Are you familiar with the CAN/CIOSC 104 cybersecurity standards for small- to medium-sized businesses? If you do business on the internet, maintain point-of-sale terminals that collect customer data, or simply use a computer at your organization, you have to keep your data safe. Here’s how:
We have already talked about the ways a cybersecurity breach can affect your business, and we’ve looked at the ways it can damage your reputation and your bottom line. Now let’s see what you can do to protect yourself.
The first thing to do is familiarize yourself with the CIO Strategy Council’s national baseline cybersecurity standards for small- and medium-sized organizations, known as CAN/CIOSC 104. These standards contain 55 cybersecurity controls that make up the minimal requirements needed to mitigate cyber risk.
CAN/CIOSC 104 breaks these 55 controls into two groups: Level 1, which has 22 basic controls aimed at low-risk SMOs with little or no digital presence; and Level 2, which adds another 33 controls for everyone else. Together, these standards establish CAN/CIOSC 104 as a world leader in cybersecurity best practices.
The CAN/CIOSC 104 controls are actually straightforward, though they increase in technical complexity as you work through the list. Here are some examples:
- Organizational controls: cyber security training, covering:
  - Level 1
    - basic security practices
    - malicious email and link identification
    - proper use of approved software
    - internet use best practices
    - safe use of social media
  - Level 2
    - regular and thorough employee training programs
- Patch operating systems and applications automatically (Level 1):
  - make sure your software and hardware have all the required security patches
  - set up automatic patching
  - where systems aren't able to update automatically, do a risk assessment and decide if they need to be replaced
- Operating environment: secure websites (Level 2):
  - ensure websites all address the OWASP top 10 vulnerabilities list
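The patching control above boils down to a simple question you should be able to answer for every device you own: is it patched automatically, and if not, how long has it gone without updates? The following script is an added illustration (it is not part of the CAN/CIOSC 104 standard or of any TGT tooling) of how a small organization could run that check against its own asset list. The inventory, host names, and the 30-day threshold are constructed assumptions; the real list would come from your own records.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (hypothetical hosts, not real systems):
# the kind of list an SMO might keep in a spreadsheet.
INVENTORY = [
    {"host": "office-pc-01", "os": "Windows 11", "auto_patch": True, "last_patched": "2024-05-02"},
    {"host": "pos-terminal-1", "os": "Windows 10 IoT", "auto_patch": False, "last_patched": "2023-11-20"},
    {"host": "web-01", "os": "Ubuntu 22.04", "auto_patch": True, "last_patched": "2024-03-01"},
    {"host": "legacy-scanner", "os": "Windows 7", "auto_patch": False, "last_patched": "2020-01-14"},
]

# Assumed policy: an auto-patched system that has not applied updates
# within this many days is treated as overdue and needs a look.
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Finding:
    host: str
    status: str            # "ok", "overdue", or "needs-risk-assessment"
    days_since_patch: int


def assess(inventory, today_iso, max_age_days=MAX_PATCH_AGE_DAYS):
    """Classify each asset against the patching control.

    Systems without automatic patching are flagged for the risk assessment
    the control calls for (keep, isolate, or replace). Auto-patched systems
    are checked for how long it has been since their last update.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for item in inventory:
        last = date.fromisoformat(item["last_patched"])
        age = (today - last).days
        if not item["auto_patch"]:
            status = "needs-risk-assessment"
        elif age > max_age_days:
            status = "overdue"
        else:
            status = "ok"
        findings.append(Finding(item["host"], status, age))
    return findings


def summarize(findings):
    """Count findings per status so the report can be read at a glance."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY, "2024-05-10")
    for f in results:
        print(f"{f.host:16} {f.status:24} {f.days_since_patch:4d} days since last patch")
    print(summarize(results))
```

Run it with the sample data and the two point-of-sale and legacy devices land in the "needs-risk-assessment" bucket, which is exactly the decision the control asks you to make for systems that cannot update themselves; the web server shows up as overdue because automatic patching was turned on but evidently is not applying updates, a gap worth checking before assuming the control is met.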
Put in simpler terms, the standards require you to 1) teach your employees how to use technology safely, 2) keep your software and systems secure and up-to-date, and 3) make sure your website (and any other systems you have running) has been checked and secured against potential threats.
Familiarizing yourself with the full list is your first step toward reducing cyber risk, because a strong defense is critical for the health and safety of your customers, employees and business. When it comes to implementation, the good news is that affordable, automated solutions now exist that can do the work for you, no matter how technically savvy you may be.
TGT has a team of Information Security Officers who can help you understand and assess your organization’s cyber risk, and we can help you establish the worry-free systems you need to protect your data.
Call us today.