Cyber Hygiene 101: Implementing Basics Can Go a Long Way

With the number of data breaches skyrocketing in recent years, global cybercrime-related damages are expected to surge in the years ahead. In the last two months alone, we have seen a wave of ransomware attacks wreak havoc and another mega breach that impacted more than 100 million individuals whose credit application information was stolen. 

The initial impulse at most organizations is to ask for additional funding for new security technology. According to IDC, organizations are expected to spend $134 billion on IT security products and services by 2022 alone. However, are we spending that money in the right places? Post-mortem analyses of data breaches show that a lack of cyber hygiene was often a contributing factor. Given this fact, let’s consider what steps organizations can take to shore up their defenses without breaking the bank.

Strengthening an organization’s cyber security posture is complex, and tackling the challenge with technology alone isn’t enough. Instead, the process should start with implementing baseline cyber security practices, also known as “cyber hygiene”. Like personal hygiene, cyber hygiene starts with the basic actions that are most likely to support good health. Despite the popular belief that cyber hygiene is the IT department’s job, it goes beyond departmental borders and should be etched into the organization’s culture.

Meanwhile, threats go beyond technology and external hackers. Human fallibility is often the root cause of breaches. Cyber-attackers are no longer breaking in—they’re logging in using weak, default, or compromised passwords. Once they compromise security measures, adversaries are able to inflict real damage by moving laterally across the network, seeking privileged access to critical infrastructure and sensitive, potentially valuable data. The IT department alone cannot mitigate identity-based attacks. Ultimately, it’s a responsibility shared by all employees from C-suite to summer interns, as well as partners and contractors.

Cyber hygiene must become ingrained in an organization’s daily routine to be effective. For example, this goes beyond enforcing password policies and requires that users choose strong passwords and keep them secret. When applied properly, cyber hygiene can help protect against the most common cyber threats.

Cyber Hygiene 101

Unfortunately, basic cyber hygiene practices are often overlooked. So, what basic steps can organizations take to get back to cyber hygiene 101? The National Institute of Standards and Technology (NIST) has developed and promotes a standard set of best practices that every organization should apply. These include:

• Know What You Have: An organization should be able to identify all its assets (e.g., servers, network devices, workstations, data), whether on-premises or in the cloud. In addition, it is important for organizations to classify the data they store. Under new regulations like GDPR, data is no longer only an asset, but rather a liability that needs to be identified.


• Educate the Human Element: Implement a cyber security awareness and training program. Because end users are targets, employees and other network users should be aware of common threats and how they’re delivered.

• Assure Data Integrity: Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working. In addition, ensure backups are not connected permanently to the computers and networks they are backing up. 

• Limit the Social Element: Ensure anti-virus and anti-malware solutions are set to update automatically and that regular scans are conducted. Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Detect and Patch Vulnerabilities: Conduct an annual penetration test and monthly vulnerability assessments. Based on these findings, regularly patch operating systems, software, and firmware on devices.

• Apply Least Privilege: Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write-access to those files, directories, or shares. Considering human vulnerability, Gartner identified Privileged Access Management as one of the Top 10 information security projects in 2018 and again for 2019, since it is an area where organizations can achieve the greatest return on IT security investments.

Ultimately, organizations should keep in mind that maintaining cyber hygiene is a business problem, not an IT problem. As such, organizations should implement the recommendations listed above in policies, plans, processes, and procedures. A gradual improvement in cyber hygiene can go a long way toward keeping an organization immune from security infections and minimizing the risk of falling victim to a cyber-attack. 

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
