We share a lot about security. We do this to protect your company, network, data, and most importantly, your clients from cyber threats. We also do this because businesses today require a layered approach to security. This includes everything from best practices like setting up strong passwords to a modern firewall and backup solution. But how does one know what must be done and how to prioritize which actions to take first? Don’t worry, we have the answer.
Prioritizing which security-related measures to implement first is where many companies struggle. There are two ways you can approach this challenge:
- Bring in a security specialist, like an outsourced IT partner; or
- Utilize a security framework, like CIS Controls, to lay a solid foundation that you can build upon.
Consider a security framework as a blueprint for building your security up from the straw hut to the brick house. Trying to do it all at once, while entirely possible, is overwhelming and can be excessive, because security frameworks are designed to serve a range of business sizes, from small businesses to mega enterprises. No IT team will expect every company to apply a framework such as CIS in its entirety. There is a balance to strike between good security and reasonable convenience, and it should be considered for every network.
CIS Controls version 8 (released May 2021) is a robust security framework developed by the Center for Internet Security. The 18 CIS Controls, formerly known as the SANS Critical Security Controls (SANS Top 20), are 18 recommended actions that guide businesses in their cybersecurity defense. At the core of these controls is knowing just what you have and where you have it.
Ask yourself, “do I know every possible thing that has access to my company’s data/information?”
Of course, the obvious things like servers and workstations come to mind, but what about everything else? For example: cell phones, home computers, websites, cloud services and contractors. The goal is to create an inventory, in a form you can manage and keep current with proper oversight, so that you know whatever is accessing your data is supposed to be, and that you have control over it. That is the first CIS v8 control in a nutshell: knowing what you have, and managing and maintaining it. It also lays the foundation for the next step, controlling authorized access. Later controls draw from that authorized list: they include setting policies and taking technical implementation steps to ensure that only things authorized to access data can do so, and that they do so in the way deemed most secure.
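To make the inventory idea concrete, here is a small added example (not code from the article or from Smart Dolphins) that reconciles what is actually seen on the network against an authorized asset list, the way Control 1 expects you to find and deal with unauthorized assets. The authorized list, the DHCP-lease-style lines and the `<ip> <mac> <hostname>` format are all constructed for this example; a real network would feed it from a DHCP server, a switch's MAC table or a discovery scan.

```python
"""
Reconcile observed network devices against an authorized asset inventory
(CIS Control 1 style). All data below is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str          # normalized lower-case MAC address, used as the key
    hostname: str
    owner: str        # accountable person or team for this asset
    asset_type: str   # server, workstation, laptop, mobile, ...


def normalize_mac(mac: str) -> str:
    """Accept AA-BB-CC-... or AA:BB:CC:... and return aa:bb:cc:... form."""
    return mac.strip().lower().replace("-", ":")


# Constructed authorized inventory for a hypothetical small office.
AUTHORIZED = {a.mac: a for a in [
    Asset("aa:bb:cc:00:00:01", "fileserver01", "IT", "server"),
    Asset("aa:bb:cc:00:00:02", "ws-reception", "Front desk", "workstation"),
    Asset("aa:bb:cc:00:00:03", "contractor-lt1", "Bookkeeper (contractor)", "laptop"),
    Asset("aa:bb:cc:00:00:04", "backup-nas", "IT", "server"),
]}

# Constructed observation lines in the form "<ip> <mac> <hostname>",
# roughly what a DHCP lease export looks like.
OBSERVED_LINES = [
    "10.0.0.12 AA:BB:CC:00:00:01 fileserver01",
    "10.0.0.33 aa:bb:cc:00:00:02 ws-reception",
    "10.0.0.41 aa:bb:cc:00:00:03 contractor-lt1",
    "10.0.0.77 aa:bb:cc:00:00:09 android-3f9a",
    "this line is not a lease record",
]

LEASE_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5})\s+(\S+)$")


def parse_lease(line: str):
    """Return (ip, normalized_mac, hostname) or None for a malformed line."""
    m = LEASE_RE.match(line.strip())
    if not m:
        return None
    ip, mac, _, hostname = m.groups()
    return ip, normalize_mac(mac), hostname


def reconcile(authorized: dict, lines: list) -> dict:
    """
    Compare observed devices with the authorized inventory.

    unauthorized: seen on the network but not in the inventory (investigate,
                  then either add with an owner or remove from the network)
    missing:      in the inventory but not seen (offline, retired, or a stale
                  inventory entry that needs cleaning up)
    """
    seen = {}
    unauthorized = []
    for line in lines:
        parsed = parse_lease(line)
        if parsed is None:
            continue  # skip lines that are not lease records
        ip, mac, hostname = parsed
        seen[mac] = (ip, hostname)
        if mac not in authorized:
            unauthorized.append({"ip": ip, "mac": mac, "hostname": hostname})
    missing = sorted(mac for mac in authorized if mac not in seen)
    return {"unauthorized": unauthorized, "missing": missing, "seen": len(seen)}


def owner_report(authorized: dict) -> dict:
    """Count authorized assets per owner, which shows who must answer for what."""
    counts = {}
    for asset in authorized.values():
        counts[asset.owner] = counts.get(asset.owner, 0) + 1
    return counts


if __name__ == "__main__":
    result = reconcile(AUTHORIZED, OBSERVED_LINES)
    for dev in result["unauthorized"]:
        print(f"UNAUTHORIZED {dev['mac']} {dev['ip']} {dev['hostname']}")
    for mac in result["missing"]:
        print(f"NOT SEEN     {mac} ({AUTHORIZED[mac].hostname})")
    print("assets per owner:", owner_report(AUTHORIZED))
```

Running it flags the unknown Android device as unauthorized and the backup NAS as in the inventory but not seen, which are exactly the two lists a weekly inventory review should work through. Keying on MAC alone is a deliberate simplification; a fuller inventory would also record serial numbers and cross-check against an endpoint agent so that spoofed or changed MACs do not slip past.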
We understand how challenging it can be to prioritize cybersecurity investments (we have implemented these controls ourselves)! CIS Control 15 is all about creating a process to evaluate service providers to ensure that outsourced parties are protecting your data. At Smart Dolphins we meet CIS Controls. If you have questions about our adherence to CIS Controls or anything else cybersecurity-related, please reach out to us.
For more information visit: https://www.cisecurity.org/controls/cis-controls-list/