The Center for Internet Security recently released version 8 of the CIS Controls, a set of 18 Controls (each broken down into specific Safeguards) that mitigate the most prevalent cyber-attacks against systems and networks. With this 8th update, CIS aims to keep its recommended practices in step with modern systems and software.

The goal of this update is to support an enterprise's security as it moves to cloud-based environments (fully cloud or hybrid), and it was prompted by several IT-related factors, such as:

  1. Transitions to Cloud-Based Computing
  2. Virtualisation
  3. Mobility
  4. Outsourcing
  5. Working From Home
  6. Changes in Cyberattack Tactics

What does CIS Controls Version 8 cover?

Previously, CIS Controls v7 covered 20 different aspects of cybersecurity pertaining to business operations. Since then, the latest update has consolidated this list into 18 points, which are:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management 
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

These controls cover the various ways in which a business can protect itself from cyber attacks, including:

  1. Anticipating cybersecurity threats
    1. Inventorying assets and securely configuring infrastructure and safeguards
    2. Securing data
    3. Setting up user accounts and regulating user access
    4. Training key stakeholders (staff and security teams)
    5. Testing and monitoring for potential vulnerabilities
  2. Responding to cybersecurity threats
    1. Following pre-established incident response processes
    2. Recovering lost data
    3. Logging threats and vulnerabilities, as well as the steps taken to mitigate them

What are some common mistakes that businesses make regarding security solutions?

Not investing enough

Too many businesses make the mistake of thinking that securing their business ends at purchasing a firewall and some new antivirus software.

IT is a constantly changing landscape. As infrastructure and processes evolve, so do cybersecurity risks. To keep pace with threats such as technology failure or cyberattacks, it is important to invest consistently across all of the areas outlined in CIS Controls Version 8, not just in a one-off purchase.

Not allocating funds correctly

Security involves three key aspects that all play into one another: people, processes and technology. Each of these requires adequate funding in order to function effectively and support the other two.

  1. People: internal staff require funding for training, and additional investment is needed to bring in experienced IT consultants for less frequent, larger-scale tasks.
  2. Processes: keeping processes current with changes across all aspects of IT costs money, which goes into planning, audits, implementation and documentation.
  3. Technology: whether software or hardware, it requires funding for sourcing, evaluation, maintenance, repairs and updates.

Failing to invest enough in any of these aspects will have a negative impact on the others.

  1. Not investing in staff means that processes are carried out incorrectly, which can lead to technology failures and to vulnerabilities that can be exploited.
  2. Outdated or poorly planned processes, starved of funds, are ineffective security measures that only drain energy and resources.
  3. Purchasing the wrong technology, or failing to maintain and update it, increases the risk of it failing and leaving large gaps in your security that an attacker can take advantage of.

Failing to discern what security issues specifically relate to the IT department

A common misconception is that cyber security is solely the responsibility of the IT department. This is not the case. The IT department's primary remit is the technology; people and processes are the responsibility of the business as a whole and should be owned by upper management.

It is important to keep this in mind because the IT department can only address the technology side. Neglecting the people and process areas increases the risk of security vulnerabilities.

Not properly assessing the risks facing the business

CIS is a globally recognised cybersecurity organisation that has spent over 20 years observing the IT landscape and compiling a prioritised list of controls against the most common attack patterns. While each version of the CIS Controls has changed with the IT landscape, the core content remains largely the same and can be acted upon by practically any business.

Often it is not feasible for a business to implement all of the controls in the CIS framework at once, due to constraints ranging from budget to time. That is why a preliminary assessment of the risks facing your business is important: it lets you determine which CIS Controls to prioritise in order to protect your business effectively in the long run. Version 8 helps with this by grouping the Safeguards into three Implementation Groups (IG1, IG2 and IG3), with IG1 defined as the baseline of essential cyber hygiene that every enterprise should meet first. Failing to assess your risks properly means wasting time and resources on security solutions that may not mitigate any of the risks you actually face.

If you have any questions, or you want to start taking control of the cybersecurity of your business, contact us and we will provide you with high quality IT solutions.

Hayden McMaster