An Introduction to CIS Controls for Small Business Cybersecurity

For small and medium businesses (SMBs), cybersecurity is more important than ever. As digital technology underpins more key business functions, SMBs face growing cyber risks that can disrupt operations, damage reputations, and incur major costs. Recent surveys show 60% of small businesses have experienced a cyber attack.

To strengthen cybersecurity in a strategic way, SMBs need a reliable framework outlining essential security controls. One such framework is the Center for Internet Security (CIS) Controls. This globally-recognized set of safeguards represents cybersecurity best practices developed by experts.

What are the CIS Controls?

The CIS Controls are a prioritized list of 18 actions businesses can take to safeguard against the most common cyber attacks. They follow a “offense informs defense” philosophy, meaning they focus on proven defenses against real-world threats.

The controls cover key security functions like asset management, access control, and incident response. Each control has multiple specific safeguards providing tactical recommendations. For example, Control 1 covers inventory and control of hardware and software assets. Its safeguards include maintaining detailed inventories, finding unauthorized assets, and using tools for active discovery.

The controls are divided into three implementation tiers based on business size and resources:

• IG1 – Basic cyber hygiene for smaller businesses
• IG2 – Essential controls with dedicated security staff
• IG3 – Comprehensive controls for advanced security teams

Why Follow the CIS Controls?

The CIS Controls offer several benefits for resource-constrained SMBs:

• Focus – The controls highlight the most critical security activities for protection. SMBs avoid spreading efforts too thin.
• Guidance – The controls provide detailed guidance on how to secure environments effectively based on real-world attacks.
• Flexibility – SMBs can implement tiered recommendations based on their risk profile and resources.
• Community – As an industry-recognized standard, the controls tap into shared knowledge and tools.
• Maturity – The controls help SMBs take a strategic approach to evolving cybersecurity over time.

By leveraging the CIS Controls, SMBs can make steady progress building robust cyber defenses aligned to business needs and constraints. The controls serve as an accessible roadmap to improving security posture in a comprehensive way. They represent cybersecurity fundamentals every small business should aim to follow.