What Are CISA’s 4 Steps to Cybersecurity and Why Are They Important?

Written by Kate Lake on October 2, 2023

Share This Article

October is Cybersecurity Awareness Month, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is calling on all of us to “Secure Our World,” with a simple message that calls everyone to action “to adopt ongoing cybersecurity habits and improved online safety behaviors.” This month, the JumpCloud blog will focus on helping you empower everyone in your organization to do their part regarding cybersecurity. Tune in throughout the month for more cybersecurity content written specifically for IT professionals.

For Cybersecurity Awareness Month this year, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) recommends 4 simple steps that can make a big impact on your security posture. 

These four steps are a great way to start building a strong foundation of cybersecurity. Through the month of October, we’ll be sharing tips and tricks to implementing these steps as well as other foundational security measures. 

Let’s dive into what these steps are, why they’re important, and how you can implement them in your organization. 

What Are CISA’s 4 Steps to Cybersecurity?

The following steps are part of a new CISA initiative to encourage cybersecurity and are the focus of Cybersecurity Awareness Month this year. 

  1. Use strong passwords and a password manager.
  2. Turn on multi-factor authentication (MFA).
  3. Recognize and report phishing. 
  4. Update software.

Note: These steps align with CISA’s cross-sector cybersecurity performance goals, which are a more thorough list of security best practices across sectors. These performance goals can act as great guidelines for building a security program.

Why Are These Security Steps Important?

Passwords Are No Longer a Reliable Security Standard

It takes a lot to make a password secure. Password best practices call for passwords that are long, complex, and unique, among other criteria. That’s too much for the average user to remember, given the sheer number of accounts employees today need to do their work. When users are asked to memorize all these passwords, they end up writing passwords down, choosing easy-to-remember (and easy to guess) passwords, sharing them, and requesting resets often. Cutting corners with passwords can create inefficiencies and security vulnerabilities. 

Password managers combat these issues by generating strong passwords and storing them securely, removing the need for users to create or memorize them. Many password managers include helpful security features like secure password sharing, reporting on password health, and storing and autofilling MFA.

The JumpCloud Password Manager even stores passwords locally on endpoints rather than in the cloud. This segments and secures stored secrets, preventing them from being hacked in bulk or becoming a casualty in an attack on a server.

MFA Is Significantly More Secure Than Just a Password

Multi-factor authentication (MFA) helps combat password vulnerabilities by adding an additional layer of verification. With MFA, a bad actor can’t gain access to resources with just a compromised password — they’d have to then hack an additional factor. Often, that additional factor is much harder to compromise than a traditional password, like a biometric or push notification to a mobile device.

When it comes to implementation, MFA should be turned on everywhere. As CISA advises, “Enable multifactor authentication on all your online accounts that offer it, especially email, social media, and financial accounts and use authentication apps or hardware tokens for added security.” 

In addition, don’t underestimate the importance of training. Make sure all employees understand how to use MFA, and create a policy that requires all employees to use MFA. Turning off or circumventing the process negates any of the security benefits. 

Finally, make sure your training program pays special attention to those with high-privilege accounts and those who support MFA enrollment and resets. These are some of the most vulnerable elements of MFA.

Software Exploitation Is All Too Common — and Easy to Prevent 

Software updates often contain patches for known vulnerabilities. Cybercriminals are constantly searching for and exploiting these vulnerabilities to gain unauthorized access to systems and data. By regularly updating software, organizations close these security holes, making it significantly harder for attackers to breach their systems. 

CISA advises to “regularly check manually for updates if automatic updates are not available and keep operating systems, antivirus software, web browsers, and applications up to date.” The best way to ensure regular updates is with a patch manager. JumpCloud’s patch manager automates much of the patch management process with pre-built policies designed for each operating system.

Phishing Is Becoming More Prevalent and Convincing 

According to CISA, “phishing emails, texts, and calls are the number one way data gets compromised.” 

Phishing attacks are evolving with increasing sophistication, employing tactics like spear-phishing and social engineering to target organizations more effectively. This makes employee awareness critical. Consider implementing ongoing training (quarterly is a great place to start) to ensure employees are aware of common phishing tactics, able to recognize them in emails, phone calls, MFA attempts, and other mediums, and equipped to report them correctly.

Start Securing Your SME 

Fortunately, CISA’s four steps to cybersecurity are intended to be quick and easy to implement with a significant positive impact on security. 

JumpCloud ensures security by unifying identities and devices to provide comprehensive, overarching security for small and medium-sized enterprises (SMEs). The following JumpCloud tools are quick wins when it comes to implementing CISA’s four cybersecurity steps:

To learn more about how to secure your SME, download the whitepaper, How to Secure Your SME with JumpCloud and CrowdStrike.

Kate Lake

Kate Lake is a Senior Content Writer at JumpCloud, where she writes about JumpCloud’s cloud directory platform and trends in IT, technology, and security. She holds a Bachelors in Linguistics from the University of Virginia and is driven by a lifelong passion for writing and learning. When she isn't writing for JumpCloud, Kate can be found traveling, exploring the outdoors, or quoting a sci-fi movie (often all at once).

Continue Learning with our Newsletter