Welcome to the first installment of our deep dive series on CIS controls that matter most for small business security. As a small business owner myself, I understand the unique challenges we face in protecting our digital assets. That’s why I’m creating this series to break down the most crucial CIS controls in a way that’s relevant and actionable for small businesses like ours.
We’re kicking off with CIS Control 1: Inventory and Control of Enterprise Assets. You might think keeping track of your digital assets is straightforward – after all, you know where your computers are, right? But in today’s interconnected world, managing your digital inventory is more complex—and more critical—than ever before. Let’s dive into what this means for your small business and how you can implement it effectively.
Understanding CIS Control 1
At its core, CIS Control 1 is about knowing what you have and where it is. It sounds simple, but it’s the foundation of a strong cybersecurity strategy. This control requires you to actively manage (inventory, track, and correct) all enterprise assets (end-user devices, network devices, non-computing/IoT devices, and servers) connected to your infrastructure, whether physically, virtually, remotely, or in the cloud.
For a small business, this might include your office computers, employees’ laptops, smartphones used for work, printers, routers, and even smart devices like security cameras or thermostats. If it’s connected to your network, it needs to be on your radar.
Why It Matters for Small Businesses
You might be wondering, “Why is this so important for my small business?” The answer is simple: you can’t protect what you don’t know you have. Unmanaged devices are like unlocked doors in your digital infrastructure—they’re prime targets for cybercriminals.
Consider this scenario: An employee brings in a personal tablet and connects it to your Wi-Fi. Without proper inventory and control measures, this device could access sensitive data or introduce malware to your network without your knowledge. By maintaining an accurate inventory, you can prevent these kinds of security gaps.
Moreover, knowing your assets helps you:
- Ensure all devices are properly secured
- Quickly identify and respond to security incidents
- Make informed decisions about technology investments
- Comply with various regulations and insurance requirements
Implementing CIS Control 1 in Your Small Business
Now, let’s talk about how you can put this control into practice:
- Create a Comprehensive Inventory: Start by listing every device connected to your network: computers, smartphones, printers, routers, and any IoT devices, plus cloud services and remote work setups. For each asset, record at least its hardware (MAC) address, its network address if static, the machine name, the owner, and whether it is approved to connect; that is the minimum CIS itself asks for in Safeguard 1.1, and the MAC address is what lets you match a scan result back to an inventory entry later. Your router's DHCP lease table is the cheapest place to start, because every device that asked for an address is listed there. If this seems overwhelming, an IT Provider, Managed Service Provider (MSP), or your internal IT staff can run a thorough network scan and identify all connected devices.
- Use Asset Management Tools: While a spreadsheet might work for very small businesses, consider using asset management software as you grow. These tools can automatically discover devices on your network and help maintain an up-to-date inventory. Many MSPs offer advanced asset management tools as part of their services, which can be a cost-effective solution. Alternatively, your internal IT staff can recommend and implement suitable tools for your business.
- Implement a Formal Asset Management Process: Establish procedures for adding new devices to your network, retiring old ones, and regularly updating your inventory. Make sure everyone in your organization understands and follows these procedures. An IT Provider, MSP, or your in-house IT team can help you develop and implement these processes, ensuring they align with industry best practices.
- Secure Your Network: Use network access control (NAC) so that only approved devices can connect, which keeps rogue devices off your network. Full NAC (for example 802.1X authentication on your switches and Wi-Fi) can be daunting for a small office; a practical first step is a separate, isolated guest Wi-Fi network for visitors and personal devices, so the tablet from the scenario above never lands on the same network as your business data. Many IT Providers and MSPs offer NAC as a managed service, handling setup and ongoing management for you, and internal IT staff can own it in-house.
- Regular Audits: Conduct periodic physical audits to ensure your digital inventory matches reality. This can help you identify any discrepancies or unauthorized devices. Some businesses find it helpful to have their IT Provider or MSP perform these audits, bringing an external eye to the process. Alternatively, your internal IT staff can conduct these audits as part of their regular duties.
- Employee Education: Train your staff on the importance of asset management and their role in maintaining security. Make sure they know not to connect personal devices to the company network without approval. Many MSPs and IT Providers offer security awareness training programs that can cover these topics comprehensively. Your internal IT team can also develop and deliver tailored training sessions for your employees.
- Monitor and Maintain: Regularly review and update your inventory. Set up alerts for when an unknown device joins your network or when a known device stops showing up, and decide in advance what happens to an unauthorized device (remove it, quarantine it, or approve it and add it to the inventory); CIS Safeguard 1.2 calls for handling unauthorized assets at least weekly, and Safeguard 1.1 for reviewing the whole inventory at least twice a year. This ongoing maintenance can be time-consuming, which is why some small businesses hand it to their IT Provider or MSP; internal IT staff can fold it into their routine responsibilities so nothing falls through the cracks.
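As an added example (not code from this post or from CIS), here is how the discovery, audit and alert steps above fit together in a few lines of Python: an inventory exported from a spreadsheet is reconciled against a scan (a DHCP lease table or arp-scan export), unknown devices are flagged for the weekly unauthorized-asset process, inventoried devices that have not been seen for 30 days are queued for the next physical audit, and last-seen dates are refreshed for everything that matched. Both data sets are constructed: the hostnames, owners and MAC addresses are made up.

```python
"""Reconcile a network scan against the approved asset inventory.

Added example, not from the original post. INVENTORY_CSV and SCAN_CSV are
constructed sample data (hypothetical hostnames, made-up MAC addresses) in
the shape you would get from a spreadsheet export and from a router's DHCP
lease table or an arp-scan run.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

STALE_DAYS = 30  # an inventoried device unseen this long goes on the audit list

# Constructed approved-asset inventory: the fields CIS Safeguard 1.1 asks for.
INVENTORY_CSV = """mac,hostname,owner,type,last_seen
aa:bb:cc:00:00:01,frontdesk-pc,Alice,workstation,2024-05-01
aa:bb:cc:00:00:02,owner-laptop,Michael,laptop,2024-05-01
aa:bb:cc:00:00:03,office-printer,shared,printer,2024-03-15
aa:bb:cc:00:00:04,lobby-camera,shared,iot,2024-05-01
"""

# Constructed scan result, e.g. exported from the router's DHCP lease table.
# The MAC formatting differs from the inventory on purpose; normalize_mac handles it.
SCAN_CSV = """mac,ip,hostname
AA-BB-CC-00-00-01,192.168.1.10,frontdesk-pc
AA-BB-CC-00-00-02,192.168.1.11,owner-laptop
AA-BB-CC-00-00-04,192.168.1.40,lobby-camera
DE-AD-BE-EF-00-99,192.168.1.77,Johns-iPad
"""


@dataclass
class Asset:
    mac: str
    hostname: str
    owner: str
    kind: str
    last_seen: date


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so scan and inventory entries match."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text: str) -> dict[str, Asset]:
    """Map normalized MAC -> Asset from the spreadsheet export."""
    assets = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        assets[mac] = Asset(mac, row["hostname"], row["owner"], row["type"],
                            date.fromisoformat(row["last_seen"]))
    return assets


def load_scan(text: str) -> dict[str, dict]:
    """Map normalized MAC -> scan row (ip, hostname)."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory: dict[str, Asset], scan: dict[str, dict], today: date) -> dict:
    """Compare what was seen with what is approved; refresh last_seen on matches.

    unauthorized: on the network but not in the inventory (CIS 1.2 process)
    missing:      in the inventory but not seen in this scan
    stale:        missing AND unseen for STALE_DAYS or more (next physical audit)
    """
    seen, known = set(scan), set(inventory)
    report = {
        "unauthorized": sorted(seen - known),
        "missing": sorted(known - seen),
        "stale": sorted(m for m in known - seen
                        if (today - inventory[m].last_seen).days >= STALE_DAYS),
    }
    for mac in seen & known:
        inventory[mac].last_seen = today
    return report


def run(today_iso: str = "2024-05-02") -> tuple[dict, dict[str, Asset]]:
    """Load the constructed data, reconcile, and return (report, updated inventory)."""
    inventory = load_inventory(INVENTORY_CSV)
    scan = load_scan(SCAN_CSV)
    report = reconcile(inventory, scan, date.fromisoformat(today_iso))
    return report, inventory


if __name__ == "__main__":
    report, inventory = run()
    scan = load_scan(SCAN_CSV)
    for mac in report["unauthorized"]:
        row = scan[mac]
        print(f"ALERT unauthorized device {mac} at {row['ip']} ({row['hostname']})")
    for mac in report["missing"]:
        a = inventory[mac]
        flag = f" (audit: not seen for {STALE_DAYS}+ days)" if mac in report["stale"] else ""
        print(f"MISSING {a.hostname} ({mac}, owner {a.owner}){flag}")
```

Run against the constructed data, the unknown iPad is the one unauthorized device, and the printer is both missing from the scan and stale enough to go on the audit list. Keying on the MAC address rather than the hostname or IP is deliberate: hostnames are self-reported and DHCP addresses change, while the MAC is what the lease table and the inventory share. Replace the two embedded CSV strings with a file read and a scheduled task, and this is the weekly check Safeguard 1.2 asks for.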
Overcoming Common Challenges
Implementing this control isn’t without its challenges, especially for small businesses. Here are some common hurdles and how to address them:
- Limited Budget: Start with free or low-cost tools and focus on manual processes. As you grow, invest in more sophisticated solutions or consider the cost-effectiveness of partnering with an MSP, which can provide enterprise-grade tools at a fraction of the cost of purchasing them outright. If you have internal IT staff, they can help you find the most cost-effective solutions for your specific needs.
- Lack of Technical Expertise: If you’re not comfortable managing this yourself and don’t have internal IT staff, don’t hesitate to seek help from an IT Provider or MSP. They can fill gaps in your technical knowledge and capabilities, ensuring a robust implementation of CIS Control 1.
- Remote Work Complications: A virtual private network (VPN) protects the connection back to the office, but it does not tell you what device is on the other end; mobile device management (MDM) does, because enrolling a laptop or phone puts it in your inventory and lets you track, lock, or wipe it wherever it is. If managing remote assets is challenging, many IT Providers and MSPs specialize in securing and managing remote work environments, and an internal IT team can develop its own strategy for securing the remote workforce.
- IoT Devices: Don’t overlook less obvious connected devices. Even smart coffee makers or thermostats should be included in your inventory if they’re on your network. An experienced IT Provider, MSP, or your own IT staff can help identify and secure these often-overlooked devices.
The Bottom Line
Implementing CIS Control 1 might seem like a daunting task, especially if you’re starting from scratch. But remember, every step you take towards better asset management is a step towards stronger overall security for your business.
Start small if you need to—even a basic inventory is better than none. As your business grows, you can refine and expand your asset management practices. Whether you handle this in-house with your own IT staff, leverage the expertise of an IT Provider or MSP, or use a combination of these approaches, the key is to start now and make it a consistent part of your operations.
By knowing what assets you have and controlling how they’re used, you’re not just ticking a box on a security checklist. You’re building a foundation for a more secure, efficient, and resilient business in our digital world.
Remember, in the realm of cybersecurity, knowledge truly is power. And when it comes to your digital assets, what you don’t know can hurt you.
Have questions about implementing CIS Control 1 in your small business? Feel free to reach out. I’m always here to help fellow small business owners navigate the complexities of cybersecurity, whether you’re handling it yourself, working with an IT Provider or MSP, or leveraging your internal IT staff.
You can read more about the CIS Security Controls framework at the Center for Internet Security website, and find all 18 controls listed here.
Stay secure!
Michael Zull @ MZ DATA
Long Beach, CA