The Cybersecurity and Infrastructure Security Agency (CISA) just released a new Cyber Essentials kit for small businesses. CISA is part of the Department of Homeland Security and focuses on making the nation’s businesses more secure in the face of increasing cyber threats.
The goal is to help small businesses more thoroughly understand the cybersecurity risks they face. While many small businesses understand other, more physical risks to their businesses, the same is not true when it comes to cybersecurity.
CISA has defined six Cyber Essentials for small businesses to focus on and act on. They are: drive cybersecurity strategy, investment and culture; develop a heightened level of security awareness and vigilance; protect critical assets and applications; ensure only those who belong in your digital workplace have access; make backups and avoid loss of information critical to operations; and limit damage and restore normal operations quickly.
The first tool CISA has released is a PDF every business should display in their workplace. It carries the tag line “Your success depends on Cyber Readiness. Both depend on YOU. Cyber risks threaten a business’s ability to operate and access data. They also impact your reputation and the trust of your clients. Cyber risks can negatively impact your bottom line and threaten a business’s ability to survive.”
In trying to raise awareness and create a culture of cybersecurity awareness, the tool recommends establishing yourself as a leader, especially if you manage personnel. As with anything, lead by example. You want your staff to have a heightened awareness of threats and to exercise extreme vigilance. The vast majority of successful data breaches trace back to an individual who was compromised. This can be the result of using a weak password, reusing the same password in multiple places, clicking a link or opening an attachment. The important message here is that the breach was not a technical failure, per se. It was a human failure.
While human error accounts for significant risk, that doesn’t mean you can ignore your systems. You must take the steps to properly protect your critical assets and information. Layered technical defenses that leverage next-generation technologies are the best we have seen. Your IT team should be implementing these latest tools and techniques to keep you safe from the network perimeter down to every device you use for your work.
Other areas of focus are your surroundings, your data and how you respond in a crisis. In other words, be sure you don’t allow unauthorized individuals onto your network. Many bad actors use social engineering, and even physical approaches to key employees, to uncover ways onto the network. Once they gain access, they could use your computing resources to launch attacks on others, or simply lurk in the background until they find something of value they can exploit for gain.
You must ensure your data is properly backed up and that the backups themselves are safeguarded from risk once they have been taken. Ransomware has been known to reach into backup systems and encrypt backups, just as it does your live data. Should this happen, you could find yourself unable to recover from an event.
Should an event take place, how you respond will be critical. Your reputation as a business could be at risk, and how you respond will impact the trust your customers and business partners have in you moving forward. You must have a clear incident response plan that dictates your response. Having this plan is step one. Practicing the plan is imperative. You don’t want to implement your response without having played it out and identified weaknesses. The survival of your business may depend on it.
Visit www.cisa.gov, click on the Cyber Essentials banner, and review the information available to help you and your business. It will be time well spent.