What is cyber hygiene? Benefits, problems, and best practices
Studies show that cyber hygiene protects against 99% of cyber threats – but what is cyber hygiene and how can you implement it?
Hygiene is a safety feature built into daily life; a minimum expectation, a set of basics. It’s a regime that people invest time and effort into to protect themselves and those around them from preventable health risks.
What’s true in our daily lives is also applicable to cybersecurity. Cyber hygiene is recognized as an important and effective way of guarding against a majority of threats, even if it’s not always easy to achieve in complex IT environments.
What is cyber hygiene and what are its objectives?
Cyber hygiene refers to a set of practices and habits that minimize the risks from cyber threats, vulnerabilities, and attacks. Many examples of cyber hygiene best practices are ‘common sense’ measures that use comparatively inexpensive solutions.
However, though it sounds easy, it isn’t in practice – especially for large organizations with thousands of users, accounts and devices.
The objective of cyber hygiene is to create a safer digital environment to ensure an organization remains as secure as possible against cyber threats. It’s important to note this isn’t a one-time action – IT environments and cyber threats are both constantly evolving, so cyber hygiene has to be continually monitored and optimized to ensure it’s effective.
Why is cyber hygiene important?
According to Microsoft, fundamental security hygiene can protect against 99% of attacks. One UK government cyber body puts it at 99.9%.
Lack of cyber awareness, failure to implement patches, poor password protection and lack of strong authentication all contribute disproportionately to data breaches. Time and again, figures prove that the greatest potential risks are foreshadowed by the most foundational cyber hygiene failures.
Some of the specific benefits of good cyber hygiene include:
1. Good cyber hygiene = good cyber posture
A strong cybersecurity posture relies on good cyber hygiene. General cyber hygiene practice is typically the strategic bedrock upon which more specific, targeted and optimized cybersecurity measures are built. This allows an organization to keep its IT assets and data safe.
This extends to the protection of customer and supplier data too, enabling the organization to maintain trust and safeguard its reputation.
2. Good for compliance and governance
Cyber hygiene measures can also help with regulatory compliance, as many align with the key principles and requirements of data protection legislation.
From a governance standpoint, cyber hygiene is also closely associated with the implementation of cybersecurity frameworks like NIST CSF and NCSC CAF. Adhering to these frameworks is typically viewed as evidence of good cyber hygiene in action.
3. Deterrent effect
Another key justification for cyber hygiene is that bad actors can recognize it. In fact they are actively looking for targets that lack discipline in cyber hygiene, and they find these easy to identify with minimal due diligence. If you’re following cyber hygiene best practices, there’s a chance attackers will notice and move on to an organization that isn’t.
What are the impacts of poor cyber hygiene?
Cyber hygiene is the first line of defense against cyber-attacks, reducing the risk of data breaches, ransomware, and other threats. Consequently, poor cyber hygiene leads directly to a significant proportion of these threats being successful and causing damage to organizations.
Six potential consequences of poor cyber hygiene include:
- Erosion of trust with customers, partners, employees and shareholders for failing to prevent exposure of sensitive data.
- Long-lasting reputational and brand damage.
- Regulatory censure and penalties for breach of the law.
- Financial losses from theft, fraud, ransom demands, litigation and compensation payments.
- Further financial costs associated with operational disruption, productivity downtime, data recovery and security breach remediation.
- Board members being held personally accountable for failing to adequately implement appropriate cyber risk measures (as defined in new and emerging legislation such as the EU Digital Operational Resilience Act).
What causes bad cyber hygiene?
Several factors contribute to poor cyber hygiene, but all share a common thread: non-existent or poorly implemented controls. As with personal hygiene, the whole endeavor can be undermined by failing to cleanse every inch or adopt hygienic practice every time.
Complete coverage and consistency are critical for cyber hygiene; if you don’t have visibility of every asset, or if controls aren’t implemented universally, then risks increase.
Continuous Controls Monitoring (CCM) can help with this. It combines data across your security and business tools to give a near-real time view of your assets and the effectiveness of security controls. This ensures you know where you have control gaps or you’re failing to meet standards and policies so you can take targeted action to improve.
Nine signs of poor cyber hygiene
Looking at more specific examples, here are some common symptoms of bad cyber hygiene:
- Endpoint security not implemented on all endpoints.
- Inconsistent enforcement of strong authentication for critical data access.
- Inconsistent enforcement of data encryption (where relevant).
- Excessive access permissions.
- No visibility or control over cloud services.
- ‘Rogue’ devices and software packages are unrecorded, unsupported and missing critical security patches.
- Vulnerability patching is slow, inconsistent and takes no account of risk.
- Data not backed up.
- Lack of user awareness on cyber threats such as how to identify phishing emails and act appropriately.
Having policies for these and other cybersecurity areas is important but doesn’t guarantee anything. Good cyber hygiene only happens when policies are followed and can be shown to be followed.
Fundamental cyber hygiene best practices for organizations
Cyber hygiene requires a combination of effective security tools and controls, and diligence on behalf of your employees. Some of the best practices include:
1. Build a good cybersecurity culture
Cyber awareness training is an important topic, with organizations recognizing that knowledge is the best tool they can equip users with. Your people need to:
- Use strong passwords and change them frequently.
- Never click on attachments from unknown sources.
- Escalate suspicious activity (e.g. phishing emails) to the security team.
- Be vigilant when using devices in public areas or via public networks.
Go further by challenging your team to make it one of the shared values of the organization, and make cybersecurity everybody’s responsibility. Culture comes from the top, so it’s critical that the board is intellectually and financially invested and showing leadership in prioritizing cybersecurity standards.
2. Maintain a complete inventory of business assets
Asset management is critical as a starting point for all policies and practices governing the security of data and assets. Do you know all your assets and their status? This includes hardware and software assets, plus everything else that creates or holds value for your organization.
You fundamentally need to understand what you’re protecting in order to manage the risks associated with them. Check out our Cyber Asset Attack Surface Management solution, also known as CAASM, to find out how it gives you a complete, trusted asset inventory.
3. Implement policies and ensure compliance with them
Put proper policies in place in line with security best practice, using your security infrastructure, skills and tooling to best effect. This includes:
- Up-to-date anti-malware tools
- Multi-factor authentication (MFA)
- Privileged access management
- Patch management
- Vulnerability management
- Threat management
- Automated backup and recovery
- Incident management
These and other areas are covered by industry standard cybersecurity frameworks.
4. Use a recognized cybersecurity framework
Cybersecurity frameworks from the likes of NIST (National Institute of Standards and Technology) and NCSC (National Cyber Security Centre UK) can be used to construct cybersecurity strategies that observe best practice cyber hygiene in a way that’s geared to your unique needs.
You can find out more about NIST Cybersecurity Framework (CSF) and NCSC Cyber Assessment Framework (CAF) in our related blogs.
5. Adopt and actively manage security controls
The Center for Internet Security (CIS) provides another framework; this one focused purely on the necessary security controls for a secure digital environment.
An appropriate array of security controls is vital for cyber hygiene. CIS numbers 18 in its list of “Critical Security Controls”. Each control comes with:
- A description of why its implementation is critical.
- A table of the specific actions (Safeguards) that organizations should take to implement the control.
- Procedures and tools that enable implementation and automation.
- The type of asset the Safeguard is protecting (applications, data, devices, network, users).
- The security function the Safeguard is covering.
You can also read our summary of seven cybersecurity metrics for cyber hygiene, created with the help of Stuart Aston from Microsoft.
How to measure cyber hygiene with CCM
The principles of cyber hygiene are well understood, and yet many preventable breaches still occur because “basic cyber hygiene” is actually extremely difficult to implement. The goal for organizations it to strive for certainty that the security measures and controls they’ve designed have in fact been implemented.
Gaining that certainty is challenging because IT environments are highly complex and ever-changing, constantly confronted by new risks, and often managed by hundreds of overlapping tools. It’s why 79% of security leaders say they’ve been surprised by a security incident that evaded their controls.
Continuous Controls Monitoring (CCM) plays a significant role in improving an organization’s cyber hygiene. CCM helps measure whether security controls are deployed as expected and improves accountability through its automated, real-time monitoring capabilities.
Using CCM to get a single source of truth on all security controls status, organizations can evidence that cyber hygiene is actually in place and prioritize action to remediate gaps. Panaseer’s platform does this by analyzing data from across security, IT, and business tools, generating valuable reporting metrics that provide true visibility of cybersecurity posture and the effectiveness of controls.
Request a demo of the platform to find out how we can improve your cybersecurity hygiene.