Importance of cybersecurity fundamentals for businesses

Michael McCarthy, External Affairs, CISA Region 1

At the Cybersecurity and Infrastructure Security Agency (CISA), we understand that businesses across New Hampshire face unique challenges when dealing with cyber risks, such as ransomware. We all want the best defenses, but money can be an issue, especially for small and medium-sized businesses who are constrained by a smaller, limited operating budget and fewer IT staff than a larger business.   

But in today’s connected world, business leaders must view cyber risk as a core business risk, no less important than the financial, regulatory and competitive risks you face. For a whopping 83% of companies, it’s not a question of if a data breach will happen, but when.

The best thing a small business can do to enhance their businesses cybersecurity is to get the fundamentals right.  

The cybersecurity basics are still the basics—the foundation of good security is the same regardless of size or mission of your organization. 

CISA’s Cyber Essentials is a starting point for small businesses to understand and address cybersecurity risk as they do other risks. Developed in collaboration with small businesses and state and local governments, Cyber Essentials aims to equip smaller organizations with basic steps and resources to improve their cybersecurity. 

Here are some simple steps that you and your business can take today to improve your cybersecurity posture: 

Tip 1: Practice good cyber hygiene

• Establish and enforce strong password requirements for all users and require multi-factor authentication (MFA) for all remote users and those with administrative access. 
• Enable auto-update for software where possible. Where auto-update is unavailable or infeasible, prioritize updating applications that are accessible via the Internet. 
• Consider using a Managed Security Provider (MSP) for many security services. Consider using a Cloud Service Provider (CSP) to host your organization’s data, applications, and services. Particularly consider using a Software-as-a-Service provider for email and workplace productivity solutions, such a Google Workspace or Microsoft Office365.

Tip 2: Train your staff 

• Avoid phishing schemes by educating your employees about thinking before they click. More than 90% of successful cyber-attacks start with a phishing email. 
• Ensure that resources are in place to identify and quickly assess any unexpected or unusual network behavior, whether via MSP or the organization’s own personnel device.  

Tip 3: Prepare to respond if an incident does occur

• Assure availability of key personnel; identify means to provide surge support for responding to an incident. 
• Develop a cyber incident response plan and conduct exercises to ensure employees understand their roles during an incident. 
• Ensure that critical data is backed up. Test backup procedures to ensure that critical data can be rapidly restored and ensure that your backups are isolated from network connections. 

Tip 4: Read and use CISA’s free cybersecurity resources

CISA makes available several resources, at no cost, for organizations and businesses looking to improve their cybersecurity practices. Here are a few:

• CISA offers guidance on important risk management considerations. 
• When adopting a cloud service, review CISA’s guidance on cloud security. 
• CISA’s Cyber Essentials guide helps small businesses owners and leaders just starting their journey to implement cybersecurity practices into their organizations.
• Review and use our list of free cybersecurity tools and services — a living repository that houses cybersecurity services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.
• We also recommend following our 4 Things You Can Do To Keep Yourself Cyber Safe tips, reading the Bad Practices to avoid, and checking out our Cyber Hygiene Services.
• Lastly, small business owners should sign up for the National Cyber Awareness System to ensure that your business has access to timely information about security topics and threats. 

While ransomware and cyber-attacks are on the rise among small and medium sized businesses, the good news is that you can take steps now to avoid becoming a victim in the first place and lessen the impact if an incident does occur.

For more information, visit CISA’s small business webpage — www.cisa.gov/small-business — which includes specialized information and resources. 

At the end of the day, we are dedicated to working with the business community to provide the information you need to keep your networks secure and safe. CISA’s regionally based advisors are located throughout New England to work directly with your states, and we encourage you to contact us for support.  Contact: CISAregion1@cisa.dhs.gov