In an effort to help small businesses and state and local governments improve their cyber security posture, the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a set of guidelines to help these entities organize and implement best practices.
The Cyber Essentials include six actionable items to reduce risk and six essential elements to help guide leaders and information technology professionals and services providers within small businesses and governments.
CISA officials in September and October began discussing the Cyber Essentials broadly as a way to help resource-challenged organizations have a framework for bolstering their cyber security (Defense Daily, Oct. 3). Like the National Institute for Standards and Technology Cybersecurity Framework, which was developed through public and private efforts during the Obama administration, the Cyber Essentials are viewed by CISA as “the starting point to cyber readiness,” the Department of Homeland Security agency says.
“When it comes to collective defense, we are only as strong as our weakest link, which is why CISA is committed to raising the bar in cybersecurity across all companies and government, regardless of size,” Christopher Krebs, director of CISA, said in a statement. “Cyber Essentials are designed for those small businesses and local governments that don’t have abundant resources—where the CEO is also the chief information officer, head of marketing and HR—who are looking for where to start. This is a set of cybersecurity practices that are easy to adopt and understand and together constitute ‘the basics.’”
The six essentials are yourself, your staff, your systems, your surroundings, your data, and your actions under stress. Yourself refers to the particular organization and recommends that leaders “Drive cybersecurity strategy, investment and culture” that leaders, working with their IT professionals, understand what operations are dependent on IT, approach cyber as a business risk, and develop cybersecurity policies.
The actionable items, which overlap in part with the essentials, recommended by CISA include driving cybersecurity strategy, investment and culture, developing heightened level of security awareness and vigilance, protecting critical assets and applications, ensuring only those who belong on your digital workplace have access, making backups and avoiding loss of info critical to operations, and limiting damage and restoring normal operations quickly.
The Cyber Essentials also include a brief section on steps that organizations can take immediately to build readiness and be more prepared. These include continuously backing up critical data, requiring multi-factor authentication to access systems, and automatically patching and updating applications, systems and hardware when possible.