Cyber Essentials


Your success depends on cyber readiness. Both depend on you.

CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices. For a deeper look and greater insight, check out the Cyber Essentials Toolkits, a set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential.

Consistent with the NIST Cybersecurity Framework and other standards, the Cyber Essentials are the starting point to cyber readiness.

Reducing an organization’s cyber risk requires a holistic approach, similar to that taken to address other operational risks. As with other risks, cyber risks can threaten:

  • Your ability to operate or access critical information
  • Your reputation and the trust of your customers and constituents
  • Your bottom line
  • Your organization's survival

Managing cyber risks requires building a Culture of Cyber Readiness. The Culture of Cyber Readiness has six Essential Elements:

Yourself

You, as leader of your organization, are an essential element of your organization’s Culture of Cyber Readiness.

For Leaders

Drive cybersecurity strategy, investment and culture.

Your awareness of the basics makes cybersecurity part of your operational-resilience strategy, and that strategy requires an investment of time and money.

Your investment drives actions and activities that build and sustain a culture of cybersecurity.

For IT Professionals and Service Providers

For this Essential Element, organizations living the Culture of Cyber Readiness have undertaken these Essential Actions:

  • Led investment in basic cybersecurity.
  • Determined how much of their operations are dependent on IT.
  • Built a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information.
  • Approached cyber as a business risk.
  • Led development of cybersecurity policies.

To learn more about how you can drive cybersecurity strategy, investment and culture, explore the Cyber Essentials Toolkit on this element. 

Your Staff

As users of your organization’s digital equipment and systems, your staff are essential elements of your organization’s Culture of Cyber Readiness.

For Leaders

Develop a heightened level of security awareness and vigilance.

For IT Professionals and Service Providers

For this Essential Element, organizations living the Culture of Cyber Readiness have undertaken these Essential Actions:

  • Leveraged basic cybersecurity training to improve exposure to cybersecurity concepts, terminology, and activities associated with implementing cybersecurity best practices.
  • Developed a culture of awareness to encourage employees to make good choices online.
  • Learned about risks like phishing and business email compromise.
  • Identified available training resources through professional associations, academic institutions, private sector and government sources.
  • Maintained awareness of current events related to cybersecurity, using lessons-learned and reported events to remain vigilant against the current threat environment and agile to cybersecurity trends.

Your Systems

As the infrastructure that makes your organization operational, your systems are an essential element of your organization’s Culture of Cyber Readiness.

For Leaders

Protect critical assets and applications.

Information is the life-blood of any business and is often the most valuable of a business’ intangible assets.

Know where this information resides, know what applications and networks store and process that information, and build security into and around each.

For IT Professionals and Service Providers

For this Essential Element, organizations living the Culture of Cyber Readiness have undertaken these Essential Actions:

  • Learned what is on their network. Maintained inventories of hardware and software assets to know what is in play and at risk from attack.
  • Leveraged automatic updates for all operating systems and third-party software.
  • Implemented secure configurations for all hardware and software assets.
  • Removed unsupported or unauthorized hardware and software from systems.
  • Leveraged email and web browser security settings to protect against spoofed or modified emails and unsecured webpages.
  • Created application integrity and whitelisting policies so that only approved software is allowed to load and operate on their systems.

Your Surroundings

As your organization’s digital workplace, your surroundings are an essential element of your organization’s Culture of Cyber Readiness.

For Leaders

Ensure only those who belong on your digital workplace have access.

The authority and access you grant employees, managers, and customers into your digital environment need limits, just as they do in the physical work environment.

Setting approved access privileges requires knowing who operates on your systems and with what level of authorization and accountability.

For IT Professionals and Service Providers

For this Essential Element, organizations living the Culture of Cyber Readiness have undertaken these Essential Actions:

  • Learned who is on their network. Maintained inventories of network connections (user accounts, vendors, business partners, etc.).
  • Leveraged multi-factor authentication for admin privileges and remote access.
  • Granted access and admin permissions based on need-to-know and least privilege.
  • Leveraged unique passwords for all user accounts.
  • Developed IT policies and procedures addressing changes in user status (transfers, termination, etc.).

Your Data

Your data, intellectual property, and other sensitive information are what your organization is built on. As such, they are an essential element of your organization’s Culture of Cyber Readiness.

For Leaders

Make backups and avoid loss of information critical to operations.

Even the best security measures can be circumvented by a patient, sophisticated adversary. Learn to protect your information where it is stored, processed, and transmitted.

Have a contingency plan, which generally starts with being able to recover systems, networks and data from known, accurate backups.

For IT Professionals and Service Providers

For this Essential Element, organizations living the Culture of Cyber Readiness have undertaken these Essential Actions:

  • Learned what information resides on their network. Maintained inventories of critical or sensitive information.
  • Established regular automated backups and redundancies of key systems.
  • Learned how their data is protected.
  • Leveraged malware protection capabilities.
  • Leveraged protections for backups, including physical security, encryption and offline copies.
  • Learned what is happening on their network. Managed network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.

Your Actions Under Stress

As your strategy for responding to and recovering from compromise, your actions under stress are an essential element of your organization’s Culture of Cyber Readiness.

For Leaders

Limit damage and restore normal operations quickly.

Plan, prepare for, and conduct drills for cyberattacks as you would a fire or robbery. Make your reaction to cyberattacks and system failures an extension of your other business contingency plans.

This requires having established procedures, trained staff, and knowing how and to whom to communicate during a crisis.

For IT Professionals and Service Providers

For this Essential Element, organizations living the Culture of Cyber Readiness have undertaken these Essential Actions:

  • Led development of an incident response and disaster recovery plan outlining roles and responsibilities. Tested it often.
  • Leveraged business impact assessments to prioritize resources and identify which systems must be recovered first.
  • Learned who to call for help (e.g., outside partners, vendors, government/industry responders, technical advisors and law enforcement).
  • Led development of an internal reporting structure to detect, communicate and contain attacks.
  • Leveraged in-house containment measures to limit the impact of cyber incidents when they occur.

Booting Up: Things to Do First

Even before your organization has begun to adopt a Culture of Cyber Readiness, there are things you can begin doing today to make your organization better prepared for cyber risks.

Backup Data

Employ a backup solution that automatically and continuously backs up critical data and system configurations. Periodically restore from those backups to confirm they are complete and usable.
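As an added example that is not part of CISA's Cyber Essentials or its toolkits, the POSIX shell script below shows the check that the Your Data actions ("Established regular automated backups", "Leveraged protections for backups") and this Backup Data step imply but do not spell out: an archive is only a backup once it has been restored and compared against the original. It archives a directory, records a SHA-256 manifest that an offline or off-site copy can later be checked against, and performs a restore test. The directory layout and sample files are constructed for the example; `tar`, `sha256sum` and `diff` from a typical Linux install are assumed, and encrypting the archive at rest and moving a copy offline are left to the operator.

```shell
#!/bin/sh
# Added example, not CISA's code: back up a directory, record a SHA-256
# manifest, and prove the archive restores. Assumes tar, sha256sum and diff
# from a typical Linux install; all paths are supplied by the caller.
set -eu

# backup_and_verify SRC DEST
# Archives SRC under DEST, writes DEST/<archive>.sha256, then restores the
# archive into a scratch directory and compares it with SRC. Prints the
# archive path on success; any failure aborts with a non-zero exit (set -e).
backup_and_verify() {
    src=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name="backup-$stamp.tar.gz"
    archive="$dest/$name"
    mkdir -p "$dest"

    # 1. Archive relative to the source's parent so a restore does not
    #    depend on the original absolute path.
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"

    # 2. Record the checksum next to the archive. Copies shipped offline or
    #    off-site can be checked against it later with `sha256sum -c`.
    (cd "$dest" && sha256sum "$name" > "$name.sha256")

    # 3. Restore test: an archive that has never been restored is not a
    #    backup. Unpack into a scratch directory and diff against the source.
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive"
    diff -r "$src" "$scratch/$(basename "$src")" >/dev/null
    rm -rf "$scratch"

    printf '%s\n' "$archive"
}

# verify_archive ARCHIVE
# Returns 0 when ARCHIVE still matches its recorded checksum, non-zero
# otherwise. Run this against the offline copy before trusting it.
verify_archive() {
    archive=$1
    (cd "$(dirname "$archive")" \
        && sha256sum -c --status "$(basename "$archive").sha256")
}

# Demonstration with constructed sample data (not real records).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/data/config"
printf 'id,name\n1,example\n' > "$demo_dir/data/records.csv"
printf '[db]\nhost=localhost\n' > "$demo_dir/data/config/app.ini"
demo_archive=$(backup_and_verify "$demo_dir/data" "$demo_dir/backups")
verify_archive "$demo_archive" && echo "verified: $demo_archive"
```

In a scheduled job, a non-zero exit from either function is the signal to alert on: the restore test catches archives that are silently incomplete, and the checksum check catches copies that were altered or truncated after they were written.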

Multi-Factor Authentication

Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative, and remote access users.

Patch & Update Management

Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.
