Implementing CIS Controls in Small and Medium Enterprises

Cybersecurity is a critical concern for organizations of all sizes. Implementing robust security measures is a best practice and essential to protect against increasingly sophisticated cyber threats. However, the challenge is often more significant for small and medium enterprises (SMEs) due to limited resources, lack of security expertise, and other common obstacles.

The Center for Internet Security (CIS) Controls provides a comprehensive cybersecurity framework that SMEs can adopt to enhance their cybersecurity posture. This blog covers CIS Controls, cybersecurity challenges for SMEs, and tips for smaller organizations to implement these security controls.

Take your cybersecurity management to the next level with UpGuard >

What are the CIS Critical Security Controls?

The Center for Internet Security (CIS) Controls are a set of best practices for cybersecurity designed to help organizations protect themselves against cyber threats. The Center for Internet Security (CIS) develops and maintains CIS Controls, which security teams widely adopt as a framework for improving cybersecurity posture. CIS Controls are divided into three Implementation Groups (IGs) to help organizations prioritize and implement them based on their resources and risk profile.

• Implementation Group 1: Focuses on basic cyber hygiene and essential protections suitable for small organizations with limited cybersecurity expertise and resources
• Implementation Group 2: Builds on IG1 with intermediate-level controls designed for organizations with moderate resources, aiming to enhance security measures and address more complex threats
• Implementation Group 3: Targets advanced security needs for organizations with substantial resources and complex environments, implementing the most comprehensive and sophisticated protections

Each IG builds upon the previous one, allowing organizations to scale their cybersecurity program until they meet all CIS Controls.

CIS Controls v8 includes the following:

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

Common cybersecurity challenges in SMEs

Small and Medium Enterprises (SMEs) are businesses whose personnel numbers or financial metrics fall below certain limits. These limits can vary by country and industry, but generally, SMEs fall under maximum thresholds for employees and annual revenue. Small businesses encounter numerous cybersecurity challenges that can significantly affect their operations and overall security, which include:

• Limited resources: Smaller budgets for cybersecurity tools, technologies, and personnel and limited access to specialized cybersecurity expertise
• Insufficient security policies: Inadequate or outdated cybersecurity policies and procedures, lack of formalized incident response plans
• Outdated technology: Use of legacy systems and obsolete software that may no longer receive security updates, limited ability to invest in modern, secure infrastructure
• Third-party risks: Dependence on third-party vendors and service providers can introduce additional security risks and make it difficult to assess and manage partners' security practices
• Target for cybercriminals: SMEs are often perceived as easier targets by cybercriminals due to weaker defenses, increasingly targeted by ransomware and phishing attacks
• High impact of data breaches: Cyber incidents can have a more severe financial and operational impact on SMEs, and recovery from cyber attacks can be more difficult due to limited financial reserves
• Lack of dedicated security staff: There is often no dedicated cybersecurity team, and with IT staff handling security as one of many responsibilities, it isn't easy to attract and retain skilled cybersecurity professionals
• Lower awareness and training: Employees may lack awareness of cybersecurity best practices (NIST CSF) and limited resources for ongoing cybersecurity training and education‍
• Compliance challenges: Navigating complex regulatory requirements with limited resources and ensuring compliance with data protection laws (e.g., GDPR, CCPA, HIPAA) can be resource-intensive

These challenges, combined with the severe impact that even a single cyber incident can have on SMEs' financial and operational stability, make cybersecurity a critical concern. Implementing CIS Controls provides SMEs with a solid cybersecurity foundation that addresses many of these common challenges.

10 Tips for Implementing CIS Controls in SMEs

CIS Controls implementation in SMEs significantly bolsters their cybersecurity posture and protects against prevalent threats. These controls provide a structured and prioritized set of best practices designed to help organizations of all sizes, including those with limited resources.

By adopting CIS Controls, SMEs can mitigate common vulnerabilities and reduce the risk of cyberattacks that could lead to financial loss, reputational damage, and operational disruptions. If your organization wants to implement CIS Controls, check out these tips below.

1. Start with an inventory

SMEs should start their implementation process by assessing their current inventory. This process encompasses two primary controls: Inventory and Control of Enterprise Assets (Control 1) and Inventory and Control of Software Assets (Control 2).

SMEs should actively manage and document all hardware devices connected to their network, ensuring only authorized devices receive access. Similarly, keeping a comprehensive and up-to-date inventory of all software applications helps identify unauthorized or outdated software that could pose security risks. Regularly reviewing and updating the inventory ensures personnel quickly identify and manage new assets appropriately.

2. Secure configurations

The next step in the implementation process is to secure existing configurations. This step primarily involves the Secure Configuration of Enterprise Assets and Software (Control 4).

SMEs should establish and maintain secure configurations for all hardware and software, using best practice benchmarks like those provided by CIS Benchmarks. These configurations minimize the potential attack surface by turning off unnecessary services, removing default accounts, and applying stringent access controls and firewalls. Ensuring all systems are configured correctly from the outset also helps streamline other security efforts, such as patch management and vulnerability assessments.

3. Prioritize data protection

Data protection is a critical aspect of cybersecurity for SMEs, addressing CIS Control 3, Data Protection. Protecting sensitive data from unauthorized access and other threats involves several layers of security measures.

SMEs should restrict access to sensitive data to only those who need it, following the principle of least privilege. Regularly backing up data and ensuring these backups are secure and recoverable is also essential to mitigate the effects of data loss or ransomware attacks. Implementing data loss prevention (DLP) technologies can help monitor and protect sensitive information from being improperly accessed or exfiltrated. Additionally, SMEs should develop and enforce information security policies regarding the handling, storing, and transmission of sensitive data.

4. Implement access controls

The next step to implementing CIS Controls is establishing access controls, which are essential for safeguarding an SME's information systems.  Account Management (Control 5) and Access Control Management (Control 6) each cover access controls in detail.

SMEs should enforce strong password policies, use multi-factor authentication, and regularly review access permissions to ensure users have the necessary resources. Automating user account management, implementing role-based access controls, and monitoring access attempts can help enhance security. Additionally, SMEs should conduct periodic access reviews and audits to identify and rectify any discrepancies.

5. Manage vulnerabilities

Regular vulnerability management is a proactive approach to identifying and mitigating security weaknesses within an organization's IT environment, addressing Continuous Vulnerability Management (Control 7).

SMEs should regularly implement automated vulnerability scanning tools to assess their systems for known vulnerabilities. Once security teams identify vulnerabilities, they should prioritize remediation based on each vulnerability's severity and risk to the organization. Timely patching and remediation of these vulnerabilities are crucial to minimize attackers' window of opportunity.

Developing a vulnerability management policy and integrating it into the organization's overall security strategy can help ensure consistency and effectiveness. It’s also essential to regularly review and update this policy as the threat landscape evolves and new zero-day vulnerabilities emerge.

6. Log management and monitoring

SMEs must establish log management and monitoring tools to detect and respond to security incidents, as explained in Audit Log Management (Control 8).

SMEs can collect and manage logs from all critical operating systems, including network devices, servers, and applications. Implementing a centralized log management solution can help aggregate and correlate log data from multiple sources, providing a comprehensive view of security events.

Automated log analysis tools can aid in detecting patterns that may indicate a security incident. SMEs should also ensure that logs are stored securely and retained appropriately to support incident investigations and compliance requirements. Establishing a log review process and assigning responsibilities for log analysis can enhance the effectiveness of this control.

7. Establish email and web security

Email and web security are critical components of an SME's cybersecurity strategy, addressing Email and Web Browser Protections (Control 9). These vectors are common entry points for phishing attacks, malware, and other threats.

SMEs should implement robust email filtering solutions to detect and block malicious emails, including phishing attempts and malware attachments. Configuring email clients to display email addresses and warning users of potential threats can also help mitigate risks.

For web security, SMEs should deploy web filtering solutions to restrict access to malicious websites and enforce safe browsing practices. Regularly updating and patching email clients and web browsers is essential to protect against known vulnerabilities.

8. Implement malware defenses

SMEs can protect themselves from malicious software by implementing robust Malware Defenses (Control 10).

SMEs should deploy comprehensive antivirus and anti-malware solutions across all endpoints, including desktops, laptops, and servers. Additionally, SMEs should implement endpoint detection and response (EDR) solutions to provide advanced threat detection and automated response capabilities.

Regularly backing up data and ensuring the integrity of these backups can also help mitigate the impact of ransomware attacks. Educating employees about safe computing practices, such as avoiding suspicious downloads and attachments, is another critical component of malware defense.

9. Develop an incident response plan

SMEs can effectively manage and mitigate the impact of security incidents by developing a comprehensive incident response plan. This step addresses Incident Response Management (Control 16).

This plan should outline the steps personnel should follow during a cybersecurity incident and clear roles and responsibilities, ensuring that all team members understand their duties. Regularly testing and updating the incident response plan through drills and simulations can help identify gaps and improve preparedness. Establish communication protocols for internal and external stakeholders, including reporting incidents and notifying affected parties. Maintaining an incident response toolkit with necessary resources, such as contact lists, documentation templates, and forensic tools, can enhance the efficiency of response efforts.

10. Provide security training

Finally, SMEs can foster a culture of cybersecurity awareness within their organization by providing regular security training to employees, which addresses Security Awareness and Skills Training (Control 14).

SMEs should implement a comprehensive training program that educates security teams and other employees on the latest cybersecurity threats, safe computing practices, and organizational security policies. Training should cover topics such as recognizing phishing attempts, handling sensitive data securely, and responding to potential security incidents. Regularly updating the training program to reflect new threats and changing technologies is also essential.

Enhance Your Organization’s Cybersecurity Posture with UpGuard

CIS Controls are the perfect foundation for a strong cybersecurity posture, but if your organization wants to take its security program a step further, UpGuard is here to help. Our all-in-one external attack surface management platform, BreachSight, has everything you need to comprehensively manage your cybersecurity efforts, from risk identification to remediation and beyond.

BreachSight helps you understand the risks impacting your external security posture and ensures your assets are constantly monitored and protected. Our user-friendly platform makes it easy to view your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents. Other features include:

• Data Leak Detection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches‍
• Continuous Monitoring: Analysis tools provide real-time information and manage exposures, including domains, IPs, and employee credentials‍
• Attack Surface Reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting‍
• Shared Security Profile: Eliminate having to answer security questionnaires by creating an UpGuard Trust Page‍
• Workflows and Waivers: Simplify and automate how you remediate issues, waive risks, and respond to security queries‍
• ‍Reporting and Insights: Access tailor-made reports for different stakeholders and view information about your external attack surface