Our Guide to Cyber Hygiene
We’ve been hearing a lot about hygiene lately, and hopefully everyone is washing their hands. However, we also need to talk about cyber hygiene. Work from home has opened up new targets for cyber attacks, and with everyone a little tired and stressed, we’re all a bit more vulnerable to social engineering.
Cyber hygiene is a concept that varies in meaning, but we’re going to break it down to a simple set of practices and principles that can be applied to any organization.
What is Cyber Hygiene?
Cyber hygiene is a way of referring to the protective security and privacy policies, and the controls that enforce them, that are designed to both reduce the chance of a breach and minimize the damage if one does occur. There is no single definition of cyber hygiene that fits every company: it is both a human problem and a business problem, and each organization’s approach is unique. At its most essential, cyber hygiene is about implementing and enforcing data security and privacy policies and controls.
Using the word “hygiene” is deliberate here. Think of it as both avoiding infection and limiting how sick you get if you are infected anyway. In 2019, there were 1,473 reported data breaches that exposed over 164.68 million records. Additionally, 650,000 Americans experienced identity theft and 1.7 million experienced some form of fraud. Cyber hygiene is, therefore, vital at both the individual and the corporate level. It is not a process, but a set of practices and principles.
How Do You Improve Your Cyber Hygiene?
Cyber hygiene is not the process itself, but the set of practices and principles you implement, so you start with a hygiene-level evaluation and risk assessment to establish where the holes are in your existing policies. Once this is done, you can start the process of continuously improving cybersecurity in your organization. Much of the cyber hygiene process is focused on policy because the biggest weak point in any security system is human behavior. The vast majority of cyber attacks involve some form of social engineering, most often phishing.
Cybersecurity goals may vary by industry, and obviously in some industries regulatory compliance is vital. Having cybersecurity compliance can also help attract investors, customers, and talent.
Cybersecurity governance is at the core of a good cyber hygiene practice. Ensure that you have followed the essential elements of the process:
- Establish dashboards & authorities
- Formalize baseline & key processes
- Assign roles and responsibilities
- Monitor indicators for decision-making and adaptation
What are Cyber Hygiene Best Practices?
Again, cyber hygiene practices vary from one organization to the next, but there are certain basic best practices that go a long way towards protecting your organization, customers and employees.
- Require all employees to use a VPN when connecting remotely. This helps protect employees from insecure public or hotel Wi-Fi, although it doesn’t completely prevent man-in-the-middle attacks.
- Update all software, on all devices, regularly. Make sure that patches are pushed out immediately. A lot of malware programs take advantage of people being lazy about updates by exploiting issues that have, in fact, been patched.
- Require password security to the best current standards. Employees should not be reusing passwords across different accounts. You might want to require the use of a password manager.
- Require two-factor authentication, combining passwords with a device-based or biometric second factor.
- Provide employees access to only the data they need.
- Train employees in how to spot and avoid phishing attacks. Run phishing drills where you send out suspicious-looking emails and count who clicks on them.
- Make sure employees practice physical device security; laptops and phones should never be left unattended in public. If you have an employee who likes to work remotely in a public location, provide them with a laptop security screen that makes it harder for people to read over their shoulder.
- Have a solid BYOD policy that supports both security and employee privacy. Ideally, personal devices should be partitioned with separate accounts so company data can be wiped if needed without affecting personal data.
All of these are pretty simple measures, which can go a long way towards preventing a breach. They need to be practiced by every employee in your organization. Those at the top must set a good example, and cyber hygiene training needs to be part of onboarding, even if it seems that the person already knows best practices.
What Tools Can You Use?
Although most of cyber hygiene is about training and policy, there are tools your organization’s IT department can use to ensure that the technology and software side of things is where it is supposed to be.
All major cloud providers now have a compliance monitoring dashboard that runs automated security checks on accounts. While these are not sufficient on their own, they can help you find problems with your security quickly and easily, and assess whether you need to call in an expert to do the heavier lifting.
There are also tools available for real-time threat notifications, especially for websites, that can ensure you know immediately if there is a breach and can respond right away.
What About After a Breach?
Even with the best practices and the best intentions, a security incident may still happen. At this point, you need a solid incident response plan to ensure that you move quickly to limit damage and ensure compliance.
In most cases, you are required to notify customers and/or employees of a breach within a certain period of time. NIST recommends that your plan include forming an incident response team that includes not just IT, but also customer service and communications. The team may have to communicate with the media and law enforcement. Ensure that you have designated people to talk to law enforcement and that you know which agency you should contact. Some companies choose to outsource their incident response work to a contractor.
Your initial audit should cover the most likely attack vectors, depending on your industry and practices. For example, the risks faced by a company whose employees travel frequently may well center on public Wi-Fi, remote devices, using VPNs internationally, etc. For an e-commerce firm, the concern might be protecting customer data and your website. When an incident is detected it should be analyzed, documented, and resolved as quickly as possible. Once the incident is resolved, the analysis and documentation should be used to further improve your cyber hygiene processes.
Cyber hygiene is vital to all companies these days, especially in this time of increased remote work. Make sure that your employees receive the training and tools they need to be part of the solution, guided by the set of practices and principles your organization has implemented.