Tips for Small Business Cyber Security. CISA Cyber Essentials.
In a connected world, cyber-attacks are a growing threat to small and medium-sized businesses. Often, such threats can be prevented with a few basic actions and resources aimed at improving the company’s cybersecurity resilience. According to the Cybersecurity and Infrastructure Security Agency (CISA), the leaders of small businesses should take a holistic approach to reducing the organization’s cyber risk. A culture of cybersecurity includes management’s policies, employees’ awareness, and a rigorous assessment of the assets and systems currently in place.
Consistent with the NIST Cybersecurity Framework, CISA’s Cyber Essentials infographic lists the necessary actions for each of the six elements of a culture of cyber readiness. The guide is also useful for small and medium-sized manufacturers who are preparing to do business with the Department of Defense (DoD) or working toward compliance with NIST SP 800-171 or the Cybersecurity Maturity Model Certification (CMMC). Support National Cybersecurity Awareness Month and start protecting your business today!
CISA’s Essential Actions for Building a Culture of Cyber Readiness:
- The Leader
- Led investment in basic cybersecurity.
- Determined how much of their operations are dependent on IT.
- Built a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information.
- Approached cyber as a business risk.
- Led development of cybersecurity policies.
- The Staff
- Leveraged basic cybersecurity training to improve exposure to cybersecurity concepts, terminology and activities associated with implementing cybersecurity best practices.
- Developed a culture of awareness to encourage employees to make good choices online.
- Learned about risks like phishing and business email compromise.
- Identified available training resources through professional associations, academic institutions, private sector, and government sources.
- Maintained awareness of current events related to cybersecurity, using lessons learned and reported events to remain vigilant against the current threat environment and agile to cybersecurity trends.
- The Systems
- Learned what is on their network. Maintained inventories of hardware and software assets to know what is in-play and at-risk from attack.
- Leveraged automatic updates for all operating systems and third-party software.
- Implemented secure configurations for all hardware and software assets.
- Removed unsupported or unauthorized hardware and software from systems.
- Leveraged email and web browser security settings to protect against spoofed or modified emails and unsecured webpages.
- Created application integrity and whitelisting policies so that only approved software is allowed to load and operate on their systems.
- The Surroundings
- Learned who is on their network. Maintained inventories of network connections (user accounts, vendors, business partners, etc.).
- Leveraged multi-factor authentication for all users, starting with privileged, administrative and remote access users.
- Granted access and admin permissions based on need-to-know and least privilege.
- Leveraged unique passwords for all user accounts.
- Developed IT policies and procedures addressing changes in user status (transfers, termination, etc.).
- The Data
- Learned what information resides on their network. Maintained inventories of critical or sensitive information.
- Established regular automated backups and redundancies of key systems.
- Learned how their data is protected.
- Leveraged malware protection capabilities.
- Leveraged protections for backups, including physical security, encryption and offline copies.
- Learned what is happening on their network. Managed network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.
- The Actions Under Stress
- Led development of an incident response and disaster recovery plan outlining roles and responsibilities, and tested it often.
- Leveraged business impact assessments to prioritize resources and identify which systems must be recovered first.
- Learned who to call for help (outside partners, vendors, government/industry responders, technical advisors and law enforcement).
- Led development of an internal reporting structure to detect, communicate and contain attacks.
- Leveraged in-house containment measures to limit the impact of cyber incidents when they occur.
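The Systems actions above (know what is on the network, remove unsupported or unauthorized software, allow only approved software) all rest on one recurring check: reconciling the software inventory against an approved-software list and vendor lifecycle data. The script below is an added example, not part of CISA’s Cyber Essentials or this page’s original content. The hosts, the installed versions and the allowlist are constructed for illustration, and the end-of-support dates are sample values that should be verified against the vendor’s lifecycle pages before being relied on.

```python
"""Reconcile a software inventory against an allowlist and an end-of-support
table, flagging unauthorized and unsupported software per host."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Installed:
    """One row of a software inventory: what is running where."""
    host: str
    product: str
    version: str


# Constructed sample inventory; hosts and versions are hypothetical.
INVENTORY = [
    Installed("WS-01", "Windows 10", "21H2"),
    Installed("WS-01", "Chrome", "120.0"),
    Installed("WS-02", "Windows 10", "22H2"),
    Installed("WS-02", "TeamViewer", "15.1"),
    Installed("SRV-01", "Windows Server", "2012 R2"),
    Installed("SRV-01", "Java", "8u391"),
]

# Products the business has approved (the allowlist behind an application
# integrity policy). Anything installed that is not listed is unauthorized.
APPROVED = {"Windows 10", "Windows Server", "Chrome", "Java"}

# (product, version) -> vendor end-of-support date. Sample values for this
# example; verify against the vendor's lifecycle page before relying on them.
END_OF_SUPPORT = {
    ("Windows 10", "21H2"): date(2023, 6, 13),
    ("Windows 10", "22H2"): date(2025, 10, 14),
    ("Windows Server", "2012 R2"): date(2023, 10, 10),
}


def unauthorized(inventory, approved):
    """Installed products that are not on the allowlist, per host."""
    return sorted({(i.host, i.product) for i in inventory
                   if i.product not in approved})


def unsupported(inventory, end_of_support, today):
    """Installed (product, version) pairs whose vendor support has ended."""
    findings = []
    for i in inventory:
        end = end_of_support.get((i.product, i.version))
        if end is not None and end <= today:
            findings.append((i.host, i.product, i.version, end.isoformat()))
    return sorted(findings)


def untracked(inventory, approved, end_of_support):
    """Approved software with no lifecycle data. Its support status is
    unknown, so it cannot be shown to be supported or patched."""
    return sorted({(i.product, i.version) for i in inventory
                   if i.product in approved
                   and (i.product, i.version) not in end_of_support})


def report(inventory=INVENTORY, approved=APPROVED,
           end_of_support=END_OF_SUPPORT, today=None):
    """Run all three checks. `today` is an ISO date string (default: now)."""
    as_of = date.fromisoformat(today) if today else date.today()
    return {
        "unauthorized": unauthorized(inventory, approved),
        "unsupported": unsupported(inventory, end_of_support, as_of),
        "untracked": untracked(inventory, approved, end_of_support),
    }


if __name__ == "__main__":
    for section, rows in report(today="2024-01-01").items():
        print(section)
        for row in rows:
            print("  ", *row)
```

The third check matters as much as the first two: an approved product with no lifecycle entry is not known to be supported, which is the gap that lets an unpatched install sit unnoticed. In practice the inventory would come from an endpoint agent or a scanner export rather than a hard-coded list, and the report would be reviewed at the same cadence as patching.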
Looking for help with your organization’s cybersecurity assessment or with NIST SP 800-171 or CMMC compliance? Email us at firstname.lastname@example.org to schedule a free consultation with one of our experts.