Should I use the CIS Controls?
As a small business owner, cybersecurity is likely a top concern for you. With the increasing number of cyber attacks targeting small businesses, it's important to take steps to protect your business. One tool that can be helpful in this process is the CIS Controls. In this blog post, we will discuss the CIS Controls and whether or not they are a good fit for your small business.
The CIS Controls are a set of best practices for cybersecurity developed by the Center for Internet Security (CIS). They provide a prioritized approach to securing an organization's IT systems and data, and are designed to be simple, practical, and effective. The CIS Controls are divided into three categories: Basic, Foundational, and Organizational. Each category is further divided into Implementation groups.
The Basic Controls are the most essential controls that should be implemented by all organizations, regardless of size. These controls include:
Inventory of Authorized and Unauthorized Devices
Inventory of Authorized and Unauthorized Software
Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Continuous Vulnerability Management
Controlled Use of Administrative Privileges
Maintenance, Monitoring, and Analysis of Audit Logs
The Foundational Controls build on the Basic Controls and provide additional security measures for organizations. These controls include:
Email and Web Browser Protections
Malware Defenses
Limitation and Control of Network Ports, Protocols, and Services
Data Recovery Capabilities
Security Skills Assessment and Appropriate Training to Fill Gaps
The Organizational Controls are specific to each organization and should be tailored to the organization's specific needs. These controls include:
Incident Response and Management
Penetration Tests and Red Team Exercises
Controlled Access Based on the Need to Know
Account Monitoring and Control
Security Continuous Monitoring
It's important to note that the CIS controls are not a one-time implementation but rather a continuous process, regularly reviewing and updating the controls according to the organization's changing needs and new threats.
As a small business, it may be challenging to implement all of the controls, but it's important to start with the Basic controls which are essential for all organizations. These controls are designed to be simple and practical, making them easy to implement even for small businesses with limited resources. Additionally, the CIS controls provide a framework for small businesses to demonstrate compliance with industry standards and regulations.
In conclusion, the CIS controls are a valuable tool for small businesses looking to improve their cybersecurity posture. They provide a prioritized approach to securing an organization's IT systems and data and are designed to be simple, practical, and effective. While it may be challenging to implement all of the controls, starting with the Basic controls is a good place to begin. It's important to remember that the CIS controls are not a one-time implementation but rather a continuous process that should be regularly reviewed and updated. With the increasing number of cyber attacks targeting small businesses, implementing the CIS controls can provide a much-needed layer of protection for your business. By prioritizing the most essential controls first, small businesses can quickly and effectively improve their security posture, even with limited resources. Additionally, by demonstrating compliance with industry standards and regulations, small businesses can also benefit from improved reputation and increased customer trust. If you are a small business looking to improve your cybersecurity, consider implementing the CIS controls as part of your overall security strategy.