DBIR 2023: SME Cyber Defense Begins with the CIS Controls

We were very pleased to read the 2023 Verizon Data Breach Incident Report (DBIR).  It references the CIS Critical Security Controls (CIS Controls) and Safeguards throughout, making it easier for enterprises of every size to develop a cybersecurity plan that fits their specific needs.

The SME Cyber Threat Landscape

If you are a small- to medium-sized enterprise (SME), understanding your threat landscape is critical to building your cyber defense. SMEs suffered more security incidents (699) versus large enterprises (496) in 2022-2023, according to the DBIR. 

Below are a couple of other notable 2023 DBIR findings for SMEs:

  • A common attacker profile: Most (94%) cyber threat actors (CTAs) who targeted SMEs were external. Their primary (98%) motivation for doing so was financial. Verizon observed a similar pattern for large enterprises, with 89% of CTAs located outside of the target and 97% of CTAs motivated by finance.
  • Credentials as the target: More than half (54%) of security incidents involved SMEs compromised credentials, followed by internal assets (37%). By comparison, the largest category of data compromise for larger enterprises was internal (41%), with credentials not too far behind at 37%.

The CIS Controls: A Portal to Knowing Your Environment

In its report, Verizon references the CIS Controls and Safeguards as effective mitigation tactics for defending against top attack patterns. This valued partnership between CIS and Verizon is one that we've helped foster for over 10 years, with teams from both enterprises maintaining regular contact to ensure the DBIR aligns with the CIS mission to provide best practices and actionable guidance to all organizations.

Specific to the 2023 report, Verizon leveraged CIS Controls for MITRE ATT&CK mapping from the CIS Community Defense Model (CDM). Verizon mapped multiple incident classification patterns to the CIS Controls, an effort which enterprises of all sizes can use to strengthen their cybersecurity defenses. It also referenced the CIS Controls as a starting point for SMEs to protect themselves specifically. 

A Prioritized Approach with Implementation Groups

Regardless of your enterprise's size, we recommend utilizing the Implementation Groups (IGs) as a way to prioritize the steps needed to establish essential cyber hygiene.

We created the three IGs – IG1, IG2, and IG3 – in an effort to simplify and prioritize the process of effectively implementing the CIS Controls. IGs are based on the risk profile and resources your enterprise has available to them to implement the CIS Controls. Each IG identifies a set of Safeguards that you need to implement. IG1, “essential cyber hygiene,” provides effective security value with technology and processes that are generally already available while providing a basis for more tailored and sophisticated action, if warranted. IG2 builds upon IG1 with additional Safeguards that are designed for enterprises with more resources and expertise but also greater risk exposure. Finally, the rest of the Safeguards make up IG3, which applies to enterprises with the greatest risk exposure.

Want more information on how to act upon the findings of the DBIR 2023 using the CIS Controls? Check out our webinar below.


A Universal Cyber Risk

No matter the size or type of enterprise, everyone is at risk. Attackers are largely looking for vulnerabilities or weaknesses in your environment and are largely opportunistic (e.g., RDP open on a public-facing server without multi-factor authentication). These types of weaknesses in an enterprise's environment are ripe for the picking for attackers.

By implementing the Safeguards in the CIS Controls, you'll grow your cyber defense posture against many types of attacks in simple and practical ways. Verizon's DBIR is just the latest endorsement by a globally recognized cybersecurity partner of this fact.