On July 1, the Cybersecurity and Infrastructure Security Agency (“CISA”) launched its second installment of the “Cyber Essentials Toolkit” titled, “Your Staff, The Users.” This installment follows last month’s “Yourself, The Leader,” where CISA provided business leaders with information to better implement a culture of cyber readiness within organizations. To read more about the first installment, check out Troutman Pepper’s post by clicking here.
CISA’s installments coincide with six elements the organization deems essential—and includes them as part of the Cyber Essentials Toolkit; they are:
- Drive cybersecurity strategy, investment, and culture;
- Develop a heightened level of security awareness and vigilance;
- Protect critical assets and applications;
- Ensure only those who belong on your digital workplace have access;
- Make backups and avoid loss of information critical to operations; and
- Limit damage and restore normal operations quickly.
This second installment emphasizes the importance of security awareness and vigilance among staff to better protect critical assets and applications, such as those required to maintain a remote staff connected during the COVID-19 pandemic. Since March of this year, organizations and staff are increasingly dependent on more devices and different network entry points—increasing the cyber risk within each organization. The increase in cyber risk means there must also be an increase in cyber vigilance. Below are five things leaders and staff can begin to do today to mitigate cyber risk:
1. “Leverage Basic Cybersecurity Training”
Provide staff with a basic understanding of potential threats they may encounter. Through basic cybersecurity training, leaders have the opportunity to provide staff with tools to better recognize and avoid risks to an organization, such as threats relating to installation or usage of untrusted applications, utilization of weak or default passwords, social engineering and phishing attacks, and user-disabled security controls. For each staff member trained in basic cybersecurity, businesses strengthen network controls by mitigating the greatest risk for compromise, human error. Don’t know where to find cybersecurity-related training courses? Check out CISA’s National Initiative for Cybersecurity Careers and Studies to learn more.
2. “Develop a Culture of Awareness to Encourage Employees to Make Good Choices Online”
Leaders should actively promote a culture of cyber awareness. This should start with the business leaders themselves taking time for training, applying sound cyber hygiene rules, and not demanding short-cuts around those controls. Leaders should champion specific behaviors that encourage good cyber hygiene, such as staff using strong and various passwords throughout systems (and distinct from passwords used for personal accounts); leaders could also implement guidelines and policies requiring staff to update passwords periodically, and with specific minimum character type requirements. CISA also recommends that staff could be encouraged and reminded to “participate in awareness campaigns like Stop. Think. Connect. and National Cybersecurity Awareness Month.” Curious to learn more about the negative implications arising from security breaches? Click here to read Troutman Pepper’s most recent review of privacy and data breach class action lawsuits brought against businesses, and the lessons they may provide leaders and staff.
3. “Learn About Risks Like Phishing and Business Email Compromise”
Provide staff with the negative practical implications of successful phishing and e-mail compromise incidents. Leaders could accomplish this by first alerting staff of potential tactics, specifically tailored to the business, then by ensuring staff are aware of the procedures for reporting suspicious activity or attempts. Also, check out Troutman Pepper’s post, where we discuss several email-related threats during COVID-19. For additional information, visit the Federal Bureau of Investigation’s resources section.
4. “Identify and Use Available Training Resources”
When leveraging basic cybersecurity training, businesses need not create their training materials. CISA recommends that leaders look to “professional organizations, industry associations and academic institutions, as well as private sector and government networks” that may provide free resources. Small businesses could look to organizations, such as the Small Business Administration or Information Systems Audit and Control Association (“ISACA”)—each providing a myriad of resources.
5. “Maintain Awareness of Current Events Related to Cybersecurity”
Finally, leaders must encourage their staff to stay alert of new cyber-related developments. CISA recommends that members of any business should continually ask themselves:
- What types of cyberattacks are hitting my peers or others in my industry?
- Which tactics were successful in helping my peers limit damage?
- What does my staff need to know to help protect the organization and each other?
- On a national level, are they are any urgent cyber threats my staff need to know?
There are many ways leaders and staff could stay up to date. Consider subscribing to free resources such as: “The OUCH!” newsletter and the IAPP’s United States Privacy Digest. Troutman Pepper also offers many free cyber-related resources, such as through our COVID-19 Resource Center and the Consumer Financial Services Law Monitor.
Please stay tuned as Troutman Pepper will continue to monitor new developments in the world of privacy and cybersecurity. For a deeper dive into the second installment, with additional references to resources, click here.