Hygiene: a series of practices performed to preserve health.
Cyber Hygiene or Cyber security Hygiene is a term used to refer to practices performed to preserve cyber security when using the internet or engaging in any online activities.
With the surge in cyber crime in the last 5 years and the rise of ransomware, phishing attacks and other threats, the concept of Cyber Hygiene is becoming more pervasive. A seemingly endless supply of big data breaches has seen an increase in the awareness of the importance of cyber security, data security and data privacy.
This awareness can at times still seem to be fixated on the technical solutions that can be applied, the firewalls, VPNs and security endpoint software etc, however Cyber Hygiene is a more universal approach. It incorporates aspects of best practices across the organisation, from technical solutions, business processes and end-user behaviours. This is seen as a smarter way towards prevention as it can assist in tackling some of the most difficult aspects of cyber security, insider threats and change of mindset\culture.
- Insider threats are responsible for as much as a third of all cyber breaches, a percentage that appears to be on the increase.* (references at end)
- Changing a culture is also quite an undertaking but with the right combination of education, awareness and monitoring, large improvements can occur for relatively low levels of investment.
10 Cyber Security Hygiene considerations for your business :
Perimeter Security – Ensure your routers and firewalls are installed and configured properly and monitored regularly with alerts in place.
User Access Control and Permissions – Have a user access policy in place for all departments, listing what access users should have relative to their role. Have procedures in place for joiners, movers and leavers and regularly audit your companies active directory and file, folder and permissions structure.
Security Endpoint Protection – ensuring that all anti-virus (AV), spamware, and other anti-malware protection software is properly installed and configured on all workstations, laptops, tablets or any device that may hold sensitive information.
Stay up to date – Ensure all devices, where possible have the most up to date operating system (OS), application software, web browsers and firmware with latest security patches. Employ a patch management system or process.
Secure Credentials – Ensure a strong password enforcement policy which should include 2-Factor or Multi-Factor Authorization (2FA/MFA), especially for any mobile devices, tablets or laptops.
Network Segmentation – Ensuring that all company networks are physically segmented with secure routers and active firewalls between segments. Ensure you maintain a regular up to date network map along with an ability to audit changes.
Data Security – Ensure your business has the ability to identify where all data is located. That it is securely protected so that only the relevant people have access and that there are adequate back up solutions in place.
What If things go wrong ? Ensure your company has a proper response plan or policy in place. This should include a business continuity plan with a disaster recovery plan included. It would also be wise to draw up a security incident response process. This should be shared with all staff so that everyone knows how to respond.
Security Awareness Training – By providing regular training, either by instructor led training or through a training platform you can ensure your staff are vigilant and can react in the right way should a suspect email make it through your technical defenses.
Disseminate Responsibility – Ensure good cyber hygiene by involving staff in the process and keeping them informed of changes before they are introduced. Create a mindset that encourages compliant behaviours among the staff. Listen out for frustrations and try to ensure that any changes are introduced where possible without sacrificing user productivity.