Fast-Track Your Implementation of Essential Cyber Hygiene


Cybersecurity is not just a concern for large corporations and government entities; it's a critical issue for businesses of all sizes. Cyber threat actors (CTAs) are increasingly targeting small businesses in particular. If successful, the consequences of those cyber attacks can be devastating.

To help you defend your small or medium-sized enterprise (SME), we released the "CIS Implementation Guide for Small- and Medium-Sized Enterprises." This comprehensive resource works as a ladder to help you rapidly adopt Implementation Group 1 (IG1) of the CIS Critical Security Controls (CIS Controls). In this blog post, we'll explain how.

The Importance of Essential Cyber Hygiene

IG1 is not just another list of good things to do; it is a set of steps that help you deal with today's most common types of attacks by establishing essential cyber hygiene.

Want to learn more about how you can use essential cyber hygiene in IG1 to defend against common threats? Check out our video below.


The methodology provided in this guide helps you to fast-track a large majority of the recommended actions within IG1. Once you've taken all of the steps recommended within this guide, you should identify the IG1 Safeguards you have yet to complete and ensure you are putting all of the IG1 Safeguards into place within your IT infrastructure.

3 Common Cybersecurity Challenges for Small Businesses

Small businesses like yours represent the foundation of business and public service sectors. They are also often the least prepared to protect themselves against a cyber attack. Here are a few cybersecurity challenges that SMEs everywhere commonly face:

  1. Limited Resources: Small businesses often operate on tight budgets, leaving little room for substantial investments in cybersecurity measures. This limitation can lead to vulnerabilities that cybercriminals are quick to exploit.
  2. Lack of Expertise: Many small business owners and employees lack the expertise needed to navigate the ever-evolving landscape of cyber threats effectively. Without adequate knowledge and training, they may inadvertently expose the business to risks.
  3. Insufficient Security Policies: Often, small businesses operate without comprehensive cybersecurity policies and procedures. This lack of structure can result in weak password management, data exposure, and inadequate access controls.

Countering Cyber Threats with Our Guide

Our implementation guide helps you to defend your small- or medium-sized enterprise against the following types of threats:

Theft of Information 

Malicious hackers and dissatisfied employees try to obtain personally identifiable information (PII) or steal credit card information, customer lists, intellectual property, and other sensitive information.

Password Theft 

Attackers steal passwords to access company systems.

Phishing Attacks 

A phishing email looks like legitimate correspondence and tries to trick the recipient into clicking on a link that installs malware on the system.


Ransomware

Ransomware is malicious software that blocks access to a computer, enabling criminals to hold your data for ransom.

Natural Disasters 

Data loss occurs due to natural events and accidents like fires and floods.

Defacement and Downtime 

Attackers force your website or other technology to no longer look or function properly. This could be as a joke, for political reasons, or to damage your reputation.

It’s Not All or Nothing

To help you address the threats discussed above, this guide lists a variety of free or low-cost tools as well as procedures you can implement to improve your security. Additionally, CIS recommends the following cybersecurity approach to help you prioritize your efforts within the constraints listed above. This phased approach is as follows:

Phase 1 – Complete the five inventory worksheets included in the guide:

  • Enterprise Asset Inventory Worksheet
  • Software Asset Inventory Worksheet
  • Data Inventory Worksheet
  • Service Provider Inventory Worksheet
  • Account Inventory Worksheet

Phase 2 – Complete the Asset Protection Worksheet for each asset in the inventory.

Phase 3 – Complete the Account Security Worksheet for each account in the account inventory.

Phase 4 – Complete the Backup and Recovery Worksheet for each asset.

Phase 5 – Complete the Incident Response Worksheet.

Phase 6 – Ensure that all employees review the training options listed in the Cyber Education Worksheet.

Each step in Phase 1 includes worksheets or spreadsheets to help you along the way. This phase involves knowing what’s connected to your network, the software you use, what data is being protected, your service providers, and your accounts.

Phase 2 focuses on protecting your technology, while Phase 3 ensures that you've appropriately locked down each account your enterprise uses. Phase 4 helps you to back up and store enterprise data elsewhere. Finally, Phases 5 and 6 help your enterprise to prepare in advance for disruptive events using planning and education.

Your Roadmap to Digital Safety

It's time to take action. This guide is your roadmap to digital safety; you can begin using it with limited resources and technical know-how. Your small business might be a target, but you don't have to be a victim. Be prepared, be informed, and stay safe.