1. Introduction: Why Election Security Matters to Business
Election infrastructure and business infrastructure face the same fundamental security challenges:
- High-value targets: Adversaries know the impact of successful attacks
- Complex systems: Multiple interconnected components, each a potential vulnerability
- Legacy technology: Systems deployed years ago that haven't kept pace with threats
- Access control challenges: Too many people with too much access
- Limited security expertise: Technical staff focused on operations, not security
- Resource constraints: Security competes with other priorities for budget
In 2018, Ohio recognized these challenges in its election infrastructure and directed counties to conduct comprehensive security assessments. Clark State Community College led the assessment for Clark County and brought us in to handle the technical evaluation.
The methodology we used wasn't specific to elections. It was the same systematic, framework-based approach used across critical infrastructure sectors. That's what makes the lessons applicable to business security today.
2. Understanding the CIS Controls Framework
The Center for Internet Security (CIS) Controls are a prioritized set of cybersecurity best practices developed by security professionals across sectors. They're not theoretical recommendations—they're based on actual attack patterns and proven defenses.
The framework consists of 18 controls organized into three implementation groups:
Figure: CIS Controls organized by implementation priority: start with the foundation, build capability over time
Implementation Group 1: Essential Cyber Hygiene (Controls 1-6)
These are foundational controls that every organization should implement, regardless of size or sophistication:
- Inventory and Control of Enterprise Assets: You can't protect what you don't know you have. This means maintaining an up-to-date inventory of all hardware—servers, workstations, network devices, mobile devices.
- Inventory and Control of Software Assets: Same principle for software. What's installed? What's authorized? What's outdated?
- Data Protection: Where is sensitive data stored? Who can access it? Is it encrypted? How is it backed up?
- Secure Configuration: Default configurations are rarely secure. Systems need to be hardened according to established baselines.
- Account Management: Who has accounts? What privileges do they have? When was the last review?
- Access Control Management: Least privilege principle—users should have the minimum access needed to do their jobs.
In the 2018 Clark County assessment, these six controls accounted for the majority of our findings. Not because the county was negligent, but because maintaining these fundamentals across evolving systems is genuinely difficult.
Implementation Group 2: Establishing Security Practices (Controls 7-16)
Once fundamentals are in place, organizations need ongoing security operations:
- Continuous Vulnerability Management: Regular scanning to identify security weaknesses before attackers do
- Audit Log Management: Collecting and analyzing logs to detect suspicious activity
- Email and Web Browser Protections: Defending the most common attack vectors
- Malware Defenses: Multiple layers to prevent, detect, and respond to malicious code
- Data Recovery: Tested backup and restoration procedures
- Network Infrastructure Management: Proper segmentation and monitoring
- Network Monitoring and Defense: Intrusion detection and prevention systems
- Security Awareness and Skills Training: Users as the last line of defense
- Service Provider Management: Extending security requirements to vendors
- Application Software Security: Secure development and deployment practices
Implementation Group 3: Advanced Security Operations (Controls 17-18)
For organizations facing sophisticated threats or with substantial resources:
- Incident Response Management: Formal processes for handling security events
- Penetration Testing: Simulating attacks to identify weaknesses
What made this framework effective for election security in 2018—and what makes it effective for business security in 2026—is the prioritization. You don't need to implement all 18 controls simultaneously. You start with the essentials, build capability over time, and continuously improve as threats evolve.
3. The 2018 Clark County Assessment: What We Actually Did
The assessment followed a four-phase methodology mapped to the CIS Controls:
Figure: The systematic four-phase assessment methodology
Phase 1: Documentation Review
We started with existing documentation—security policies, network diagrams, access control procedures, system configurations, vendor contracts. This established the baseline: what was documented, what was current, what was missing.
Key focus areas:
- Asset inventories (hardware and software)
- Network architecture and segmentation
- Access control policies and user lists
- Backup and disaster recovery procedures
- Incident response plans
- Vendor management and contracts
Phase 2: Onsite Technical Evaluation
Multiple site visits to observe systems in operation, interview personnel, and verify that documented procedures matched reality. We looked at:
- Voter registration database systems
- Electronic pollbook preparation and deployment
- Vote capture and tabulation equipment
- Election night reporting infrastructure
- Physical security controls
- Personnel security practices
Phase 3: Technical Testing
Evaluation of technical controls against the CIS framework:
- Network Segmentation: Were election systems properly isolated from general county networks?
- Access Controls: Who had administrative privileges? Were passwords strong? Was multi-factor authentication in use?
- Monitoring Capabilities: What logs were collected? Was anyone reviewing them? Could suspicious activity be detected?
- Backup Procedures: Were backups tested? How quickly could systems be restored?
- Incident Response: What would happen if something went wrong? Who would be called? What were the procedures?
Phase 4: Gap Analysis and Recommendations
For each CIS Control, we documented:
- Current State: What was implemented and how
- Recommended State: What should be implemented per CIS guidelines
- Gap: The difference between current and recommended
- Risk Level: How significant was this gap?
- Remediation: Specific steps to close the gap
- Priority: What should be fixed first?
The specific findings remain confidential—that's standard for security assessments. But the patterns we identified in 2018 are the same patterns we see in business assessments in 2026.
4. How Threats Have Evolved: 2018 to 2026
Figure: How the threat landscape has evolved from 2018 to 2026
The fundamentals of security haven't changed. You still need asset inventory, access controls, monitoring, and incident response. But the threat landscape has evolved significantly.
Ransomware: From Emerging to Assumed
2018: Ransomware was a concern but not universal. Organizations could reasonably debate whether they were likely targets.
2026: Ransomware is assumed. Every organization is a potential target. Attacks are more sophisticated, ransom demands are higher, and recovery success rates are lower.
What changed: Ransomware-as-a-Service lowered the barrier to entry for attackers. Double and triple extortion tactics (encrypt data, steal data, threaten to publish) made paying ransoms less effective. Critical infrastructure operators became explicit targets.
What this means: Backup and recovery procedures that were optional in 2018 are critical in 2026. But backups alone aren't enough—you need network segmentation to prevent ransomware from reaching backups, and you need tested restoration procedures.
Supply Chain Attacks: The New Preferred Vector
2018: Supply chain attacks were rare and theoretical. Organizations focused on perimeter security.
2026: Supply chain attacks are the preferred method for sophisticated adversaries. Compromising one vendor provides access to hundreds of victims.
What changed: High-profile attacks (SolarWinds, Kaseya, MOVEit) demonstrated effectiveness. Organizations hardened perimeters, so attackers shifted to trusted relationships.
What this means: Vendor management went from administrative task to security-critical function. Every vendor with network access or data access is a potential vulnerability. Vendor security assessments are no longer optional.
AI-Powered Social Engineering
2018: Phishing was identifiable—poor grammar, generic greetings, obvious impersonation attempts.
2026: AI-generated phishing is sophisticated. Messages are contextually appropriate, grammatically perfect, and personalized. Voice cloning enables phone-based attacks. Deepfakes create video "proof" of executive approval.
What changed: Large language models and voice synthesis became commercially available. Attackers can generate convincing content at scale.
What this means: Security awareness training that worked in 2018 is insufficient in 2026. Technical controls (email filtering, multi-factor authentication, verbal verification procedures) are more critical than ever.
Insider Threats in Remote Work Era
2018: Insider threats were primarily access control problems—too many people with too much access.
2026: Remote work complexity multiplied insider threat vectors. Personal devices, home networks, shared workspaces, and blurred work-life boundaries create new vulnerabilities.
What changed: The shift to remote work happened rapidly during 2020-2021. Security controls designed for office environments don't translate directly to home offices.
What this means: Access controls need to be more granular. Network segmentation needs to assume internal compromise. Monitoring needs to detect unusual behavior, not just unauthorized access.
Zero-Day Exploits: From Occasional to Regular
2018: Zero-day exploits were occasional events. Patch management could wait for monthly maintenance windows.
2026: Zero-day exploits are regular occurrences. Exploitation happens within hours of disclosure. Ransomware groups actively scan for vulnerable systems.
What changed: Exploit marketplaces commoditized zero-day knowledge. Automated scanning tools accelerated exploitation timelines.
What this means: Patch management went from monthly schedule to emergency response. Vulnerability management requires continuous monitoring and rapid response capabilities.
5. Applying Election Security Lessons to Business
The same systematic approach we used for Clark County's election infrastructure applies to business security. The specific systems differ, but the methodology is identical.
Healthcare: Protecting Patient Data and Clinical Systems
Healthcare organizations face challenges similar to those of election infrastructure:
- High-value targets: Patient records command premium prices on dark web markets
- Legacy systems: Medical devices and EHR systems with long lifecycles
- Access complexity: Multiple providers, locations, and emergency access requirements
- Regulatory requirements: HIPAA adds a compliance layer on top of security needs
The CIS Controls framework maps directly to HIPAA Security Rule requirements. Asset inventory (Control 1) supports device and system tracking. Access controls (Control 6) implement minimum necessary access. Audit logs (Control 8) provide required audit trails.
What's changed since 2018: Ransomware attacks on healthcare accelerated. Average ransom for hospitals now exceeds $2M. Recovery time impacts patient care. Most healthcare ransomware enters through supply chain (billing companies, IT vendors, medical device manufacturers).
Legal: Safeguarding Confidential Case Information
Law firms manage highly sensitive information with limited IT resources:
- Confidentiality requirements: Attorney-client privilege makes breaches catastrophic
- Small IT teams: Most firms under 100 attorneys have 1-2 IT staff
- Document-heavy: Terabytes of case files, depositions, evidence
- External collaboration: Opposing counsel, expert witnesses, clients, courts
Application of CIS Controls: Data protection (Control 3) ensures encryption of client files. Email security (Control 9) prevents business email compromise targeting trust accounts. Incident response (Control 17) addresses breach notification requirements.
What's changed since 2018: Business email compromise targeting law firm trust accounts surged. Average loss per incident: $300K. AI-powered impersonation makes these attacks harder to detect. Most successful attacks exploit weak multi-factor authentication.
Financial Services: Transaction Security and Compliance
Financial services firms balance security with accessibility:
- Real-time requirements: Transaction processing can't wait for security reviews
- Multiple regulatory frameworks: SEC, FINRA, state banking regulations
- Third-party integrations: Payment processors, portfolio management, CRM systems
- Client access: Portals, mobile apps, third-party aggregators
CIS Controls implementation: Network monitoring (Control 13) detects unusual transaction patterns. Penetration testing (Control 18) validates security before new platform launches. Service provider management (Control 15) addresses third-party risk.
What's changed since 2018: Supply chain attacks via financial software vendors increased 400%. Most breaches now come through integrated platforms, not direct attacks. API security became critical as firms connected more services.
6. What Organizations Should Be Doing in 2026
Based on both the 2018 election security work and eight years of threat evolution, here's what organizations need to prioritize:
Figure: Essential security priorities for organizations in 2026
1. Start With Accurate Asset Inventory
You can't protect what you don't know you have. This sounds basic, but in our security assessments, asset inventory is the most common gap.
What this means in practice:
- Complete hardware inventory (servers, workstations, network devices, mobile devices)
- Software inventory (what's installed, what's authorized, what's outdated)
- Data inventory (where is sensitive information stored, who can access it)
- Network connections inventory (what systems talk to what systems)
2. Implement Proper Network Segmentation
Assume internal compromise. Ransomware doesn't enter through the front door anymore—it comes through vendors, supply chain, or compromised credentials. Network segmentation limits lateral movement.
What this means in practice:
- Isolate critical systems from general network
- Separate production from backup infrastructure
- Segment by data sensitivity and business function
- Implement zero-trust principles for internal access
3. Strengthen Access Controls
Multi-factor authentication is no longer optional. Password-only access is assumed compromised.
What this means in practice:
- Multi-factor authentication on all external access (VPN, email, cloud services)
- Multi-factor authentication on all administrative access
- Regular access reviews (quarterly minimum)
- Immediate deprovisioning when personnel leave
- Least privilege principle—users get minimum necessary access
4. Build Real Monitoring Capability
Collecting logs isn't enough. Someone needs to review them, preferably an automated system with human oversight.
What this means in practice:
- Centralized log collection from all critical systems
- Automated alerting for suspicious activity
- Regular log review (at minimum, weekly)
- Integration with threat intelligence feeds
- Consider 24/7 security monitoring for critical systems
5. Test Your Backups and Incident Response
Having backups isn't enough. You need tested restoration procedures. Having an incident response plan isn't enough. You need to have exercised it.
What this means in practice:
- Regular backup testing (monthly at minimum)
- Measured restoration times for critical systems
- Offline/immutable backups that ransomware can't reach
- Documented incident response procedures
- Annual tabletop exercises with key personnel
6. Manage Third-Party Risk
Your vendors' security is your security. Supply chain attacks work because organizations trust vendor access.
What this means in practice:
- Security requirements in all vendor contracts
- Regular vendor security assessments
- Limited vendor access (only what's necessary)
- Monitoring vendor connections
- Immediate response when vendors are compromised
7. Continuous Vulnerability Management
Monthly patching schedules don't work when exploitation happens within hours of disclosure. You need rapid response capability.
What this means in practice:
- Automated vulnerability scanning (weekly minimum)
- Prioritized remediation based on exploitability
- Emergency patching procedures for critical vulnerabilities
- Compensating controls when patching isn't immediately possible
7. Conclusion: Security as Continuous Improvement
The 2018 Clark County election security assessment demonstrated something important: systematic evaluation against established frameworks identifies gaps that can be fixed. The same approach works for business security in 2026.
What's different eight years later isn't the methodology—it's the urgency. In 2018, implementing CIS Controls was good practice. In 2026, it's survival. Threats have evolved from occasional incidents to assumed baseline. Organizations that haven't kept pace with this evolution are operating with 2018 defenses against 2026 attacks.
The good news: this is fixable. Security isn't about perfection—it's about continuous improvement. Start with accurate assessment of current state. Identify gaps against established frameworks. Prioritize remediation based on risk. Implement controls systematically. Measure effectiveness. Repeat.
This is exactly what we did for Clark County in 2018. It's what we do for Ohio businesses in 2026. The sectors differ (healthcare, legal, financial, manufacturing), but the methodology is identical.
If your security was implemented three years ago and hasn't been reassessed since, you have gaps. That's not criticism—it's math. Threats evolve faster than static security controls. The question isn't whether gaps exist. The question is: do you know where they are, and do you have a plan to address them?
Find Your Security Gaps Before Attackers Do
We conduct systematic security assessments using the same CIS Controls framework we used for Clark County's election infrastructure. Let's identify where your vulnerabilities are—and build a realistic plan to address them.
References & Additional Resources
Election Security
- Ohio Secretary of State Directive 2018-15 – Official directive authorizing election security assessments
- Clark State Community College Partnership Announcement
- CIS Elections Infrastructure Security Handbook – Comprehensive framework for election security
CIS Controls Framework
- CIS Controls Version 8 – Current framework documentation
- CIS Benchmarks – Configuration standards for common systems
- CIS Controls Essential Guide – Implementation guidance
Threat Intelligence & Statistics
- Verizon Data Breach Investigations Report (DBIR) – Annual analysis of security incidents
- IBM Security X-Force Threat Intelligence Index – Global threat trends and statistics
- Cybersecurity Ventures Annual Reports – Industry statistics and projections
- CISA Cybersecurity Advisories – Current threat information from US government