Organizations need a cybersecurity strategy to protect both infrastructure and customer data from growing cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA) developed the Cyber Essentials as a guide for small businesses and local government leaders to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
During a June 29 webinar with the U.S. Chamber of Commerce, CISA leaders explained how the pillars of the Cyber Essentials give organizations a starting point toward greater resilience by building a corporate culture of cyber readiness.
“From human resources to marketing to sales and procurement, it is almost guaranteed that you rely on one or more digital platforms to facilitate the success of your business operations. The Cyber Essentials are a series of tools and practices that we have assembled to provide what we consider to be the basics of cyber organizational readiness,” Trent Frazier, deputy assistant director of the Stakeholder Engagement Division at CISA, said.
The Cyber Essentials takes a holistic approach to cyber readiness, stepping outside the IT silos and addressing cybersecurity at the broader organizational level, where every team, not only IT, shapes the organization’s cybersecurity practices.
Creating a Culture of Cyber Readiness
The Cyber Essentials consists of six pillars. Pillar one, and the most important pillar according to Frazier, is leadership. Leaders of an organization are an essential element of a business’s culture of cyber readiness.
Therefore, leaders must push investments in essential cybersecurity, determine how much of the organization’s operations depend on IT, build a network of trusted relationships with sector partners and government agencies to access timely cyber threat information, and approach cyber as a business risk.
“Cybersecurity has broad implications for every aspect of an organization and its success. Therefore, addressing it requires influence from the top, from the leader,” Frazier said.
The second pillar is the staff. As users of an organization’s digital equipment and systems, the staff is an essential element of an organization’s cyber readiness. The task for this element is to develop cybersecurity awareness and vigilance.
“Leaders must develop a culture of awareness to encourage employees to make good choices online, make sure that staff members learn about cyber risks like phishing, and ensure that staff remains vigilant against the current threat environment and agile to cybersecurity trends,” Bradford Willke, senior advisor for Stakeholder Engagement at CISA, said.
Systems and Data Environment in Cyber Readiness
In the third pillar, systems, leaders are instructed to learn what is on their network and maintain inventories of hardware and software assets, so they know what is in play and what is at risk of attack.
“It is also crucial that an organization’s digital workplace is secured so only those who belong on the digital workplace have access to it,” Willke said.
In the fourth pillar, the guide instructs leaders to learn who is on the network, maintain inventories of network connections such as user accounts, vendors, and business partners, and leverage multi-factor authentication for all users, starting with privileged, administrative, and remote access users.
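The third and fourth pillars both come down to keeping an inventory and checking the live environment against it. The following is an added example of what such a check looks like in practice; it is not CISA’s code and not part of the Cyber Essentials. It compares a constructed hardware baseline against a constructed discovery scan (the kind of list an ARP table or DHCP lease file would give), and walks a constructed account inventory to find accounts without multi-factor authentication, ordered privileged first, then remote, then everyone else, as the guidance suggests, plus accounts that have gone idle. Every device, account name, MAC address and date below is made up for illustration.

```python
"""Inventory checks for the 'systems' and 'who is on the network' pillars.

Added example, not CISA's code. All data is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical hardware baseline: MAC address -> asset name (constructed).
HARDWARE_BASELINE = {
    "00:1a:2b:3c:4d:01": "finance-laptop-01",
    "00:1a:2b:3c:4d:02": "hr-laptop-02",
    "00:1a:2b:3c:4d:03": "file-server-01",
}

# Hypothetical discovery scan, e.g. ARP table or DHCP leases (constructed).
DISCOVERED_DEVICES = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.0.0.11"},
    {"mac": "00:1a:2b:3c:4d:03", "ip": "10.0.0.5"},
    {"mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.0.77"},   # not in the baseline
]


@dataclass(frozen=True)
class Account:
    name: str
    kind: str           # "employee", "vendor" or "partner"
    privileged: bool    # administrative rights
    remote: bool        # VPN / remote access
    mfa: bool           # multi-factor authentication enrolled
    last_login: date


# Hypothetical account inventory covering staff, vendors and partners (constructed).
ACCOUNTS = [
    Account("jdoe", "employee", False, False, True, date(2022, 6, 25)),
    Account("admin-backup", "employee", True, False, False, date(2022, 6, 28)),
    Account("vendor-hvac", "vendor", False, True, False, date(2021, 11, 2)),
    Account("partner-acme", "partner", False, True, True, date(2022, 6, 20)),
    Account("msp-support", "vendor", True, True, False, date(2022, 6, 29)),
]

# Date the constructed snapshot was taken; used for the idle-account check.
SNAPSHOT_DATE = date(2022, 6, 29)


def unknown_devices(baseline, discovered):
    """Devices seen on the network that are not in the hardware inventory."""
    return [d for d in discovered if d["mac"] not in baseline]


def missing_devices(baseline, discovered):
    """Inventory entries that did not show up in discovery (lost, offline or retired)."""
    seen = {d["mac"] for d in discovered}
    return sorted(name for mac, name in baseline.items() if mac not in seen)


def mfa_gaps(accounts):
    """Accounts without MFA, ordered privileged -> remote -> everyone else.

    A False in the key sorts first, so privileged accounts lead, then remote ones.
    """
    gaps = [a for a in accounts if not a.mfa]
    return sorted(gaps, key=lambda a: (not a.privileged, not a.remote, a.name))


def stale_accounts(accounts, today, max_idle_days=90):
    """Accounts with no login within max_idle_days; candidates for review or removal."""
    return sorted(a.name for a in accounts
                  if (today - a.last_login).days > max_idle_days)


def report(today=SNAPSHOT_DATE):
    """Run all four checks against the constructed data and return the findings."""
    return {
        "unknown_devices": [d["mac"] for d in unknown_devices(HARDWARE_BASELINE, DISCOVERED_DEVICES)],
        "missing_devices": missing_devices(HARDWARE_BASELINE, DISCOVERED_DEVICES),
        "mfa_gaps": [a.name for a in mfa_gaps(ACCOUNTS)],
        "stale_accounts": stale_accounts(ACCOUNTS, today),
    }


if __name__ == "__main__":
    for finding, items in report().items():
        print(f"{finding}: {items}")
```

The MFA ordering is the point worth noting: the two accounts that are both privileged and remote surface first, which is where an attacker with a stolen password does the most damage and where the guidance says to start. The stale-account check is what turns the vendor and partner part of the inventory into action, since third-party accounts tend to outlive the engagement that created them.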
The fifth pillar is the data, intellectual property, and other sensitive information within an organization. Leaders and staff are tasked with learning how to protect their data, such as “making backups to avoid loss of information critical to operations,” Willke said.
Responding and Recovering from a Crisis
According to Willke, an organization’s strategy for responding to and recovering from a compromise is an essential element of cyber readiness, and one that should be grounded in business principles.
The last pillar in the Cyber Essentials is crisis response, which focuses on limiting damage and restoring normal operations quickly after a cyber-attack.
The Cyber Essentials tasks leaders with developing an incident response and disaster recovery plan that outlines roles and responsibilities, and with testing it often. Leaders must also use business impact assessments to prioritize resources and identify which systems must be recovered first, learn whom to call for help (outside partners, vendors, government and industry responders, technical advisors, and law enforcement), and lead the development of an internal reporting structure to detect, communicate, and contain attacks.