The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) today released its Cyber Essentials guide, which it describes as “a starting point for small businesses and government agencies to understand and address cybersecurity risk as they do other risks.”
“When it comes to collective defense, we are only as strong as our weakest link, which is why CISA is committed to raising the bar in cybersecurity across all companies and government, regardless of their size,” said CISA Director Christopher Krebs. “Cyber Essentials are designed for those small businesses and local governments who don’t have abundant resources – where the CEO is also the chief information officer, head of marketing and HR – who are looking for where to start.”
The Cyber Essentials, developed in partnership with small businesses and state and local governments, are intended to help smaller organizations and governments that “historically have not been a part of the national dialogue on cybersecurity” with simple steps and resources to shore up their cybersecurity posture.
The guide is broken down into two parts: principles that organization leaders can use to develop “a culture of security,” and specific actions for both leaders and IT professionals to put that culture into action.
The guide covers six Cyber Essentials and actionable items that assist in reducing cyber risks:
- Yourself: Drive cybersecurity strategy, investment, and culture;
- Your Staff: Develop [a] heightened level of security awareness and vigilance;
- Your Systems: Protect critical assets and applications;
- Your Surroundings: Ensure only those who belong on your digital workplace have access;
- Your Data: Make backups and avoid loss of info critical to operations; and
- Your Actions Under Stress: Limit damage and restore normal operations quickly.
CISA also details actions that organizations and governments can take before they even begin to adopt the Cyber Essentials:
- “Backup Data: Employ a backup solution that automatically and continuously backs up critical data and system configurations.
- Multi-Factor Authentication: Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.
- Patch and Update Management: Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.”