When you are starting a small business, there is plenty to worry about. How do you make your product amazing? How are you going to make sure your potential customers know about what you have to offer? How do you hire the right people? With so much going on, it is easy to see why protecting your data and securing your network can get pushed down the to-do list.
There are many steps you can take to keep people outside and inside your organization from compromising your data. These steps are usually referred to as Critical Security Controls. They are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.
In this week’s episode of CYBER24, we sit down with Anders Erickson, director of cybersecurity services at Eide Bailly, and Matt Sorensen, chief information security officer at Secuvant, to break down just how essential it is for a business to prioritize data protection. We also walk through the most important things any business owner should do first to put protections in place.
Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Critical Control 4: Continuous Vulnerability Assessment and Remediation
Critical Control 5: Controlled Use of Administrative Privileges
Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Control 7: Email and Web Browser Protections
Critical Control 8: Malware Defenses
Critical Control 9: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 10: Data Recovery Capability (validated manually)
Critical Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Critical Control 12: Boundary Defense
Critical Control 13: Data Protection
Critical Control 14: Controlled Access Based On Need to Know
Critical Control 15: Wireless Device Control
Critical Control 16: Account Monitoring and Control
Critical Control 17: Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
Critical Control 18: Application Software Security
Critical Control 19: Incident Response and Management (validated manually)
Critical Control 20: Penetration Tests and Red Team Exercises (validated manually)