Blog

CISA Cybersecurity Essentials for Small Business Leaders

January 2, 2020 | Articles

CISA Cybersecurity Essentials for Small Business Leaders

CISA Cyber Essentials

The United States Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) recommends that small business leaders develop an actionable understanding of cybersecurity basics and best practices. They have published a Cyber Essentials Guide to help small business leaders understand the importance of building a “Culture of Cyber Readiness.” The guide addresses the six Essential Elements and a checklist of actions.

Easy Targets, Significant Impact

The CISA Cybersecurity Essentials are consistent with the NIST Cybersecurity Framework and designed as a starting point for small business cyber readiness. Most small businesses think that cybercriminals have “bigger fish to fry,” but in reality, small organizations are easier targets. In fact, two of the most notable enterprise breaches in history were traced back to stolen credentials that were obtained during attacks on smaller supply chain partners.

Just one successful cyber attack can significantly impact your organization’s:

  • Operations
  • Data
  • Reputation
  • Revenue
  • Profitability
  • Survival

Creating a Cyber Readiness Culture

The CISA Cyber Essentials guide helps you understand how to protect your business from these risks and create a culture of cyber readiness with six essential elements. The six elements are:

  • Yourself
  • Your Staff
  • Your Systems
  • Your Surroundings
  • Your Data
  • Your Actions Under Stress

While the guide walks business leaders through the components and importance of each of these elements, they also provide three “Things to Do First.” These three technical recommendations create a basic foundation for all other cybersecurity policies, procedures, and controls you can add. The three things to do first are:

  • Employ a Data Backup Solution
  • Add Multifactor Authentication
  • Take Control of Patch & Update Management

Compliance Requirements

Most small business IT teams can implement these best practices without much help.  But, as you start to ask questions about your cyber readiness, you will likely uncover areas of your business where the policies, procedures, and controls are not optimal. You may even find that your partners have higher security standards or compliance requirements than your current internal processes. This is where you may need help from a compliance and cybersecurity expert.

Risk Assessments

Most small businesses don’t have dedicated cybersecurity experts on staff. A local cybersecurity consultant will start with a couple of assessments that will help your board and leadership team better understand your cyber readiness. The first is a Security Risk Assessment. In its simplest form, a security risk assessment will identify all of the assets within your environment, their current security controls, and the associated risks (by assigning scores for “consequence” and “likelihood”). Once you have the results of a risk assessment, you can determine how to prioritize and treat the risks. The second assessment is a Vulnerability Assessment. This assessment looks at your assets and determines how well your team implemented the third step of the “Things to Do First” list above. It’s a great way to establish checks and balances within your environment for patches and updates. This service is also available as a monthly managed service for regular patch and update analysis.

Cybersecurity Consultants

A cybersecurity consultant can help you understand your industry’s compliance requirements. Your supply chain partners and customers may have minimum information security requirements that you need to meet. Complying with these contractual terms is crucial, but if each partner requires a different cybersecurity framework, it can get confusing. A consultant can help you select an appropriate framework that balances your internal requirements with the requirements of your current suppliers and customers. Cybersecurity consulting organizations often offer a Virtual Chief Information Security Officer (vCISO) service to act as your part-time CISO and help the board of directors, leadership team, and employees understand your cybersecurity risks, posture, and responsibilities.

Cybersecurity Training

Learning cybersecurity concepts, terminology, and best practices is an important part of building your cyber readiness culture. Making sure that your employees understand the techniques that threat actors use to phish for credentials, disguise malicious attachments, or distribute malware on USB drives requires purposeful cybersecurity training. Users need to learn the importance of using multifactor security, reporting suspicious emails, and ignoring click-bait. Affordable programs are available to train, test, and assess your team’s ability to act safely and responsibly.

Start with the Essentials

So, where do you begin? Start by taking a look at the CISA Cybersecurity Essentials. Use the guide to develop questions that will start a healthy internal discussion about your information security practices. If you get to a point where you realize you need external help, reach out to us. We’ll help you make sense of it all and get you on your way to developing a cyber readiness culture.

Frequently Asked Questions

Which cybersecurity framework should SMBs use?

Small and midsize businesses often have contracts with larger supply chain partners that require compliance with specific security standards. Finding the best framework for your organization may require the assistance of a cybersecurity consultant to balance your internal, customer, and partner security and privacy requirements (PCI, HIPAA, ISO 27001, NIST, SOC2, GDPR, etc). The consultant will help you prepare for the appropriate certification or attestation and complete the documentation for each customer and partner.

What are small business Cyber Essentials?

The United States Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) prepared a “Cyber Essentials Guide” for small business and local government leaders. The guide is consistent with the NIST Cybersecurity Framework and outlines six (6) elements of a Cyber Readiness Culture. The elements include Yourself, Your Staff, Your Systems, Your Surroundings, Your Data and Your Actions Under Stress. The guide describes how to start implementing organization-wide cybersecurity practices.

How can cybersecurity consultants help businesses?

Most small and midsize businesses are not able to attract, hire, or retain expert cybersecurity personnel. Cybersecurity consultants bring expertise on policies, procedures, controls, and compliance to organizations with limited internal resources. Most consultants can also act as a Virtual Chief Information Security Officer (vCISO). The vCISO will organize the resources and services that a small or midsize business requires to meet customer and supplier information security requirements.

Share this Post with Your Social Media Followers (use the icons on the left or the “Share This” bar on mobile).

Recent Blog Posts

FTC Cybersecurity for Small Business Guides

FTC Cybersecurity for Small Business Guides

BlogRobust FTC ResourcesThe Federal Trade Commission (FTC) offers a great “Cybersecurity for Small Business” website that helps small business leaders learn about cybersecurity basics. Developed in cooperation with the National Institute of Standards and Technology...

Pin It on Pinterest

Share This