Managing cyber risks requires building a culture of cyber readiness, the Cybersecurity and Infrastructure Security Agency (CISA) told small organizations in its published infographic Cyber Essentials.
The project, which was developed in partnership with small businesses and state, local, tribal, and territorial governments, aims to equip organizations with basic steps and resources to improve their cybersecurity resilience. According to CISA, the steps are consistent with the NIST Cybersecurity Framework and other standards and meant as a starting point to cyber readiness.
Here are six essentials for leaders in small organizations to build a culture of cyber readiness:
- Operations. Make cybersecurity a major part of your operational resilience strategy.
- Awareness. Develop the staff’s security awareness and vigilance and the skills to practice and maintain readiness.
- Information. Know where information resides, what applications and networks store and process that information, and build security into and around these.
- Access. Know who operates on your systems and with what level of authorization and accountability.
- Plan. Draw up a contingency plan, starting with being able to recover systems, networks, and data from known, accurate backups.
- Prepare. Plan, prepare for, and conduct drills for cyber attacks as you would a fire.
For IT professionals within small organizations, here are a few essentials to build a culture of cyber readiness. Things to do first:
- Backup data. Employ a backup system that automatically and continuously backs up critical data and system configuration.
- Multi-factor authentication. MFA should be required of all users. Start with privileged, administrative and remote access users.
- Patch and update management. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.
Then there’s a partial list of six essentials for IT professionals, based on organizations with a culture of cyber readiness:
- Built a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information.
- Develop a culture of cyber awareness to encourage employees to make good choices online.
- Maintain inventories of hardware and software assets to know what is in play and at risk.
- Maintain inventories of network connections, including user accounts, vendors, partners, etc.
- Maintain data inventories of critical or sensitive information.
- Lead plan development of an incident response and disaster recovery map.