What is Cyber Hygiene?

Wellness is a popular topic in today’s world, and rightfully so. It’s tough to achieve your dreams and goals if you neglect to take care of your physical, emotional, family, social, and career needs. To set ourselves up for success, we attempt to eat healthily, visit the doctor for an annual checkup or physical, choose to spend quality time with friends and family, read up on topics of interest, and generally put ourselves in a positive position to get what we desire.

When it comes to security, cyber hygiene is similar to taking care of your own wellness. Some individuals and organizations invest a lot of resources into making sure they’re mitigating risk from today’s big cyber threats, such as ransomware and data breaches. Conversely, some individuals and organizations haven’t made much investment into the basics of cybersecurity protection – otherwise known as cyber hygiene – to keep themselves from being the low-hanging fruit for online attackers looking for an easy target.

Common Cyber Hygiene Issues

Today, many organizations have more than just computers in need of cyber hygiene. All hardware (workstations, servers, smartphones, firewalls, connected devices, etc.), software programs, and online applications should be included in a regular, ongoing maintenance program. Each can open vulnerabilities into the organization when not managed properly. Some problems that can arise due to poor cyber hygiene include:

• Loss of Data: Hard drives and online cloud storage that aren’t backed up or maintained can be vulnerable to hacking, corruption, and other problems that could result in the loss of important information.
• Misplaced Data: Improper file system organization can lead to misplaced files and is becoming increasingly commonplace as organizations grow.
• Data Breach: The most severe and damaging to organizations is the data breach. There are constant and immediate threats where a single click can mean a slow and costly recovery. Phishing, malware, spam, viruses, and a variety of other threats exist in the modern threat landscape, which is constantly changing as new vulnerabilities and social engineering techniques emerge.
• Software Vulnerabilities: Out of date software and failures in patch management are one of the leading causes of breaches at organizations and have led to many reputable organizations suffering unnecessary incidents. Patches and updates to software (not just Windows operating systems, but other software like Microsoft Office, Adobe, Java, Flash, and many others) are released to fix known vulnerabilities that hackers exploit in those software applications to access computers and networks.
• Malicious Software: New versions and variants of malware are released daily, challenging traditional antivirus applications to work harder just to keep up. Traditional antivirus software and other security software must be updated at least weekly to keep pace with the ever-changing threat landscape. Also, consider more advanced forms of anti-malware solutions, like Carbon Black or Cylance, which look at the behavior of files and applications, rather than relying on outdated signatures to catch only the known-bad malware.

Know What You Have

Before you can understand how to protect your organization, you must know what you have in the first place. Taking an inventory of your assets - which can include hardware, software, applications, and information - is a crucial component of properly managing the risk of today’s threats. Implementing a plan to document all current equipment and software programs will help improve the security of any environment. Your assets can be broken up into the following groups:

• Hardware: any computer, connected device, or mobile device (including instances of Bring You Own Device)
• Software: any and all programs used on the network and installed onto computers
• Applications: web and mobile apps, including apps not installed directly on devices (i.e., websites used by your organization to perform daily job duties)

Creating a Cyber Hygiene Culture

Below are items that should be taken into account when considering cyber hygiene:

• Password Changes: Complex passwords changed regularly can prevent many malicious events. Passwords should be at least 10 characters for regular user passwords and 15 characters for administrative passwords. Password managers can be an easy way to maintain complex passwords without the need to remember each individual password for applications. Multi-factor authentication adds another layer of security on systems and applications that support it.
• Software Updates: Poor patch management mixed with the right phishing emails can spell disaster. Operating system and third-party patches need to be applied on a timely basis to mitigate the chance of malicious software taking advantage of unpatched systems. Having a strong patch management program is one of the best things any organization can do to mitigate the risk of a data breach or incident.
• Manage End of Life Systems: End-of-Life (EOL) must be a consideration for computer hardware and software in a business environment. Systems utilized after their EOL introduce great risk to the organization because security patches and updates are no longer being pushed out from the provider.
• Limit Users: Only those who need admin-level access to programs should have access. Standard users should have limited capabilities and not be allowed to install software or applications on their local computers without administrative permission.
• Back-Up Your Data: All data should be backed up to a secondary source (i.e. hard drive, cloud storage). A general rule to follow is the 3-2-1 backup rule: three (3) copies of data stored on two (2) different storage media, with one (1) located offsite (and offline).
• Employ a Cyber Security Framework: Businesses may want to review and implement an industry-standard framework for cybersecurity within their organization (e.g., the NIST Cybersecurity Framework or the Center for Internet Security Top 20 Critical Security Controls). Cybersecurity frameworks help organizations by providing a starting point for implementing good cybersecurity practices (you don’t have to implement everything in such a framework). Remember, the most important step is to start.

Putting It All Together

Cyber hygiene is a necessary component for your organization’s security and the overall health of your digital environment. Failing to fully consider the risks will open any organization to financial and reputational damage. Management of both hardware and software assets from acquisition to sunset, in addition to creating a good culture of cyber hygiene, moves any organization to a greater level of security maturity. If your organization is not already regulated with cybersecurity standards, the NIST Cybersecurity Framework and The Center for Internet Security Top 20 Controls will provide a good starting point for any organization that understands the importance of protecting its computers, network, and data.

Written by: Eric Chase
Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources: 

{Solution} TRAC: TRAC™ is our integrated cybersecurity risk management solution developed to simplify cybersecurity risk management and assist users with tackling their cybersecurity challenges with ease. It automates the tedious risk assessment process and produces customized results that align with regulation, best practices, and your strategic goals. TRAC provides you with the right data to make more informed decisions about where to spend your next security dollar. 

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.