Why should SMBs work towards CIS 18 Controls IG1?

Originally posted at the Dostal Security blog

Before we get to deep into this topic, let's first discuss what the Center for Internet Security (CIS) 18 controls are, what Implementation Groups (IGs) are, and then we will discuss why every small business should work towards the CIS 18 IG1.

CIS 18 Controls

The CIS controls have a long history behind them of which we won't really get into. The focus of our discussion here is what they even are. The CIS controls are a set of prioritized cybersecurity controls that are meant to help every organization improve their cyber defense. In the past, they were known as the CIS 20 as there were 20 separate controls, with the first few controls being defined as basic Cyber Hygiene.

Beginning with CIS Control v8, they consolidated the controls into 18 controls, and changed to the idea of Implementation Groups to measure the three levels that organizations should meet based on their size and security requirements. Dostal Security has chosen to always focus on meeting the latest requirements from CIS, and so we will only discuss the CIS 18.

The eighteen controls are:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email Web Browser and Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

What's important to note is that not every one of these controls is in every implementation group. We'll discuss that a little more in depth in the next section of this post.

Implementation Groups

The CIS 18 introduced the new concept of Implementation Groups. IGs are the recommended way of prioritizing the implementation of the subcontrols found within each of the 18 controls. CIS was developed with the knowledge that not every company is of the same size, nor do they have the same cybersecurity capabilities available to them. Because of this, CIS prioritized implementation of their 153 subcontrols (known as safeguards) into three separate implementation groups.

IG1 is the first implementation group with 56 safeguards, and it is focused on what CIS defines as the "foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks" (Center for Internet Security, 2021). They targeted this IG1 towards companies with a limited level of cybersecurity expertise. In other words, nearly every small business!

IG2 is the second implementation group, which builds upon IG1 with an additional 74 safeguards. IG2 was designed to help enterprises that have multiple departments with different risk profiles and have some form of in-house cybersecurity expertise that can help them with the implementation and maintenance of these additional controls.

IG3 is the third and last implementation group, and builds upon IG2 with an additional 23 safeguards. This final IG is designed to help enterprise who have in-house cybersecurity expertise and have a requirement to secure sensitive and confidential data. IG3 was designed to help prevent or limit the impact of more sophisticated attacks.

Why should every SMB implement CIS 18 IG1?

With the previous information in mind, we get to the real focus of this discussion. Why should every single SMB implement IG1 from the CIS 18. The answer is to protect your business from what could result in the complete closure of your company. In recent studies, damages from Cybercrime is expected to reach $6 trillion by 2021 (Downs & Brewer, 2021). Massive companies regularly get breached resulting in huge damages.

However, you may think that you're a small business, and you won't be a target of anyone. In reality, you're only half right. It is unlikely that you'll be the specific target of any threat actor. However, you are increasingly likely to be the unintended target of general cybercrime. You may have an employee browsing the internet on one of their breaks, and then gets infected with a drive-by Ransomware attack. Or maybe you get an email from a compromised supplier with "your latest invoice," which is really a malicious document that will infect your computer with ransomware when opened.

If your computer (and potentially entire network!) is infected with ransomware, are you able to recover all of your lost data? If you decide to pay the attacker their ransom, of which the average demand is $233,817 as of Q3 2020 (Coveware, 2020), will you be able to afford it? And if the attacker decides to not return your data after you pay the ransom, are you able to survive the hit?

While implementing all of the safeguards found in CIS 18 IG1 is not guaranteed to stop all attacks from being successful, you are far more likely to be less affected by an attack, and less attacks are likely to be successful against your company. The goal behind CIS IG1 is to make you a harder target. The harder the target, the less likely you'll be attacked.


Center for Internet Security. (2021, May 14). CIS controls implementation groups. CIS. https://www.cisecurity.org/controls/implementation-groups/

Coveware. (2020, November 4). Q3 ransomware demands rise: Maze sunsets & Ryuk returns. Coveware: Ransomware Recovery First Responders. https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report

Downs, F., & Brewer, D. (2020, November 6). Top cyberattacks of 2020 and how to build Cyberresiliency. ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2020/top-cyberattacks-of-2020-and-how-to-build-cyberresiliency

Cody Dostal

Cody Dostal