After 2020’s performance as the worst year on record for data breaches, data protection is a huge concern for CISOs, IT departments, government agencies, and business owners. Data protection is also becoming a matter of public safety, as ransomware attacks frequently disrupt operations at hospitals, pipelines, food processing plants, and other critical enterprises for profit.
In addition to the safety consequences of data exposures, there can be serious financial impacts for organizations that fail to fully secure their data and comply with data-management regulations. For example, the EU recently imposed on Amazon its biggest-ever GDPR fine ($888 million), while Colonial Pipeline paid nearly $5 million in ransom and now faces a class-action lawsuit from businesses and consumers who were affected by the cyberattack that temporarily closed the pipeline in May.
If, like many organizations, you’re now reviewing your data security posture, it’s important to know that the most recent version of the Center for Internet Security’s Critical Security Controls Framework has overhauled the way it organizes its data-protection recommendations. These changes can help organizations prioritize the steps in their security programs and avoid the rising tide of data exposures that are putting business operations, sensitive government data, and personally identifiable information at risk.
CIS Controls v.8 Contains Key Changes to Improve Your Security Posture
The updated CIS Critical Security Controls were released in May 2021 to outline best practices that take into account the rising importance of mobile devices, remote access, and the cloud to organizations of all sizes.
In addition to consolidating the Safeguards (called Sub-Controls in previous versions), Version 8 reorganizes the Safeguards to group them by activities within an organization instead of by who manages the hardware.
These new categories, called Implementation Groups (IGs), build in sequence from basic cybersecurity through security for complex IT environments to best practices for organizations dealing with confidential data. Organizations can adopt the Safeguards in the IGs that align with their risk profile and security resources and use the IGs as a way to prioritize implementation.
Implementation Group 1 Safeguards address basic cyber hygiene best practices and represent the minimum security standards that every organization should follow. By implementing these Safeguards across all 18 Controls, organizations can protect themselves from many common types of cyberattacks.
The Safeguards in Implementation Group 2 add another layer of protection for large organizations with departments that have varying levels of risk, and that have the resources to implement more complex or costly security practices.
For organizations that have elevated risk profiles and the expertise to implement stringent security, Implementation Group 3 offers measures to avoid or reduce the harm caused by sophisticated attacks—the kind of attacks that can do widespread damage to the organization and its clients or customers and partners. Protect your data with precise vulnerability scanning and real-time monitoring.
What Data Protection and Security Practices Does CIS Control 3 Include Now?
In previous versions of the CIS Controls, Control 3 dealt with continuous vulnerability management and Control 13 focused on data protection. Now, the 15 Safeguards in Control 3 create a path for protecting the organization’s data in an increasingly complex environment.
Within Implementation Group 1, Control 3 focuses on the basic cyber hygiene practices that every organization should follow to manage and secure their data. These include setting up and maintaining a data management process (Safeguard 3.1) and a corresponding data inventory (3.2), building data-access control lists to reduce access control vulnerabilities (3.3), data retention enforcement (3.4), and secure data disposal practices (3.5). IG1 also calls for encryption of sensitive data on end-user devices (3.6).
After the IG1 Safeguards are in place, organizations with complex IT infrastructure can then move on to the six additional Safeguards in IG2. These focus on:
• Identifying data by setting up and maintaining a data classification scheme that sorts data according to sensitivity (Safeguard 3.7) and documenting data flows, including flows from service providers (3.8).
• Protecting data through encryption of data on removable media, in transit and at rest (3.9-3.11) and segmenting data by sensitivity for processing and storage (3.12).
Finally, IG3 offers two Safeguards specifically for IT security teams in organizations that work with confidential and sensitive data. The first is to use an automated data-loss prevention tool to track and continuously update sensitive data across the enterprise (3.13). The second is to log access to sensitive data, to document any potential access control violations and expedite data breach notifications, and to log sensitive data modifications and disposal (3.14).
Image: Center for Internet Security
What Stands Between Your Team and Full CIS Control 3 Implementation?
In order to manage, inventory, monitor and secure your organization’s data, you first need to know where the data is located in your environment, where it goes within and outside your environment, and how it’s transmitted. To answer these questions, you need full visibility of all the devices operating on your networks—agented and unagented, supported and unsupported, on-premises or cloud, permanent or temporary. Remote work poses additional challenges if workers are accessing your networks via their personal devices or work devices that have unapproved software installed on them. These behaviors can create security gaps that attackers can exploit to exfiltrate, corrupt, or ransom data.
Another challenge to full Control 3 implementation is the need for real-time data monitoring. When critical data is at stake, your organization can’t wait for the next scheduled scan to find out where it’s located and where it’s going. For example, transmitting protected health information (PHI) without encryption is a HIPAA violation. To maintain compliance and reduce the risk of patient data exposure, you need instant alerts when sensitive data is sent unencrypted or is sent to devices outside the network segment or organization.
Lastly, the complexity of today’s enterprise environments can make security data unification and prioritization a challenge, unless you have one place where you can see everything along with risk assessments. You need a dashboard that shows you all your devices and the data they’re handling, classifies their risk level, and helps you prioritize remediation and responses.
What Are the Risks When Data Protection Falls Short of CIS Control 3 Standards?
When you can’t manage and inventory all your data, whether it’s on-premises or in the cloud, you simply can’t know if that data is securely stored, accessed, transmitted, and disposed of. That puts your organization at risk for data breaches, ransomware attacks, HIPAA and GDPR violations, and damage to your brand, contracts, and customer relationships. Cyberattacks on IoT devices and data access control vulnerabilities can also put data used by industrial control systems (ICS) or connected medical devices at risk of exposure to outside actors.
These costs add up. The average cost of a data breach is now $4.24 million, with remote work-enabled breaches costing more than $1 million more to clean up, on average. Breaches can also cost CISOs their jobs, as has happened after high-profile data incidents at Capital One, Equifax, Uber, Target, and other organizations. Investing in data leakage protection and endpoint security improvements now can help organizations reduce their risk of large, unplanned breach remediation expenses later.
CIS Controls for Effective Cyber defense: CIS Control 3 Implementation
CIS Control 3 builds on Controls 1 and 2, meaning that you must identify your devices and software before you can see where your data is and how it’s moving. Once you know what devices are on your network, you can identify end-user devices and set rules for data encryption (Safeguards 3.6 and 3.7), document data flows (3.8), and encrypt sensitive data in transit (3.8) as part of a data loss prevention program (3.13).
Full implementation of CIS Control 3 gives your data protection compliance manager and IT team the unified, real-time view they need of every device, program, and data movement across your enterprise. That comprehensive view can help you identify, prioritize and address a wide range of data-related issues, including OT/ICS, medical device, and IoT security concerns, to keep your information, your organization, and your clients or customers safe.
Strengthen Your Data Protection With Security Best Practices That Include Continuous Data Monitoring
The Armis platform supports CIS security methods to protect the data your enterprise relies on, whether it’s moving within your network or transmitting to devices outside it. Armis flags unusual data movement and raises alerts when key data moves unencrypted, to enhance your organization’s sensitive data protection, reduce your risk of data exposure, and help you avoid fines and brand damage. Because Armis can identify and monitor every device in your environment, including unagented devices, our platform can reduce the risks of security attacks in IoT environments as well as in traditional networks.
Learn more about implementing Control 3 and the rest of the CIS critical security controls framework with Armis.