CIS Controls V8: What’s Different?
Cybersecurity is an ever-evolving industry that requires constant attention to the latest changes: new threats, new security measures, and new challenges that businesses may face in dealing with those concerns.
CIS Controls help provide a blueprint that makes it easier to address those challenges.
Created in 2008 by an international, grass-roots consortium, CIS Controls are designed to meet the changing cybersecurity needs of businesses of all sizes. The consortium includes cyber analysts, vulnerability researchers, users, consultants, solution providers, academics, auditors, and more, all of whom work together to create an effective set of controls that raises the level of security for everyone involved. The latest version, version 8, offers new enhancements that keep up with current software, systems, and needs. Version 8 also addresses mobile needs specifically, an important element of adapting security to the changing technology habits of the average user.
When it comes to CIS Controls, it’s important to note, as CIS itself points out, that it’s “not about the list.” You cannot achieve security within your ecosystem by going down a checklist and simply ticking each box. Instead, it’s critical to build a cybersecurity program that starts from those principles and then grows into a more effective, secure environment as a whole. It’s about training, learning how others have implemented and used the recommendations, and measuring your organization’s overall progress toward security.
Version 8 defines 18 critical controls that use simplified language and single actionable steps to help enhance the overall security of your organization. Many of these controls cover, and define more rigorously, safeguards you likely already have in place across your organization.
Active Management Standards
In order to protect your organization, you need to know what assets are in use, regularly or occasionally, across your organization. CIS Controls Version 8 sets a standard for inventorying, tracking, and managing all devices, platforms, and applications used by your company. To keep your organization secure, you must manage both hardware and software effectively, and these controls give you basic strategies for managing them and keeping up with the latest updates.
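The inventory controls above boil down to a recurring reconciliation: compare what you have authorized against what discovery actually finds, and act on the gaps. The following is an added illustration (not code from CIS or from this article) using constructed sample inventories; the MAC addresses, hostnames, package names and dates are all made up.

```python
from datetime import date, timedelta

# Constructed sample data: authorized enterprise assets keyed by MAC address
# (CIS v8 Control 1) and authorized software keyed by package name (Control 2).
AUTHORIZED_DEVICES = {
    "00:1a:2b:3c:4d:01": {"hostname": "fin-laptop-07", "owner": "finance"},
    "00:1a:2b:3c:4d:02": {"hostname": "hr-desktop-03", "owner": "hr"},
    "00:1a:2b:3c:4d:03": {"hostname": "print-srv-01", "owner": "it"},
}
AUTHORIZED_SOFTWARE = {"openssh-server": "9.6", "libreoffice": "7.6"}

# Constructed discovery results: what a network scan or endpoint agent reported,
# with the date each device was last seen and the software versions installed.
DISCOVERED_DEVICES = {
    "00:1a:2b:3c:4d:01": date(2024, 5, 20),
    "00:1a:2b:3c:4d:02": date(2024, 3, 1),   # authorized, but not seen for months
    "de:ad:be:ef:00:99": date(2024, 5, 21),  # never authorized
}
DISCOVERED_SOFTWARE = {"openssh-server": "9.6", "libreoffice": "7.4", "anydesk": "8.0"}


def reconcile_devices(authorized, discovered, today, stale_days=30):
    """Return (unauthorized, stale, not_seen) for the hardware inventory.

    unauthorized: discovered but not in the inventory -> investigate or remove.
    stale:        in the inventory, last seen more than stale_days ago -> review.
    not_seen:     in the inventory but absent from discovery -> verify disposal.
    """
    cutoff = today - timedelta(days=stale_days)
    unauthorized = set(discovered) - set(authorized)
    stale = {mac for mac in authorized if mac in discovered and discovered[mac] < cutoff}
    not_seen = set(authorized) - set(discovered)
    return unauthorized, stale, not_seen


def reconcile_software(authorized, discovered):
    """Return (unauthorized, wrong_version) for the software inventory."""
    unauthorized = {name for name in discovered if name not in authorized}
    wrong_version = {name for name, ver in discovered.items()
                     if name in authorized and authorized[name] != ver}
    return unauthorized, wrong_version


if __name__ == "__main__":
    today = date(2024, 5, 22)
    print("devices  :", reconcile_devices(AUTHORIZED_DEVICES, DISCOVERED_DEVICES, today))
    print("software :", reconcile_software(AUTHORIZED_SOFTWARE, DISCOVERED_SOFTWARE))
```

In practice the discovery side would be fed from a scanner or endpoint agent export and the run scheduled, so that each reconciliation leaves a record of which unauthorized and stale assets were reviewed.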
Configuration Suggestions and Account Management
In addition to knowing what assets you have and what you must do to protect them, you may need to configure those assets in specific ways to strengthen data protection. You must also keep track of how accounts and tools are assigned and who can access specific information, and retain control over who can continue to access it in the event of an emergency or disaster. Access control also helps track and limit who can reach specific digital assets, adding further layers of protection against a cyberattack.
Managing Vulnerabilities and Instituting Malware Protection
Protecting against cyberattacks is an ongoing process, not one that your organization can handle as a background task. Version 8 of the CIS Controls sets out specific vulnerability management and malware protection habits, including how to guard your web browsers and email servers.
Protecting Your Data
Ransomware has become a much bigger issue over the past year, and many businesses have already felt its weight. Data protection and recovery have become more important than ever. With the right data recovery standards in place, you can restore your business to its pre-attack state and get it up and running again, but you must first implement those vital protections.
Security Awareness and Skills Training
For years, cybersecurity experts have pointed out that your business’s biggest vulnerability is its employees. A large share of cyberattacks succeed not because a skilled attacker breaks your systems open from outside, but through the (often inadvertent) actions of your employees. Human vulnerability is one of the biggest threats to most organizations. With the right training, however, you can raise overall security awareness in a way that protects your organization and gives your employees the skills and knowledge they need to avoid attacks, or to react quickly when faced with a potentially dangerous scenario.
Using the Right Service Providers
Service providers are just as important to your organization as your internal team. Your service providers often operate critical IT platforms or processes, or handle or hold your sensitive data, which means that if they are vulnerable to a breach, you may be, too. The Kaseya attack, for example, highlighted the importance of using a service provider who not only has robust cybersecurity protections in place, but who can respond quickly and effectively in the event of an attack to help protect its users. Control 15 in CIS Controls Version 8 establishes a strategy for choosing vendors, partners, and service providers so that they deliver a high degree of security for your organization.
Testing and Preparation
When it comes to cybersecurity, testing and preparation are just as essential as the safeguards you actually have in place. Penetration testing can help you establish what vulnerabilities your organization might have and how you can help protect against them, while regular incident response planning and testing can help you prepare for potential disasters and increase the odds that your organization will respond appropriately in an emergency. Working with an external provider for these tasks can also offer you vital insights into your organization’s overall security and responses that you might not have developed on your own.
CIS Controls, whether you’re using Version 8 or a previous version, are designed to help you build a highly effective cybersecurity ecosystem: a system in which all the elements work together to form better overall protection. Do you need a provider who can help you meet these standards through your IT management? We can help. Contact us today to learn more about our IT management solutions and how they can benefit your business, and to see how we meet the criteria for managed service providers who can enhance your organization’s security.