For businesses, leveraging a framework like CIS Controls helps keep your company and customer data safe. You want to use trusted security and privacy frameworks for your business, and we think the controls in the CIS framework are an excellent fit for many businesses, startups included.
Customer data breaches, ransomware, theft of company secrets or intellectual property, phishing attacks — cybercrime has become a primary concern for businesses of every size. Protecting your company requires the thoughtful deployment of cybersecurity best practices. That’s where security frameworks come in.
As organizations increasingly adopt digital tools to run their business processes, there are more and more opportunities for attackers to steal the valuable data on which all companies rely. It’s not enough to create strong passwords and monitor traffic behind a firewall – modern companies are much more complex.
Developing strong security controls that can meet the challenges created by a dynamic digital environment is central to any cybersecurity strategy. Read on to learn about using CIS Controls to secure your company.
When it comes to cybersecurity best practices, it can be difficult to know where to start. Fortunately, businesses can gain a sense of direction by adopting a security framework.
CIS Controls are a set of 20 best practices that can guide you through the process of creating a layered cybersecurity strategy. Research suggests that implementing CIS Controls can reduce the risk of a successful cyberattack in a company by as much as 85 percent.
The CIS Controls align with the NIST Cybersecurity Framework, which was designed to create a common language for managing risk within a company. In other words, it helps companies answer critical questions about their cybersecurity program, such as what inventory they need to protect and where gaps in security lie. Whereas the NIST Cybersecurity Framework has five core functions, the CIS Controls have 20 actionable points. Your small business or startup can treat these as steps to building your security program.
Companies looking to adopt the comprehensive NIST Cybersecurity Framework to guide their security strategy can start with the CIS Controls. Once a baseline has been achieved, there are resources available to ease the transition to the NIST Cybersecurity Framework, such as CIS Controls V7.1 Mapping to NIST CSF. While the CIS Controls and NIST Cybersecurity Framework are aligned, they aren’t completely interchangeable.
Here’s how to get started with the CIS framework for your security program.
Even if you don’t implement all 20 best practices, your cybersecurity strategy will be much stronger with this framework.
Using CIS Controls can help a company gain control of its cybersecurity strategy in a methodical, organized way. Organizations that aren’t sure where to start, or that wish to conduct a thorough cybersecurity assessment, should consider working through the 20 steps of the CIS Controls.
CIS Controls are also grouped into implementation groups (more on this below), so you’ll know what to prioritize and where to start. This is ideal for startups or small businesses that don’t have professional security experts on their team.
The first six CIS Controls handle basic cybersecurity best practices, referred to by CIS as the “cyber hygiene” control set. These are all about understanding the people, software, and devices that could have access to your company or customer data. To implement basic controls:
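Two of these basic controls are the hardware and software asset inventories (CIS Controls 1 and 2 in V7.1). In practice, "understanding the devices and software that could have access" means regularly reconciling what the inventory says should be on the network against what is actually observed. The script below is an added example, not part of the original post or of the CIS material: it takes a constructed authorized-device inventory with an approved software baseline per device, a constructed set of observations (as you might export from DHCP leases and an endpoint agent), and reports unknown devices, stale inventory entries, unapproved software, and baseline software that has gone missing. All names, MAC addresses and package names are made up for illustration.

```python
"""Reconcile an authorized asset inventory against observed network hosts.

Added example for the "cyber hygiene" controls (hardware and software inventory).
Every device, MAC address and software name below is constructed sample data.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str
    owner: str
    # Software build approved for this device. Anything observed beyond it is
    # unapproved; anything from it that is absent is drift (e.g. a removed agent).
    baseline_software: frozenset = field(default_factory=frozenset)


# Constructed authorized inventory, keyed by canonical (lower-case, colon) MAC.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": Device("aa:bb:cc:00:00:01", "fin-laptop-01", "finance",
                                frozenset({"chrome", "office", "edr-agent"})),
    "aa:bb:cc:00:00:02": Device("aa:bb:cc:00:00:02", "dev-laptop-07", "engineering",
                                frozenset({"chrome", "vscode", "docker", "edr-agent"})),
    "aa:bb:cc:00:00:03": Device("aa:bb:cc:00:00:03", "printer-lobby", "facilities",
                                frozenset()),
}

# Constructed observations, e.g. a DHCP lease export joined with endpoint-agent
# software reports. Note the mixed-case MAC: real exports are inconsistent.
OBSERVED = [
    {"mac": "AA:BB:CC:00:00:01", "hostname": "fin-laptop-01",
     "software": {"chrome", "office", "edr-agent", "torrent-client"}},
    {"mac": "aa:bb:cc:00:00:02", "hostname": "dev-laptop-07",
     "software": {"chrome", "vscode", "docker"}},
    {"mac": "de:ad:be:ef:00:99", "hostname": "android-3f2a",
     "software": set()},
]


def normalize_mac(mac: str) -> str:
    """MAC addresses arrive in mixed case and with '-' or ':' separators;
    compare them in one canonical form so the same device is not double counted."""
    return mac.strip().lower().replace("-", ":")


def reconcile(authorized: dict, observed: list) -> dict:
    """Return the findings a cyber-hygiene review would act on.

    unknown_devices     -- seen on the network but absent from the inventory
    missing_devices     -- in the inventory but not seen (offline or stale entry)
    unapproved_software -- software on an authorized device outside its baseline
    missing_baseline    -- baseline software that is no longer present
    """
    seen = {normalize_mac(obs["mac"]): obs for obs in observed}

    findings = {"unknown_devices": [], "missing_devices": [],
                "unapproved_software": {}, "missing_baseline": {}}

    for mac, obs in seen.items():
        dev = authorized.get(mac)
        if dev is None:
            findings["unknown_devices"].append(f'{mac} ({obs["hostname"]})')
            continue
        extra = sorted(set(obs["software"]) - dev.baseline_software)
        if extra:
            findings["unapproved_software"][dev.hostname] = extra
        gone = sorted(dev.baseline_software - set(obs["software"]))
        if gone:
            findings["missing_baseline"][dev.hostname] = gone

    for mac, dev in authorized.items():
        if mac not in seen:
            findings["missing_devices"].append(dev.hostname)

    return findings


if __name__ == "__main__":
    for category, items in reconcile(AUTHORIZED, OBSERVED).items():
        print(f"{category}: {items}")
```

Run on the constructed data, the check flags the unknown Android device, the printer that was inventoried but not seen, the unapproved torrent client on the finance laptop, and the engineering laptop whose EDR agent has disappeared. The last two findings are the ones a small team most easily misses when the inventory is only a spreadsheet that is never compared with reality.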
Foundational controls provide more advanced guidance for improving the technical side of security. They do this by establishing technical security controls that protect the assets your company uses to conduct its processes – email, computers, and customer data. With an assessment of the security environment complete, it’s now possible to implement these controls:
Foundational controls create a strong cybersecurity program. However, all of these strategies are useless if employees aren’t trained in cybersecurity best practices. Therefore, the final four CIS controls emphasize organizational security processes such as awareness, preparedness, and incident response. In this phase, you should:
What if your company doesn’t have the bandwidth to implement all 20 security controls? CIS Controls also uses a tiered model, called implementation groups, that lets businesses self-assess their resource availability. This addition to CIS Controls helps address resource constraints at businesses of different sizes, which makes it ideal for small businesses or startups.
Implementation Group 1 is designed for small businesses and startups, which have limited resources to implement the CIS Controls and sub-controls. Implementation Group 2 is for medium or mid-market enterprises that have moderate resources to implement controls and sub-controls. Finally, Implementation Group 3 is for large and multinational enterprises with significant resources, capable of implementing all the CIS Controls and sub-controls. (We’ll cover more about these Implementation Groups, introduced in CIS Controls V7.1, and their value in a later blog post.)
Overall, the implementation groups make it easier for a security team at a small or medium business to identify the critical security issues that will have the most impact.
When it comes to security, taking proactive measures is always better than waiting for a breach to occur. A security framework like CIS Controls can provide the foundation that an organization needs to get started developing a cohesive information security strategy.
In the era of cybercrime, it’s not worth it to take risks with security. Companies struggling to acquire the resources or knowledge to enact a security strategy should consider reaching out to experts. Securicy helps companies ranging from startups to large enterprises develop the strategies they need to keep their network safe. All while giving you the tools to showcase your security posture and win new customers.