Telling IT teams to patch vulnerabilities faster when they are already strapped for time may not help organizations get ahead of the increasing cyberthreat landscape. Similar to how an individual would not go to the dentist only once their teeth began falling out, an organization should not wait until a breach to get serious about cybersecurity.
Incorporating “cyber-hygiene” into an organization’s daily routine can help protect them throughout the year. Below I outline the consequences of not incorporating best cybersecurity practices throughout the year and how to incorporate proper cyber-hygiene in your organization.
What is cyber hygiene?
Similar to how an individual engages in personal hygiene by taking care of their health and well-being, cyber hygiene is keeping data safe and well-protected. The Center for Internet Security (CIS) and the Council on Cyber Security (CCS) define cyber hygiene as a means to appropriately protect and maintain IT systems and devices and implement cybersecurity best practices.
On the IT side, this includes organizing security in all hardware, software and IT infrastructure, as well as conducting continuous security assessments. For the organization as a whole, that means providing training for employees across all departments for best cybersecurity practices.
Best practices for proper cyber hygiene
Before establishing a cyber hygiene protocol for your organization, it is important to do an inventory of all of the hardware, software, systems, and applications within the organization. Be sure to include any devices, software or applications that remote employees or partners are using on the company’s network as well as cloud services as well.
After the inventory is complete, an organization will have a better idea of how to approach their cyber hygiene strategy. Below are some recommendations for components to include in the strategy:
Train new hires on security protocol as soon as they are hired
In the face of the tech talent gap, recruiting and retaining the right security professionals can be difficult. Therefore, it is the responsibility of everyone to take security seriously. The key to developing security-minded employees is to provide them with the foundation to succeed. Incorporating a basic cybersecurity training for new employees provides them the knowledge and tools to help protect the organization.
Update old technology
The key to preventing a cyberattack is ensuring that the organization is armed with the best tools for the fight, which includes updating legacy technology. As technology has evolved, better cybersecurity practices have grown with it. Because of this, certain older technologies simply do not have the capabilities to protect data as well as new ones do.
While conducting inventory before establishing a cyber hygiene practice, make sure to note any hardware that can no longer support new software updates. In addition to replacing hardware, be sure all employees know the importance of updating old software.
Encourage healthy password habits
It is imperative that all users across an entire company network and/or applications follow standard safe password practices. Passwords should be complex and changed regularly. Users should never use the same password they use for any other application or network outside of their company. After all, if one site or app is breached then all of the accounts a user uses that password for are compromised. If possible, applications should also require two-factor authentication.
Provide employees with material on industry-accepted secure configurations, but do not mistake compliance for security
Many companies make the mistake of believing that just because they are following laws such as GDPR or the upcoming CCPA, that they are also doing enough in regards to cybersecurity. However, by doing the bare minimum, organizations are opening themselves up to attack. It’s important for companies to go one step ahead. Organizations such as NIST and CIS Benchmark have material on how organizations can define items like password length, encryption, port access, multi-factor authentication and more.
Keep employees up to date on the latest vulnerabilities and cyberattacks that might impact the organization
Staying up to date with all of the latest vulnerabilities and cyberattacks should be the job of the cybersecurity team. However, any change in the application ecosystem that might infect employees should be known. Anytime a vulnerability is discovered and a software update is developed, systems should auto-update or employees should be made aware so they can update their applications as needed. Businesses should be paying attention to the news and see what other companies, specifically in their industry, are doing to stay secure and any attacks that they have experienced lately.
The most important way an organization can practice proper cyber hygiene is to remind all employees to keep cybersecurity in mind when conducting their daily business. Simple reminders every so often to never open links from emails, to not put unknown flash drives into devices and to not share their password with anyone will help. Just like taking time to drink some water or brush your teeth for personal hygiene, taking the small steps for better cyber hygiene can go a long way in helping prevent an organization from being hit with a cyberattack.