Thanks for coming back for our deep dive on the Center for Internet Security controls for small business. This week we’ll look at CIS Control #5: Account Management and detail some practical steps you can take to secure and protect your business. Let’s go!
As a small business owner, you might think, “I’m too small to be a target for cybercriminals.” It’s time to recalibrate that thinking. In today’s digital landscape, size doesn’t matter to hackers – vulnerability does. And small businesses are often the most vulnerable because they frequently overlook crucial security measures, particularly in the realm of account management. This is where CIS Control 5 comes in:
The full verbiage from CIS: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
The Stark Reality of Small Business Cybersecurity
Let’s look at some eye-opening statistics that highlight the importance of robust account management:
- 80% of hacking-related breaches involve compromised or weak credentials. That’s right, four out of five breaches could potentially be prevented with better password practices.
- 55% of employees use the same password for multiple work accounts. This is like using the same key for your house, car, and office – lose it once, and everything’s at risk.
- 29% of all breaches, regardless of attack type, involve the use of stolen credentials. Hackers are actively hunting for your passwords.
For small businesses, especially those in sensitive sectors like finance or healthcare, the stakes couldn’t be higher. Poor account management isn’t just a technical issue – it’s a business survival issue. It can lead to identity theft, insider threats, regulatory fines, and perhaps most devastatingly, a loss of customer trust that can take years to rebuild – if you get the chance to rebuild at all.
Your Defense Strategy: Implementing CIS Control 5
So, what can you do to protect your business? Implement CIS Control #5 Account Management . Here’s a breakdown of practical steps you can take:
- Conduct a Comprehensive Account Audit: Start by listing all user accounts across your systems. This includes employees, contractors, and even service accounts used by your software. Like so many of the other security controls, the first step is to know what you are dealing with: you can’t protect what you don’t know you have.
- Implement the Principle of Least Privilege: Not everyone in your organization needs access to everything. Grant only the permissions necessary for each role. This limits the damage a compromised account can do. Most applications have Role Based Access Controls (RBAC) that you can implement.
- Enable Multi-Factor Authentication (MFA): I can’t stress this enough, this is your security silver bullet. By requiring a second form of identification beyond just a password (typically an authorization app or text message code on the user’s phone), MFA makes it much harder for attackers to use stolen credentials. Enable it wherever possible, especially for accounts with access to sensitive data.
- Establish and Enforce Strong Password Policies: Require complex, unique passwords for each account. Consider implementing a password manager to help your team maintain good password hygiene without the headache of remembering dozens of complex passwords. NIST has updated their password policy guidelines for 2024, review them and implement as many as you can!
- Set Up Robust Account Monitoring: Keep a watchful eye on user activities. Look for red flags like unusual login times, multiple failed attempts, or unexpected access to sensitive data. Many security breaches are detected through anomalies in account behavior. Work with your IT team to monitor and setup alert notifications for suspicious behaviors.
- Create Formal Processes for Account Management: Work with your IT team to develop clear procedures for creating, modifying, and terminating accounts. This is especially crucial when employees leave – ensure their access is immediately revoked across all systems.
- Conduct Regular Access Reviews: Schedule reviews of all accounts and their permissions. As roles change and people come and go, access rights need to be adjusted. Regular reviews help ensure no unnecessary access lingers.
Remember, implementing CIS Control 5 is not a one-and-done task. It’s an ongoing process of improvement and vigilance. Start with the basics and gradually build up your defenses. The key is to begin now – every step you take significantly reduces your risk and strengthens your security posture. Once you get a process defined, it’s very little work to continuously implement for big gains in your security posture.
In the world of cybersecurity, a single compromised account can be the key that unlocks your entire kingdom to attackers. For small businesses, especially those handling sensitive data, implementing CIS Control 5 isn’t just about following best practices—it’s about ensuring your business’s very survival in an increasingly hostile digital environment.
Have questions about implementing CIS Control 5 in your business? Drop a comment below or get in touch with any questions you might have.
You can read more about the CIS Security Controls framework at the Center for Internet Security website, and find all 18 controls listed here.
Stay secure, stay successful!
Michael @ MZ DATA
Long Beach, CA