Need Help Implementing Cybersecurity Practices?

CISA’s Cyber Essentials is a guide for leaders of small businesses to develop an actionable understanding of where to start implementing organizational cybersecurity practices.

For a deeper look, check out the Cyber Essentials Toolkit, or read the breakdown below for IT and C-suite leadership to work toward full implementation of cybersecurity practices.

Below we’ve highlighted six essential elements. If you have any questions, contact us and an expert will reach out within the hour.

Six essential elements

1. Yourself

You, as leader of your organization, are an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to drive cybersecurity strategy, investment and culture.

Actions For Leaders

  • Lead investment in basic cybersecurity.

  • Determine how much of your organization's operations are dependent on IT.

  • Build a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information.

  • Approach cyber as a business risk.

 Action to Take in Consultation with IT

  • Lead development of cybersecurity policies. 

2. Staff

As users of your organization’s digital equipment and systems, your staff are essential elements of your organization’s Culture of Cyber Readiness. Your task for this element is to develop cybersecurity awareness and vigilance.

Actions For Leaders

  • Develop a culture of awareness to encourage employees to make good choices online.

  • Learn about risks like phishing and business email compromise.

  • Maintain awareness of current events related to cybersecurity, using lessons learned and reported events to remain vigilant against the current threat environment and agile to cybersecurity trends.

 Actions to Take in Consultation with IT

  • Leverage basic cybersecurity training to improve exposure to cybersecurity concepts, terminology, and activities associated with implementing cybersecurity best practices.

  • Identify available training resources through professional associations, academic institutions, the private sector, and government sources.

3. Systems

As the infrastructure that makes your organization operational, your systems are an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to protect critical assets and applications.

Action For Leaders

  • Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at risk from attack.

 Actions to Take in Consultation with IT

  • Leverage automatic updates for all operating systems and third-party software.

  • Implement security configurations for all hardware and software assets.

  • Remove unsupported or unauthorized hardware and software from systems.

  • Leverage email and web browser security settings to protect against spoofed or modified emails and unsecured web pages.

  • Create application integrity and allow listing policies so that only approved software is allowed to load and operate on your systems.

4. Surroundings

As your organization’s digital workplace, this is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to ensure only those who belong to your digital workplace have access to it.

Actions to Take in Consultation with IT

  • Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).

  • Leverage multi-factor authentication for all users, starting with privileged, administrative, and remote access users.

  • Grant access and admin permissions based on need-to-know and least privilege.

  • Leverage unique passwords for all user accounts.

  • Develop IT policies and procedures addressing changes in user status (transfers, termination, etc.).

5. Data

Your data, intellectual property, and other sensitive information are what your organization is built on. As such, it is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to make backups and avoid the loss of information critical to operations.

Action For Leaders

  • Learn how your data is protected.

 Actions to Take in Consultation with IT

  • Learn what information resides on your network. Maintain inventories of critical or sensitive information.

  • Learn what is happening on your network. Manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.

  • Leverage domain name system protection.

  • Leverage malware protection capabilities.

  • Establish regular automated backups and redundancies of key systems.

  • Leverage protections for backups, including physical security, encryption, and offline copies.

6. Crisis Response

As your strategy for responding to and recovering from compromise, this is an essential element of your organization’s Culture of Cyber Readiness. Your task for this element is to limit damage and quicken restoration of normal operations.

 Actions For Leaders

  • Lead development of an incident response and disaster recovery plan outlining roles and responsibilities. Test it often.

  • Leverage business impact assessments to prioritize resources and identify which systems must be recovered first.

  • Learn who to call for help (outside partners, vendors, government/industry responders, technical advisors, and law enforcement).

  • Lead development of an internal reporting structure to detect, communicate and contain attacks.

Action to Take in Consultation with IT

  • Leverage in-house containment measures to limit the impact of cyber incidents when they occur.

Contact us to have your questions answered and to help ensure your business is protected from cyber threats.
