Small to medium-sized businesses (SMBs) face a growing barrage of cyber threats, but many struggle...
Cybercriminals aren't just targeting big corporations anymore - small and mid-sized businesses are now in their crosshairs too. Many smaller organisations lack the resources to defend themselves properly, leaving them open to expensive hacks and data theft. CERT NZ's 10 Critical Controls offer a simple yet powerful way for businesses to beef up their security and lock down their operations. This guide will show you how to shield your business from online threats, whether you're new to cybersecurity or want to toughen up your current defences.
What are CERT NZ’s 10 Critical Controls?
CERT NZ's 10 Critical Controls are a set of cybersecurity measures that help businesses ward off common online threats. They're designed to be straightforward and doable, even for businesses with limited cybersecurity expertise and resources. By putting these controls in place, small and medium businesses can slash their risk of falling victim to cyberattacks and better protect their sensitive data and assets.
Taking a structured approach to cybersecurity, like the one these controls offer, beats implementing ad-hoc security measures as it ensures you're covering all your bases systematically. This not only helps prevent cyber incidents but also puts your business in a better position to bounce back if an incident does occur.
Breaking Down the 10 Critical Controls
Control 1: Implement Application Controls
Explanation of Application Whitelisting:
Application controls, such as whitelisting, allow businesses to specify which applications are permitted to run on their systems. By implementing application whitelisting, businesses can prevent unauthorised and potentially harmful software from executing, reducing the risk of malware infections and other malicious activities.
Control 2: Patch Operating Systems & Applications
Importance of Regular Updates & Patch Management:
Patching is the process of applying updates to software and operating systems to fix security vulnerabilities. Cybercriminals often exploit these vulnerabilities to gain unauthorised access to systems. Regular patch management ensures that security gaps are closed, reducing the risk of exploitation. Businesses should automate patching processes to keep systems up-to-date without disrupting operations.
Control 3: Restrict Administrative Privileges
Risks of Excessive Administrative Access:
Administrative privileges allow users to make significant changes to systems and access sensitive data. If these privileges fall into the wrong hands, they can be used to cause substantial damage. By restricting administrative privileges to only those who need them, businesses can limit the potential impact of a compromised account and reduce the risk of insider threats.
Control 4: Improve Password Policies
Importance of Strong, Unique Passwords:
Weak and reused passwords are a common vulnerability exploited by attackers. Implementing strong password policies that require complex, unique passwords helps protect accounts from unauthorised access. Encouraging the use of password managers can help users maintain secure passwords without the burden of remembering them all.
Control 5: Use Multi-Factor Authentication (MFA)
Additional Layer of Security MFA Provides:
Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors, such as a password and a code sent to their mobile device. Even if an attacker gains access to a user’s password, MFA acts as a barrier that makes it significantly harder to access sensitive information.
Control 6: Asset Lifecycle Management
Importance of Managing Assets Through Their Entire Lifecycle:
Asset lifecycle management involves tracking and managing all IT assets—from procurement through disposal. This includes knowing what assets are in use, where they are located, and their security status. Proper asset management helps ensure that all devices and software are accounted for, up-to-date, and securely configured, reducing the risk of unauthorised access or data breaches.
Control 7: Backup Data Regularly
The Necessity of Regular Backups:
Data backups are a critical component of any cybersecurity strategy. Regular backups ensure that data can be restored in the event of a cyber incident, such as ransomware, that results in data loss or corruption. Businesses should implement automated backup solutions and regularly test backups to ensure data can be recovered quickly and effectively.
Control 8: Establish Security Awareness Training
Importance of Staff Training in Cybersecurity:
Human error is one of the leading causes of data breaches. By providing regular security awareness training, businesses can educate employees on recognizing phishing attempts, avoiding unsafe downloads, and following security best practices. A well-informed workforce is a critical line of defence against cyber threats.
Control 9: Implement Network Segmentation
Mitigations Provided by Segmenting Networks:
Network segmentation involves dividing a network into smaller, isolated segments. This limits the ability of attackers to move laterally across a network if they gain access. By implementing network segmentation, businesses can contain the impact of a breach and protect critical systems and data from being accessed.
Control 10: Centralised Logging & Alerting
Importance of Setting Up Logging & Alerting of Security Events:
Centralised logging and alerting involve collecting and analysing logs from various systems and applications to detect suspicious activities. Setting up automated alerts helps businesses quickly identify and respond to potential security incidents, reducing the time it takes to detect and mitigate threats.
Click here for more information on CERT NZ's 10 Critical Controls.
Implementing Controls
While implementing all 10 Critical Controls is ideal, SMBs should prioritise based on their specific needs and risks. Start with controls that address the most critical vulnerabilities and are easiest to implement. For example, enabling MFA and improving password policies are high-impact measures that can be implemented quickly. As resources allow, expand to other controls to build a comprehensive cybersecurity strategy.
Read our dedicated blog for more information on how to implement CERT NZ’s 10 Critical Controls.
Conclusion
Cybersecurity is not a one-time effort but an ongoing process of improvement and adaptation. By implementing CERT NZ’s 10 Critical Controls, small to medium businesses can establish a strong foundation for protecting their digital assets and reducing the risk of cyber threats. Taking proactive steps to enhance cybersecurity not only safeguards your business but also builds trust with customers and partners. Start today by assessing your current security posture, identifying gaps, and prioritising the implementation of these critical controls. Together, we can build a more secure digital future for all businesses.
The Role of The Instillery in Supporting SMBs
We understand the unique challenges that SMBs face in the ever-evolving cybersecurity landscape. Our Security Intelligence division specialises in providing tailored cybersecurity solutions that empower businesses to protect themselves against threats. From implementing CERT NZ’s 10 Critical Controls to offering ongoing monitoring and incident response services, our team of experts is here to help you navigate the complexities of cybersecurity with confidence. Contact us today to learn more about how we can support your business’s cybersecurity journey.
