The introduction of new technologies has left many industries on the back foot when it comes to cybersecurity. The CIS Critical Security Controls framework addresses the problems industries face in adopting cybersecurity best practice.
The Center for Internet Security (CIS) publishes two related bodies of guidance: the CIS Controls, a prioritized list of defensive actions, and the CIS Benchmarks, hardening guides that fix insecure default configurations in specific operating systems, devices, cloud platforms and network gear. This article treats the two together as the CIS framework.
The CIS Critical Security Controls apply to almost any business, whatever level of cybersecurity it requires, but some industries stand to benefit more than others. Let's discuss which, and why.
CIS Critical Security Controls Framework
The CIS Critical Security Controls (CIS CSC for short) were developed by a community of practitioners in response to rising global cyber threats. A recurring lesson behind them is the risk of "out-of-the-box" security configurations, which in practice usually means no security configuration at all. The controls prioritize the defensive actions that stop the attacks seen most often, and the companion CIS Benchmarks supply hardened baseline configurations for operating systems, devices, and similar platforms.
Alongside that configuration guidance, CIS CSC version 7 lays out 20 controls arranged as incremental maturity levels: Basic (Controls 1 to 6, the cyber-hygiene essentials), Foundational (Controls 7 to 16) and Organizational (Controls 17 to 20). Version 8, released in 2021, consolidates them into 18 controls and replaces the three groupings with Implementation Groups IG1 to IG3; the control numbers and groupings used in this article are version 7's. If you would like to read more about the CIS CSC framework, check out this article on the blog.
Cybercrime and Associated Risks
As mentioned in the previous section, cybercrime, and its reputational and financial consequences for established industries, was among the driving forces behind the development of the CIS CSC.
The motivation for cybercrime, like the motivation for any crime, varies drastically. One thing your organization can be sure of is that bad actors will most likely target sensitive data or business-critical information, because that kind of data has strong monetization potential. In short, if personal reasons don't drive a cyberattack, there is a high likelihood that money does.
The costs of cybercrime often go beyond the stolen data itself: reputational damage and the strain on staff morale carry their own cost.
With this in mind, some industries are targeted more than others and could consequently benefit the most from implementing the CIS CSC:
- Financial Industry
- Health Industry
- Construction Industry
- IT and Telecoms Industry
- Small and medium-sized businesses (SMEs)
In the coming sections, we will explore each industry in more detail and how the CIS Controls can benefit it.
Financial Industry, It’s All About The Money
The financial industry is an obvious target if financial gain is the primary motivation behind most cyberattacks.
A well-devised, well-designed and well-executed attack can give attackers direct access to capital. In one monumental case, the 2016 Bangladesh Bank heist, attackers stole $81 million by compromising the bank's own network, issuing fraudulent transfer instructions over the SWIFT network with the bank's credentials, and tampering with the bank's local SWIFT client software to hide the evidence.
The financial industry is data-driven. The kinds of data it collects and processes include:
- Personal financial data
- Business-critical information
- Insider (material non-public) information
The CIS Controls benefit the industry by making the protection of endpoints such as servers and workstations an explicit requirement: inventory, secure configuration, controlled use of administrative privileges and audit logging are all among the basic controls. Of the five industries discussed here, finance and health would benefit most from a robust staff training program (Control 17).
The financial industry in particular is highly exposed to human error, and the stakes are high. The industry is also becoming more reliant on technology and data as fintech carves out its position in the market; the demand for fintech grows in step with the need for best-practice cybersecurity, which the CIS Controls can supply.
Health Industry, The Most Lucrative Personal Data
Cyberattackers are drawn to the health industry like bees to a flower. Personal health data is among the most lucrative data an attacker can steal: a complete medical record is widely reported to fetch more on criminal markets than a single credit card number, partly because, unlike a card, a medical record cannot be cancelled and reissued once it has leaked.
It is no wonder the health industry is in dire need of a robust cybersecurity architecture. Although the resale value of stolen health data is reason enough for most attackers, some target the industry for more nefarious reasons.
With enough control over a hospital's information systems, an attacker can cause severe injury or even death to patients on the premises: by altering medical records so that staff administer the wrong medication or dose, or by disrupting networked clinical equipment such as life-support systems.
It is in the best interest of society that governments and third-party organizations push for best-practice cybersecurity within the health industry.
Moreover, a robust security program tends to improve an organization's information systems as a side effect. For example, the first control grouping alone (Controls 1 and 2, the inventories of hardware and software assets) gives most hospitals a detailed inventory of everything on the network, which creates the opening for decision-makers to retire legacy or inefficient systems.
The later control groupings cover secure configuration of the devices and operating systems that hospital operations depend on. One caveat a practitioner should keep in mind: a medical device such as a ventilator often runs a vendor-controlled configuration that the hospital cannot harden itself, and for those devices the framework's boundary-defense and network-segmentation controls (Controls 12 and 14) are what keep them isolated from the rest of the network.
Construction Industry, Easily Spoofed
The construction industry is reported to be the most vulnerable to phishing attacks: according to some reports, it has one of the highest proportions of "phish-prone" employees of any sector.
The motivation to carry out such attacks lies in the nature of the data the construction industry holds. Personal data is not the only data type attackers target; construction firms hold valuable corporate information such as:
- Building plans
- Project bids and valuations
- Trade secrets
- Clients' plans for redesigned systems and infrastructure
Stolen information of this kind can cause severe harm and financial damage. The CIS Controls address these weaknesses directly: in the Organizational grouping, Control 17 requires the organization to implement a security awareness and training program, the most direct way to reduce the effect of phishing. Earlier controls add technical backstops, such as email and web browser protections (Control 7) and controlled use of administrative privileges (Control 4), that limit what a successful phish can achieve.
IT and Telecoms Industry, IoT Dependency
Nowadays, a mobile phone often holds the entirety of an individual's private and professional life. Mobile dependency became the gateway to the growth of the IoT sector, and as organizations clamored to ship the latest smart device, security fell by the wayside.
Bad actors quickly took advantage, and IoT device security is now a top priority in third-party acquisitions and vendor risk management. IoT devices also tend to connect to many networks and expose many services, so their attack surface is much larger than that of a conventional workstation or phone, and each exposed service is a potential path to data exposure.
It is for this reason precisely that the IT and telecommunications industry can use the CIS framework to its benefit.
The CIS Benchmarks provide hardened configurations for the mainstream operating systems, network devices and cloud platforms that back IoT deployments. The devices themselves usually run vendor firmware for which no Benchmark exists, but the CIS Controls still apply to them: inventory them (Control 1), restrict their network access (Controls 12 and 14), and change default credentials and disable unused services as part of secure configuration (Controls 5 and 11).
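The secure-configuration controls discussed above, for the hospital systems and for the platforms behind IoT deployments, come down in practice to comparing a live configuration against a hardened baseline. The following added example (not code from the page, from CIS, or from RSI Security) does that for an OpenSSH server configuration. The baseline is a hand-picked subset of settings of the kind the CIS Linux Benchmarks recommend for sshd, not the official benchmark, and both configuration texts are constructed for the example; the OpenSSH defaults used for unset options are taken from sshd_config(5) and are an assumption about the version in use.

```python
"""Check an sshd_config against a small secure-configuration baseline.

Added example. BASELINE is a hand-picked subset of settings of the kind
the CIS Linux Benchmarks recommend for OpenSSH, not the official benchmark.
"""
import re

# option -> ("eq", allowed values) or ("le", numeric upper bound)
BASELINE = {
    "PermitRootLogin": ("eq", {"no"}),
    "PermitEmptyPasswords": ("eq", {"no"}),
    "X11Forwarding": ("eq", {"no"}),
    "IgnoreRhosts": ("eq", {"yes"}),
    "HostbasedAuthentication": ("eq", {"no"}),
    "MaxAuthTries": ("le", 4),
}

# Values sshd uses when an option is absent (assumption: sshd_config(5) for a
# current OpenSSH release). Needed because "not set" is not "compliant".
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "IgnoreRhosts": "yes",
    "HostbasedAuthentication": "no",
    "MaxAuthTries": "6",
}

# Constructed example: a permissive configuration
WEAK_CONFIG = """\
# constructed example: permissive sshd_config
Port 22
PermitRootLogin yes
X11Forwarding yes
MaxAuthTries 10
PermitRootLogin no   # ignored: sshd keeps the first value it sees
"""

# Constructed example: the same server after hardening
HARDENED_CONFIG = """\
# constructed example: hardened sshd_config
Port 22
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
IgnoreRhosts yes
HostbasedAuthentication no
MaxAuthTries 4
Match User backup
    X11Forwarding yes   # conditional; not evaluated by this checker
"""


def parse_sshd_config(text):
    """Return {option: value} for the effective global options.

    sshd honours the first occurrence of an option and ignores later
    duplicates, so setdefault() reproduces that. Everything after a Match
    line is conditional on the connection and is skipped here.
    """
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key.lower() == "match":
            in_match = True
            continue
        if in_match:
            continue
        # option names are case-insensitive; normalise to the baseline's spelling
        canon = next((k for k in BASELINE if k.lower() == key.lower()), key)
        effective.setdefault(canon, value)
    return effective


def check_config(text):
    """Return a list of (option, actual, expected) findings; empty means compliant."""
    effective = parse_sshd_config(text)
    findings = []
    for option, (kind, expected) in BASELINE.items():
        actual = effective.get(option, DEFAULTS[option])
        if kind == "eq":
            ok = actual.lower() in expected
            want = "/".join(sorted(expected))
        else:
            try:
                ok = int(actual) <= expected
            except ValueError:
                ok = False            # non-numeric value: treat as a finding
            want = f"<= {expected}"
        if not ok:
            findings.append((option, actual, want))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for option, actual, want in check_config(cfg) or []:
            print(f"  {option} is {actual!r}, expected {want}")
```

Two details matter for a real deployment: the first-occurrence rule means an appended "fix" line does nothing, which is why the weak configuration above still fails on PermitRootLogin, and settings inside a Match block need to be evaluated per connection (for example with `sshd -T -C user=backup`) rather than by reading the file.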
Small Medium Size Businesses, The Attackers Choice
Small to medium-sized businesses are not exactly an industry, as they could fall under any category. Nonetheless, it is important to discuss them.
SMEs tend to be cyberattackers’ favorite target. But why?
Simply put, SMEs rarely have the resources or time to invest in robust cybersecurity, so breaching their systems is relatively easy.
For the same reason, SMEs face the highest risk of business failure following a cyberattack.
Thankfully, the CIS Controls define a set of basic cyber-hygiene practices that drastically reduce the chance of a successful attack. Better still, they are not difficult to implement: in version 7 they comprise only the first six controls (inventory of hardware assets, inventory of software assets, continuous vulnerability management, controlled use of administrative privileges, secure configuration, and maintenance and analysis of audit logs), so even an SME with limited resources can adopt them. Version 8 serves the same purpose with Implementation Group 1.
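The first two of those basic controls, and the inventory benefit described for hospitals earlier, are at bottom a reconciliation: what is actually on the network and installed on it versus what the organization has authorized. The following added example (not code from the page, from CIS, or from RSI Security) performs that reconciliation. The authorized inventory and the discovery results are constructed, and their CSV column layout is an assumption; in practice the first would be a CMDB export and the second the output of a discovery scan or an endpoint-agent report.

```python
"""Reconcile observed assets against an authorized inventory (CIS Controls 1 and 2).

Added example. Both CSV documents are constructed; the column layout is an
assumption, not a CIS or vendor format.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed authorized inventory (the "should be" side), one row per device
# with the software approved for it.
AUTHORIZED_CSV = """\
mac,hostname,owner,approved_software
aa:bb:cc:00:00:01,ws-finance-01,finance,office;edr-agent
aa:bb:cc:00:00:02,srv-ehr-db,it,postgres;edr-agent
aa:bb:cc:00:00:03,print-lobby,facilities,
aa:bb:cc:00:00:05,srv-backup-01,it,edr-agent
"""

# Constructed discovery results (the "is" side): what a network scan plus
# endpoint agents actually observed.
OBSERVED_CSV = """\
mac,ip,hostname,installed_software
aa:bb:cc:00:00:01,10.0.1.11,ws-finance-01,office;edr-agent;torrent-client
aa:bb:cc:00:00:02,10.0.1.20,srv-ehr-db,postgres
aa:bb:cc:00:00:04,10.0.1.99,,
aa:bb:cc:00:00:03,10.0.1.30,print-lobby,
"""


@dataclass
class Findings:
    unauthorized_devices: list = field(default_factory=list)   # Control 1: on the network, not authorized
    missing_devices: list = field(default_factory=list)        # Control 1: authorized, not seen
    unauthorized_software: dict = field(default_factory=dict)  # Control 2: installed, not approved
    missing_software: dict = field(default_factory=dict)       # Control 2: approved, not installed (e.g. agent removed)


def _split(value):
    """Turn 'a;b;c' into {'a', 'b', 'c'}, treating the empty string as no software."""
    return {x.strip() for x in value.split(";") if x.strip()}


def reconcile(authorized_csv, observed_csv):
    """Compare observed devices and software with the authorized inventory, keyed by MAC."""
    authorized = {r["mac"].lower(): r for r in csv.DictReader(io.StringIO(authorized_csv))}
    observed = {r["mac"].lower(): r for r in csv.DictReader(io.StringIO(observed_csv))}
    f = Findings()
    for mac, row in observed.items():
        if mac not in authorized:
            f.unauthorized_devices.append((mac, row["ip"]))
            continue
        approved = _split(authorized[mac]["approved_software"])
        installed = _split(row["installed_software"])
        if installed - approved:
            f.unauthorized_software[row["hostname"]] = sorted(installed - approved)
        if approved - installed:
            f.missing_software[row["hostname"]] = sorted(approved - installed)
    for mac, row in authorized.items():
        if mac not in observed:
            f.missing_devices.append((mac, row["hostname"]))
    return f


if __name__ == "__main__":
    result = reconcile(AUTHORIZED_CSV, OBSERVED_CSV)
    print("unauthorized devices:", result.unauthorized_devices)
    print("authorized but not seen:", result.missing_devices)
    print("unapproved software:", result.unauthorized_software)
    print("approved software missing:", result.missing_software)
```

Each bucket maps to a different action: an unknown MAC on the network is a Control 1 finding to investigate (or block at the switch), an approved host that is absent may simply be powered off but is worth a second look, unapproved software is a Control 2 finding to remove, and an approved agent that has disappeared from a server is often the earliest sign that someone is tampering with the host.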
Every industry offers unique solutions to everyday problems, and every industry is exposed to its own forms of cyberattack.
The CIS Critical Security Controls, devised by the wider cybersecurity community, provide a system for tackling many of the weaknesses those industries share. By applying hardened configurations to operating systems and devices and by implementing the control groupings, the five industries discussed in this article can greatly reduce the chance of a successful cyberattack.
Here at RSI Security we live and breathe cybersecurity. If you have any questions about any security frameworks, including this one, and the best practice cybersecurity methods out there, do not hesitate to reach out.
We are here for you: book a free consultation today!