Strengthening your cyber defenses can be a daunting task. Where do you start? Which tools do you use? How much will it cost? And, what do you risk losing if you do nothing? It’s not always easy to answer these questions, but in the absence of definitive answers, you may struggle to grow your cybersecurity maturity and leave yourself exposed to cyber attacks.
The CIS Critical Security Controls (CIS Controls) team has published a guide, The Cost of Cyber Defense: Implementation Group 1 (IG1), to help you answer those questions. The purpose of the guide is to provide enterprises such as yours with a real-world view into how realistic and cost-effective it can be to achieve essential cyber hygiene, as embodied in Implementation Group 1 (IG1) of the CIS Controls. This information will help individuals with any level of expertise make informed and prioritized decisions for strengthening cyber defense. Several different audiences can benefit from this guide, too, including members of the executive team (e.g., CEO, CFO, CISO, CIO) and IT administrators.
What you risk if you do nothing
The risk of a cyber attack on an enterprise is greater than ever before. Devices are constantly being added to networks, increasing the digital footprint and providing more opportunities for an attacker to exploit weaknesses in those devices. Enterprises of all sizes are at risk of a cyber attack; however, small- and medium-sized enterprises (SMEs) often have more risk due to small budgets and limited resources. According to a 2021 report published by Accenture, 43% of cyber attacks target small businesses, yet only 14% of SMEs are prepared to defend against an attack.
Depending on the severity of a cyber attack, recovery costs can range from thousands to millions of dollars. The damages depend on the nature of the attack, including the breadth and depth, as well as how long the attacker remained on the network (e.g., days, months, years). For some enterprises, the cost of recovery from a cyber attack might be a significant portion of their budget, if not their entire annual revenue. Some enterprises have even gone out of business after experiencing a cyber attack. According to a report published by Cisco, “60% of small- and medium-sized businesses go out of business within six months of a cyber attack.”
Where you can start: Essential cyber hygiene at a reasonable cost
Every enterprise wants a reasonable starting point at a reasonable cost for cybersecurity. The CIS Controls are a prioritized set of actions that you can implement to create an effective cyber defense program. The key word here is prioritized.
CIS recommends starting with IG1 of the CIS Controls, as this subset constitutes what’s known as “essential cyber hygiene” for any enterprise. It includes a ‘“must do”’ list of actions that you can use to build a foundation for implementing more complex countermeasures later on. For example, larger enterprises that face more sophisticated adversaries and protect more sensitive data or services can move on to implement Safeguards in Implementation Group 2 (IG2) and/or Implementation Group 3 (IG3).
Tools to help you along the way
IG1 consists of 56 actions, which are called Safeguards. This does not mean you need to deploy 56 individual tools in order to implement IG1. In fact, you can accomplish many of the Safeguards using one or a few tools. To pare down the Safeguards in IG1 into a digestible format, we chose 10 categories (e.g., Asset Management, Data Management) to represent the 18 Controls. From there, we created a set of generic tool types along with the policies needed to support them and mapped them to IG1 Safeguards. These tools are not vendor-specific; they’re general in that they group Safeguards together that require similar tooling. For example, obtaining an “Enterprise and Software Asset Inventory Management Tool” can be used to satisfy Safeguards 1.1, 1.2, 2.1, 2.2, 2.3, 9.1, and 12.1. Want to learn more about laying a secure foundation with IG1? Check out our video.
Your enterprise may already have the tools in place (or can easily add on to pre-existing platforms) to implement some of the Safeguards in IG1. For example, if you’re using Microsoft products, you may already have the built-in or added capabilities (e.g., BitLocker, Active Directory) to achieve many of these actions.
How much it will cost you
When it comes to dollars and cents, the industry as a whole has made many attempts to calculate the cost of a cyber attack. The same can’t be said about estimating the costs of implementing cyber defenses. But there’s value in knowing both of those metrics. Knowing what an enterprise can spend to prevent an attack is helpful when you know what they’re willing to spend to recover from an attack. For example, if the cost of recovering from a cyber attack is $1.25 million but an enterprise can spend only $1 million on implementing a set of robust cyber defenses, which one should they choose?
To estimate the cost of IG1 Safeguards, we looked at the tools that an enterprise needs to implement them. Tools are priced in many ways, the most common being the following: by number of employees, users, workstations/servers, and/or by usage (e.g., megabyte, gigabyte, hours). CIS created IG1 Enterprise Profiles to help streamline the process of calculating costs.
Our estimate shows that obtaining and deploying commercially-supported versions of the tools should be less than 20% of the Information Technology (IT) budget for any size enterprise. Even with adding in the overhead of implementing the necessary policies to support them, IG1 Safeguards can provide a reasonable, necessary, and effective starting point for cybersecurity by any enterprise. Our findings reinforce what we already thought to be true – an enterprise can implement the Safeguards in IG1 for a relatively low cost, and the Safeguards constitute a foundational and achievable set of security actions for even the smallest of enterprises.
How to use our Cyber Defense guide
This guide has five main sections.
1. The first section describes our methodology for estimating the cost of implementing IG1 for enterprises of different sizes.
2. The second section briefly discusses the Safeguards themselves.
3. The third section outlines the IG1 Enterprise Profiles.
4. The fourth section identifies the types of tools needed to implement the Safeguards.
5. Finally, the fifth section estimates the cost of deploying the tools for the three different IG1 Enterprise Profiles.
Practitioners can find valuable information in the appendices of this guide that help to further break down the cost for each tool as well as provide some insight into several considerations while procuring these tools. Additionally, a spreadsheet is available for users to download if they wish to use it for budgeting and/or implementation purposes.
Ready to see how cost-effective it is to implement IG1? Download the cost of Cyber Defense