Practical Cybersecurity with Jen Stone

"Good Enough" Security for Small Business Budgets

SecurityMetrics Season 1 Episode 1

In this episode of Practical Cybersecurity, host Jen Stone talks with Curt Dukes, EVP and GM of Security Best Practices at the Center for Internet Security (CIS). Drawing on his 30-year career at the NSA, Dukes breaks down how small and medium businesses (SMBs) can implement "good enough" security without unlimited resources. The conversation focuses on Implementation Group 1 (IG1)—a prioritized set of safeguards that provide essential "cyber hygiene". Dukes introduces free resources like the CSAT (Controls Self-Assessment Tool) and CIS Workbench to help leaders move past the intimidation of technical jargon and establish a "standard of reasonableness" for their organization's defense.

CIS Resources

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place

But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/

Curt Dukes: I’ll be upfront with you, Jen. Small and medium businesses just want to be told what to do. Equally important is knowing what is "good enough," because they don’t have unlimited resources.

Jen Stone: Tell us a little bit about your background and how you came to work at the Center for Internet Security.

Curt Dukes: I spent five years in the United States Air Force and then signed on with the National Security Agency (NSA)—or, as some like to say, "No Such Agency". I thought I’d be there for three to five years; 30-plus years later, I finally said I’d had enough. I’ve now been with the Center for Internet Security (CIS) for eight years.

My title is Executive Vice President and General Manager for Security Best Practices. We create and promulgate cybersecurity guidance in two main ways:

  1. CIS Benchmarks: Configuration recommendations for major operating systems and network devices (Windows, Linux, Cisco, etc.).
  2. CIS Critical Security Controls: A prioritized framework of actions organizations should take.

We have three Implementation Groups. Implementation Group 1 (IG1) is where you get started.

Curt Dukes: CIS also has an operational arm called the ISAC (Information Sharing and Analysis Center). We run sensors that give us actual threat data. We look at new and emerging threats, but we also see the same threats year in and year out.

Take ransomware: there’s not a lot unique about it from my lens. Attackers are still exploiting known vulnerabilities for which there’s already a patch available. That threat data directly informs our cybersecurity best practices.

Jen Stone: Small business leaders are often jacks-of-all-trades. Cybersecurity can be intimidating because it’s so technical. Where do they start?

Curt Dukes: Start with the CIS Critical Security Controls. They are available for free as a download. We recommend starting with Implementation Group 1 (IG1). We also offer:

  • CIS CSAT (Controls Self-Assessment Tool): A free, web-based tool to assess yourself against the controls.
  • Workbench: A collaboration platform where you can post questions. The community is very active and willing to help because everyone started in that same spot.

Curt Dukes: There is a legal term called the "standard of reasonableness". If you suffer a cyber incident and end up in court, you want to be able to say that what you did was reasonable for the resources you had.

We’ve published a piece on reasonable cybersecurity based on the controls. If you are implementing IG1 and measuring yourself against it, you can show the court the specific, reasonable actions you took to protect your business.

Curt Dukes: Every business owner wants to know: "How much is this going to cost me?" We looked at this through three use cases:

  1. On-Premise: You manage your own servers and endpoints.
  2. Outsourced: You use a Managed Service Provider (MSP).
  3. Cloud-Based: You put everything in the cloud and let the provider manage it.

In our "Cost of Cyber Defense" paper, we call out ten tool categories. You may not need all ten—some vendor products cover multiple categories—but it helps you tie the safeguards to actual technology.

Jen Stone: Where do we send people to find these resources?

Curt Dukes: Visit our website at cisecurity.org. You can find both the ISAC and our Security Best Practices there, or just search for "Center for Internet Security" in your browser.