CyberFundamentals
P.Leclercq in Security 2025-04-24 security tips governance

The CyberFundamentals Framework
According to its creator, the Centre for Cybersecurity Belgium (CCB), “The CyberFundamentals Framework is a set of concrete measures to protect data, significantly reduce the risk of the most common cyber-attacks, and increase an organisation’s cyber resilience.”
In short, CyberFundamentals (CyFun) is a framework encompassing a set of practical security rules developed based on other pre-existing frameworks (NIST CSF, ISO 27001, CIS controls, IEC 62443) and the expertise acquired by the CCB by combating and analyzing attacks suffered by companies in recent years.
The Different Levels
CyFun is applicable to all types of companies thanks to a classification of defensive measures based primarily on their size, but also on their sector of activity and the type of potential adversaries.
The table below summarizes the different levels.
Level | Target | % of attacks covered | Controls |
---|---|---|---|
Small | Micro-organizations, limited technical skills | N/A | 8 |
Basic | All standard businesses | 82 | 34 |
Important | Targets of cyberattacks by actors with common knowledge and resources | 94 | 117 |
Essential | Targets of sophisticated cyberattacks by actors with extensive knowledge and resources | 100 | 140 |
Tools
Visit the CyFun website. The CCB provides several tools to facilitate the adoption of CyFun:
- A spreadsheet for risk assessment and assurance level selection;
- Lists of measures to be implemented for each level;
- A spreadsheet for self-assessment of the current status of measures;
- Sample policies and instructions based on the “Basic” level;
- A list of authorized conformity assessment bodies (CABs).
Certification
Except for the “Small” level, compliance with the measures may be subject to official verification or certification by an authorized body.
- For the “Basic” and “Important” levels, the company will submit its self-assessment form to the verification body, which will issue a verification assurance upon successful completion;
- For the “Essential” level, an on-site audit will be required to obtain certification, which must be renewed every 3 years.
Why all businesses should implement “Small” measures
- Small businesses are the most vulnerable.
Cybercriminals know that small businesses often have fewer resources to protect themselves. As a result, they are easier to attack.
- An incident can have a serious, even fatal, impact.
Unlike large companies, a small business doesn’t always have the resources necessary to bounce back from an attack. A data breach can destroy your customers’ trust. A computer outage can interrupt your business for several days. And sometimes, the very survival of the company is at stake.
- Cybersecurity strengthens your image and your customers’ trust.
Today, customers are increasingly concerned about the protection of their data. Showing that you apply best practices reassures and gives you a competitive advantage. It’s a sign of seriousness and professionalism.
- Good practices are simple, inexpensive, and highly effective.
You don’t need to be an expert or spend a fortune.
- Regulations are evolving, and you could be subject to them too.
Even small businesses must comply with rules like the GDPR. In the event of an unanticipated security breach, you could be penalized. Prevention is better than cure.
Controls for the “Small” level
- Protect all logins with multi-factor authentication.
- Install all security updates immediately.
- Install antivirus.
- Secure your network.
- Back up your data.
- Do not use administrative privileges for daily tasks.
- Final recommendations:
  - Physically protect your devices.
  - Know how and who to contact in case of a cyber incident.
We will detail some of these points in future articles.
Conclusion
Investing a little time and effort in cybersecurity protects you, your loved ones, your customers, and the future of your business. The risk is too great to ignore entirely.