As part of National Small Business Week, CISA is sharing practical steps to secure your environment against cyber attacks. As small businesses often don’t have the resources to invest in cybersecurity, they become a target for cyber criminals. Alaina Clark, Assistant Director for Stakeholder Engagement at CISA, shares these four steps in a recent blog post. Members, especially smaller utilities, are highly encouraged to consider taking these basic steps to enhance cyber resilience.

1. Train staff to recognize phishing. Emphasize the harm phishing emails can cause while educating employees on what to look for in a phishing email and encouraging everyone to think before they click on any links or attachments. The most successful phishing messages are the ones designed to elicit an emotional response. Threat actors know that when we react based on emotion, we are less likely to be discerning and often act hastily. Attackers often use urgency accompanied by fear to manipulate victims. Others threat actors take advantage of natural curiosity and even compassion. See the WaterISAC handout attached: Phishing: Don’t Get Hooked on a Feeling.”
2. Require strong passwords. As the first line of defense in stopping criminals from accessing accounts, passwords should be random, unique, and at least 16 characters long. Avoid using the same password for multiple accounts and enable an enterprise-level password manager so that the only password you need to remember is the one for the password manager. One method for implementing strong passwords is to create passphrases that are more easily remembered and more difficult to crack. See the WaterISAC handout attached: What is Longer, Stronger, and Difficult to Guess? (Answer: Hopefully, YOUR password)
3. Require multifactor authentication (MFA). MFA requires more than a password to access your accounts, such as a texted code, biometric scan, or access card. With more than 310 million smartphone users in the U.S., it’s easy to use a smartphone or tablet to implement MFA. It is recommended that MFA be implemented for every account that permits it, especially any account associated with work, school, email, banking, online shopping, and social media. See the WaterISAC handout attached: MFA Can Save the Day!
4. Update any software used for business. Out-of-date software is easily exploited to steal business, employee, and customer data. Enable automatic software updates on connected devices used for business so they automatically get the latest security patches. It is also incredibly important to be aware of any outdated or unsupported software or hardware, so make sure to inventory and update them. If you haven’t always had automatic updates enabled or are using older technology that is no longer supported, don’t assume it’s not important to apply older patches or upgrade your technology. Threat actors know that we have historically been poor in our patching practices, and they do poke around for places to pillage for programs and devices – including workplace and personal – that haven’t had vendor patches applied. See the WaterISAC handout attached: Don’t Hesitate, Automate or Click to Update.

Last October during Cybersecurity Awareness Month, WaterISAC provided four single-page handouts (one per week) for members to pass along to staff for cybersecurity awareness (See attached). These handouts are very relatable to the four steps shared by Assistant Director Clark and dive deeper into each of the areas. They include:

• What is Longer, Stronger, and Difficult to Guess? (Answer: Hopefully, YOUR password)
• MFA Can Save the Day!
• Phishing: Don’t Get Hooked on a Feeling.
• Don’t Hesitate, Automate or Click to Update.

Additional resources from CISA include:

• Secure Our World – CISA’s enduring, year-round cybersecurity awareness program that uses creative campaigns to teach the American public easy ways to stay safe online.
• Local CISA Resources – CISA has regional offices throughout the U.S. where field personnel provide a variety of risk management and response services to help businesses become more resilient to cyber and physical threats.
• National Small Business Week Virtual Summit – This year, CISA is hosting this virtual booth where registered attendees can access resources to boost their cyber resiliency. Hosted by the U.S. Small Business Administration and SCORE, the April 30 – May 1 summit recognizes America’s small businesses for their hard work, ingenuity, and dedication and will feature educational workshops, networking opportunities, and access to other federal resources.