The breaches continue despite heightened cybersecurity awareness. To help establish standards, the Cybersecurity and Infrastructure Security Agency (CISA) has issued best practices around nine cybersecurity goals for control systems in response to a July 2021 Presidential Memorandum.
The CISA guidelines establish a minimum level of cybersecurity posture across 16 sectors, many of which include private businesses: sectors whose critical infrastructure supports national defense, critical lifeline sectors (i.e., energy, communications, transportation, and water), and sectors where the failure of control systems could affect safety.
Let’s unpack what’s involved in the CISA guidelines, who should be paying attention, and the steps your company may need to take now.
Setting a cybersecurity baseline
The CISA guidelines are baseline objectives: the minimum cybersecurity practices that should reasonably be in place for all businesses connected to the government. The requirements were developed from standards and controls already released by CISA and the National Institute of Standards and Technology (NIST). They are not as thorough as the controls required by other new government cybersecurity frameworks like the Cybersecurity Maturity Model Certification (CMMC) and the finalized CISA controls that will be released later this year. Instead, companies should view them as the compliance framework that any client would want to see in a SOC 2 Type 2 report.
CISA’s goals and objectives will become controls in the future. There’s nothing new or surprising in the list of best practices, and it’s certainly not an exhaustive list or the only set of cybersecurity measures that US companies should have in place. That said, setting a cybersecurity baseline is an important step. Just as public health and safety requirements protect the public, these guidelines task critical infrastructure owners and operators with protecting national and economic security.
Sage advice for small and mid-sized businesses
While the CISA guidelines are intended for organizations that potentially impact critical U.S. infrastructure, they are also a prescription for all small and mid-sized U.S. businesses. Meeting cybersecurity standards helps protect a business’s data and ability to operate, the U.S. economy, and personal investments.
The guidelines define what must be done while leaving flexibility for how businesses achieve it. They offer best practice advice, like using hybrid cloud tools while hosting data locally to boost security cost-effectively. For the technical aspects, an IT consultant can suggest different options based on a company’s existing structure and systems, allowing them to plan and budget. Importantly, nearly half of the guidelines are not technical, so businesses can begin implementing them independently or use the guidelines as a checklist to see what more they need to be doing.
This is the moment: Four steps to take now
Arguably, cybersecurity has never been more important to U.S. businesses. Prioritizing it and starting now is important for several business-minded reasons:
- Cybersecurity is a change management process. It takes time to turn a ship, especially when onboarding people and devices. Implementing tougher cybersecurity is often easier in brand new companies, where policies are established from the very start. Asking people to change, even for tasks as simple as how they log in to email or shared folders, requires communication, training, and a period of adjustment.
- Sooner equals better. The security best practices outlined by CISA reduce the risk of a ransomware attack. Many small business owners think they are too small to be a target, but they are wrong. Bad actors break into small businesses because they are often less protected. They aren’t looking to make money or steal data; rather, they use the small business as a testbed to work out the kinks in ransomware and to plan larger, more sophisticated attacks. This exact scenario led to the ransomware attack on the City of Atlanta. Investigators traced the roots of the attack back to small businesses in New Jersey, then a small town in Arizona, then the Colorado Department of Transportation, and then eventually to Atlanta.
- Sooner equals cheaper. The cost of ever-evolving cyber protection will continue to increase, so meeting minimum standards now means many companies will be able to update rather than overhaul. This also matters when technical controls and license costs are based on company headcount or the number of devices: it’s less costly to get compliant before you grow. If technical controls and operational processes are established while the company is small, they simply become standard practice as it grows. New user accounts and new hardware assets will be configured with the security protocols from the start, and the processes will be the only ones employees have known. This results in less time and money spent modifying existing assets and going through the change management process with staff.
- Future-proofing. In time, customers and clients will start looking at cybersecurity the way they look at a company’s credit score, writing requirements into RFPs and contracts. Meeting standards like the CISA guidelines ahead of the pack can be a competitive advantage, and it sets companies up to make strategic investments and decisions about cybersecurity rather than reactive ones.
Looking at the CISA guidelines from an implementation perspective, there isn’t anything too challenging or scary for most businesses. Training and awareness, and incident response and recovery, are goals that might require time. The planning, testing, and integration needed to support these goals will undoubtedly be more time-consuming for businesses than implementing the technical configurations and logical controls, which a consultant can complete in a few weeks or months.
Importantly, business owners need to understand that meeting cybersecurity standards doesn’t mean a huge financial outlay or hiring experts. Many options exist for tools and as-needed consultant expertise that keep costs down for policies and procedures, remediation, automation technologies and more.
The CISA guidelines signal that the Federal government, traditionally behind industry, is serious about cybersecurity standards. Now is the time for businesses to get primed and ready to respond, and to pull their weight in contributing to a more secure environment for all.