In line with recent actions taken across the government to enhance the resilience of the nation’s cybersecurity apparatus, the Cybersecurity Infrastructure Security Agency (CISA) recently released a set of best practices for small businesses. These Cyber Essentials, according to CISA, are intended as a starting point to nurture a “culture of security, and specific actions for leaders and their IT professionals to put that culture into actions.”
The Cyber Essentials provide guidance for both organization leaders and IT professionals across six elements:
- Yourself
- Your Staff
- Your Systems
- Your Surroundings
- Your Data
- Your Actions under Stress.
Each element, in turn, provides a number of “Essential Actions” expected of either leaders or IT professionals. For organization leaders, for example, these include creating and driving a comprehensive cybersecurity strategy, developing security awareness among staff, enhancing physical security of information systems, and adopting contingency plans in case of data loss. “Essential Actions” for IT professionals are more heavily focused on implementation of cybersecurity and tracking of outcomes. These encompass implementing secure configurations for all hardware and software assets, establishing automated backups and redundancies of key systems, and developing of an oft-tested incident response and disaster recovery plan, among others.
Cybersecurity Readiness Is Critical – Compliance Is Key
Though voluntary for the time being, these Cyber Essentials speak to a growing emphasis on cybersecurity readiness across government agencies. Most notably, the Department of Defense’s (DoD) recently announced cybersecurity model will soon require contractors to undergo certification by a third party auditor as a prerequisite to contract award.
There is reason to suspect civilian agencies could soon follow suit. This is especially true given the significant adverse impacts of cybersecurity and cyber theft on national security; indeed, according to a recently issued DoD report, cyberattacks have cost U.S. businesses more than $600 billion and threaten to expose sensitive government information to hostile foreign actors. Contractors who act now to secure their networks could therefore find themselves at a significant competitive advantage in the future.
