CIS Controls Implementation Groups: How to protect enterprises

Every day we are more and more exposed to cybercrime. Computers, smartphones and IoT devices are part of everyday life in every home and business. Added to this is the emergence of cutting-edge technologies such as artificial intelligence, cloud services, smart cities and 5G. All these results in endless opportunities and advantages for people, professionals and companies. But it also means an increase in cyber exposure. Therefore, all companies, not just the largest, must place cybersecurity at the center of their strategy. This is precisely the goal of the CIS Controls Implementation Groups.

The Center for Internet Security (CIS) is a non-profit organization whose mission is to build trust in the digital world. To this end, it has developed various solutions and a methodological framework based on global best practices in cybersecurity. Within this work, creating and updating the CIS critical security controls stands out above all.

The latest version of this guide consists of 18 security controls and 153 safeguards. In other words, concrete actions must be taken to implement each control effectively.

Is it feasible for a medium-sized company to implement these 153 actions? The guide resolves these questions by defining three groups for implementing CIS controls, depending on the company’s size, resources, and cybersecurity maturity level.

Below, we will explore the key CIS controls implementation groups. And their relevance in helping small and medium-sized enterprises arm themselves against cybercriminals.

1. Digitalization and cybersecurity

Digitalization has spread to all areas of our lives and also to the business world as a whole. Today, most companies use software, digital devices or WiFi networks and have websites and other elements exposed to the Internet and, therefore, to cyber-attacks.

The digital transformation of companies must be accompanied by a cybersecurity strategy commensurate with the company’s exposure area and the data it stores.

Otherwise, companies expose themselves to being victims of fraud or data theft. As well as the consequences of these security incidents: damage to the company’s reputation, financial losses linked to the attack, legal repercussions and possible fines…

Large companies undertook their digital transformation years ago, which has led to a higher level of awareness of the importance of cybersecurity. This, together with their ability to mobilize economic resources and the need to comply with increasingly demanding regulations, has made it easier for these organizations to have specialized departments or to hire advanced cybersecurity services to optimize their security measures, controls and policies.

On the other hand, SMEs have joined the digital revolution later, need more economic resources, have to deal with less demanding legal requirements and, above all, have a significantly lower level of awareness of the importance of cybersecurity.

This is also because many cybersecurity incidents this type of companies suffer go unreported. In contrast, the cyberattacks that large companies have to deal with are made public and are reported by the media to the public.

2. SMEs, the target of cyberattacks

Given the above context and the increasing cyber-exposure they face, SMEs and medium-sized companies have become ideal targets for criminals. It is easier to detect security breaches in this type of organization than in companies that use cybersecurity services to defend themselves.

According to the Ministry of Home Office, there were more than 200,000 cybercrimes in Spain between January and September 2022. Without knowing the figure for the last quarter and incorporating data from Catalonia and the Basque Country, this headline gives a good account of the number of criminal actions carried out over the Internet. A figure that is growing year after year.

Despite this, many companies and citizens do not perceive cyber-attacks as a major threat, which can exfiltrate their data and have a far-reaching impact on business activity and personal life.

As it is, Google’s Current Cybersecurity Landscape in Spain report provides worrying data. For example, only 12% of IT managers in SMEs consider that their organizations have a «very secure» level of protection against attacks. Moreover, 32% of these managers need to be clearer about cybersecurity. All this translates into 2 out of 3 SMEs lacking cybersecurity measures.

What is the direct consequence of this data? First, criminals have targeted small and medium-sized companies.

Additionally, SMEs must pay more attention to cybersecurity when designing their business strategy. Otherwise, they will put their business continuity and survival at stake.

3. CIS Controls Implementation Groups: Cybersecurity on demand

As mentioned above, the CIS’s mission is to help make the Internet ecosystem safer for businesses and the general public.

Therefore, critical security controls are not a checklist for companies or cybersecurity experts to follow. Rather, they are a starting point for organizations to create their cybersecurity ecosystem.

In this sense, the implementation of controls and safeguards should be carried out, considering each company’s:

• Characteristics.
• Needs.
• Resources.
• As well as its exposure to cybercrime.

The CIS controls implementation groups seek precisely to adapt this globally recognized methodology to the reality and complexity of all types of companies. Thus banishing the idea that cybersecurity is only a matter for large companies and public administrations.

3.1. How do the CIS control implementation groups work?

Very simply. As with the OWASP methodology, one could say that each of the CIS controls implementation groups is a layer of security:

• The first group (IG1) includes all the safeguards that must be executed to ensure a basic cyber hygiene level.
• The second group (IG2) comprises safeguards designed for companies with a higher level of cyber exposure.
• While the third group (IG3) would include safeguards that contribute to securing a company against sophisticated cyber-attacks.

Thus, small and medium-sized companies with limited resources could focus their resources on the most important cybersecurity issues by implementing the 56 safeguards of IG1.

While companies with greater cyber exposure and more resources to optimize their security strategy, in addition to implementing the 56 basic cyber hygiene safeguards, should undertake the 74 safeguards of IG2 and, if necessary, the 23 actions included in IG3.

3.2. Tailoring controls to the needs of each enterprise

It should be noted that, as this is not a closed list, the implementation of CIS controls can be adapted to each case.

Let’s think, for example, of an SME that due to its characteristics and resources would fall into implementation group 1. However, it is interested in further implementing CIS control 17: Incident response management to ensure business continuity during a security incident.

Thus, in addition to the three safeguards to be implemented by IG1 organizations, it has decided to implement three actions designed for IG2 and IG3:

• First, establish and maintain an incident response process (17.4.)
• Second, assign key roles and responsibilities (17.5.)
• Third, define communication mechanisms during the incident response (17.6.).

This example allows us to observe an issue we pointed out earlier; the CIS controls are a starting point. A tool designed to help all types of companies to design and optimize their security strategy and protect their business model, technological infrastructure and customers’ data from cybercriminals.

Hence, the CIS controls implementation groups are designed to guide companies, especially small and medium-sized ones, using CIS controls to secure themselves. And, above all, to help them decide how to manage their resources and what security actions to prioritize.

4. Ensuring that small and medium-sized enterprises have basic cyber hygiene

Although many small and mid-sized companies believe that cyber-attacks are targeted at large companies that handle huge amounts of sensitive data, for example, banks, reality has shown that SMEs are also a target for criminals. Unfortunately, they cannot look the other way.

In addition, adopting the GDPR or the NIS2 directive obliges thousands of companies, not only large ones, to strengthen their security measures, have effective incident management and information transfer policies in place, and store and handle their customers’ and employees’ data securely.

For all these reasons, CIS critical security controls can be a good starting point for evaluating and optimizing the security mechanisms of a small or medium-sized company.

In this sense, the safeguards included in the first implementation groups are basic actions a company should put in place to protect its assets.

The CIS guide argues that small and medium-sized companies, in terms of data protection, must, above all, safeguard «employee information and financial information».

Therefore, the actions selected for Implementation Group 1 focus on helping companies resist «general and non-targeted attacks». And they can be implemented using commercially available hardware and software.

4.1. Failure to invest resources in the most advanced security controls

It should be noted that the 56 safeguards selected for IG1 are not distributed among the 18 CIS controls.

There are three critical security controls that companies with lower cybersecurity requirements and needs do not have to implement:

• Network Monitoring and Defense (13).
• Application software security (16)
• Penetration testing (18)

This is because these are controls that require advanced cybersecurity resources and expertise. For example, pentesting services must be performed by professionals with extensive experience and knowledge.

Such an exhaustive analysis is not indispensable for small and medium-sized companies with lower cyber exposure and information sensitivity.

As any business owner or professional knows, an organization’s resources are limited. It is, therefore, essential to prioritize the actions to be taken and direct economic resources to the areas where the cost/benefit ratio is most advantageous for the company.

4.2. Focus on data recovery and training

On the other hand, we must highlight the fact that there are two critical security controls in which almost all of their safeguards must also be implemented by small and medium-sized companies:

• Data recovery (11)
• Security awareness and skills training (14).

4.2.1. Data recovery

Regarding data recovery, SMEs have to execute 4 of the 5 safeguards that make up this control:

• First, establish and maintain a data recovery process (11.1.)
• Second, perform automated backups (11.2.)
• Third, protect the recovery data (11.3.)
• Last, establish and maintain an isolated instance of recovery data (11.4.)

This is a good illustration of the importance of information for all companies today. As well as the legal requirements in terms of data protection. All organizations must have effective mechanisms to recover their data and restore normality during a security incident. Otherwise, the company’s business may be seriously and irreparably affected.

4.2.2. Cybersecurity training and awareness raising

Cybersecurity awareness and training are essential to prevent professionals from committing careless or imprudent acts that trigger security incidents.

Moreover, as we have argued throughout this article, one of the big reasons small and medium-sized companies do not give cybersecurity the relevance it should have is that decision-makers are unaware of the repercussions of a successful cyberattack.

With these issues in mind, the guidance states that IG1 companies should perform 8 of the 9 safeguards selected for this group of implementing CIS controls:

• Establish and maintain a security awareness program (14.1.).
• Train the company’s professionals and workers:
  • To recognize social engineering attacks (14.2.)
  • On authentication best practices (14.3.)
  • On data handling best practices (14.4.)
  • On the causes of unintentional data exposure (14.5.)
  • On the recognition and reporting of security incidents (14.6.)
  • To enable them to identify and report if business assets are missing security updates (14.7.)
  • The dangers of connecting to and transmitting business data over secure networks (14.8.)

5. Securing organizations most exposed to cyber-attacks

After analyzing the features of IG1, it is time to dwell slightly on the most advanced CIS controls implementation groups: IG2 and IG3.

To the 56 basic cyber defense safeguards of IG1, we must add the 74 additional actions of IG2 and, finally, for the most mature companies, the 23 safeguards of IG3.

5.1. Companies responsible for managing and protecting IT infrastructure

Which type of organization is the second group of CIS controls implementation intended?

Companies that have professionals in charge of managing and safeguarding their technological infrastructure. We are talking, therefore, about companies of a certain size, made up of various departments with a different risk profiles.

Unlike SMEs, these companies store and process particularly sensitive information, vital business data and their customers’ personal information.

Therefore, they need to ensure the protection of their data and business continuity to avoid «loss of public confidence in the event of a breach».

The 130 safeguards to be implemented enable these companies to meet the challenges of their growing cyber exposure successfully. As well as the demands linked to a complex technology infrastructure.

To implement these safeguards, companies must rely on professionals experienced in providing cybersecurity services and handling reference methodologies such as CIS, OWASP or NIST.

Executing the actions selected in IG2 involves implementing the 18 critical CIS security controls. In addition, five of these controls are fully implemented in this implementation group:

• Account Management (5)
• Continuous vulnerability management (7)
• Malware defenses (10)
• Data recovery (11)
• Security awareness and skills training (14)

5.2. Companies hiring cybersecurity professionals

Finally, we would come to the last of the CIS controls implementation groups: IG3. This group is intended for companies that hire advanced cybersecurity services to cover the main areas of the security strategy of a fully digitized company: risk management of assets and technological infrastructure, periodic penetration tests to assess the functioning of security measures, security audits of web applications and mobile apps, etc.

5.2.1. Safeguarding data and complying with regulations

In such a way that we are faced with companies that:

• Store, process and protect extremely sensitive information. They store, process, and protect extremely sensitive information, both of a business nature and the private data of their customers and employees.
• They must comply with a very strict regulatory framework. RGPD, NIS2 directive, DORA regulation.

They must therefore ensure that their security strategy is optimal. And constantly updated to deal with the most advanced techniques developed by cyber criminals.

Data availability, confidentiality, integrity and accessibility are paramount when designing, evaluating and improving security systems.

The repercussions of a successful attack can be catastrophic: financially, legally and socially.

Hence, the 23 safeguards added to those selected in IG2 are designed to help companies and their cybersecurity experts ensure that the organization is capable of early detection, containment and mitigation of sophisticated attacks.

We can point to some of these advanced cyber defense actions:

• Using a passive asset discovery tool (1.5.).
• Logging access to sensitive data (3.14.).
• Implementing email server anti-malware protections (9.7.).
• Or performing internal penetration testing regularly (18.5.).

In short, the CIS controls implementation groups are an extra functionality of this methodology that helps any company to design, evaluate and improve its security strategy.

Thus, thanks to the CIS controls implementation groups, not only companies with higher turnover and resources can protect themselves against cyber-attacks. In addition, small and mid-sized companies can also implement critical security controls and manage their resources to protect their assets and business models from the increasing fraud and attacks they are experiencing.