Cyber Essentials
CISA's Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices. Download the Cyber Essentials Starter Kit, the basics for building a culture of cyber readiness. For a deeper look and greater insight, check out the Cyber Essentials Toolkits, a set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential. Consistent with the NIST Cybersecurity Framework and other standards, the Cyber Essentials are the starting point to cyber readiness. Managing cyber risks requires building a Culture of Cyber Readiness. The Culture of Cyber Readiness has six Essential Elements:
Yourself
You, as leader of your organization are an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to drive cybersecurity strategy, investment and culture.
Actions For Leaders
- Lead investment in basic cybersecurity.
- Determine how much of your organization's operations are dependent on IT.
- Build a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information.
- Approach cyber as a business risk.
Action to Take in Consultation with IT
- Lead development of cybersecurity policies.
To learn more about how you can drive cybersecurity strategy, investment and culture, explore the Cyber Essentials Toolkit on this element.
Your Staff
As users of your organization's digital equipment and systems, your staff are essential elements of your organization's Culture of Cyber Readiness. Your task for this element is to develop cybersecurity awareness and vigilance.
Actions For Leaders
- Develop a culture of awareness to encourage employees to make good choices online.
- Learn about risks like phishing and business email compromise.
- Maintain awareness of current events related to cybersecurity, using lessons-learned and reported events to remain vigilant against the current threat environment and agile to cybersecurity trends.
Actions to Take in Consultation with IT
- Leverage basic cybersecurity training to improve exposure to cybersecurity concepts, terminology and activities associated with implementing cybersecurity best practices.
- Identify available training resources through professional associations, academic institutions, private sector and government sources.
Your Systems
As the infrastructure that makes your organization operational, your systems are an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to protect critical assets and applications.
Action For Leaders
- Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at-risk from attack.
Actions to Take in Consultation with IT
- Leverage automatic updates for all operating systems and third-party software.
- Implement security configurations for all hardware and software assets.
- Remove unsupported or unauthorized hardware and software from systems.
- Leverage email and web browser security settings to protect against spoofed or modified emails and unsecured webpages.
- Create application integrity and allow listing policies so that only approved software is allowed to load and operate on their systems.
Your Surroundings
As your organization's digital workplace, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to ensure only those who belong on your digital workplace have access to it.
Actions to Take in Consultation with IT
- Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).
- Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.
- Grant access and admin permissions based on need-to-know and least privilege.
- Leverage unique passwords for all user accounts.
- Develop IT policies and procedures addressing changes in user status (transfers, termination, etc.).
Your Data
Your data, intellectual property, and other sensitive information is what your organization is built on. As such, it is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to make backups and avoid loss of information critical to operations.
Action For Leaders
- Learn how your data is protected.
Actions to Take in Consultation with IT
- Learn what information resides on your network. Maintain inventories of critical or sensitive information.
- Learn what is happening on your network. manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.
- Domain name system protection.
- Leverage malware protection capabilities.
- Establish regular automated backups and redundancies of key systems.
- Leverage protections for backups, including physical security, encryption and offline copies.
Your Crisis Response
As your strategy for responding to and recovering from compromise, this is an essential element of your organization's Culture of Cyber Readiness. Your task for this element is to limit damage and quicken restoration of normal operations.
Actions For Leaders
- Lead development of an incident response and disaster recovery plan outlining roles and responsibilities. Test it often.
- Leverage business impact assessments to prioritize resources and identify which systems must be recovered first.
- Learn who to call for help (outside partners, vendors, government/industry responders, technical advisors and law enforcement).
- Lead development of an internal reporting structure to detect, communicate and contain attacks.
Action to Take in Consultation with IT
- Leverage in-house containment measures to limit the impact of cyber incidents when they occur.
Booting Up: Things to Do First
Even before your organization has begun to adopt a Culture of Cyber Readiness, there are things you can begin doing today to make your organization more prepared against cyber risks.
Backup Data
Employ a backup solution that automatically and continuously backs up critical data and system configurations.
Multi-Factor Authentication
Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.
Patch &Update Management
Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.
Webinar
Head over to CISA's YouTube channel to learn about the Cyber Essentials. This introductory webinar provides an overview of foundational cybersecurity principles and simple measures to start applying to your business.
To access the webinar, click here.