Cyber hygiene is the latest industry buzzword. It refers to the best practices and routine activities that IT staff and users can undertake to improve their security while engaging in common online activities such as web browsing, emailing, file sharing, and texting. The fundamental premise is that cyber hygiene keeps data safe, and insofar as these practices and precautions guard against external attacks and theft, we agree that a good cyber hygiene program is a necessity.
Data security is perhaps the most important reason for any organization to build a cyber hygiene routine into its normal IT processes and procedures. On the internet, and on the Dark Web, there is a very long list of malware, spyware, identity thieves, and attackers patiently waiting to exploit the smallest vulnerability in your network-facing perimeter. Sound cyber hygiene practices mitigate much of that threat, though, as the rest of this article argues, not all of it.
The Essentials of a Cyber Hygiene Policy
If you don’t currently have a cyber hygiene policy and don’t know where to start, then a good place is the Digital Guardian’s list of seven cyber hygiene essentials:
- Password Changes: Complex passwords changed regularly can prevent many malicious activities. Note, however, that current guidance (NIST SP 800-63B) favours long, unique passwords and multi-factor authentication over forced periodic rotation, which tends to produce weaker, predictable passwords; change a password promptly whenever its compromise is suspected.
- Software Updates: Apply security patches for operating systems, applications, and firmware promptly, and replace software that no longer receives updates. This should be part of your regular hygiene review.
- Hardware Updates: Older computers and smartphones that no longer receive firmware or operating-system updates should be replaced; an unpatched device remains vulnerable no matter how well the rest of the estate is maintained.
- Manage New Installs: Every new install should follow a documented procedure and be recorded, so that you maintain a current inventory of all hardware and software. You cannot patch or lock down what you do not know you have.
- Limit Users: Only those who need administrative access to a system or program should have it. Everyone else runs with the least privilege their job requires, which also limits what malware running under that user's account can do.
- Back Up Data: All data should be backed up to a secondary location (e.g. an external drive or cloud storage), with at least one copy kept offline or immutable so that ransomware cannot encrypt the backups along with the originals, and restores should be tested regularly. This keeps the data recoverable in the event of a breach or malfunction.
- Employ a Cybersecurity Framework: Businesses may want to review and implement a more structured program (e.g. the NIST Cybersecurity Framework) to ensure security is managed consistently rather than ad hoc.
The 8th – Yet Missing – Item That Should be Added to the List
It is important to note that the definition of cyber hygiene, as provided by the CyberSecurity Forum, focuses solely on "common online activities." We would argue that the definition should be expanded to include offline activities too, especially given that, according to McAfee's Grand Theft Data report, 43% of data exfiltrations were linked to trusted insiders copying files onto seemingly innocent USB flash drives.
If nearly half of all data exfiltration leaves through a physical port rather than over the network, then doesn't it make sense to include physical security in any cyber hygiene policy? Of course it does.
So, with the idea that we need to secure our entire IT perimeter, not just the part that faces the internet, we offer up an eighth bullet to add to Digital Guardian's list of policy essentials:
- Port Locks: Physically locking unused computer and network ports (USB, HDMI, Ethernet, fiber) to prevent the connection of USB flash drives and other external devices reduces the opportunity for both intentional and accidental data breaches. Locks complement, rather than replace, operating-system device-control policies and endpoint logging: the lock stops the casual plug-in, while the policy and the logs catch the attempts on the ports that must stay open.
The question you might be asking right now is, "Can your organization afford to lock all of its computer and network ports?" The real question is, "Can you afford not to?" Consider this: in the United States, the average cost of a data breach is a staggering $8.19 million, according to the Ponemon Institute's Cost of a Data Breach Report sponsored by IBM Security.
Now compare this to the cost of locking your ports: $4 per USB port, $4 per HDMI port, and $7 per fiber optic port, to name just a few of the most common port types. Budget as well for key management and a documented exception process, since some users will legitimately need a port unlocked.
Given this information, we wonder why any organization would implement a cyber hygiene policy that addresses the threat of online attacks, yet allows the front door of its cybersecurity perimeter, those ubiquitous computer and network ports, to remain wide open and easily accessible to anyone wanting to steal its data.
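A port lock is a physical control; the companion check a practitioner would want is visibility into what actually gets plugged into the ports that stay unlocked. The following Python script is an added example, not code from the original article or from Digital Guardian, McAfee, or any port-lock vendor. It parses the lines the Linux kernel logs when a USB device is enumerated (the sample lines are constructed for illustration) and flags any mass-storage device whose vendor:product pair is not on an allow-list; the allow-list entry and the sample devices are assumptions, not real inventory data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample kernel log lines (not captured from any real system).
# They follow the format the Linux USB core and usb-storage driver print
# when a device is plugged in: first a keyboard receiver, then a flash drive.
SAMPLE_KERNEL_LOG = """\
[ 1201.118] usb 1-1: new full-speed USB device number 4 using xhci_hcd
[ 1201.270] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[ 1201.270] usb 1-1: Product: USB Receiver
[ 1201.270] usb 1-1: Manufacturer: Logitech
[ 1402.501] usb 2-3: new high-speed USB device number 5 using xhci_hcd
[ 1402.650] usb 2-3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 1402.650] usb 2-3: Product: Ultra Fit
[ 1402.650] usb 2-3: Manufacturer: SanDisk
[ 1402.651] usb 2-3: SerialNumber: EXAMPLE0001
[ 1402.660] usb-storage 2-3:1.0: USB Mass Storage device detected
[ 1403.700] sd 6:0:0:0: [sdb] 61341696 512-byte logical blocks: (31.4 GB/29.2 GiB)
"""

# Placeholder allow-list of company-issued storage devices. The vendor:product
# pair below is hypothetical; a real list comes from the asset inventory.
ALLOWED_STORAGE = {("0951", "1666")}

# "usb <bus-port>: New USB device found, idVendor=xxxx, idProduct=xxxx"
NEW_DEVICE = re.compile(
    r"\busb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
# Descriptor strings the kernel prints right after enumeration.
DESCRIPTOR = re.compile(
    r"\busb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$"
)
# The usb-storage driver claiming an interface on that port.
MASS_STORAGE = re.compile(
    r"\busb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = ""
    manufacturer: str = ""
    serial: str = ""
    mass_storage: bool = False


def parse_usb_events(log_text: str) -> list[UsbDevice]:
    """Return one UsbDevice per enumerated device, in order of first appearance."""
    devices: dict[str, UsbDevice] = {}
    for line in log_text.splitlines():
        if m := NEW_DEVICE.search(line):
            # A fresh enumeration on a port supersedes whatever was there before.
            devices[m["port"]] = UsbDevice(m["port"], m["vid"].lower(), m["pid"].lower())
        elif (m := DESCRIPTOR.search(line)) and m["port"] in devices:
            attr = {"Product": "product", "Manufacturer": "manufacturer",
                    "SerialNumber": "serial"}[m["key"]]
            setattr(devices[m["port"]], attr, m["val"].strip())
        elif (m := MASS_STORAGE.search(line)) and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return list(devices.values())


def unauthorized_storage(devices: list[UsbDevice],
                         allowlist: set[tuple[str, str]] = ALLOWED_STORAGE) -> list[UsbDevice]:
    """Mass-storage devices whose vendor:product pair is not on the allow-list."""
    return [d for d in devices if d.mass_storage and (d.vid, d.pid) not in allowlist]


def format_alert(dev: UsbDevice) -> str:
    return (f"ALERT unauthorized USB storage on port {dev.port}: "
            f"{dev.manufacturer} {dev.product} ({dev.vid}:{dev.pid}) "
            f"serial={dev.serial or 'n/a'}")


if __name__ == "__main__":
    for dev in unauthorized_storage(parse_usb_events(SAMPLE_KERNEL_LOG)):
        print(format_alert(dev))
```

The patterns anchor on the `usb <port>:` token rather than on the line prefix, so the same script works on `dmesg` output, on `journalctl -k`, or on `/var/log/kern.log`, whose timestamps differ. An alert only tells you that an unapproved storage device was attached on an unlocked port, not what was copied to it, so pair it with file-access auditing, and feed the allow-list from the same inventory that the "Manage New Installs" item above asks you to keep.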