The Cybersecurity and Infrastructure Security Agency (“CISA”) launched its first installment of its “Cyber Essentials Toolkit” titled, “Yourself, The Leader – Drive Cybersecurity Strategy, Investment, and Culture” on May 29. CISA is developing the Cyber Essentials Toolkit, with the assistance of small businesses, to equip businesses with resources to improve their cybersecurity practices.
CISA will publish six installments coinciding with each of the six “Essential Elements” of the Cyber Essentials Toolkit, which are:
- drive cybersecurity strategy, investment, and culture;
- develop a heightened level of security awareness and vigilance;
- protect critical assets and applications;
- ensure only those who belong on your digital workplace have access;
- make backups and avoid loss of information critical to operations; and
- limit damage and restore normal operations quickly.
The first installment, “Yourself, The Leader – Drive Cybersecurity Strategy, Investment, and Culture,” provides business leaders with information relating to the importance of implementing a culture of cyber readiness. For a business to properly manage cyber risks, CISA recommends that leaders should consider several actions:
- “Approach Cyber as a Business Risk”
Business leaders should evaluate the impact that a cyber breach could cause on employees, customers, business partners, and operations. Given that cybersecurity decisions are “risk-based,” businesses benefit from understanding the benefits of establishing standards, guidelines, and practices to protect critical services from cyber-related risks.
- “Determine How Much of Your Organization’s Operations are Dependent on IT”
Business leaders should develop “‘what-if’ scenarios and an incident response plan to prepare for various cyber events[.]” Leaders preparing ahead of time are better situated when handling incidents than those waiting to make decisions during high-stress situations. Every business leader should consider how much of the organization depends on information technology (“IT”); the higher the dependence, the higher the risk. Such plans should include tabletop exercises to test the company’s readiness to handle an event.
- “Lead Investment in Basic Cybersecurity”
Business leaders should invest in the cybersecurity capabilities of the organization. Investment goes beyond technology; businesses benefit from a properly trained workforce that is well versed in basic cybersecurity risks. This means that business leaders should have conversations with “staff, business partners, vendors, managed service providers, and others [in the] supply chain.”
- “Build a Network of Trusted Relationships for Access to Timely Cyber Threat Information”
Leaders benefit from building and maintaining an “awareness of cybersecurity threats.” Leaders could take advantage of resources offered by CISA, the National Council of Information Sharing and Analysis Centers, Global Cyber Alliance, and more.
- “Lead Development of Cybersecurity Policies”
Business leaders and IT teams should work together to implement up-to-date policies that are understood by the rest of the organization. Leaders and IT could reference respected standards for guidance on implementing cybersecurity programs, such as those offered by the National Institute of Standards and Technology.
Troutman Sanders will continue to monitor new developments in the world of privacy and cybersecurity. To read CISA’s full announcement on its Cyber Essentials Toolkit, click here. For a deeper dive into the first installment or for additional resources, click here.