Four Cybersecurity Essentials for Businesses
Strengthening your cybersecurity is crucial to protecting your business from threats that impact customers, the community and critical infrastructure. Start by implementing these four core cybersecurity practices in your business:
- Train employees to avoid phishing
- Require strong passwords
- Require Multifactor Authentication (MFA)
- Update business software
Train Employees to Avoid Phishing

Phishing is a common cyber threat designed to trick employees into clicking fake links, downloading harmful attachments or sharing personal/company details. These actions can expose sensitive information or install malware. The good news is that with proper training, phishing can be prevented.
- Use available training resources. Threat literacy helps staff understand how attackers operate through emails, websites or social engineering and how to respond. Equip your staff by using free training tools from CISA, your IT provider or trade associations.
- Keep employees informed. Designate someone to track emerging threats. Ask them to share updates between trainings. Remind employees to stay alert. If a message feels off, staff should verify it—but not by replying or using any phone number or link in the message. Instead, use a search engine to look up the business’s phone number or use a known contact method you already have.
- Build a culture of cybersecurity. Threats evolve constantly, so once-a-year training isn’t enough. Set the tone by reinforcing safe online practices regularly. Make sure employees know to whom and how to report suspicious emails or phishing attempts. Ongoing education helps staff stay alert and respond quickly.
Require Strong Passwords

Weak or reused passwords make your business an easy target for cybercrimes. Enforce strong password policies to reduce risk and protect accounts.
- Require strong, unique passwords. Protect your business by enforcing policies that require strong passwords. Strong passwords are:
  - Long: At least 16 characters long (more is better)
  - Random: A mix of upper/lowercase letters, numbers and symbols, or a passphrase of 5–7 unrelated words
  - Unique: Used for only one account
- Provide a password manager. A company-wide password manager makes it easier for employees to follow best practices. It generates complex passwords, fills them in and stores them securely. Employees only need to remember one strong master password for the password manager itself.
- Change default passwords. Many products come with default usernames and passwords that are widely known and easily exploited. Require staff to change default credentials before using systems.
Require Multifactor Authentication (MFA)

MFA adds an extra layer of protection by requiring two or more ways to verify a user’s identity. Businesses should aim to use the strongest MFA available, like a phishing-resistant MFA method.
- Require MFA wherever possible. Work with your IT team or provider to turn on MFA across systems like email, file storage and remote access. Enable MFA on all admin accounts and for employees who handle sensitive data. Confirm that all remote access to the organization’s network and all privileged access requires MFA.
- Use the most secure MFA method you can. Some forms are much stronger at keeping attackers out. Preferred methods include:
  - Security key: Use a physical security key (like a YubiKey) to log in. It provides the best protection against phishing and is easy to use.
  - Authenticator app (with number matching): Pushes a prompt to your phone. You enter a number shown on the login screen to confirm.
  - Authenticator app (with one-time code): Generates a new code every 30 seconds. You enter the code on the login screen to confirm.
- Educate your employees. Teach your employees that they are protecting themselves, your company and your customers by taking one quick extra step. Encourage employees to turn on MFA for their personal accounts.
Update Business Software

Keeping software up to date is one of the easiest ways to protect yourself from criminals, who target known vulnerabilities in outdated software to steal sensitive data, including business, employee and customer information.
- Reduce risks with patching and automatic updates. Work with your IT team to establish regular patching procedures and tests. Prioritize critical vulnerabilities, especially for public-facing or legacy systems. Enable automatic updates where possible, including operating systems, applications and third-party software.
- Replace legacy systems and devices. Maintain an up-to-date inventory of authorized devices and applications. Remove or replace any that are outdated or unauthorized.
- Train employees to take updates seriously. Remind staff to enable automatic updates on all devices and software. Make it a policy that staff reboot their devices regularly and pay attention to update notifications. Confirm that your organization's entire network is protected by antivirus/antimalware software and prioritize updates for these tools. Require staff to check with IT before installing new apps on company devices. Confirm that your vendors regularly update their systems.
CISA has free resources, tools and guidance to help businesses implement these best practices. Share these tips with your team!