CIS Control 2: Securing Your Small Business Through Software Management

Welcome back to our deep dive series on CIS controls crucial for small business security. In our last post, we explored the importance of knowing your digital hardware assets – you can’t protect what you don’t know is on your network. Now, let’s turn our attention to CIS Control 2: Inventory and Control of Software Assets. This control is all about managing the software on your network to ensure only authorized programs are installed and running.

Understanding CIS Control 2

At its core, CIS Control 2 requires you to actively manage all software on your network. This includes operating systems, applications, and even firmware. The goal is to ensure that only authorized software is installed and can execute, while unauthorized and unmanaged software is prevented from installation or execution.

For small businesses, this might seem like overkill. After all, you know what software you’ve installed, right? But in today’s digital landscape, where employees might install software without approval and malware can disguise itself as legitimate programs, having a firm grasp on your software inventory is crucial.

Why It Matters for Small Businesses

You might be wondering, “Why is this so important for my small business?” The answer lies in the significant security risks posed by unmanaged software:

1. Vulnerability Exploitation: Outdated or unpatched software can be a gateway for cybercriminals to access your network.
2. Malware Threats: Unauthorized software could be malware in disguise, putting your entire network at risk.
3. Licensing Issues: Running unlicensed software can lead to legal and financial repercussions.
4. Resource Drain: Unnecessary software can slow down your systems and decrease productivity.
5. Data Leakage: Unapproved software might not have proper security measures, potentially exposing sensitive data.

It’s worth noting that while this control is crucial for all businesses, it’s particularly critical in highly regulated industries. For instance, finance sector firms often face strict compliance requirements regarding software management. However, the principles apply equally to businesses across all sectors.

Implementing CIS Control 2 in Your Small Business

Now, let’s look at how you can put this control into practice:

1. Create a Software Inventory: Start by listing all software installed on your systems. This includes operating systems, applications, and browser plugins. Your IT provider, MSP, or internal IT staff can use automated tools to help compile this inventory.
2. Establish a Software Whitelist: Determine which software is necessary for your business operations and create an approved list. Any software not on this list should be considered unauthorized.
3. Implement Application Control: Use tools to prevent unauthorized software from running on your systems. Many modern operating systems have built-in features for this, or your IT support can recommend third-party solutions.
4. Regular Software Audits: Conduct periodic checks to ensure only authorized software is installed and running. This can be done manually or through automated tools provided by your IT support.
5. Update and Patch Management: Ensure all your software is up-to-date and promptly apply security patches. Consider using automated patch management tools to streamline this process.
6. Employee Education: Train your staff on the importance of not installing unauthorized software and the potential risks it poses to the business.
7. Software Removal Process: Establish a procedure for safely removing unauthorized or unnecessary software when discovered.

Overcoming Common Challenges

Implementing this control can present some challenges for small businesses:

• Limited Resources: Start with built-in OS features and free tools. As you grow, consider more robust solutions or leverage the expertise of an IT provider or MSP.
• User Resistance: Employees might resist restrictions on software installation. Clear communication about the security reasons behind these policies can help.
• Keeping Track of Updates: With multiple software applications, tracking updates can be overwhelming. Consider using a patch management solution or delegating this task to your IT support.
• Legacy Software: Some older, necessary applications might not be compatible with strict controls. Work with your IT support to find secure ways to run these programs if they’re essential.

The Bottom Line

Implementing CIS Control 2 is about more than just keeping your software tidy. It’s a fundamental step in securing your business against a wide range of cyber threats. By knowing what software is running on your network and ensuring it’s all authorized and up-to-date, you’re significantly reducing your attack surface.

Remember, in the world of cybersecurity, what you don’t know can hurt you. Unauthorized software is a risk you can’t afford to take, regardless of your business size.

Whether you’re handling IT in-house, working with an MSP, or relying on an IT provider, implementing strong software management practices is crucial. It’s an investment in your business’s security, compliance, and overall health.

Have questions about implementing CIS Control 2 in your small business? Feel free to reach out. I’m here to help fellow small business owners navigate the complexities of cybersecurity and build more resilient businesses.

You can read more about the CIS Security Controls framework at the Center for Internet Security website, and find all 18 controls listed here.

Stay secure!

Michael Zull @ MZ DATA
Long Beach, CA

Join our mailing list to receive SMB tech news & tips!