How To Use CIS Cybersecurity Controls To Protect Your Business

By: Charles Brandt
July 1, 2024

In a world where cybercriminals half a world away are preying upon small businesses and nonprofits day and night, it can feel like it’s every organization for itself. But that’s not true. 

The Center for Internet Security (CIS) has been around since 2000 to help people, businesses, and governments protect themselves against evolving cyber threats. It provides a wealth of free resources to help simplify cybersecurity best practices, and in this blog, I’ll explore how you can put its resources to good use. 

CIS Foundational Controls Explained
[Illustration: an IT worker applying CIS cybersecurity controls to their organization.]

CIS Critical Security Controls are a set of prioritized best practices designed to help organizations reduce their risk of a cybersecurity incident. These controls are divided into three categories: basic, foundational, and organizational. 

Basic Controls

[Illustration: a wavy outer castle wall, reminiscent of the strong perimeter defenses organizations need as part of CIS basic controls.]

CIS Basic Controls are hardly basic. They’re the most essential and fundamental cybersecurity controls and form the foundation of an effective cybersecurity program. 

You can find the full version in the link (above), but I’ve simplified them here: 

  • Take an inventory of your hardware and software so you can properly manage and secure them 
  • Continuously assess and mitigate your organization’s vulnerabilities
  • Make sure only trusted personnel have administrative privileges 
  • Limit access to data based on role and job function
  • Apply security configurations properly to all hardware and software 
  • Maintain, monitor, and regularly analyze audit logs from systems and apps to detect any potential security incidents or policy violations 
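The last item above is the one most often skipped in practice: logs are collected but nobody looks at them. As an added illustration (not code from the original post or from CIS), the script below reviews a handful of constructed syslog-style authentication lines and raises two kinds of alerts that map directly to the basic controls: repeated failed logins from one source within a short window, and privileged (sudo) commands run by an account that is not on an approved administrator list. The hostnames, user names, IP addresses, threshold and approved-admin list are all assumptions chosen for the example.

```python
"""Added example (not from the original post): a small audit-log review
that illustrates the 'maintain, monitor, and analyze audit logs' control
together with 'only trusted personnel have administrative privileges'.
It parses constructed syslog-style auth lines and flags
  (a) repeated failed logins from one source IP within a short window, and
  (b) sudo commands run by accounts outside an approved admin list.
All hostnames, users and IPs below are made up."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-07-01T09:00:01 srv1 sshd: Failed password for invalid user admin from 203.0.113.5
2024-07-01T09:00:03 srv1 sshd: Failed password for invalid user admin from 203.0.113.5
2024-07-01T09:00:05 srv1 sshd: Failed password for root from 203.0.113.5
2024-07-01T09:00:07 srv1 sshd: Failed password for root from 203.0.113.5
2024-07-01T09:00:09 srv1 sshd: Failed password for root from 203.0.113.5
2024-07-01T09:05:00 srv1 sshd: Accepted publickey for alice from 192.0.2.10
2024-07-01T09:06:00 srv1 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx
2024-07-01T09:07:00 srv1 sudo: bob : COMMAND=/usr/bin/cat /etc/shadow
"""

# Assumed policy values: who may use admin privileges, and what counts as
# a burst of failures worth an alert.
APPROVED_ADMINS = {"alice"}
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=1)

FAILED_RE = re.compile(
    r"^(\S+) (\S+) sshd: Failed password for (?:invalid user )?(\S+) from (\S+)$"
)
SUDO_RE = re.compile(r"^(\S+) (\S+) sudo: (\S+) : COMMAND=(.+)$")


def analyze(log_text, approved_admins=APPROVED_ADMINS,
            threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts found in the log text, in log order."""
    alerts = []
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerted_sources = set()       # alert once per source, not once per line
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            host, src = m.group(2), m.group(4)
            q = recent[src]
            q.append(ts)
            # Drop failures that fall outside the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in alerted_sources:
                alerted_sources.add(src)
                alerts.append({"type": "brute_force", "host": host,
                               "source": src, "count": len(q)})
            continue
        m = SUDO_RE.match(line)
        if m:
            host, user, command = m.group(2), m.group(3), m.group(4)
            if user not in approved_admins:
                alerts.append({"type": "unapproved_admin", "host": host,
                               "user": user, "command": command})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed lines, the script reports one brute-force alert for 203.0.113.5 (five failures in eight seconds) and one unapproved-admin alert for bob. A real deployment would read from the log pipeline rather than a string and would tune the threshold and window to the environment, but the shape of the check is the same.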

Those are just the basics, but depending on the software you use, configuring it properly can take some doing. Some Microsoft tools, for example, are known for being difficult to secure properly if you don’t have specialized IT experience. 

If you’re not sure whether your organization is doing all of the above, I’d advise you to do some digging immediately, because without these basics in place, you’re highly vulnerable to an attack.

Foundational Controls 

[Illustration: a spiked castle gate, signifying the more advanced defenses that are part of CIS foundational controls.]

These Foundational Controls build on the basics and are designed to provide more comprehensive and advanced security measures. I’ve simplified these below:

  • Protect email and web browsing with spam filters, malware scanning, and web content filtering 
  • Use anti-malware solutions and scan your devices regularly
  • Restrict the network ports, protocols, and services your systems run, using firewalls and host-based security tools, to reduce your attack surface
  • Implement a reliable backup and recovery system, and test your recovery process regularly
  • Properly configure and maintain networked devices like firewalls, routers, and switches 
  • Implement network segmentation to control and monitor network traffic 
  • Use encryption, access controls, and other data loss prevention solutions

Organizational Controls

[Illustration: a human firewall in cybersecurity, depicted as a knight guarding their castle.]

Organizational Controls are geared towards building human capabilities, processes, and governance mechanisms to manage security risks effectively. Here’s what these look like in action: 

  • Implement a security awareness program for all employees 
  • Perform security testing and address any software vulnerabilities before deployment 
  • Develop an incident response plan, including steps for containment, eradication, and recovery
  • Regularly conduct penetration testing to identify vulnerabilities and weaknesses

Implementing CIS Basic Controls and Beyond

CIS also defines implementation groups to help organizations prioritize the controls based on their specific resources, risks, and constraints. Group 1 is best for most small businesses and startups, Group 2 is intended for medium or mid-market enterprises with moderate resources, and Group 3 is designed for large, enterprise-scale organizations with significant resources. 

Additional Help Aligning Your Cybersecurity Program With CIS

CIS isn’t the only cybersecurity organization offering guidance. The National Institute of Standards and Technology (NIST) has also created a Cybersecurity Framework, which we’ve simplified into an interactive, downloadable checklist.

However, while many businesses just want guidance on whether or not they’re following best practices, many will also need ongoing help implementing new tools and properly configuring their software. Unfortunately, while that type of guidance does exist, it would typically come from a seasoned chief information security officer (CISO) with salary expectations to match…which means most SMBs are priced out. 

At Marco, we’ve recently started offering fractional CIO and CISO services to help bridge the gap — so the businesses that cybercriminals prey upon most can finally afford the protection they need. Click the link below to visit our consulting services page.


Topics: Managed IT Services, Security