In today’s rapidly evolving digital and threat landscape, small and medium-sized businesses (SMBs) are no longer exempt from the devastating impact of cyberattacks. As these businesses increasingly rely on technology for day-to-day operations, they become attractive targets for cybercriminals. With limited resources and budgets compared to larger enterprises, SMBs often struggle to implement comprehensive cybersecurity measures. Fortunately, there’s a solution designed to help organizations of all sizes strengthen their security posture: the CIS 18 Critical Security Controls.
In this article, we’ll explore how your organization can use these controls to build a robust defense against cyber threats. We’ll discuss practical steps, tailored strategies, and cost-effective solutions that SMBs can adopt to create a secure and resilient IT infrastructure. By the end, your management team should be better equipped with the knowledge and tools to fortify your business against cyberattacks and safeguard your valuable assets.
smplsolutions’ expert cybersecurity team stands ready to assist your organization, and its technical team where internal IT resources are available, in addressing these controls with our proven and effective solutions.
Table of the 18 CIS Controls:

| CIS Control Number | Control Name | Summary | Suggested Administrative, Physical & Technical Solutions |
|---|---|---|---|
| 1 | Inventory and Control of Hardware Assets | Identify and maintain an inventory of authorized hardware devices. | Administrative: Policy development, asset management processes, and personnel training. Physical: Asset tagging and physical access control. Technical: Automated asset discovery and inventory tools. |
| 2 | Inventory and Control of Software Assets | Maintain an inventory of authorized software, and prevent unauthorized software from executing. | Administrative: Software procurement policies and application whitelisting. Physical: Restricted access to software installation media. Technical: Software inventory tools and application control solutions. |
| 3 | Continuous Vulnerability Management | Regularly assess and remediate vulnerabilities to reduce risk. | Administrative: Vulnerability management policies and procedures. Physical: N/A. Technical: Vulnerability scanning tools and patch management systems. |
| 4 | Controlled Use of Administrative Privileges | Limit administrative privileges and monitor their use to prevent unauthorized access or changes. | Administrative: Access control policies and privilege management processes. Physical: N/A. Technical: User account management tools and privileged access management solutions. |
| 5 | Secure Configuration for Hardware and Software | Establish and maintain secure configurations for hardware and software systems. | Administrative: Configuration management policies and baseline development. Physical: N/A. Technical: Configuration management tools and automated compliance monitoring. |
| 6 | Maintenance, Monitoring, and Analysis of Audit Logs | Collect, manage, and analyze audit logs to detect and respond to security events. | Administrative: Logging and monitoring policies and procedures. Physical: N/A. Technical: Security information and event management (SIEM) systems and log analysis tools. |
| 7 | Email and Web Browser Protections | Enhance email and web browser security to protect against attacks. | Administrative: Email and web browsing policies and training. Physical: N/A. Technical: Email security gateways, secure web gateways, and browser security settings. |
| 8 | Malware Defenses | Implement malware defenses to detect and prevent malicious software. | Administrative: Malware defense policies and user training. Physical: N/A. Technical: Endpoint anti-malware/EDR, network-based malware detection, and application whitelisting. |
| 9 | Limitation and Control of Network Ports, Protocols, and Services | Minimize potential attack surfaces by limiting and controlling network services. | Administrative: Network policies and procedures, including segmentation and firewall rules. Physical: N/A. Technical: Firewalls, intrusion prevention systems, and network access control (NAC) solutions. |
| 10 | Data Recovery Capabilities | Ensure proper data backup and recovery to minimize the impact of data loss. | Administrative: Data backup and recovery policies, procedures, and testing. Physical: Offsite storage of backup media and secure backup facilities. Technical: Automated backup solutions and regular restore testing. |
| 11 | Secure Configuration for Network Devices | Establish and maintain secure configurations for network infrastructure devices. | Administrative: Network device configuration policies and baseline development. Physical: N/A. Technical: Network device configuration management tools and automated compliance monitoring. |
| 12 | Boundary Defense | Protect the organization’s network perimeter with robust defenses. | Administrative: Network perimeter defense policies and procedures. Physical: N/A. Technical: Firewalls, intrusion prevention systems, network segmentation, and VPNs. |
| 13 | Data Protection | Implement data protection measures to prevent unauthorized access or tampering. | Administrative: Data classification policies and handling procedures. Physical: Secure storage areas for sensitive data. Technical: Data encryption, data loss prevention (DLP) solutions, and access controls. |
| 14 | Controlled Access Based on the Need to Know | Limit access to sensitive information based on job responsibilities. | Administrative: Access control policies based on job roles and responsibilities. Physical: Secure areas for storing sensitive information. Technical: Role-based access control (RBAC) systems and access control lists. |
| 15 | Wireless Access Control | Secure wireless access points and monitor their use. | Administrative: Wireless security policies and procedures. Physical: Secure placement of wireless access points. Technical: Wireless encryption, wireless intrusion prevention systems, and network access control (NAC). |
| 16 | Account Monitoring and Control | Monitor and control user accounts to prevent unauthorized access. | Administrative: Account management policies and procedures. Physical: N/A. Technical: User account management tools, automated account provisioning, and monitoring. |
| 17 | Security Skills Assessment and Appropriate Training to Fill Gaps | Assess and improve employee security skills to reduce risk. | Administrative: Security awareness training programs and skills assessments. Physical: N/A. Technical: Training platforms and assessment tools. |
| 18 | Application Software Security | Ensure the security of applications by following best practices in development and deployment. | Administrative: Secure software development policies and procedures. Physical: Restricted access to development environments. Technical: Secure coding practices, code review tools, and application security testing. |
A successful implementation of the CIS Controls (previously known as the SANS Top 20 Critical Security Controls) starts with a solid understanding of what each control requires and by what means it can be fulfilled. Note that the control names and numbering used in this article follow the older (v6/v7) naming. CIS Controls v8 consolidated the set to 18 and renamed and renumbered several controls (for example, Control 1 became "Inventory and Control of Enterprise Assets", Data Protection is now Control 3, and Audit Log Management is Control 8); v8 also added Service Provider Management, Incident Response Management, and Penetration Testing as Controls 15, 17, and 18, which the sections below do not cover separately. Map each section to its v8 counterpart when you assess against the current version.
The following sections outline each of the 18 controls, the high-level steps you can take to achieve conformance, and the solutions we offer to assist your organization on the path to compliance.
1. Inventory and Control of Hardware Assets
This control aims to maintain a comprehensive and accurate inventory of all hardware assets, which helps organizations manage devices, detect unauthorized equipment, and support security incident response efforts.
Steps to achieve:
- Develop a hardware inventory policy outlining roles and responsibilities.
- Use automated asset discovery and inventory tools for tracking hardware devices.
- Update the inventory regularly to reflect changes in devices and ownership.
- Implement a physical asset tagging system for managing devices throughout their lifecycle.
Our Solutions for Compliance:
- Ask a representative about our smplRMM, smplEDR and smplAsset Manager product offerings
2. Inventory and Control of Software Assets
This control focuses on creating and maintaining an accurate software inventory, which helps organizations manage software installations, detect unauthorized applications, and ensure adherence to licensing requirements.
Steps to achieve:
- Develop a software inventory policy outlining roles and responsibilities.
- Use automated software inventory tools and application whitelisting solutions.
- Update the inventory regularly to reflect changes in installations, updates, and licenses.
- Establish a software procurement process for authorized installations.
Our Solutions for Compliance:
- Ask a representative about our smplRMM and smplAsset Manager product offerings
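The value of Controls 1 and 2 comes from the reconciliation step: comparing what discovery actually finds against what the inventory says is authorized. The following script is an added illustration of that step, not code from this page or from smplsolutions. The discovered-host sweep, the authorized hardware inventory, the installed-software report and the software allowlist are all constructed sample data standing in for the exports of whatever discovery and inventory tools you use; the field layouts are assumptions.

```python
"""Reconcile discovered hardware and software against the authorized inventory.

Added illustration, not smplsolutions code. All data below is constructed and
stands in for the export of an automated discovery/inventory tool.
"""
from dataclasses import dataclass

# Authorized hardware inventory, keyed by MAC address (hypothetical).
AUTHORIZED_HOSTS = {
    "aa:bb:cc:00:00:01": {"name": "fs01", "owner": "IT", "ip": "10.0.1.10"},
    "aa:bb:cc:00:00:02": {"name": "wks-jdoe", "owner": "J. Doe", "ip": "10.0.2.21"},
    "aa:bb:cc:00:00:03": {"name": "printer-2f", "owner": "Facilities", "ip": "10.0.2.50"},
}

# Constructed output of a network discovery sweep: (ip, mac, hostname).
DISCOVERED_HOSTS = [
    ("10.0.1.10", "aa:bb:cc:00:00:01", "fs01"),
    ("10.0.2.21", "aa:bb:cc:00:00:02", "wks-jdoe"),
    ("10.0.2.77", "de:ad:be:ef:00:01", "raspberrypi"),   # not in the inventory
    ("10.0.2.50", "aa:bb:cc:00:00:03", "printer-2f"),
]

# Software allowlist: product name -> approved versions (hypothetical).
SOFTWARE_ALLOWLIST = {
    "Google Chrome": {"124.0", "125.0"},
    "7-Zip": {"23.01"},
    "Microsoft Office": {"16.0"},
}

# Constructed per-host software inventory: (host, product, version).
INSTALLED_SOFTWARE = [
    ("wks-jdoe", "Google Chrome", "125.0"),
    ("wks-jdoe", "7-Zip", "19.00"),      # approved product, unapproved version
    ("wks-jdoe", "uTorrent", "3.6"),     # not approved at all
    ("fs01", "Microsoft Office", "16.0"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # unknown_device | missing_device | unapproved_software | unapproved_version
    detail: str


def reconcile_hardware(discovered, authorized):
    """Flag devices seen on the network but not authorized, and authorized
    devices that were not seen (possibly removed, relocated or stolen)."""
    findings = []
    seen_macs = set()
    for ip, mac, hostname in discovered:
        seen_macs.add(mac)
        if mac not in authorized:
            findings.append(Finding(hostname, "unknown_device", f"{mac} at {ip}"))
    for mac, entry in authorized.items():
        if mac not in seen_macs:
            findings.append(Finding(entry["name"], "missing_device", f"{mac} not seen in sweep"))
    return findings


def reconcile_software(installed, allowlist):
    """Flag software not on the allowlist, and approved products running a
    version that is not approved (the usual patch-lag case)."""
    findings = []
    for host, product, version in installed:
        approved_versions = allowlist.get(product)
        if approved_versions is None:
            findings.append(Finding(host, "unapproved_software", f"{product} {version}"))
        elif version not in approved_versions:
            findings.append(Finding(host, "unapproved_version",
                                    f"{product} {version}; approved: {sorted(approved_versions)}"))
    return findings


def run_reconciliation():
    """Combined report; in practice this runs on a schedule and feeds ticketing."""
    findings = reconcile_hardware(DISCOVERED_HOSTS, AUTHORIZED_HOSTS)
    findings += reconcile_software(INSTALLED_SOFTWARE, SOFTWARE_ALLOWLIST)
    return findings


if __name__ == "__main__":
    for f in run_reconciliation():
        print(f"[{f.kind}] {f.host}: {f.detail}")
```

Keying hardware on MAC address rather than IP or hostname is deliberate: DHCP reassigns addresses and an attacker can name a device anything. A "missing_device" finding is as important as an unknown one, since a laptop that disappears from the sweep may have left the building with data on it.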
3. Continuous Vulnerability Management
This control seeks to identify and remediate vulnerabilities in hardware, software, and network infrastructure, reducing the risk of exploitation and ensuring the ongoing security of an organization’s systems.
Steps to achieve:
- Adopt a vulnerability management policy outlining assessment frequency and remediation priorities.
- Use automated vulnerability scanning tools for hardware, software, and network infrastructure.
- Establish a patch management process for prompt and consistent deployment of security updates.
- Conduct regular penetration testing to evaluate security measures and identify weaknesses.
Our Solutions for Compliance:
- Ask a representative about our smplVulscan, smplPentest and smplRMM product offerings
4. Controlled Use of Administrative Privileges
The goal of this control is to manage and monitor the use of administrative privileges, minimizing the risk of unauthorized access, data breaches, and other security incidents stemming from privileged account misuse.
Steps to achieve:
- Develop an access control policy outlining criteria for granting and revoking administrative privileges.
- Implement the principle of least privilege for user access.
- Use privileged access management (PAM) solutions for monitoring and controlling administrative privileges.
- Conduct regular audits of user accounts to ensure appropriate use of administrative privileges.
5. Secure Configuration for Hardware and Software
This control aims to establish and maintain secure configurations for hardware and software systems, reducing the attack surface and helping to prevent unauthorized access or tampering.
Steps to achieve:
- Develop configuration policies and baselines for hardware and software systems.
- Implement change management processes to control modifications to system configurations.
- Regularly review and update configuration baselines to align with industry standards and best practices.
- Conduct configuration audits to identify and remediate deviations from the established baselines.
6. Maintenance, Monitoring, and Analysis of Audit Logs
The purpose of this control is to collect, store, and analyze audit logs, enabling organizations to detect and respond to security events and identify trends or potential threats.
Steps to achieve:
- Develop an audit log management policy outlining log retention, review, and analysis requirements.
- Implement centralized logging solutions to collect, store, and manage audit logs from various sources.
- Regularly review and analyze logs to detect and respond to security events.
- Use automated log analysis tools to identify trends and potential threats.
Our Solutions for Compliance:
- Ask a representative about our smplSOC product offering
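Centralized collection is only useful if something actually reads the logs. As an added example of the "automated log analysis" step, not code from this page or from smplsolutions, the script below runs two detections over a handful of constructed OpenSSH auth-log lines: a sliding-window count of failed logons per source address, and the pattern that matters more, a successful logon from an address that recently failed repeatedly. The threshold, window and assumed year are tuning assumptions.

```python
"""Detect SSH password-guessing bursts in authentication logs.

Added example, not smplsolutions code. The log lines are constructed in the
style of an OpenSSH/syslog auth log; thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (syslog timestamps omit the year, as sshd writes them).
SAMPLE_LOG = """\
Mar 14 02:11:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:03 web01 sshd[2233]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Mar 14 02:11:04 web01 sshd[2235]: Failed password for root from 203.0.113.45 port 51031 ssh2
Mar 14 02:11:06 web01 sshd[2237]: Failed password for root from 203.0.113.45 port 51040 ssh2
Mar 14 02:11:08 web01 sshd[2239]: Failed password for invalid user test from 203.0.113.45 port 51044 ssh2
Mar 14 02:11:09 web01 sshd[2241]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Mar 14 02:15:30 web01 sshd[2260]: Failed password for jdoe from 198.51.100.7 port 40200 ssh2
Mar 14 02:15:41 web01 sshd[2262]: Accepted password for jdoe from 198.51.100.7 port 40201 ssh2
Mar 14 02:40:00 web01 sshd[2300]: Accepted password for root from 203.0.113.45 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2024  # syslog lines carry no year; assumed here


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that are not sshd auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per source IP that reaches `threshold` failed logons within a
    sliding window. Returns [(ip, first_ts, last_ts, sorted_usernames_tried)]."""
    failures = defaultdict(deque)   # ip -> (ts, user) events inside the window
    alerted = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result != "Failed":
            continue
        q = failures[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                    # drop events that aged out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted[ip] = (ip, q[0][0], ts, sorted({u for _, u in q}))
    return list(alerted.values())


def detect_success_after_failures(lines, min_failures=3, lookback_seconds=3600):
    """Flag an accepted logon from an IP with recent repeated failures: the
    guessing may have worked. Returns [(ip, user, ts, failure_count)]."""
    recent_failures = defaultdict(list)
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            recent_failures[ip].append(ts)
        else:
            fails = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= lookback_seconds]
            if len(fails) >= min_failures:
                hits.append((ip, user, ts, len(fails)))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, first, last, users in detect_bruteforce(lines):
        print(f"brute force from {ip}: {first:%H:%M:%S}-{last:%H:%M:%S}, users tried {users}")
    for ip, user, ts, n in detect_success_after_failures(lines):
        print(f"success for {user} from {ip} at {ts:%H:%M:%S} after {n} recent failures")
```

A SIEM expresses the same two rules as correlation searches; writing them out shows why log retention matters for the second one (the lookback cannot exceed what is stored) and why the "success after failures" alert deserves a higher severity than the burst alone.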
7. Email and Web Browser Protections
This control focuses on implementing security measures for email and web browsing, helping to protect organizations from phishing attacks, malicious websites, and other internet-based threats.
Steps to achieve:
- Establish email and web browsing policies outlining acceptable usage and security requirements.
- Train employees on recognizing and reporting phishing emails and malicious links.
- Implement email security gateways for filtering spam, phishing, and malware.
- Use secure web gateways and browser security settings to restrict access to harmful websites and block malicious content.
Our Solutions for Compliance:
- Ask a representative about our smplShield and smplDNS product offerings
8. Malware Defenses
The goal of this control is to deploy a multi-layered approach to malware defense, detecting and preventing infections and minimizing the impact of malware on an organization’s systems and data.
Steps to achieve:
- Employ antivirus and anti-malware software on all endpoints and servers with regular updates.
- Use network-based malware detection solutions for identifying and blocking malicious traffic.
- Implement application whitelisting to prevent unauthorized software execution.
- Train employees on recognizing and avoiding potential malware threats.
Our Solutions for Compliance:
- Ask a representative about our smplEDR, smplShield and smplSEAT product offerings
9. Limitation and Control of Network Ports, Protocols, and Services
This control aims to minimize an organization’s attack surface by limiting and controlling network ports, protocols, and services, reducing the risk of cyberattacks.
Steps to achieve:
- Develop a network security policy outlining approved use of network ports, protocols, and services.
- Implement firewalls and intrusion prevention systems (IPS) to block unauthorized traffic and detect threats.
- Use network segmentation to separate sensitive systems and data from other network areas.
- Regularly audit and review network configurations to ensure that only necessary services are running and unused ports are closed.
Our Solutions for Compliance:
- Ask a representative about our smplFirewall product offering
10. Data Recovery Capabilities
The purpose of this control is to ensure the availability and integrity of critical data by implementing effective backup and recovery processes, minimizing the impact of data loss or corruption.
Steps to achieve:
- Develop a data backup and recovery policy outlining backup frequency, storage locations, and testing requirements.
- Implement automated backup solutions to ensure consistent and accurate backups.
- Store backup copies in secure, off-site locations to protect against data loss due to disasters.
- Conduct regular tests of your backup and recovery processes to validate their effectiveness and identify areas for improvement.
Our Solutions for Compliance:
- Ask a representative about our smplBackup Cloud and smpl365BU product offerings
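A backup you have never restored is a hypothesis. The script below is an added example of the "test your backup and recovery processes" step, not code from this page or from smplsolutions: it archives a constructed sample directory, records a SHA-256 manifest outside the archive, restores to a scratch location and compares every file against the manifest. A second run silently corrupts the stored archive to show that a restore that "succeeds" is not the same as a restore that is verified. File names and the use of a temporary directory are illustrative.

```python
"""Back up a directory and prove the backup restores intact (standard library only).

Added example, not smplsolutions code. Sample files are constructed in a
temporary directory; the uncompressed tar format is used so the tamper demo
can patch bytes in place without breaking the container.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Archive every file under source_dir and return the manifest taken at
    backup time. Keep the manifest apart from the archive: an integrity record
    that lives only inside the backup cannot detect tampering with that backup."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w") as tar:
        for rel in manifest:
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest


def restore_and_verify(archive_path, manifest, restore_dir):
    """Extract into restore_dir and compare with the manifest.
    Returns {'missing': [...], 'corrupted': [...]}; both empty means verified."""
    # The 'data' extraction filter (Python 3.12+, backported to 3.8.17/3.9.17/
    # 3.10.12/3.11.4) rejects path traversal and absolute members in the archive.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r") as tar:
        tar.extractall(restore_dir, **extract_kwargs)
    restored = build_manifest(restore_dir)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    return {"missing": missing, "corrupted": corrupted}


def run_backup_drill(tamper=False):
    """End-to-end drill: create sample data, back it up, restore it, verify it.
    With tamper=True one record inside the stored archive is altered first;
    extraction still succeeds and only the manifest comparison notices."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "notes" / "q1.txt").write_text("Quarterly review notes\n")
        archive = Path(work, "backup.tar")
        manifest = create_backup(str(src), str(archive))
        if tamper:
            archive.write_bytes(archive.read_bytes().replace(b"1,100", b"1,900", 1))
        restore_dir = Path(work, "restore")
        restore_dir.mkdir()
        return restore_and_verify(str(archive), manifest, str(restore_dir))


if __name__ == "__main__":
    print("clean drill:   ", run_backup_drill())
    print("tampered drill:", run_backup_drill(tamper=True))
```

In production the manifest would be signed or stored with the offline/off-site copy, the restore would target an isolated host, and the drill would be scheduled so that the last successful verification date is itself a monitored metric.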
11. Secure Configuration for Network Devices
This control focuses on establishing and maintaining secure configurations for network devices, helping to protect an organization’s network infrastructure from unauthorized access or tampering.
Steps to achieve:
- Develop configuration policies and baselines for network devices, such as routers, switches, and firewalls.
- Implement change management processes to control modifications to network device configurations.
- Regularly review and update configuration baselines to align with industry standards and best practices.
- Conduct configuration audits to identify and remediate deviations from established baselines.
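Controls 5 and 11 both end with the same step, a configuration audit that reports deviations from the baseline. The script below is an added example of that audit, not code from this page or from smplsolutions. It parses an OpenSSH server configuration (a constructed "before" and "after" sample) and reports each directive whose effective value, explicit or inherited from the documented default, falls outside the baseline. The baseline values are common hardening choices and are assumptions to replace with your own policy; the same parse-then-compare pattern applies to exported router, switch and firewall configurations.

```python
"""Audit a configuration file against a hardening baseline.

Added example, not smplsolutions code. Samples and baseline are constructed.
"""
# Constructed sshd_config as found on a host before hardening.
WEAK_SSHD_CONFIG = """\
# Managed by hand; last touched 2019
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
MaxAuthTries 10
"""

# The same file after remediation.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

# Baseline: directive -> (acceptable values, value assumed when the directive is
# absent). The defaults are OpenSSH's documented defaults; absence is not
# compliance, so an unset directive is audited against its default.
BASELINE = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "x11forwarding": ({"no"}, "no"),
    "maxauthtries": ({"3", "4"}, "6"),
    "loglevel": ({"verbose"}, "info"),
}


def parse_sshd_config(text):
    """Return {directive: value} with lower-cased keys and values. sshd honours
    the first occurrence of a directive, so later duplicates are ignored;
    commented-out lines are not settings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        settings.setdefault(key, value)
    return settings


def audit_config(text, baseline=BASELINE):
    """Return [(directive, effective_value, acceptable_values, source)] for every
    directive out of baseline; source is 'explicit' or 'default'."""
    settings = parse_sshd_config(text)
    deviations = []
    for key, (acceptable, default) in baseline.items():
        if key in settings:
            value, source = settings[key], "explicit"
        else:
            value, source = default, "default"
        if value not in acceptable:
            deviations.append((key, value, sorted(acceptable), source))
    return deviations


if __name__ == "__main__":
    for key, value, acceptable, source in audit_config(WEAK_SSHD_CONFIG):
        print(f"{key}: {value} ({source}); baseline allows {acceptable}")
    print("hardened deviations:", audit_config(HARDENED_SSHD_CONFIG))
```

Tracking the `source` field matters for change management: an "explicit" deviation is a change someone made and should be traceable to a ticket, while a "default" deviation usually means the baseline was never applied to that host at all.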
12. Boundary Defense
The goal of this control is to secure the network perimeter by implementing multi-layered defenses, such as firewalls, intrusion prevention systems, and network segmentation, to protect against external threats.
Steps to achieve:
- Develop a network perimeter security policy outlining the use of firewalls, intrusion prevention systems, and other boundary defense technologies.
- Implement multi-layered defenses, such as firewalls, intrusion prevention systems, and network segmentation, to protect your network perimeter.
- Regularly update and patch boundary defense technologies to protect against emerging threats.
- Monitor and analyze network traffic to detect and respond to potential security incidents.
Our Solutions for Compliance:
- Ask a representative about our smplFirewall product offering
13. Data Protection
This control seeks to safeguard an organization’s data from unauthorized access and tampering by implementing data classification, encryption, and data loss prevention measures.
Steps to achieve:
- Develop a data classification policy for categorizing data based on sensitivity and defining handling procedures.
- Use encryption for sensitive data, both at rest and in transit.
- Implement data loss prevention (DLP) solutions to detect and prevent unauthorized data transmission.
- Regularly back up critical data and test backup and recovery processes.
Our Solutions for Compliance:
- Ask a representative about our smplOffice, smplBackup Cloud, and smpl365BU product offerings
14. Controlled Access Based on the Need to Know
The purpose of this control is to limit access to sensitive information based on job responsibilities, reducing the risk of unauthorized access or data breaches.
Steps to achieve:
- Establish role-based access control (RBAC) systems for granting permissions based on predefined roles.
- Use access control lists (ACLs) to manage access permissions for specific resources.
- Regularly review and update access permissions based on employees’ current job functions.
- Implement strong authentication methods, such as two-factor authentication (2FA), for sensitive systems and data access.
15. Wireless Access Control
This control aims to secure wireless networks by implementing strong encryption and authentication methods, regularly updating and patching network devices, and separating wireless traffic from sensitive systems and data.
Steps to achieve:
- Develop a wireless access policy outlining security requirements and acceptable usage.
- Implement strong encryption and authentication methods for wireless networks.
- Regularly update and patch wireless access points and other network devices.
- Use network segmentation to separate wireless traffic from sensitive systems and data.
16. Account Monitoring and Control
The goal of this control is to prevent unauthorized access and detect potential security threats by monitoring and controlling user accounts, ensuring that only authorized individuals have access to an organization’s systems and data.
Steps to achieve:
- Develop an account management policy outlining user account creation, modification, and termination processes.
- Use automated account provisioning and deprovisioning tools for accurate account management.
- Implement user behavior analytics (UBA) and other monitoring solutions to detect suspicious account activities.
- Regularly audit user accounts and access permissions to ensure proper access control.
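The audits asked for under Control 4 (appropriate use of administrative privileges) and Control 16 (accounts and permissions) reduce to joining three lists that usually live in different systems: the directory, the HR roster and the approved-administrator list. The script below is an added example of that joint audit, not code from this page or from smplsolutions. The directory export, roster and approved list are constructed, and the field names and 90-day dormancy threshold are assumptions to map onto your own directory and policy.

```python
"""Audit user accounts against HR records and the approved-administrator list.

Added example, not smplsolutions code. All records below are constructed.
"""
from datetime import datetime, timedelta

AS_OF = datetime(2024, 6, 1)            # audit date (assumed)
DORMANT_AFTER = timedelta(days=90)      # policy threshold (assumed)
ADMIN_GROUPS = {"domain admins", "administrators"}

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "jdoe",       "enabled": True,  "groups": ["staff"],                  "last_logon": "2024-05-30", "type": "user"},
    {"user": "asmith",     "enabled": True,  "groups": ["staff", "domain admins"], "last_logon": "2024-05-29", "type": "user"},
    {"user": "bwong",      "enabled": True,  "groups": ["staff", "domain admins"], "last_logon": "2024-05-31", "type": "user"},
    {"user": "ctaylor",    "enabled": True,  "groups": ["staff"],                  "last_logon": "2024-01-15", "type": "user"},
    {"user": "mlee",       "enabled": True,  "groups": ["staff"],                  "last_logon": "2024-05-20", "type": "user"},
    {"user": "svc-backup", "enabled": True,  "groups": ["domain admins"],          "last_logon": "2024-05-31", "type": "service"},
    {"user": "old-intern", "enabled": False, "groups": ["staff"],                  "last_logon": "2023-08-01", "type": "user"},
]

# HR roster of active employees (constructed). Service accounts are not people.
ACTIVE_EMPLOYEES = {"jdoe", "asmith", "bwong", "ctaylor"}

# Approved holders of administrative privilege (constructed).
APPROVED_ADMINS = {"asmith"}


def audit_accounts(accounts, active_employees, approved_admins,
                   as_of=AS_OF, dormant_after=DORMANT_AFTER):
    """Return a sorted list of (user, issue) for every enabled account that
    violates a rule. Disabled accounts are skipped here; they still belong on a
    separate deletion review so they cannot be quietly re-enabled."""
    issues = []
    for a in accounts:
        if not a["enabled"]:
            continue
        user = a["user"]
        is_admin = any(g.lower() in ADMIN_GROUPS for g in a["groups"])
        if a["type"] == "user" and user not in active_employees:
            issues.append((user, "enabled account with no active employee (terminated or unknown owner)"))
        if is_admin and user not in approved_admins:
            issues.append((user, "administrative group membership not on approved list"))
        if is_admin and a["type"] == "service":
            issues.append((user, "service account holds administrative privilege"))
        last = datetime.strptime(a["last_logon"], "%Y-%m-%d")
        if as_of - last > dormant_after:
            issues.append((user, f"dormant: no logon since {a['last_logon']}"))
    return sorted(issues)


if __name__ == "__main__":
    for user, issue in audit_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, APPROVED_ADMINS):
        print(f"{user:12} {issue}")
```

Each finding maps to an action the policy should already name: disable the orphaned account, open a ticket to justify or remove the unapproved admin membership, and move the backup job off a domain-admin service account onto a least-privilege one. Running the audit on a schedule, rather than once, is what turns it from a snapshot into the monitoring Control 16 asks for.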
17. Security Skills Assessment and Appropriate Training to Fill Gaps
This control focuses on training employees to recognize and respond to cyber threats, fostering a security-conscious culture and reducing the risk of security incidents stemming from human error.
Steps to achieve:
- Develop a security awareness training program covering topics like phishing, password security, and safe browsing habits.
- Conduct regular skills assessments to identify gaps in employee knowledge and target training to address those gaps.
- Use engaging and interactive training formats, such as videos, quizzes, and hands-on exercises.
- Encourage a security-conscious culture by recognizing and rewarding employees who demonstrate good security practices.
Our Solutions for Compliance:
- Ask a representative about our smplSEAT product offering.
18. Application Software Security
The purpose of this control is to secure an organization’s applications by adopting best practices for application development and deployment, ensuring the protection of sensitive data and preventing unauthorized access.
Steps to achieve:
- Establish secure software development policies and procedures for guiding developers in creating secure code.
- Train developers on secure coding practices, such as input validation, error handling, and encryption.
- Use code review tools and automated testing solutions to identify and remediate vulnerabilities in applications.
- Regularly update and patch third-party software components to reduce the risk of exploitation.
Our Solutions for Compliance:
- Ask a representative about our smplGRC and smplRMM product offerings
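Input validation is listed above as a secure coding practice; the example below makes concrete why it matters and why, on its own, it is not enough. It is an added example, not code from this page or from smplsolutions: an in-memory SQLite database with a constructed customers table, a lookup that splices user input into the SQL text, the same lookup with bound parameters, and a validation check used as defence in depth. Table and column names are illustrative.

```python
"""A SQL injection flaw, its parameterized fix, and input validation as a second layer.

Added example, not smplsolutions code. Data is constructed; SQLite is used
because it ships with Python, but the flaw and fix are the same on any RDBMS.
"""
import sqlite3

PAYLOAD = "x' OR '1'='1"   # classic tautology injection


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, tenant TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email, tenant) VALUES (?, ?, ?)",
        [("Alice", "alice@example.com", "acme"),
         ("Bob", "bob@example.com", "acme"),
         ("Carol", "carol@example.org", "globex")],   # a different tenant
    )
    return conn


def find_customers_vulnerable(conn, tenant, name):
    # VULNERABLE: user input becomes part of the SQL text. With PAYLOAD the WHERE
    # clause reads  tenant = 'acme' AND name = 'x' OR '1'='1'  and matches every
    # row in the table, across tenants.
    sql = f"SELECT name, email FROM customers WHERE tenant = '{tenant}' AND name = '{name}'"
    return conn.execute(sql).fetchall()


def find_customers_fixed(conn, tenant, name):
    # FIXED: placeholders. The driver sends the statement and the values
    # separately, so the database never interprets the input as SQL.
    sql = "SELECT name, email FROM customers WHERE tenant = ? AND name = ?"
    return conn.execute(sql, (tenant, name)).fetchall()


def is_valid_name(name, max_len=64):
    """Defence in depth: reject input that does not look like a person's name
    before it reaches the data layer. Note that an apostrophe is legitimately
    part of names like O'Brien, which is exactly why validation alone cannot
    stand in for parameterization."""
    return bool(name) and len(name) <= max_len and all(c.isalpha() or c in " -'" for c in name)


def demo():
    """Return (rows leaked by the vulnerable query, rows returned by the fixed one)."""
    conn = make_db()
    leaked = find_customers_vulnerable(conn, "acme", PAYLOAD)
    safe = find_customers_fixed(conn, "acme", PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable query returned {leaked} rows, parameterized query returned {safe}")
    print("payload passes name validation:", is_valid_name(PAYLOAD))
```

Static analysis and code review tools catch the vulnerable pattern (string formatting into a query) mechanically, which is the point of the "code review tools and automated testing" step: the fix is not clever, it is consistent use of the driver's parameter binding everywhere input touches a query.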
Conclusion
Implementing the CIS 18 Critical Security Controls can significantly enhance the cybersecurity posture of your SMB. By following the practical steps and strategies outlined in this article, you can build a robust defense against cyber threats and safeguard your valuable assets.
Remember, cybersecurity is an ongoing process that requires continuous improvement and adaptation to stay ahead of emerging threats. Invest in employee training, adopt best practices, and regularly review and update your security measures to maintain a secure and resilient IT infrastructure.
Find out how smplsolutions can be your trusted advisor when navigating the CIS Controls, as well as other frameworks or standards that might apply to your regulated business. Our cybersecurity consultants can also help your SMB take advantage of the free, hosted CIS Controls Self Assessment Tool (CIS CSAT, a web application that enterprises can use to conduct, track, and assess their implementation of the CIS Controls) through our guided assessment, planning, and gap remediation service offering.