Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses.  The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices.  While not binding requirements, the recommendations may inform what CISA and U.S. regulators view as “reasonable” cybersecurity practices.

The guide, which was developed to be consistent with the NIST Cybersecurity Framework and other cybersecurity standards, describes six “essential elements” that organizational leaders can adopt to build a “culture of cyber readiness.”  The guide describes the elements as follows:

  • Yourself: The guide recommends that the leader of a small business drive cybersecurity strategy, investment, and organizational culture. Organizations should approach cybersecurity as a business risk, identify their dependencies on information technology (“IT”), and invest in basic cybersecurity measures while building relationships with key sources of cyber threat information.
  • Your staff: This element focuses on developing the security awareness and vigilance of the organization’s staff through training and education on common cybersecurity risks, such as phishing and business email compromises.
  • Your systems: This element focuses on the importance of protecting critical assets and applications by identifying the applications, networks, and systems that process the organization’s information. This recommendation includes maintaining hardware and software inventories, leveraging automatic updates, and implementing controls including secure configurations and application whitelisting.
  • Your surroundings: This element prioritizes limiting the access and authorizations granted to employees, managers, and customers using an organization’s IT environment. The guidance recommends requiring unique passwords, maintaining inventories of network connections, granting access on a least-privilege basis, and requiring multi-factor authentication (“MFA”) for administrative privileges and remote access.
  • Your data: This element focuses on protection and recovery of an organization’s data. The guidance recommends establishing regular data backups and redundancies for key systems, protecting backups using encryption and offline copies, maintaining inventories of critical or sensitive information, and monitoring network activity while leveraging data protection controls, including malware protection.
  • Your actions under stress: This element refers to implementing controls to limit damage and quicken restoration of normal operations after a cyber incident. These controls should include implementing and regularly testing incident response and disaster recovery plans, utilizing business impact assessments to prioritize resources and restoration timing after an incident, and developing partnerships with outside counsel, vendors, and government agencies who can support an organization in its recovery from a cybersecurity incident.

In addition to these six essential elements, CISA’s guide includes three steps that CISA recommends organizations take immediately to improve their protection against cybersecurity risks: (1) implementing an automatic and continuous system to back up critical data and system configurations; (2) enabling automatic updates “whenever possible,” testing and deploying patches quickly, and replacing unsupported operating systems, applications, and hardware; and (3) requiring MFA “whenever possible,” noting that it should be required for all users.  At a minimum, however, CISA recommends that organizations start by implementing MFA for privileged, administrative, and remote access users.

In sum, CISA’s Cyber Essentials offers a compact set of steps to reduce cyber risk for small businesses, which often lack substantial resources to dedicate to cyber preparedness.  Regardless of an organization’s size, CISA’s Cyber Essentials may offer guidance on which cybersecurity measures CISA recommends all businesses have in place.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.