According to the Center for Internet Security (CIS), there are 20 cybersecurity controls that are necessary for a secure IT environment. Every business, no matter its size and even with a seemingly simple IT infrastructure, needs at least seven of these controls to set the right foundation for minimizing the risk of a cyberattack.
In this article we look at those seven foundational cybersecurity controls, explain what they mean and the risks of not implementing them. But, before we dive right into that, let’s take a look at the meaning of cybersecurity controls.
What are cybersecurity controls?
Cybersecurity controls or critical security controls (CSCs) are processes, tools, and actionable policies to manage cybersecurity and have real-time visibility of IT infrastructure across an organization. As previously stated, the CIS lists a total of 20 controls with varying degrees of complexity. Not all may apply to every business.
We’ve selected the following seven foundational cybersecurity controls that, at a minimum, every business needs to have in place, whether it is done in-house or through an outsourced IT provider.
1. Inventory of Authorized and Unauthorized Devices
This is a basic CIS control that ensures only authorized hardware devices in a network are granted access.
Hackers are always on the lookout for unprotected systems and devices that they can use to infiltrate a network. Devices such as personal laptops may not be in sync with the latest security updates of a company’s IT structure, and this can be a loophole for cyberattackers. Taking inventory of all devices connected to your organization’s network is important to keep cyberattackers away.
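As an added illustration of this control (example code, not part of the original article), the script below reconciles devices observed on the network against an authorized-device inventory and flags unknown MACs, known MACs with a changed hostname, and inventoried devices that were never seen. The inventory and the DHCP-lease-style observations are constructed sample data.

```python
# Added example (not from the article): compare devices seen on the network
# against an authorized-device inventory, as CIS control 1 calls for.
# Both data sets below are constructed for the demo.
import csv
import io

# Constructed authorized inventory (what an asset register would hold).
AUTHORIZED_CSV = """\
mac,hostname,owner
aa:bb:cc:00:00:01,fileserver01,IT
aa:bb:cc:00:00:02,laptop-jdoe,Sales
aa:bb:cc:00:00:03,printer-2f,Facilities
aa:bb:cc:00:00:05,switch-core,IT
"""

# Constructed DHCP-lease-style observations: (mac, hostname, ip).
OBSERVED = [
    ("aa:bb:cc:00:00:01", "fileserver01", "10.0.0.10"),
    ("aa:bb:cc:00:00:02", "laptop-jdoe", "10.0.0.57"),
    ("AA:BB:CC:00:00:04", "Johns-iPhone", "10.0.0.88"),   # not in inventory
    ("aa:bb:cc:00:00:03", "workstation-x", "10.0.0.91"),  # known MAC, new name
]

def load_inventory(csv_text):
    """Return {mac: (hostname, owner)} with MACs normalised to lowercase."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): (row["hostname"], row["owner"]) for row in reader}

def reconcile(inventory, observed):
    """Classify observed devices: 'unauthorized' if the MAC is unknown,
    'hostname_mismatch' if the MAC is known but the name changed; then
    report inventoried devices that were never observed as 'not_seen'."""
    findings = []
    seen = set()
    for mac, hostname, ip in observed:
        mac = mac.lower()          # observations may report MACs in upper case
        seen.add(mac)
        if mac not in inventory:
            findings.append(("unauthorized", mac, hostname, ip))
        elif inventory[mac][0] != hostname:
            findings.append(("hostname_mismatch", mac, hostname, ip))
    # Inventoried devices never observed may be offline, missing or stolen.
    for mac in sorted(inventory.keys() - seen):
        findings.append(("not_seen", mac, inventory[mac][0], None))
    return findings

if __name__ == "__main__":
    for finding in reconcile(load_inventory(AUTHORIZED_CSV), OBSERVED):
        print(finding)
```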
2. Inventory of Authorized and Unauthorized Software
Like the first control, this one involves authorizing vetted software to be installed and executed on a device. All other software is prohibited from being installed.
Your business can be compromised if unvetted software is installed. It is not uncommon for hackers to gain access to IT systems through the installation of programs you got from trusted sources. Software inventory tools should be used to have real-time visibility of the software on systems and to prevent an intrusion. Additionally, having the ability to remotely manage and set policies on which software is allowed on a device greatly reduces the risk.
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establishing, implementing and actively managing adequate software and hardware security configurations is as crucial as ever in protecting against cyberattacks.
Default configurations for hardware and software are usually aimed at simplicity of use and rarely at security. This means secure configuration standards need to be developed and implemented to keep these systems secure. However, this development process is not a simple one and requires either in-house expertise and tools to manage it adequately or an experienced Managed IT company.
4. Malware Defenses
Having good anti-malware software is crucial to control the installation and execution of malicious code that can spread to other connected devices in a network.
Cybercriminals know the importance of malware and use it as one of their tools for cyberattacks. Hence, it is essential your business has reputable and up-to-date malware defenses to prevent intrusions.
5. Controlled Use of Administrative Privileges
This refers to the tools, policies and processes that are used in controlling the use of administrative rights on computers, networks, and applications.
Administrative privileges give a user full access to a device’s back-end and the ability to install software and make configuration changes. Given that human error is the most common entry point for hackers, it only takes clicking on a bad link or downloading an infected attachment to give criminals the keys to the kingdom (network).
Administrative rights should only be given on a strict, as-needed basis to perform specific tasks (not internet browsing, email, etc.), and those users should have separate accounts for their daily activities.
6. Maintenance, Monitoring, and Analysis of Audit Logs
The sixth foundational CIS control involves the collection, maintenance, and analysis of audit logs of potentially risky events on the network.
While you may have many tools to monitor and detect suspicious activity, audit logs of network activity may be the only proof there has been an attack on a system. It is therefore crucial to properly maintain and more importantly audit these logs regularly. It is recommended to have a security information and event management tool (SIEM) in place that centrally collects and correlates log data from all sources within your network, and can alert whenever there is suspicious activity.
7. E-mail and Web Browser Protections
Web browsers and e-mail clients are an easy point of entry for cybercriminals into an organization’s network given their daily, direct interaction with unsuspecting users. To reduce the risk of a breach, it is key to implement strong e-mail security (e.g. spam protection) and use the latest versions of browsers approved by your organization.
8. Continuous Vulnerability Assessment and Remediation
Technology is a continuously evolving landscape and as such, your IT infrastructure may become vulnerable over time. Hackers know this and as soon as software or hardware vulnerabilities are known to the world, they will hunt for systems that have not been properly patched.
Cybersecurity is an ongoing process. New methods are continuously being employed by attackers. Taking a proactive role in mitigating those vulnerabilities is crucial. It is recommended to (1) deploy and regularly run a vulnerability scanning tool on the network, and (2) use centralized, automated tools to patch systems.
9. Implement a Security Awareness and Training Program
As previously stated, people are one of the major ways cyberattackers gain access to IT systems. As such, it is imperative to train employees on security awareness to improve this first line of defense. A good security awareness training program should be interactive and combine video training with real-life email phishing simulations to keep staff on their toes.
The importance of having a well-structured cybersecurity strategy for a business’ IT system cannot be overemphasized. We’ve seen how essential it is for organizations to implement the basic/foundational cybersecurity controls to reduce the risks of cyberattacks. While a business might choose to do this in-house, it can be complex and costly for organizations and require the right combination of tools and expertise. Fortunately, outsourcing this responsibility to an experienced IT provider such as Envision Consulting can be the most cost-effective way of achieving this goal.