In this interview with Curtis Dukes, Executive Vice President and General Manager at the Center for Internet Security, we discussed the past, present and future of CIS and cybersecurity as a whole, including some expert tips on the best practices to keep online businesses safe from identity theft and other common cyber threats.
What’s The Story Behind The Center For Internet Security: How Did It All Start, And How Has It Changed During The Years?
Back in August of 2000, a small group of business and government leaders met at the legendary Cosmos Club in Washington, D.C. to discuss a concerning rash of cyber-attacks. From that meeting and others, a vision emerged for an independent, mission-driven, nonprofit organization dedicated to preventing and mitigating new cyber threats.
Today, CIS is the embodiment of that vision. Over the course of 20 years, we have been privileged to work with some of the best minds in the cybersecurity and IT professions. Through a global, collaborative effort, we have developed world-class standards in the form of the CIS Controls and CIS Benchmarks, along with specialized technology tools to help security practitioners implement and manage their cyber defenses.
What Kind Of Cybersecurity Services Do You Offer, And What Makes Them Stand Out?
CIS offers a variety of tools, memberships, and services to help organizations around the world start secure and stay secure. These solutions range from no-cost memberships and services for State, Local, Tribal and Territorial organizations in our Multi-State Information Sharing and Analysis Center (MS-ISAC) to a full slate of professional tools as part of our Secure Suite offerings, as well as industry standards such as CIS Critical Security Controls and Benchmarks.
What Are The Essential Tools That Small Businesses Should Implement In Order To Prevent Cyber Attacks Or Data Hacks?
Unfortunately, ransomware is still the biggest cyber threat facing small to medium-sized businesses. Simply put, cybercriminals are taking advantage of unpatched, misconfigured, or outdated software to steal or hold hostage an organization’s information, which disrupts business operations. One essential tool that helps prevent this is our Blueprint for Ransomware Defense, which is based on the Center for Internet Security Critical Security Controls, as the set of cybersecurity best practices to protect your organization from this scourge.
October Was Cybersecurity Awareness Month. What Do You Think About The Way Online Media Are Spreading Cybersecurity Awareness And What Can Be Improved?
For those of us who work in this industry, every month is Cybersecurity Awareness Month. The goal of the national campaign is to get the messages to the general public, to educate them about the risks and ways to protect themselves in a way that is clear and easy to understand. Cybersecurity starts with all of us, and teaching non-tech folks what they need to be aware of is critically important. For the most part, I think we are doing a good job with that by teaming up with partners like the Cybersecurity and Infrastructure Security Agency (CISA) to spread the word.
What Is Your Suggested Course Of Action If A Website Gets Hacked?
There are several things you need to do, but first, collect yourself and be calm. While quick action is important, remember the damage has already been done; let’s not make it worse. Second, immediately involve your IT staff, or external support if hosted externally. They should be familiar with the website and its configuration, and have the appropriate login credentials. Third, take the website offline to remediate the cyber breach. Again, this will involve your IT staff or external support. Fourth, you will want to conduct a vulnerability scan of your local network for signs of additional compromise. Finally, you will want to implement your incident response plan to inform both staff and consumers of the website of the compromise.
Is There Any Recent Cyber-Attack That Concerned You More Than Others?
The biggest concern continues to center on the high number of ransomware attacks. Each year we continue to see that attack as the most prevalent globally. Outside of ransomware, the other concern centers on the emergence of supply chain attacks. A supply chain attack is where an adversary compromises a product or software component that is used by many organizations. In effect, compromise one, exploit many. SolarWinds and Log4j are two recent examples of supply chain attacks that drew international attention.
What Cybersecurity Trends Do You Think Will Be Crucial In The Near Future?
Security consolidation. Today it’s common for IT staff to manage between 10 and 30 different security products to protect the enterprise. Consolidating around a single or a couple of security vendor platforms can remove integration challenges, reduce the attack surface, and minimize supply chain risks.
And What About Your Future? What Is Next For The Center For Internet Security?
CIS will continue its focus on providing cybersecurity best practices to small and medium enterprises, both public and private. Where possible, we will simplify the process of establishing, implementing and measuring an organization’s cybersecurity program. Key to simplifying is automating the configuration to a known security standard (CIS Critical Security Controls and Benchmarks).