Are the CIS Controls for small companies too?

The CIS Controls are a set of best practices for cybersecurity developed by the Center for Internet Security (CIS) that provide a prioritized approach to securing an organization's IT systems and data. They are designed to be simple, practical, and effective, making them a valuable tool for companies of all sizes. In this blog post, we will discuss whether or not the CIS Controls are appropriate for small companies.

Small companies are often seen as vulnerable to cyber attacks due to their limited resources and lack of dedicated cybersecurity personnel. However, implementing the CIS Controls can provide a much-needed layer of protection for small companies. The CIS Controls are designed to be scalable and can be tailored to the specific needs of small companies.

The CIS Controls are divided into three categories: Basic, Foundational, and Organizational. The Basic Controls are the most essential controls that should be implemented by all organizations, regardless of size. These controls include:

  • Inventory of Authorized and Unauthorized Devices

  • Inventory of Authorized and Unauthorized Software

  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

  • Continuous Vulnerability Management

  • Controlled Use of Administrative Privileges

  • Maintenance, Monitoring, and Analysis of Audit Logs

The Foundational Controls build on the Basic Controls and provide additional security measures for organizations. These controls include:

  • Email and Web Browser Protections

  • Malware Defenses

  • Limitation and Control of Network Ports, Protocols, and Services

  • Data Recovery Capabilities

  • Security Skills Assessment and Appropriate Training to Fill Gaps

The Organizational Controls are specific to each organization and should be tailored to the organization's specific needs. These controls include:

  • Incident Response and Management

  • Penetration Tests and Red Team Exercises

  • Controlled Access Based on the Need to Know

  • Account Monitoring and Control

  • Security Continuous Monitoring

It's important to note that the CIS Controls are not a one-time implementation but a continuous process: the controls must be reviewed and updated regularly as the organization's needs change and new threats emerge.

By focusing on the Basic Controls, small companies can quickly and effectively improve their security posture with limited resources. Additionally, the CIS Controls provide a framework for small companies to demonstrate compliance with industry standards and regulations.

In conclusion, small companies can benefit from implementing the CIS Controls. They are designed to be scalable and can be tailored to the specific needs of small companies. By focusing on the most essential controls first, small companies can quickly and effectively improve their security posture with limited resources. Additionally, the CIS Controls provide a framework for small companies to demonstrate compliance with industry standards and regulations. If you are a small company looking to improve your cybersecurity, consider implementing the CIS Controls as part of your overall security strategy.
