An Open Letter to Small and Medium-sized Businesses

You might have read about the Apache Log4j vulnerability that potentially exposed hundreds of millions of devices worldwide in December. Although it has been over six months since Log4j was discovered, it continues to be a very real threat. At the Cyber Readiness Institute (CRI), we urge small and medium-sized businesses (SMBs)—all organizations, in fact–to continue to be vigilant.

The Department of Homeland Security’s Cyber Safety Review Board (CSRB) has deemed Log4j an endemic vulnerability that could take a decade to eradicate. Specifically, the CSRB reported, “Log4j remains deeply embedded in systems… community stakeholders have identified new compromises, new threat actors, and new learnings.”

When Log4j was discovered last year, CRI issued guidance outlining how cyber threat actors could exploit the Log4j vulnerability, including:

  • Remotely accessing a variety of online services, websites, and applications.
  • Stealing important information
  • Demanding ransom payments

As Log4j continues to be a serious threat to global business, we want to remind SMBs and their Cyber Leaders to make sure they know what to do in case of a Log4j problem or, for that matter, any cybersecurity calamity. Please review your business continuity plans (including your incident response plans) —and if you don’t have a plan, now is a good time to begin to develop one.

We can help you deploy measures to improve your security immediately. Multi-factor authentication (MFA), for example, is a simple solution that can dramatically improve security by requiring users to present more than one piece of evidence (credential) whenever the user logs in to a business account (ex., company email, payroll, human resources, etc.). We recently released an updated MFA guide that addresses many questions from SMBs.

Our tools help SMBs build an inventory of critical business software and hardware, a schedule of the latest software updates, and an incident response plan to help respond and recover from any possible breaches. This is the time to develop and use these resources.  You can access your Playbook by logging into your account here. If you don’t have an account, starting one is easy.

CRI’s tools and resources are free. We are a non-profit dedicated to helping SMBs like yours build strong cyber cultures. We know many of you don’t have budgets anywhere near the resources of larger companies. However, large companies are increasingly implementing cybersecurity requirements for their trading partners. Cybersecurity is no longer an operational expense; it is a business necessity.

We’re here to help your company prepare. The CSRB emphasized good cyber hygiene can help mitigate the Log4j threat. Many cyber leaders at SMBs have learned the basics of cybersecurity from CRI’s free Cyber Readiness Program and the Cyber Readiness Playbook.

If you have questions about accessing your Playbook, please email us at You can learn more about the Apache Log4j Vulnerability and additional mitigation steps here.


Stay Cyber Ready,

Karen S. Evans
Managing Director, Cyber Readiness Institute