There are several safeguards companies can implement to protect themselves, says the report. It points to the controls offered by the Center for Internet Security (CIS) — a nonprofit that provides products and services to help organisations safeguard their systems and data from cyber threats — as a “good starting point”.
The nonprofit has developed an interactive tool, the CIS Critical Security Controls Navigator, to help organisations analyse their cybersecurity status. It also helps organisations track their progress in implementing the CIS controls, which are guidelines generated by CIS to reduce cyber risk and enhance defences. It offers a tailored approach by classifying the CIS controls into three implementation groups (IG1, IG2, and IG3) based on the organisation’s security maturity level and resources.
The classifications are:
IG1: Essential cyber hygiene for small businesses with limited resources, providing fundamental steps to defend against common cyber threats.
IG2: Advanced protection for midsize businesses, addressing social engineering threats and incident response management.
IG3: Comprehensive defence for larger SMBs, incorporating application software security and penetration testing to enhance information security posture.
Adhering to these controls, which build on top of previous ones, enables SMBs to enhance their security posture and respond effectively to threats.
While the CIS controls provide a strong foundation, each organisation must customise its security measures based on its unique risk profile and tolerance. Regularly tracking security metrics and the ongoing improvements to the security posture are essential for staying ahead of cyber threats.