Discover the truth about cybersecurity for small businesses and how to bridge the gaps in your defences

Yogi SchulzDo you think cybersecurity is expensive and consumes too much staff time? Do you believe your organization is too small, low profile and inconsequential to attract the attention of cyber attackers? Too many Small and Midsize Business (SMB) managers believe these misperceptions and sweep the topic of cybersecurity under the carpet at their peril.

This article describes assessing your SMB cybersecurity defences using a comprehensive, low-cost, low-effort process. Using the CIS Critical Security CIS Controls to evaluate your cybersecurity risks will produce:

  • Confirmation of which of your cybersecurity actions are going well.
  • An actionable list of cybersecurity gaps that need remediation.
  • A high level of assurance about the state of your SMB cybersecurity.


More on

Small business

Not yet a member? Join Us

979 words
Reading Time: 5 minutes

If your immediate reaction is that you don’t have any controls, making this assessment process irrelevant, you’d be wrong. Most IT organizations operate cybersecurity defences with related controls. They just don’t label their work using these terms. Senior executives are conversant with the controls concept through their work with financial controls and C-SOX audits.

What risks am I accepting by ignoring cybersecurity?

Cyberattacks include phishing attacks, data breaches, ransomware, theft of company intellectual property, corporate espionage, and identity theft. The adverse impacts of successful cyberattacks include:

  • Reputational damage among customers and suppliers leading to loss of business.
  • Financial losses due to the cost of repairing the computing infrastructure’s damage and recreating data.
  • Fines payable to regulators for violating the General Data Protection Regulation (GDPR) or similar regulations.
  • Market share losses when theft of intellectual property creates competitors.
  • Loss of revenue due to operational disruption.

Taken together, these likely impacts create a risk of bankruptcy.

For practical tips and information that strengthen cybersecurity, please watch the videos of MAPLESEC presentations. This conference brings together industry, non-profits, and government agencies to exchange best practices with experts.

What is CIS?

The Center for Internet Security (CIS) is a non-profit organization founded in 2000. Its mission is to develop, promote and sustain best practices in cybersecurity to enable the Internet to be a trusted environment. The members include government agencies, corporations and academic institutions. These members developed the CIS Controls® for computing environments by collaborating with experts in various disciplines, including security analysts, auditors, executives and policymakers.

What value do the CIS controls create?

The CIS community asserts that implementing the CIS controls:

  • Prevents the vast majority of cyberattacks.
  • Assures organizations that cybersecurity defences are comprehensive.
  • Provides a framework for automating and managing cybersecurity defences well into the future.

What are the CIS controls?

CIS defines 153 cyber defence safeguards grouped into 18 CIS controls. The safeguards are divided into three implementation groups (IG) as follows:

  • IG1 – Implement essential cyber hygiene to thwart general attacks.
  • IG2 – Manage complex IT infrastructure.
  • IG3 – Secure confidential data to prevent sophisticated attacks.

The IGs recognize the resource constraints most SMBs operate with. To reduce cybersecurity risk, CIS recommends that SMBs focus resources first on the most straightforward and cheapest controls in IG1. Then, SMBs can evaluate if any of the controls in IG2 and IG3 need to be implemented.

What differentiates the CIS controls from alternatives?

The CIS controls are an example of a governance, risk management, and compliance (GRC) standard. GRC standards describe cybersecurity best practices with their related processes and procedures. However, few GRC standards provide much detail on what is actually expected, recommended or proven effective. The CIS controls’ structure, description and organization address this shortcoming of other standards, making it easier and cheaper for SMBs to implement and assess.

The CIS controls have proven their value by defining a base level of cybersecurity practices that all organizations, regardless of size or mission, should embrace and incorporate into their IT operations.

How do I begin?

Begin by downloading and reading the 4-page summary of the CIS Implementation Groups. This document illustrates how CIS divides cybersecurity into various topics and provides an overview of all the safeguards in the context of the control they belong to.

Then download the CIS Critical Security Controls v8 Excel workbook. Reading the detailed descriptions of the many safeguards in the worksheet Controls V8 will give you a good understanding of the scope of the controls and how they are grouped.

Then, to conduct the cybersecurity assessment of your organization, download the CIS Critical Security Control v8.0 Assessment Tool from the AuditScripts website. This assessment tool expands on the CIS Excel workbook by providing:

  • Dropdown lists of choices for assessment conclusions.
  • A dashboard that shows the results of your assessment graphically.
  • An assessment summary of results for each control.
  • More detailed instructions for conducting the cybersecurity assessment.

The effort required to conduct the cybersecurity assessment of your organization is typically one to two days.

The first cybersecurity assessment will form the baseline of the state of your cybersecurity defences. By repeating the assessment every year, you can demonstrate continuous improvement.

What’s next?

Once you have completed the assessment of CIS controls, you have a definitive result showing which cybersecurity controls are effective and which are not.

You are now ready to reduce your cybersecurity risks by remediating the ineffective controls. Start by remediating the not-effective IG1 controls. Move on to the not-effective IG2 and IG3 controls once you have completed work on IG1 controls and feel the need to reduce cybersecurity risks further.

You are also ready to:

  • Describe the state of your cybersecurity defences to senior management and your board of directors in a summary form.
  • Explain your remediation plan to raise cybersecurity defences.

These two points will provide your organization with a high level of assurance that your cybersecurity risks are being comprehensively managed.

Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.

For interview requests, click here.

The opinions expressed by our columnists and contributors are theirs alone and do not inherently or expressly reflect the views of our publication.

© Troy Media
Troy Media is an editorial content provider to media outlets and its own hosted community news outlets across Canada.