Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses.  The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices.  While not binding requirements, the recommendations may inform what CISA and U.S. regulators view as “reasonable” cybersecurity practices.

The guide, which was developed to be consistent with the NIST Cybersecurity Framework and other cybersecurity standards, describes six “essential elements” that organizational leaders can adopt to build a “culture of cyber readiness.”  The guide describes the elements as follows:

  • Yourself: The guide recommends that the leader of a small business drive cybersecurity strategy, investment, and organizational culture. Organizations should approach cybersecurity as a business risk, identify their dependencies on information technology (“IT”), and invest in basic cybersecurity measures while building relationships with key sources of cyber threat information.
  • Your staff: This element focuses on developing the security awareness and vigilance of the organization’s staff through training and education on common cybersecurity risks, such as phishing and business email compromises.
  • Your systems: This element focuses on the importance of protecting critical assets and applications by identifying the applications, networks, and systems that process the organization’s information. This recommendation includes maintaining hardware and software inventories, leveraging automatic updates, and implementing controls including secure configurations and application whitelisting.
  • Your surroundings: This element prioritizes limiting the access and authorizations granted to employees, managers, and customers using an organization’s IT environment. The guidance recommends requiring unique passwords, maintaining inventories of network connections, granting access on a least-privilege basis, and requiring multi-factor authentication (“MFA”) for administrative privileges and remote access.
  • Your data: This element focuses on protection and recovery of an organization’s data. The guidance recommends establishing regular data backups and redundancies for key systems, protecting backups using encryption and offline copies, maintaining inventories of critical or sensitive information, and monitoring network activity while leveraging data protection controls, including malware protection.
  • Your actions under stress: This element refers to implementing controls to limit damage and quicken restoration of normal operations after a cyber incident. These controls should include implementing and regularly testing incident response and disaster recovery plans, utilizing business impact assessments to prioritize resources and restoration timing after an incident, and developing partnerships with outside counsel, vendors, and government agencies who can support an organization in its recovery from a cybersecurity incident.

In addition to these six essential elements, CISA’s guide also includes three steps that CISA recommends that organizations take immediately to improve their protection against cybersecurity risks.  These steps include implementing an automatic and continuous system to back up critical data and system configurations, as well as enabling automatic updates “whenever possible” while testing and deploying patches quickly and replacing unsupported operating systems, applications, and hardware.  CISA’s recommended immediate action steps also include requiring MFA “whenever possible,” noting that it should be required for all users.  At a minimum, however, CISA recommends that organizations start by implementing MFA for privileged, administrative, and remote access users.

In sum, CISA’s Cyber Essentials offers a compact set of steps to reduce cyber risk for small businesses that often lack substantial resources to dedicate to cyber preparedness.  Regardless of an organization’s size, CISA’s Cyber Essentials may offer guidance on which cybersecurity measures it recommends all businesses should have in place.