Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses.  The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices.  While not binding requirements, the recommendations may inform what CISA and U.S. regulators view as “reasonable” cybersecurity practices.

The guide, which was developed to be consistent with the NIST Cybersecurity Framework and other cybersecurity standards, describes six “essential elements” that organizational leaders can adopt to build a “culture of cyber readiness.”  The guide describes the elements as follows:

  • Yourself: The guide recommends that the leader of a small business drive cybersecurity strategy, investment, and organizational culture. Organizations should approach cybersecurity as a business risk, identify their dependencies on information technology (“IT”), and invest in basic cybersecurity measures while building relationships with key sources of cyber threat information.
  • Your staff: This element focuses on developing the security awareness and vigilance of the organization’s staff through training and education on common cybersecurity risks, such as phishing and business email compromises.
  • Your systems: This element focuses on the importance of protecting critical assets and applications by identifying the applications, networks, and systems that process the organization’s information. This recommendation includes maintaining hardware and software inventories, leveraging automatic updates, and implementing controls including secure configurations and application whitelisting.
  • Your surroundings: This element prioritizes limiting the access and authorizations granted to employees, managers, and customers using an organization’s IT environment. The guidance recommends requiring unique passwords, maintaining inventories of network connections, granting access on a least-privilege basis, and requiring multi-factor authentication (“MFA”) for administrative privileges and remote access.
  • Your data: This element focuses on protection and recovery of an organization’s data. The guidance recommends establishing regular data backups and redundancies for key systems, protecting backups using encryption and offline copies, maintaining inventories of critical or sensitive information, and monitoring network activity while leveraging data protection controls, including malware protection.
  • Your actions under stress: This element refers to implementing controls to limit damage and quicken restoration of normal operations after a cyber incident. These controls should include implementing and regularly testing incident response and disaster recovery plans, utilizing business impact assessments to prioritize resources and restoration timing after an incident, and developing partnerships with outside counsel, vendors, and government agencies who can support an organization in its recovery from a cybersecurity incident.

In addition to these six essential elements, CISA’s guide also includes three steps that CISA recommends that organizations take immediately to improve their protection against cybersecurity risks.  These steps include implementing an automatic and continuous system to back up critical data and system configurations, as well as enabling automatic updates “whenever possible” while testing and deploying patches quickly and replacing unsupported operating systems, applications, and hardware.  CISA’s recommended immediate action steps also include requiring MFA “whenever possible,” noting that it should be required for all users.  At a minimum, however, CISA recommends that organizations start by implementing MFA for privileged, administrative, and remote access users.

In sum, CISA’s Cyber Essentials offers a compact set of steps to reduce cyber risk for small businesses that often lack substantial resources to dedicate to cyber preparedness.  Regardless of an organization’s size, CISA’s Cyber Essentials may offer guidance on which cybersecurity measures it recommends all businesses should have in place.

Tags: CISA, Cyber Essentials, Cybersecurity, Data Protection, Data Security, Department of Homeland Security, DHS
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Read more about Caleb SkeathEmail
Show more Show less