Cybersecurity
7 min read
Secure by Default Is a Myth: Why CIS Controls and Baseline Hardening Matter

Here’s a question worth asking your IT provider: “When you set up a new laptop or server for us, what standard do you configure it against?” If the answer is a shrug, your security posture is whatever the manufacturer’s defaults happen to be—and those defaults were chosen to minimize support calls, not breaches.
Out of the box, operating systems ship with legacy protocols enabled, generous permissions, and features you’ll never use but attackers will. Every one of those defaults is a small unlocked door. Baseline hardening is the practice of walking through the building and locking them—systematically, against a published standard, on every system you own.
What the CIS Controls are
The Center for Internet Security (CIS) is a nonprofit that publishes two things every business leader should know exist. The CIS Critical Security Controls are 18 prioritized safeguards—an ordered to-do list for defending an organization, from knowing what hardware and software you have, through data protection, secure configuration, access control, and incident response. They’re organized into Implementation Groups, and IG1 is explicitly defined as “essential cyber hygiene” for small and mid-sized businesses—roughly 56 foundational safeguards that blunt the vast majority of common attacks.
The second is the CIS Benchmarks: detailed, consensus-built configuration guides for specific technologies—Windows 11, Windows Server, Microsoft 365, macOS, browsers, firewalls, cloud platforms. Where the Controls say “use secure configurations,” the Benchmarks say exactly which settings, and what value each should hold.
What baseline hardening looks like in practice
Disable legacy protocols and services that exist only for backward compatibility—the same ones ransomware uses to spread laterally.
Enforce screen locks, disk encryption, and application controls on every endpoint.
Strip local admin rights from daily-driver accounts, so malware that lands runs with limited power.
Configure audit logging so that when something happens, there’s a trail to investigate.
Standardize browsers, Office macros, and remote access settings—the three doors phishing most often walks through.
Document the baseline, deploy it through policy (not by hand), and re-check systems on a schedule so drift gets caught and corrected.
That last point matters most. Hardening isn’t a one-time project—settings drift as software updates, technicians troubleshoot, and exceptions accumulate. A real hardening program re-scans against the baseline continuously and treats every deviation as a ticket with a reason attached.
Why this matters to the business, not just IT
Fewer incidents: most opportunistic attacks exploit default configurations and unpatched, unmanaged sprawl. Hardened systems are simply harder targets.
Insurance and compliance: cyber insurers and frameworks like HIPAA, SOC 2, and CMMC increasingly ask what standard your systems are configured to. “CIS Benchmarks, verified monthly” is an answer that ends the conversation.
Provability: after an incident, regulators and insurers ask you to demonstrate reasonable safeguards. A documented baseline with scan reports is evidence; good intentions are not.
Predictability: standardized systems behave consistently, which means faster support, cleaner onboarding, and fewer mystery outages.
Where to start
Don’t try to boil the ocean. Start with CIS IG1: inventory what you have, harden the systems your business runs on—Windows endpoints and Microsoft 365 first—and put a cadence around verification. Most businesses can reach a defensible, documented baseline within a quarter.
This is exactly how Entice builds every environment we manage: workstations, servers, and cloud tenants configured against CIS Benchmarks, deployed through policy, and re-checked on a schedule—so the configuration your security depends on stays hardened long after setup day. If you can’t currently prove what standard your systems are configured to, that’s the gap to close first.
View All Posts
Subscribe to updates
Practical IT insights for Colorado business leaders. No spam, unsubscribe anytime.
© 2026 Entice Technology, Inc. All rights reserved. Privacy Policy Terms of Service
