The Official Baldrige Blog

6 Cybersecurity Tips to Protect Your Business


Building a cybersmart organization in today’s fast-moving digital world requires a framework and system for benchmarking security efforts. Consider using the free Baldrige Cybersecurity Excellence Builder (BCEB), a self-assessment tool that blends organizational assessment approaches from the Baldrige Excellence Framework® with the concepts and principles of NIST's Cybersecurity Framework. The BCEB’s goals are to

  • help organizations understand the robustness and effectiveness of cybersecurity programs and practices,
  • help organizations gauge how cybersecurity efforts align to organizational strategy,
  • emphasize tracking and use of performance metrics to drive decision making,
  • spread effective use of NIST’s Cybersecurity Framework, and
  • support the Baldrige Performance Excellence Program’s purpose of improving organizations’ performance and sustainability/competitiveness.

Chart showing relationship between the Framework for Improving Critical Infrastructure Cybersecurity and the Baldrige Excellence Framework for the Baldrige Cybersecurity Excellence Builder.


How the BCEB Helps Leaders and Managers

The BCEB is intended for use by leaders and managers who are concerned with and responsible for an organization’s mission-driven, cybersecurity-related policy and operations. It is most valuable as a voluntary self-assessment of an entire organization’s cybersecurity risk management program; it is also useful in assessing a subunit, multiple subunits, or parts of an organization. Ideally, suppliers and partners also should use the BCEB since they can have immediate and extensive impacts on cybersecurity risks.

The BCEB guides users toward a better understanding of the effectiveness of cybersecurity risk-management efforts and identifies improvement opportunities in the context of their overall organizational performance while illuminating key information about

  • organizational and cybersecurity leaders, 
  • cybersecurity in the context of the organization’s overall strategy, 
  • cybersecurity needs and expectations of internal and external customers, 
  • measurement of cybersecurity performance in the context of overall performance measurement, 
  • the overall workforce and the workforce with special cybersecurity responsibilities, 
  • the overall and cybersecurity-specific suppliers and partners, 
  • cybersecurity operations and their alignment with overall operations,
  • cybersecurity risks in the context of broader enterprise risks, and 
  • results related to each of these areas. 

The questions in the BCEB lead users to manage all areas affected by cybersecurity in alignment with their organization’s characteristics, environment, and strategy.

Cybersecurity Is Everyone’s Job

It is often said that a team is only as strong as its weakest player, and the best defense is a good offense. To manage risks and ensure continuity of operations, it’s imperative that leaders and managers take a direct role in motivating their workforce to remain cyber aware—especially in today’s maximum telework space, where so many remote workers are connecting to network services from outside their organization’s boundaries. 

Think of cybersecurity as a team sport, in which all players must make and implement strategic decisions about risks, policies, and operations. To that end, and inspired by the Baldrige Cybersecurity Initiative, here are six tips that every business playbook can benefit from to create an environment for success now and in the future.

  1. Keep your assets up to date and fully patched.
    Maintain an inventory of your IT assets, and keep them up to date by patching. Disable unused ports and services. Implement anti-virus/anti-malware/anti-phishing technologies where feasible to prevent, detect, and mitigate malware, including ransomware.
  2. Look comprehensively at your data and consider eliminating or archiving things you no longer need.
    If you haven’t used it in years, then it may no longer be essential to your business’s mission or a vital part of responding to a cybersecurity event. Time is of the essence when a potential incident occurs. Mean time to inventory, mean time to detect, and mean time to respond are just three important metrics that can impact breach costs for your organization.
  3. Put your disaster response plan to the test, and correct any parts of the process that do not go as planned.
    Everyone on the team should understand their roles and responsibilities for responding to a cyberattack, have emergency contact information on hand for other team members they need to communicate with, and know what the game plan is before that incident becomes a breach.
  4. Build in employee cybersecurity awareness continuously through bulletins, text or email alerts, regular training, and other activities.
    This will help everyone understand that vulnerabilities arise and pose a threat to the entire organization, not just one person. 
  5. Report social engineering incidents to your organization’s security team.
    Common examples include email phishing—fraudulent messages containing spam links or attachments. When an email looks suspicious, even if it “appears” to be from someone you know, it’s best to delete it. Remain cognizant of other types of phishing attacks as well, such as vishing (scam phone calls), smishing (fraudulent SMS messages), and angler phishing (fake social media accounts).
  6. Implement multi-factor authentication (MFA).
    MFA adds an additional layer of security around sites containing sensitive information, or whenever enhanced security is desirable, and makes it more difficult for unauthorized people to log in as the account holder. To further increase account security, ensure that you’re also using strong passwords. NIST’s David Temoshok adds, “Since multiple long passwords are difficult to remember and manage, consider the use of a password manager for stronger, simpler password management.” For additional information on password managers, consult NIST Special Publication 800-63.

Improve Your Organization’s Cybersecurity Risk Management Efforts

Baldrige Cybersecurity Excellence Builder

The Baldrige Cybersecurity Excellence Builder, Version 1.1 is a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts and identify improvement opportunities in the context of their overall organizational performance. 

Download your copy today!

About the author

Michelle Peña

Michelle Peña is a writer/editor for the Baldrige Performance Excellence Program at NIST. Her background includes degrees in English and Spanish from George Mason University, an advanced degree from George Washington University, and more than 20 years of experience in the publishing industry. 

Michelle is passionate about the benefits of personal development in the workplace and helping others become more emotionally resilient leaders in their community. Her blogs provide encouraging perspectives to help employees and businesses thrive and build a culture of continuous improvement.

As a digital marketing enthusiast, she also enjoys sharing motivational social media content and actionable growth strategies that professionals can use to empower their organization.
