For small and medium businesses (SMBs), cybersecurity is more important than ever. As digital technology underpins more key business functions, SMBs face growing cyber risks that can disrupt operations, damage reputations, and incur major costs. Recent surveys show 60% of small businesses have experienced a cyber attack.
To strengthen cybersecurity in a strategic way, SMBs need a reliable framework outlining essential security controls. One such framework is the Center for Internet Security (CIS) Controls. This globally recognized set of safeguards represents cybersecurity best practices developed by experts.
The CIS Controls are a prioritized list of 18 actions businesses can take to safeguard against the most common cyber attacks. They follow an “offense informs defense” philosophy, meaning they focus on proven defenses against real-world threats.
The controls cover key security functions like asset management, access control, and incident response. Each control has multiple specific safeguards providing tactical recommendations. For example, Control 1 covers inventory and control of hardware and software assets. Its safeguards include maintaining detailed inventories, finding unauthorized assets, and using tools for active discovery.
The controls are divided into three implementation tiers based on business size and resources:
The CIS Controls offer several benefits for resource-constrained SMBs:
By leveraging the CIS Controls, SMBs can make steady progress building robust cyber defenses aligned to business needs and constraints. The controls serve as an accessible roadmap to improving security posture in a comprehensive way. They represent cybersecurity fundamentals every small business should aim to follow.