Assess your SMB cybersecurity defences at warp-speed

Do you think cybersecurity is expensive and consumes too much staff time? Do you believe your organization is too small, low profile and inconsequential to attract the attention of cyber attackers? Too many Small and Midsize Business (SMB) managers believe these misperceptions and sweep the topic of cybersecurity under the carpet.

This post describes how to assess your SMB cybersecurity defences using a comprehensive, low-cost, low-effort process. Using the CIS Critical Security Controls® (CIS Controls) to assess your cybersecurity risks will produce:

  1. Confirmation of which of your cybersecurity actions are going well.
  2. An actionable list of cybersecurity gaps that need remediation.
  3. A high level of assurance about the state of your SMB cybersecurity.

If your immediate reaction is that you don’t have any controls, making this assessment process irrelevant, you’d be wrong. Most IT organizations operate cybersecurity defences with related controls. They just don’t label their work using these terms. Senior executives are conversant with the controls concept through their work with financial controls and C-SOX audits.

What risks am I accepting by ignoring cybersecurity?

Cyberattacks include phishing attacks, data breaches, ransomware, theft of company intellectual property, corporate espionage, and identity theft. The adverse impacts of successful cyberattacks include:

  1. Reputational damage among customers and suppliers leading to loss of business.
  2. Financial losses due to the cost of repairing the computing infrastructure’s damage and recreating data.
  3. Fines payable to regulators for violating General Data Protection Regulation (GDPR) or similar regulations.
  4. Market share losses when theft of intellectual property creates competitors.
  5. Loss of revenue due to operational disruption.

Taken together, these likely impacts create a risk of bankruptcy.

For practical tips and information that strengthen cybersecurity, please register for MAPLESEC on 19 – 20 October 2022. This free conference brings together industry, non-profits, and government agencies to exchange best practices with experts.

What is CIS?

The Center for Internet Security (CIS) is a non-profit organization founded in 2000. Its mission is to develop, promote and sustain best practices in cybersecurity to enable the Internet as a trusted environment. The members include government agencies, corporations and academic institutions. These members developed the CIS Controls® for computing environments by collaborating with experts in various disciplines, including security analysts, auditors, executives and policymakers.

What value do the CIS controls create?

The CIS community asserts that implementing the CIS controls:

  1. Prevents the vast majority of cyberattacks.
  2. Assures organizations that cybersecurity defences are comprehensive.
  3. Provides a framework for automating and managing cybersecurity defences well into the future.

What are the CIS controls?

CIS defines 153 cyber defence safeguards grouped into 18 CIS controls. The safeguards are divided into three implementation groups (IG) as follows:

  1. IG1 – Implement essential cyber hygiene to thwart general attacks.
  2. IG2 – Manage complex IT infrastructure.
  3. IG3 – Secure confidential data to prevent sophisticated attacks.

The IGs recognize the resource constraints most SMBs operate with. To reduce cybersecurity risk, CIS recommends that SMBs focus resources first on the most straightforward and cheapest controls in IG1.

What differentiates the CIS controls from alternatives?

The CIS controls are an example of a governance, risk management, and compliance (GRC) standard. GRC standards describe cybersecurity best practices with their related processes and procedures. However, few GRC standards provide much detail on what is actually expected, recommended, or proven effective. The CIS controls’ structure, description, and organization address this shortcoming of other standards and make it easier and cheaper for SMBs to implement and assess.

The CIS controls have proven their value by defining a base level of cybersecurity practices that all organizations, regardless of size or mission, should embrace and incorporate into their IT operations.

How do I begin?

Begin by downloading and reading the 4-page summary of the CIS Implementation Groups. This document illustrates how CIS divides cybersecurity into various topics and provides an overview of all the safeguards in the context of the control they belong to.

Then download the CIS Critical Security Controls® v8 Excel workbook. Reading the detailed descriptions of the many safeguards in the worksheet Controls V8 will give you a good understanding of the scope of the controls and how they are grouped.

Then, to conduct the cybersecurity assessment of your organization, download the CIS Critical Security Control v8.0 Assessment Tool from the AuditScripts website. This assessment tool expands on the CIS Excel workbook by providing:

  1. Dropdown lists of choices for assessment conclusions.
  2. A dashboard that shows the results of your assessment graphically.
  3. An assessment summary of results for each control.
  4. More detailed instructions for conducting the cybersecurity assessment.

The effort required to conduct the cybersecurity assessment of your organization is typically one to two days.

The first cybersecurity assessment will form the baseline of the state of your cybersecurity defences. By repeating the assessment every year, you can demonstrate continuous improvement.

What’s next?

Once you have completed the assessment of CIS controls, you have a definitive result that shows which cybersecurity controls are effective and which ones are not effective.

You are now ready to reduce your cybersecurity risks by remediating the not-effective controls. Start by remediating the not-effective IG1 controls. Move on to the not-effective IG2 and IG3 controls once you have completed work on IG1 controls and feel the need to reduce cybersecurity risks further.

You are also ready to:

  1. Describe the state of your cybersecurity defences to senior management and your board of directors in a summary form.
  2. Explain your remediation plan to raise cybersecurity defences.

These two points will provide the organization with a high level of assurance that your cybersecurity risks are being comprehensively managed.
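To illustrate the per-control summary and the IG1-first remediation ordering described above, here is an added example script (not part of the original post, and not the CIS or AuditScripts tool) that works over constructed assessment rows; the status labels and the sample IG assignments are assumptions, so take real safeguard-to-IG mappings from the CIS v8 workbook.

```python
# Added example: summarise a CIS Controls v8 self-assessment and order gaps IG1-first.
# Status labels ("effective", "partial", "not_effective") and sample rows are constructed.
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Safeguard(NamedTuple):
    safeguard_id: str   # CIS numbering "control.safeguard", e.g. "1.1"
    control: int        # 1..18
    ig: int             # lowest implementation group that includes the safeguard
    status: str         # "effective" | "partial" | "not_effective"


# Constructed sample results; IG values here are illustrative, verify against the workbook.
SAMPLE_RESULTS: List[Safeguard] = [
    Safeguard("1.1", 1, 1, "effective"),
    Safeguard("1.2", 1, 1, "not_effective"),
    Safeguard("1.3", 1, 2, "partial"),
    Safeguard("1.5", 1, 3, "not_effective"),
    Safeguard("2.1", 2, 1, "effective"),
    Safeguard("2.2", 2, 1, "effective"),
    Safeguard("2.4", 2, 2, "not_effective"),
]


def control_summary(results: List[Safeguard]) -> Dict[int, float]:
    """Percent of fully effective safeguards per control, rounded to one decimal.
    This is the per-control view the assessment tool's dashboard gives you."""
    totals: Dict[int, int] = defaultdict(int)
    effective: Dict[int, int] = defaultdict(int)
    for r in results:
        totals[r.control] += 1
        if r.status == "effective":
            effective[r.control] += 1
    return {c: round(100.0 * effective[c] / totals[c], 1) for c in sorted(totals)}


def remediation_order(results: List[Safeguard]) -> List[str]:
    """Safeguards needing work, IG1 first as the post recommends, then in id order.
    A 'partial' safeguard counts as a gap; fully 'effective' ones are excluded."""
    gaps = [r for r in results if r.status != "effective"]
    # Sort by IG ascending, then numerically by control and safeguard number.
    gaps.sort(key=lambda r: (r.ig, tuple(int(p) for p in r.safeguard_id.split("."))))
    return [r.safeguard_id for r in gaps]


if __name__ == "__main__":
    print(control_summary(SAMPLE_RESULTS))   # {1: 25.0, 2: 66.7}
    print(remediation_order(SAMPLE_RESULTS)) # ['1.2', '1.3', '2.4', '1.5']
```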


Yogi Schulz
Yogi Schulz has over 40 years of Information Technology experience in various industries. Yogi works extensively in the petroleum industry to select and implement financial, production revenue accounting, land & contracts, and geotechnical systems. He manages projects that arise from changes in business requirements, from the need to leverage technology opportunities and from mergers. His specialties include IT strategy, web strategy, and systems project management.
