Harnessing the Power of CIS 18 Controls

In today’s rapidly evolving digital and threat landscape, small and medium-sized businesses (SMBs) are no longer exempt from the devastating impact of cyberattacks. As these businesses increasingly rely on technology for day-to-day operations, they become attractive targets for cybercriminals. With limited resources and budgets compared to larger enterprises, SMBs often struggle to implement comprehensive cybersecurity measures. Fortunately, there’s a solution designed to help organizations of all sizes strengthen their security posture: the CIS 18 Critical Security Controls.

In this article, we’ll dive into the world of cybersecurity and explore how your organization can leverage these controls to build a robust defense against cyber threats. We’ll discuss practical steps, tailor-made strategies, and cost-effective solutions that SMBs can adopt to create a secure and resilient IT infrastructure. By the end of this article, our hope is that your management team is better equipped with the knowledge and tools we suggest for fortification of your business against potential cyberattacks and the safeguarding of your valuable assets.

smplsolutions expert cybersecurity team stands ready to assist your organization, and technical team (if IT resources are internally available) when addressing these controls, with our proven and effective solutions.

Table of the 18 CIS Controls:

A successful implementation of the CIS Controls (previously called the SANS Top 20 controls) starts by building a strong understanding of what these controls require and by what means they can be fulfilled.

The below outlines each of the 18 CIS Controls, the high-level steps you can take to achieve conformance, as well as those solutions we offer to assist your organization in that path to compliance.

1. Inventory and Control of Hardware Assets

This control aims to maintain a comprehensive and accurate inventory of all hardware assets, which helps organizations manage devices, detect unauthorized equipment, and support security incident response efforts.

Steps to achieve:

• Develop a hardware inventory policy outlining roles and responsibilities.
• Use automated asset discovery and inventory tools for tracking hardware devices.
• Update the inventory regularly to reflect changes in devices and ownership.
• Implement a physical asset tagging system for managing devices throughout their lifecycle.

Our Solutions for Compliance:

• Ask a representative about our smplRMM, smplEDR and smplAsset Manager product offerings

2.  Inventory and Control of Software Assets

This control focuses on creating and maintaining an accurate software inventory, which helps organizations manage software installations, detect unauthorized applications, and ensure adherence to licensing requirements.

Steps to achieve:

• Develop a software inventory policy outlining roles and responsibilities.
• Use automated software inventory tools and application whitelisting solutions.
• Update the inventory regularly to reflect changes in installations, updates, and licenses.
• Establish a software procurement process for authorized installations.

Our Solutions for Compliance:

• Ask a representative about our smplRMM and smplAsset Manager product offerings

3. Continuous Vulnerability Management

This control seeks to identify and remediate vulnerabilities in hardware, software, and network infrastructure, reducing the risk of exploitation and ensuring the ongoing security of an organization’s systems.

Steps to achieve:

• Adopt a vulnerability management policy outlining assessment frequency and remediation priorities.
• Use automated vulnerability scanning tools for hardware, software, and network infrastructure.
• Establish a patch management process for prompt and consistent deployment of security updates.
• Conduct regular penetration testing to evaluate security measures and identify weaknesses.

Our Solutions for Compliance:

• Ask a representative about our smplVulscan, smplPentest and smplRMM product offerings

4. Controlled Use of Administrative Privileges

The goal of this control is to manage and monitor the use of administrative privileges, minimizing the risk of unauthorized access, data breaches, and other security incidents stemming from privileged account misuse.

Steps to achieve:

• Develop an access control policy outlining criteria for granting and revoking administrative privileges.
• Implement the principle of least privilege for user access.
• Use privileged access management (PAM) solutions for monitoring and controlling administrative privileges.
• Conduct regular audits of user accounts to ensure appropriate use of administrative privileges.

5. Secure Configuration for Hardware and Software

This control aims to establish and maintain secure configurations for hardware and software systems, reducing the attack surface and helping to prevent unauthorized access or tampering.

Steps to achieve:

• Develop configuration policies and baselines for hardware and software systems.
• Implement change management processes to control modifications to system configurations.
• Regularly review and update configuration baselines to align with industry standards and best practices.
• Conduct configuration audits to identify and remediate deviations from the established baselines.

6. Maintenance, Monitoring, and Analysis of Audit Logs

The purpose of this control is to collect, store, and analyze audit logs, enabling organizations to detect and respond to security events and identify trends or potential threats.

Steps to achieve:

• Develop an audit log management policy outlining log retention, review, and analysis requirements.
• Implement centralized logging solutions to collect, store, and manage audit logs from various sources.
• Regularly review and analyze logs to detect and respond to security events.
• Use automated log analysis tools to identify trends and potential threats.

Our Solutions for Compliance:

• Ask a representative about our smplSOC product offering

7. Email and Web Browser Protections

This control focuses on implementing security measures for email and web browsing, helping to protect organizations from phishing attacks, malicious websites, and other internet-based threats.

Steps to achieve:

• Establish email and web browsing policies outlining acceptable usage and security requirements.
• Train employees on recognizing and reporting phishing emails and malicious links.
• Implement email security gateways for filtering spam, phishing, and malware.
• Use secure web gateways and browser security settings to restrict access to harmful websites and block malicious content.

Our Solutions for Compliance:

• Ask a representative about our smplShield and smplDNS product offerings

8. Malware Defenses

The goal of this control is to deploy a multi-layered approach to malware defense, detecting and preventing infections and minimizing the impact of malware on an organization’s systems and data.

Steps to achieve:

• Employ antivirus and anti-malware software on all endpoints and servers with regular updates.
• Use network-based malware detection solutions for identifying and blocking malicious traffic.
• Implement application whitelisting to prevent unauthorized software execution.
• Train employees on recognizing and avoiding potential malware threats.

Our Solutions for Compliance:

• Ask a representative about our smplEDR, smplShield and smplSEAT product offerings

9. Limitation and Control of Network Ports, Protocols, and Services

This control aims to minimize an organization’s attack surface by limiting and controlling network ports, protocols, and services, reducing the risk of cyberattacks.

Steps to achieve:

• Develop a network security policy outlining approved use of network ports, protocols, and services.
• Implement firewalls and intrusion prevention systems (IPS) to block unauthorized traffic and detect threats.
• Use network segmentation to separate sensitive systems and data from other network areas.
• Regularly audit and review network configurations to ensure that only necessary services are running and unused ports are closed.

Our Solutions for Compliance:

• Ask a representative about our smplFirewall product offering

10. Data Recovery Capabilities

The purpose of this control is to ensure the availability and integrity of critical data by implementing effective backup and recovery processes, minimizing the impact of data loss or corruption.

Steps to achieve:

• Develop a data backup and recovery policy outlining backup frequency, storage locations, and testing requirements.
• Implement automated backup solutions to ensure consistent and accurate backups.
• Store backup copies in secure, off-site locations to protect against data loss due to disastersConduct regular tests of your backup and recovery processes to validate their effectiveness and identify areas for improvement.

Our Solutions for Compliance:

• Ask a representative about our smplBackup Cloud an smpl365BU product offerings

11. Secure Configuration for Network Devices

This control focuses on establishing and maintaining secure configurations for network devices, helping to protect an organization’s network infrastructure from unauthorized access or tampering.

Steps to achieve:

• Develop configuration policies and baselines for network devices, such as routers, switches, and firewalls.
• Implement change management processes to control modifications to network device configurations.
• Regularly review and update configuration baselines to align with industry standards and best practices.
• Conduct configuration audits to identify and remediate deviations from established baselines.

12. Boundary Defense

The goal of this control is to secure the network perimeter by implementing multi-layered defenses, such as firewalls, intrusion prevention systems, and network segmentation, to protect against external threats.

Steps to achieve:

• Develop a network perimeter security policy outlining the use of firewalls, intrusion prevention systems, and other boundary defense technologies.
• Implement multi-layered defenses, such as firewalls, intrusion prevention systems, and network segmentation, to protect your network perimeter.
• Regularly update and patch boundary defense technologies to protect against emerging threats.
• Monitor and analyze network traffic to detect and respond to potential security incidents.

Our Solutions for Compliance:

• Ask a representative about our smplFirewall product offering

13. Data Protection

This control seeks to safeguard an organization’s data from unauthorized access and tampering by implementing data classification, encryption, and data loss prevention measures.

Steps to achieve:

• Develop a data classification policy for categorizing data based on sensitivity and defining handling procedures.
• Use encryption for sensitive data, both at rest and in transit.
• Implement data loss prevention (DLP) solutions to detect and prevent unauthorized data transmission.
• Regularly back up critical data and test backup and recovery processes.

Our Solutions for Compliance:

• Ask a representative about our smplOffice, smplBackup Cloud, and smpl365BU product offerings

14. Controlled Access Based on the Need to Know

The purpose of this control is to limit access to sensitive information based on job responsibilities, reducing the risk of unauthorized access or data breaches.

Steps to achieve:

• Establish role-based access control (RBAC) systems for granting permissions based on predefined roles.
• Use access control lists (ACLs) to manage access permissions for specific resources.
• Regularly review and update access permissions based on employees’ current job functions.
• Implement strong authentication methods, such as two-factor authentication (2FA), for sensitive systems and data access.

15. Wireless Access Control

This control aims to secure wireless networks by implementing strong encryption and authentication methods, regularly updating and patching network devices, and separating wireless traffic from sensitive systems and data.

Steps to achieve:

• Develop a wireless access policy outlining security requirements and acceptable usage.
• Implement strong encryption and authentication methods for wireless networks.
• Regularly update and patch wireless access points and other network devices.
• Use network segmentation to separate wireless traffic from sensitive systems and data.

16. Account Monitoring and Control

The goal of this control is to prevent unauthorized access and detect potential security threats by monitoring and controlling user accounts, ensuring that only authorized individuals have access to an organization’s systems and data.

Steps to achieve:

• Develop an account management policy outlining user account creation, modification, and termination processes.
• Use automated account provisioning and deprovisioning tools for accurate account management.
• Implement user behavior analytics (UBA) and other monitoring solutions to detect suspicious account activities.
• Regularly audit user accounts and access permissions to ensure proper access control.

17. Security Skills Assessment and Appropriate Training to Fill Gaps

This control focuses on training employees to recognize and respond to cyber threats, fostering a security-conscious culture and reducing the risk of security incidents stemming from human error.

Steps to achieve:

• Develop a security awareness training program covering topics like phishing, password security, and safe browsing habits.
• Conduct regular skills assessments to identify gaps in employee knowledge and target training to address those gaps.
• Use engaging and interactive training formats, such as videos, quizzes, and hands-on exercises.
• Encourage a security-conscious culture by recognizing and rewarding employees who demonstrate good security practices.

Our Solutions for Compliance:

• Ask a representative about our smplSEAT product offering.

18. Application Software Security

The purpose of this control is to secure an organization’s applications by adopting best practices for application development and deployment, ensuring the protection of sensitive data and preventing unauthorized access.

Steps to achieve:

• Establish secure software development policies and procedures for guiding developers in creating secure code.
• Train developers on secure coding practices, such as input validation, error handling, and encryption.
• Use code review tools and automated testing solutions to identify and remediate vulnerabilities in applications.
• Regularly update and patch third-party software components to reduce the risk of exploitation.

Our Solutions for Compliance:

• Ask a representative about our smplGRC and smplRMM product offerings

Conclusion

Implementing the CIS 18 Critical Security Controls can significantly enhance the cybersecurity posture of your SMB. By following the practical steps and strategies outlined in this article, you can build a robust defense against cyber threats and safeguard your valuable assets.

Remember, cybersecurity is an ongoing process that requires continuous improvement and adaptation to stay ahead of emerging threats. Invest in employee training, adopt best practices, and regularly review and update your security measures to maintain a secure and resilient IT infrastructure.

Find out how smplsolutions can be your trusted advisor when navigating the CIS Control Set, as well as other frameworks or standards that might apply to your regulated business. Our cybersecurity consultants can also aid your SMB in taking advantage of the free, hosted CIS CSAT Tool ( a free web application that enterprises can use to conduct, track, and assess their implementation of the CIS Controls) through our “guided” assessment, planning and gap remediation service offering.