Foundational Measures

Every organization should adopt certain fundamental steps to establish a robust cybersecurity program:

1. Rectify known software security flaws: Refer to the CISA Known Exploited Vulnerabilities (KEV) Catalog to identify any software used by your organization that may have known vulnerabilities. If any are listed, update the software to the latest version as per the vendor’s instructions. Please note that CISA regularly updates the KEV catalog with newly discovered exploited vulnerabilities.

2. Implement Multifactor Authentication (MFA): MFA is a layered security measure that requires two or more authenticators to verify your identity before granting access to your online accounts. This method offers greater protection than just a username and password, as even if one factor is compromised, unauthorized users will be unable to fulfill the second authentication requirement.

3. Cease harmful practices: Take immediate action to replace end-of-life software products that no longer receive updates, replace systems or products that rely on known/default/unchangeable passwords, and adopt MFA for remote or administrative access to critical systems, resources, or databases.

4. Enroll in CISA’s Cyber Hygiene Vulnerability Scanning: This service, which can be registered for by emailing, performs vulnerability scans and delivers a weekly report. The scanning process begins within 72 hours of receiving the necessary paperwork, and organizations will start receiving reports within two weeks.

5. Utilize the Stuff Off Search (S.O.S.) initiative: This initiative aims to reduce internet attack surfaces visible on web-based search platforms, addressing both cyber and physical security exposures.
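One way to carry out the check in step 1, as an added example that is not part of the original guidance or a CISA tool: compare a software inventory against the KEV catalog's JSON feed and list hits with ransomware-linked entries first, then by due date. The field names follow the catalog's published JSON layout; the catalog entries, CVE IDs, vendors, products, and hosts below are constructed placeholders, and `kev_findings` and `norm` are hypothetical names.

```python
import json

# Constructed sample in the KEV JSON layout (placeholder CVE IDs, made-up
# vendors and products). In practice, load the catalog file published by CISA.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-0000-00001", "vendorProject": "ExampleSoft", "product": "Mail Gateway",
  "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-00002", "vendorProject": "ExampleSoft", "product": "Mail Gateway",
  "dueDate": "2024-01-20", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-00003", "vendorProject": "SampleCorp", "product": "VPN Appliance",
  "dueDate": "2024-01-15", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-00004", "vendorProject": "OtherVendor", "product": "Widget",
  "dueDate": "2024-01-05", "knownRansomwareCampaignUse": "Unknown"}
]}""")

# Constructed inventory; names are spelled the way asset tools often record them.
INVENTORY = [
    {"host": "mx01", "vendor": "examplesoft", "product": "Mail  Gateway"},
    {"host": "vpn01", "vendor": "SampleCorp", "product": "VPN appliance"},
    {"host": "web01", "vendor": "ExampleSoft", "product": "Web Server"},
]

def norm(name):
    """Lower-case and collapse whitespace so spelling variants compare equal."""
    return " ".join(name.lower().split())

def kev_findings(catalog, inventory):
    """Return inventory items whose vendor/product appears in the catalog."""
    index = {}
    for vuln in catalog["vulnerabilities"]:
        key = (norm(vuln["vendorProject"]), norm(vuln["product"]))
        index.setdefault(key, []).append(vuln)
    findings = []
    for item in inventory:
        for vuln in index.get((norm(item["vendor"]), norm(item["product"])), []):
            findings.append({
                "host": item["host"],
                "cve": vuln["cveID"],
                "due": vuln["dueDate"],
                "ransomware": vuln.get("knownRansomwareCampaignUse") == "Known",
            })
    # Ransomware-linked entries first, then earliest due date (ISO dates sort as text).
    findings.sort(key=lambda f: (not f["ransomware"], f["due"]))
    return findings

if __name__ == "__main__":
    for f in kev_findings(KEV_SAMPLE, INVENTORY):
        print(f["host"], f["cve"], "due", f["due"], "ransomware" if f["ransomware"] else "")
```

This sketch matches on vendor and product names only and does not compare versions, so each hit still has to be confirmed against the vendor's instructions before updating.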

After making progress on the above measures, organizations can utilize the free services and tools listed below to further mature their cybersecurity risk management. These resources align with the four goals outlined in CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats, which are: reducing the likelihood of a damaging cyber incident; detecting malicious activity quickly; responding effectively to confirmed incidents; and maximizing resilience.