How CIS Controls v8 Impacts SMBs

The Center for Internet Security has made big changes to its Control specs, including a greater focus on vendor relationships and cloud technologies.

Small to midsized businesses (SMBs) are suffering their fair share of digital attacks. CNBC reported that threat actors were targeting SMBs almost half (43%) of the time. These attack efforts translated into security incidents for two-thirds of SMBs globally that year, according to TechRepublic. A lack of preparedness was a contributing factor in those attacks.

A Way Forward for SMBs with the CIS Controls
SMBs need to get real with their digital security. Toward that end, SMBs might consider leveraging the Center for Internet Security's Critical Security Controls (CIS Controls). These safeguards consist of fundamental security measures that get to the heart of an organization's security posture. As such, organizations of any size can use them to mitigate some of the most prevalent digital threats facing their systems and networks.

When it comes to SMBs specifically, the Center for Internet Security explained in its v7.1 companion guide that organizations can use its Critical Security Controls in a three-step plan to augment their digital defenses. The first phase involves getting to know their environments such as by creating an inventory of hardware and software assets that are connected to the network. With that knowledge, SMBs can move on to the second phase of protecting their assets through the use of technical tools and employee awareness training. These initiatives lead into the third phase — that of organizations preparing their response capabilities for when they do suffer a security incident.

The Release of CIS Controls v8
The Center for Internet Security is constantly working on updating its Critical Security Controls to reflect organizations' evolving network environments as well as the changing threat landscape. This explains the recent release of version 8 of the CIS Controls.

As noted by the Center for Internet Security on its blog, the newest iteration of the CIS Controls contains some important changes. Those include a heightened focus around vendor relationships and cloud technologies, as shown by the addition of a new CIS Control that provides recommendations on how organizations can manage their upstream service providers. This new control reads like a timely warning to "Watch out for supply chain attacks," which is of particular interest to federal, state, and local municipalities, considering recent events.

These updates are welcome but might be difficult for SMBs to implement. "I'm a big fan of the CIS Controls, and I feel that the v8 changes that focus on cloud, mobile, and supply chain, if implemented correctly will make small/medium-sized organizations more secure, but it will also increase complexity," explains Scott Smith, CISO with the City of Bryan, Texas. "Implementing new technical and procedural controls to manage mobile, cloud, and supply chain resources is not a small undertaking, and it will require additional resources for already overtasked staff to enact those changes."

One thing that can simplify implementation is the dispersal of all Controls and their Safeguards (formerly Sub-Controls) across three Implementation Groups (IGs), a modification that occurred in CIS Controls v7.1. The Center for Internet Security originally created those IGs to help organizations prioritize their implementation of its Critical Security Controls. IG1 consists of basic cyber hygiene that all organizations can use to defend against the most common types of attacks. IG2 builds on IG1, and IG3 encompasses the other two categories along with additional measures.

Tyler Morgan, vice president and CSO at Farmers and Merchants Bank in Arkansas, says it's those groupings that will ultimately make it easier for organizations to approach the changes introduced in v8.

"In my view, any addition to the CIS Controls is a net positive for organizations of all sizes," he says. "The fact of the matter is, all organizations (regardless of size) are facing the challenges introduced via cloud, mobile, and supply chain risk vectors (along with many others). The primary difference is the level of scale faced by the larger organizations. The fundamental truth, regardless of the technology stack, is that you can't protect what you don't know about or don't understand, and this is something the CIS Controls expound upon across their Safeguards. The CIS Controls do a better job than any framework at highlighting the real-world question, 'How do we do this?' Small/medium-sized orgs are going to have to answer these questions anyway, and the CIS Controls provide examples of practical application."

Putting the Revamped CIS Controls into Perspective
With the introduction of IGs in v7.1 and the reorganization/changes in v8, the CIS Controls offer the best and easiest-to-follow path to good cyber hygiene for smaller organizations. There are many new resources available to track your progress, but it doesn't have to be that complicated. Start off by simply highlighting all the items in IG1 and seeing how your organization's security initiatives stack up against those recommendations.