
For many small and medium-sized businesses (SMBs), a comprehensive cybersecurity program can be difficult to initiate. Fortunately, there are many resources available to help SMB owners begin reducing their cyber risk.

One such resource is the Center for Internet Security (CIS) Critical Security Controls (CSC), a set of 18 guidelines for improving cybersecurity. They are designed to prioritize the most essential security measures and provide a framework for effective cybersecurity defense. Here are some of the key points to understand from the CIS 18 Critical Security Controls:

  1. The CIS CSCs are a prioritized set of guidelines: The controls are numbered 1 through 18, and each control is designed to build on the previous one. 
  2. The controls are adaptable: The CIS CSCs are not meant to be a one-size-fits-all solution. They are adaptable to different organizations’ needs and priorities. Organizations can implement the controls in a way that works best for them. 
  3. The CSCs are designed to be measurable: Each control has specific criteria that can be used to assess an organization’s implementation of the control. This allows organizations to measure their progress and identify areas that need improvement. 
  4. The CSCs are designed to be effective: The controls are based on real-world threats and are designed to be effective at mitigating those threats. Implementing the CSCs can significantly improve an organization’s cybersecurity posture. 
  5. The first six controls are foundational: The first six controls are considered foundational because they provide a solid base for an organization’s cybersecurity defense. These controls focus on basic cybersecurity hygiene, such as inventorying hardware and software, controlling administrative privileges, and maintaining secure configurations. 
  6. The CSCs cover a wide range of cybersecurity areas: The controls cover areas such as vulnerability management, incident response, access control, and network security. By implementing the CSCs, organizations can improve their security posture across multiple areas. 
  7. The CSCs are regularly updated: The CIS CSCs are updated regularly to reflect changes in the threat landscape and advances in cybersecurity technology. This ensures that the controls remain relevant and effective. 
  8. The CSCs are widely recognized: The CIS CSCs are widely recognized as a best practice framework for cybersecurity. Many organizations, including government agencies, use the controls as a benchmark for their cybersecurity programs. 
  9. The CSCs are not a comprehensive cybersecurity solution: While the CIS CSCs are a valuable tool for improving cybersecurity, they are not a comprehensive solution.

Organizations should also consider other cybersecurity frameworks and best practices to create a holistic cybersecurity program.

The CIS 18 Critical Security Controls are a good starting point for business owners to begin the process of adding extra layers of protection to their cybersecurity posture. They can be viewed at https://www.cisecurity.org/controls/cis-controls-list. Contact BAWN if you need assistance in understanding or implementing these controls to protect your company’s network infrastructure.
