Critical security controls: First steps for business cybersecurity

When you are starting a small business, there is plenty to worry about. How do you make your product amazing? How are you going to make sure your potential customers know about what you have to offer? How do you hire the right people? With so much going on, it is easy to see why protecting your data and securing your network can get pushed down the to-do list.

There are many concrete steps a business can take to keep people outside and inside the organization from compromising its data. These steps are usually referred to as the Critical Security Controls: a recommended, prioritized set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.

In this week’s episode of CYBER24, we sit down with Anders Erickson, director of cybersecurity services at Eide Bailly, and Matt Sorensen, chief information security officer at Secuvant, to break down just how essential it is for a business to prioritize data protection, and we walk through the most important things any business owner should do first to put protections in place.

  • Critical Control 1: Inventory of Authorized and Unauthorized Devices
  • Critical Control 2: Inventory of Authorized and Unauthorized Software
  • Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  • Critical Control 4: Continuous Vulnerability Assessment and Remediation
  • Critical Control 5: Controlled Use of Administrative Privileges
  • Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • Critical Control 7: Email and Web Browser Protections
  • Critical Control 8: Malware Defenses
  • Critical Control 9: Limitation and Control of Network Ports, Protocols, and Services
  • Critical Control 10: Data Recovery Capability (validated manually)
  • Critical Control 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Critical Control 12: Boundary Defense
  • Critical Control 13: Data Protection
  • Critical Control 14: Controlled Access Based On Need to Know
  • Critical Control 15: Wireless Device Control
  • Critical Control 16: Account Monitoring and Control
  • Critical Control 17: Security Skills Assessment and Appropriate Training to Fill Gaps (validated manually)
  • Critical Control 18: Application Software Security
  • Critical Control 19: Incident Response and Management (validated manually)
  • Critical Control 20: Penetration Tests and Red Team Exercises (validated manually)