help you protect your organization, clients, and partners from cyber attacks.
Why Get Certified?
- Improve your competitive advantage by reassuring your customers, partners, investors and suppliers that the valuable information they provide you will be secure.
- Limit the direct and indirect impacts on your business from cyber attacks: financial loss, damage to your reputation and critical infrastructure, litigation, job losses and increased consumer prices.
- Ensure your organization is eligible to compete for business opportunities that require cybersecurity certification.