Good hygiene keeps you safe and healthy, as well as others around you. It’s the same with cyber-hygiene – the sets of practices that organizations are increasingly adopting in a structured way to complement their technological layers of cyberdefense. We highlight cyber-hygiene in many of our publications – alongside regularly updated education programs, it can be very effective in preventing and mitigating cyberattacks. Here are eight ways to improve your cyber-hygiene, starting today.
BUILD CULTURE: Make cybersecurity everyone’s responsibility
One of the reasons data breaches happen is that it’s too easy for employees to be complacent about cyberthreats – the risks are largely invisible to the untrained eye. This is often compounded by an overconfidence about security infrastructure. A resulting perfect storm of “cybersecurity has nothing to do with me” and “cyberattacks never happen to our department” can have disastrous repercussions when, for example, a complacent employee receives a sophisticated phishing email that compromises the entire organization.
This is where cybersecurity culture is invaluable. Becoming a company with a strong cybersecurity culture means adopting responsibility for cyber protection as a shared value of the organization. Think in terms of “this is how we do things at this company”. Ultimately, the Board needs to show leadership on cybersecurity culture and get buy-in from all levels.
GROW AWARENESS: Foster understanding of relevant threats
Another problem is helping staff understand the connection between their behavior and the cyber-risk profile of the employer organization. The opsec team should never be the only group within a company that knows how to identify potentially malicious activity. A continual program of spreading awareness ensures constant vigilance and reduces the chances of disruption and financial loss.
When educating your people about cyber-risks, concentrate on what they can influence. A seminar on botnets, for example, has limited relevance beyond establishing wider context. So focus on things like phishing emails and social engineering techniques that attackers use to steal user credentials.
SIMULATE AND PRACTICE: Create new lines of expert defense
The end user is both the weakest and the strongest link in the chain. Expose your people to real-world threat simulations and test them regularly to identify those needing extra coaching and support. This can transform users from a potential weak spot in your security apparatus to a powerful defensive asset.
Each organization’s threat profile is unique so it pays to understand it as much as possible, and gear user training programs to suit. Be cautious with generic e-learning modules that use scenarios that aren’t applicable to your sector and don’t match your users’ day-to-day experiences.
TEST YOUR DEFENSES: Internally and externally
A regular schedule of pen-testing is crucial to safeguarding data and should be carried out by a qualified third party. Ensure you act upon all critical advisories.
You can go even further with a subset of designated ‘red-team’ employees. Red-teaming is where your own people try to outfox security defenses without warning. Not only does this keep company personnel on their toes (see above in relation to both awareness and practice), but it also uncovers potential weak spots in security posture that you can subsequently improve.
SCAN FOR VULNERABILITIES: Not just within your network
Regularly scanning computers, networks and applications for known weaknesses is an essential hygiene measure – its success rests on the freshness of the insights and your ability to manage and prioritize patching efforts.
Use threat intelligence to scan outside the network to detect leaked, stolen and even sold user credentials in underground marketplaces. IT security teams can apply this intelligence to locate the sources of the initial attacks and patch vulnerabilities to ensure additional breaches do not occur through that vector.
Another feature of advanced threat intelligence is the ability to gain qualified, contextual insights into the actual threat actors and campaigns affecting your organization or sector. Graphical representations of kill chains mean you can practise on highly realistic attack simulations ahead of time, patching potential vulnerabilities and minimizing your attack surface.
STRENGTHEN AUTHENTICATION: Implement better passwords and MFA
Passwords are regularly exploited by attackers because simple security measures are not consistently enforced. A recent Tripwire survey of IT security professionals found that one-third do not require users to change default passwords. Many organizations also fail to crackdown on things like password reuse, employees sharing credentials and users forming passwords with dictionary-based words.
While organizations have increased their use of two-factor authentication to protect access to critical data, attackers have become more adept at circumventing this with stolen passwords. An improved measure is multi-factor authentication (MFA) where more than two factors are required. This is particularly effective in conjunction with one-time passwords (OTPs), which typically expire within 5 minutes and remove the need for users to memorize multiple passwords or place them in a password vault that will inevitably come under attack.
APPLY A HARDENING BENCHMARK: Establish secure baselines for cyber hygiene
The Center for Internet Security (CIS) offers a diligently researched and updated set of 140+ free to access configuration guidelines for operating systems, cloud providers, server software and desktop software – as well as mobile, network and even multifunction print devices. Developed and accepted by government, business and academia, base-level versions of the benchmarks can be implemented simply and rapidly, while more detailed ‘level 2’ benchmarks address the needs of the most security-conscious organizations. The US DoD’s Defense Information Systems Agency (DISA) publishes similar materials in the form of Security Technical Information Guidelines (STIGs).
Validating your approach with these best-practice benchmarks is labor-saving, plus it allows you to benefit from world-class security resources. Each institution regularly updates its canon in line with system versions and high-level changes to the overall threat landscape.
SHIFT TO REAL-TIME: Detect attacks immediately
The key to emerging from cyberattacks intact is discovering them as fast as possible. It suits the cyberattacker to remain silently undetected, particularly when motivated by commercial gain rather than conspicuous disruption. However, not everyone uses fit-for-purpose threat intelligence, which is why the average timelag is 206 days. And each day that attacks go undetected enables attackers to compromise more data. Literally billions of data records were exposed in 2019, many from exploits that lay undetected for weeks if not months.
The problem of spotting new devices on your network is exacerbated by the rapid growth in IoT endpoints. 57% of IT security pros said it takes them hours, weeks or longer to detect these – far too long given that cyberattackers only need a few minutes within which to launch a successful attack.
There are lessons to be learned outside of the cyber paradigm, at those sectors where the mindset needed to adopt standard safety hygiene has evolved to become second nature. You can’t help but notice it on construction sites in the form of bold signage, specialist apparel and regular inspections.
On hospital wards it’s less visible but just as ingrained: despite all the advanced drugs and technological therapies money can buy, washing hands and keeping dressings clean is the baseline for medical care.
That’s the objective your organization should have for cyber-hygiene; make these measures so obviously beneficial for everyone that it becomes fully ingrained.