More organizations are realizing the importance of reducing cyber-risk. With the widespread use of and reliance on information technology, telecommunications, and data-driven business, coupled with the somewhat alarming growth in technology, there is a growing need for organizations to integrate cybersecurity practice into the corporate culture. The Center for Internet Security Critical Security Controls (CIS CSC) framework can do just that. In this article we will discuss the CIS security benefits and how it can help reduce your cyber-risk.
The risks associated with cyberattacks nowadays can cause severe loss both financially and to the availability of service. These increasing threats have galvanized the security communities, with many creating public and living frameworks that are intended to foster a positive ecosystem of security-conscious businesses.
One such framework is known as the Center for Internet Security Critical Security Controls (CIS CSC). The CIS CSC is designed to let organizations reduce the risk of cyberattack by implementing its 20 controls; the full detail of the 20 CIS critical security controls is published by the Center for Internet Security.
Although CIS CSC compliance is not mandated by any regulation or government, it can greatly assist in reducing cyber-risk, with the Center for Internet Security quoting a decrease in the risk of cyberattack of 84% just from implementing the first six controls, known as the basic controls.
In this article we will explore why adopting this framework can reduce your cyber-risk, and what the CIS security benefits are. There are three main ways in which a CIS cyber infrastructure can help reduce cyber-risk. Those are:
- Technically.
- Organizationally or strategically.
- Improving general data management.
Reducing Technical Cyber Risk
When analyzing the technical cyber-risk, the organization should be looking at vulnerabilities that involve hardware and software assets. This could mean using outdated tech, unpatched browsers, insecure network ports, undisciplined control of administrative privileges, etc.
Attackers will consistently scan the network looking to exploit any technical flaw. Implementing the majority of the CIS security controls can mitigate most of the risks associated with technical issues. A good example of this is the first six controls, which are known to the wider cybersecurity community as “cyber hygiene”.
The first two controls, which cover the inventory of both hardware and software assets, are seldom implemented by organizations but are pivotal in reducing technical cyber-risk. Knowing what you own is the first battle. There are a whole host of CIS security controls that are designed to reduce technical risk, some of which include, but are not limited to:
- Email and web browser protection
- Malware defense
- Security configuration for hardware and software on mobile devices, laptops, workstations, and servers
Although implementing the CIS security controls listed above is a great step toward reducing an organization’s cyber-risk, the Center for Internet Security devised a benchmarking system that is key to reducing technical risk.
The CIS community at large consists of various professionals, governments, and organizations. These entities come together to agree upon the best security configuration for a multitude of “out-of-box” devices, operating systems, and software.
This consensus-based model, known as CIS Benchmarks, ensures that the best security configurations are applied to said devices, operating systems, and software. This makes it easy for any organization to then implement those security configurations.
The configuration can be downloaded as a PDF and then applied manually, or applied through the platform that is provided by CIS.
Along with the technically leaning control points, this is the primary way an organization can reduce the risk associated with a technical cyberattack (those exploited through software or hardware attached to the network).
Reducing Organizational or Strategic Cyber Risk
You may be thinking, how can there be cyber-risks that aren’t associated with the technical aspects of the business?
This might surprise some readers, but most successful cyberattacks are not attributed to top-notch hackers bypassing the best cyberdefense. In fact, the leading cause of data breaches and cyberattacks is attackers exploiting poor management practices and a general lack of security awareness.
What we mean by reducing organizational or strategic cyber-risk, is mitigating all the vulnerabilities that may arise from the day-to-day operation of an organization. This may involve the staff itself, company policies and processes, data management, etc. Essentially anything that doesn’t directly involve the use of software and hardware attached to the network.
So what are the CIS security benefits that help in reducing this aspect of risk?
As in the previous section, certain control points relate directly to the organizational and strategic aspects of cyber-risk. We will explore a couple of the points to further elaborate on how this can help.
The last four points in the framework are called the organizational controls. These controls relate to the strategic implementation of cybersecurity by design. The controls don’t have a heavy emphasis on the technical aspect of things and lean more toward designing a corporate culture of security that can foster the growth of a cybersecurity mentality within the organization.
An example of this can be seen specifically within two of the controls, points 17 and 20: “Implement a security awareness and training program” and “Penetration testing and red team exercises” respectively.
Security Awareness Program
A security awareness program is an organizational measure your business can take to reduce the cyber-risk associated with untrained staff. People are often the most easily exploitable vulnerability in any system, especially those who are unaware of the security risks associated with their online habits.
A security training program ensures that employees know the best practice and methods of personal security. Everyone taking responsibility for the security needs of the organization can prevent future headaches and greatly reduce the cyber risk.
This is one example of the CIS security benefits. The last grouping of the framework, known as the organizational controls, addresses the strategic implementation of cybersecurity and can help mitigate the risk associated with it.
Improving General Data Management Practices
One of the CIS security benefits that often flies under the radar is the data practice that the framework unwittingly teaches us.
Many of the cybersecurity frameworks out there, NIST, CIS CSC, NERC CIP, etc. have an uncanny ability to get the organization… well … organized. The structure of the CIS CSC and the implementation of all 20 steps, instills a data practice method that can be carried throughout the organizational structure.
By following the structure of the framework, the flow of data, both non-sensitive and sensitive, will be well known to management and all key individuals, departments, etc.
This alone is a huge boon when it comes to reducing cyber-risk; knowing is half the battle. While implementing the controls may seem like a checklist, the organization is building a schema in the collective mindset of how to best apply security principles throughout the ecosystem. This is primarily achieved through sharpening general data management practices.
Whether your organization wishes to mitigate technical cyber-risk or organizational cyber-risk, or to improve its general data management practices, adopting the CIS CSC framework can help in reducing your overall cyber-risk, and RSI Security is here to help.
Does your organization need a general cyberhealth check-up, or are you looking for advice on the latest cybersecurity frameworks? RSI Security are your cyber-angels. We live and breathe cybersecurity, with years of experience under our belt. We can help you with all your cybersecurity needs. Get in touch today and book a free consultation!