
Cyber Hygiene 101: Implementing Basics Can Go a Long Way

With the number of data breaches skyrocketing in recent years, global cybercrime-related damages are expected to surge in the years ahead. In the last two months alone, we have seen a wave of ransomware attacks wreak havoc and another mega breach that impacted more than 100 million individuals whose credit application information was stolen. 

The initial impulse at most organizations is to ask for additional funding for new security technology. According to IDC, organizations are expected to spend $134 billion on IT security products and services by 2022 alone. However, are we spending that money in the right places? When conducting post-mortem analysis of data breaches, it becomes apparent that lack of cyber hygiene was often a contributing factor. Given this fact, let’s consider what steps organizations can take to shore up their defenses without breaking the bank.

Strengthening an organization’s cyber security posture is complex, but just tackling the challenge with technology isn’t enough. Instead, the process should start with implementing baseline cyber security practices, also known as “cyber hygiene”. Like personal hygiene, cyber hygiene’s objective is to start with basic actions that are most likely to support good health. Despite the popular belief that cyber hygiene is the IT department’s job, cyber hygiene goes beyond departmental borders and should be etched into the organization’s culture. 

Meanwhile, threats go beyond technology and external hackers. Human fallibility is often the root cause of breaches. Cyber-attackers are no longer breaking in—they’re logging in using weak, default, or compromised passwords. Once they compromise security measures, adversaries are able to inflict real damage by moving laterally across the network, seeking privileged access to critical infrastructure and sensitive, potentially valuable data. The IT department alone cannot mitigate identity-based attacks. Ultimately, it’s a responsibility shared by all employees from C-suite to summer interns, as well as partners and contractors.

Cyber hygiene must become ingrained in an organization’s daily routine to be effective. For example, this goes beyond enforcing password policies and requires that users choose strong passwords and keep them secret. When applied properly, cyber hygiene can help protect against the most common cyber threats.

Cyber Hygiene 101

Unfortunately, basic cyber hygiene practices are often overlooked. So, what basic steps can organizations take to get back to cyber hygiene 101? The National Institute of Standards and Technology (NIST) has developed and promotes a standard set of best practices that every organization should apply. These include:

• Know What You Have: An organization should be able to identify all its assets (e.g., servers, network devices, workstations, data, etc.), be it on-premises or in the cloud. In addition, it is important for organizations to classify the data they store. Under new regulations like GDPR, data is no longer an asset, but rather a liability that needs to be identified.

• Educate the Human Element: Implement a cyber security awareness and training program. Because end users are targets, employees and other network users should be aware of common threats and how they’re delivered.

• Assure Data Integrity: Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working. In addition, ensure backups are not connected permanently to the computers and networks they are backing up. 

• Limit the Social Element: Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted. Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Detect and Patch Vulnerabilities: Conduct an annual penetration test and monthly vulnerability assessments. Based on these findings, regularly patch operating systems, software, and firmware on devices.

• Apply Least Privilege: Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write-access to those files, directories, or shares. Considering human vulnerability, Gartner identified Privileged Access Management as one of the Top 10 information security projects in 2018 and again for 2019, since it is an area where organizations can achieve the greatest return on IT security investments.
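To make the inbound email authentication item above concrete, the following added example (not part of the original article) reads the SPF, DKIM and DMARC results a receiving gateway records in the `Authentication-Results` header and ignores copies of that header written by any other host. The gateway name `mx.example.org`, the sample messages and the deliver/quarantine/flag policy are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.message import Message

TRUSTED_AUTHSERV_ID = "mx.example.org"  # assumption: our own inbound gateway
_METHOD = re.compile(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(msg: Message, trusted_id: str = TRUSTED_AUTHSERV_ID) -> dict:
    """Collect SPF/DKIM/DMARC results from headers stamped by our gateway only."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for raw in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = " ".join(str(raw).split()).partition(";")
        if authserv_id.strip().split(" ")[0].lower() != trusted_id:
            continue  # written by another host: the sender controls it, ignore
        for part in rest.split(";"):
            m = _METHOD.match(part)
            # With several DKIM signatures, one passing signature is enough.
            if m and results[m.group(1).lower()] != "pass":
                results[m.group(1).lower()] = m.group(2).lower()
    return results

def verdict(msg: Message) -> str:
    """Simplified local handling policy (an assumption, not a standard)."""
    r = auth_results(msg)
    if r["dmarc"] == "pass":
        return "deliver"
    if r["dmarc"] == "fail":
        return "quarantine"
    # No DMARC result recorded: fall back to SPF or DKIM alone.
    return "deliver" if "pass" in (r["spf"], r["dkim"]) else "flag"

# Constructed sample messages (not real traffic).
LEGIT = message_from_string(
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=partner.example;"
    " dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example\n"
    "From: billing@partner.example\nSubject: Invoice\n\nbody\n")
SPOOFED = message_from_string(
    "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.example;"
    " dkim=none; dmarc=fail header.from=partner.example\n"
    "Authentication-Results: relay.bulk.example; spf=pass; dkim=pass; dmarc=pass\n"
    "From: billing@partner.example\nSubject: Invoice\n\nbody\n")
UNAUTHENTICATED = message_from_string("From: a@b.example\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("spoofed", SPOOFED),
                    ("unauthenticated", UNAUTHENTICATED)]:
        print(name, auth_results(m), verdict(m))
```

The second header on the spoofed sample claims every check passed, but it carries a different authserv-id, so only the gateway's own failing result counts.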

Ultimately, organizations should keep in mind that maintaining cyber hygiene is a business problem, not an IT problem. As such, organizations should implement the recommendations listed above in policies, plans, processes, and procedures. A gradual improvement in cyber hygiene can go a long way toward keeping an organization immune from security infections and minimizing the risk of falling victim to a cyber-attack. 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
