FOREWORD
The Baseline Cyber Security Controls for Small and Medium Organizations is an UNCLASSIFIED publication intended for small and medium organizations in Canada that want recommendations to improve their resiliency via cyber security investments. This document is for the public and, as such, has the Traffic Light Protocol (TLP) marking [1]1 of TLP:WHITE.

OVERVIEW
This document presents the Canadian Centre for Cyber Security baseline cyber security controls wherein we attempt to apply the 80/20 rule (achieve 80% of the benefit from 20% of the effort) to the cyber security practices of small and medium organizations in Canada.

1 INTRODUCTION
This document is for small and medium organizations seeking to improve their resiliency through investment in cyber security. This is part of the response to the need, expressed in the National Cyber Security Strategy [2], for the Government of Canada to support small and medium organizations by making cyber security more accessible.
As stated in the National Cyber Threat Assessment 2018 [3], small and medium organizations are most likely to face cyber threat activity in the form of cybercrime that often has immediate financial or privacy implications. Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Cyber security incidents can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions, and recovery expenses.
We recommend Annex 4A – Profile 1 of ITSG-33 Information Technology (IT) Security Risk Management: A Lifecycle Approach [4] to organizations seeking to reduce their risk to cyber security incidents. This profile is the Canadian specification of controls equivalent to that of the NIST Cyber Security Framework [5] or ISO/IEC 27001:2013 [6]. The reality, however, is that this profile is expensive to implement and beyond the financial and/or human resources means of most small and medium organizations in Canada.
We believe that organizations can mitigate most cyber threats through awareness and best practices in cyber security and business continuity. As such, we believe we can successfully apply the 80/20 rule (achieve 80% of the benefit from 20% of the effort) in the domain of cyber security and achieve concrete gains for the cyber security of Canadians. This document presents a condensed set of advice, guidance, and security controls on how organizations can get the most out of their cyber security investments. We call these the baseline cyber security controls (hereafter baseline controls).
We encourage organizations to implement as many of these baseline controls as possible, and we understand that not every organization can implement every control. If the majority of Canadian organizations implement these controls, however, Canada will be more resilient and cyber-secure. For additional advice, please visit cyber.gc.ca.