Your IT systems touch multiple networks -- what's your cyber hygiene plan?
The world is becoming more connected via the use of cloud computing services and Internet of Things (IoT) devices. Over the last decade, we have watched cybercrimes skyrocket before our very eyes. Corporations today cannot afford to rely on basic firewalls and antivirus software to ensure data is protected. It is essential to create a more powerful cybersecurity ecosystem.
How big is the threat against data? First, take a look at how much data we are talking about here. By the year 2025, we can expect there to be 175 zettabytes of data across the internet and networked computer systems. Think streaming video, dating apps, your private healthcare information, banking data, social media posts, and messages. The list can go on.
Cyber hygiene is more important than ever as hackers and data miners continue to find sophisticated ways to stay ahead and gain access to your valuable data.
What is cyber hygiene?
Cyber hygiene is a set of agreed upon practices a corporation performs on a regular basis in order to maintain the health and security of users, devices, networks, and data.
The overarching goal of cyber hygiene is to ensure sensitive data remains secure within an organization and is protected from theft or attacks from hackers. Much like personal hygiene, humans have a set of cleanliness standards to help keep them healthy and performing at their best level. Your corporate network security system must have a similar standard to maintain good health and prevent data breaches and other incidents.
What are some typical cyber hygiene issues?
When cyber hygiene is not a priority, any number of security violations can occur and bring productivity to a standstill. Here are a few major incidents to look out for when a company does not have cybersecurity hygiene measures in place.
#1 Data Loss
Consider all the businesses that depend on storing customer data as part of their day-to-day routine: insurance agencies, banks, healthcare facilities, educational institutions, government agencies. Vulnerable information can include names and address history, bank account information, passwords, and more. Compromising any of this data can harm the reputation of the company or organization. While there are laws protecting data privacy, corporations must prioritize the protection of this information with a strong cyber hygiene regimen.
#2 Poor Organization of Data
Many companies are missing a solid information structure resulting in lost data, and thus, becomes easy to steal. A cybersecurity hygiene routine can help corporations to organize their digital assets to be accessible when needed.
#3 Vulnerable to Breaches and Hacks
A corporate digital ecosystem must be protected from malicious agents and unauthorized software. A cyber hygiene protocol instructs not only the IT department on how to prevent attacks, but the employees as well. All relevant parties are given a role in becoming more aware of phishing, malware, spam, and virus attacks.
#4 Clashes with Outdated and Legacy Software
Technology changes faster than organizations are able to implement. You know the frustration of a halt in productivity due to software hiccups like a lapse in scheduled updates. This is the type of vulnerability hackers are looking for to take over entire network systems with malware and viruses. A cyber hygiene protocol establishes a consistent schedule for scan and security patches to ensure there are no issues.
Overall, poor cyber hygiene habits can lead to big time consequences like financial loss, government regulatory fines, loss of company productivity, damage to a company’s public reputation, and legal liability that may take years to process.
What are potential blocks to developing a successful cyber hygiene protocol?
Before implementing a "one size fits all" cyber hygiene plan, it is important to note there are a number of common challenges that may come up in the process.
Complexity of the Company’s IT Ecosystem
A company can be one small town office in a leased building with as few as 20 employees and grow into multiple offices across the country and the globe. The number of users on the network and devices in use at any one time can grow from one month to the next. These are networked environments distributed across hybrid and multi-cloud environments. This makes establishing a proper cyber hygiene infrastructure that much more of a challenge.
Lack of a Trained Team of Cybersecurity Professionals
Cyber hygiene is more than just a short list of tasks to be checked off a list. Some of these tasks can include:
- Scanning for viruses using antivirus software and malware
- Updating apps, browsers, and the operating system
- Reformatting and wiping hard drives clean
- Installing firewalls so unauthorized users can’t access private information
- Back up important files offline on a hard drive
This is a job that requires a well-trained team of security professionals and end users who routinely follow a long list of tasks that must be done with precision. These are tasks that are easily forgotten because they tend to be mundane.
Missing User Buy-In Across the Corporation
It is not only the job of the IT team to ensure proper cyber hygiene is being practiced by all. Buy-in is required from a number of end-users throughout the corporation, including employees whose positions may not involve knowledge of cybersecurity.
Cyber hygiene best practices
So what should your company consider when developing a cyber hygiene plan? The following are a few ideas to help you build a foundation to ensure your IT network systems, devices, and user information is protected.
Create an IT Asset Inventory
Imagine you buy a new home and need home insurance. Your home insurance company will ask for an inventory of all the assets in the home you want to have coverage for in the case of an emergency. Your IT asset inventory can do the same thing for a corporation.
For a company to understand what they have of value, there needs to be an assessment of what assets exist, the location, and who has access to the data. This can include financial data, customer or patient data, credit card information, patents and copyrights, and proprietary source code. The data can be located within the company’s physical location or in the cloud.
Generate Complex Passwords or Deploy MFA
Users should have passwords of at least 10 mixed characters while administrators should have passwords of at least 15 mixed characters. Why? Because complex passwords subject to change on a regular basis are more likely to prevent a security breach. Better yet, your company may also elect to implement additional security measures through the use of multi-factor authentication (MFA). This requires the user to present a second form of identity verification, such as a thumbprint, a temporary numerical code, or a FIDO2 security key. Security keys allow individuals, businesses, government agencies, and contractors to replace passwords with a secure, fast login solution.
Update Software on a Regular Schedule
Routine patch management must be done for the company’s operating system and software applications to mitigate the risk of a security breach. Cybersecurity criminals see poor patch management as an open invitation to infiltrate company data.
Maintain Control Over Administrative Privileges
Did you know that high-level administrative privileges pose the greatest risk to your cybersecurity ecosystem? That is why IT professionals only give admin-level access to programs and systems as needed. Standard users have even more limited access.
Backup Data on a Regular Basis
Backing up company data should be performed on a planned schedule and verified to confirm its integrity. Users should also test the restoration process to ensure the backup procedure has been done correctly.
Manage Use of Legacy Software
There comes a time when legacy software will no longer be supported by security patches and updates from the manufacturer or developers. Companies must create a viable plan to ensure a decision is made regarding how long to use legacy software and when is a good time to move on to new software that grows with the company.
Implement a Rapid Response Protocol to Security Threats
What will your company do in the case of a security breach? All companies should ensure a plan is in place in order to mitigate the damage from the attack. Remember, it only takes a few hours for a hacker to move through a network, so time is of the essence. In most cases, employees and customers are unable to move forward with work as usual. Test your security plan to ensure it is working as needed.
Cyber hygiene is a responsibility for all users -- not just the IT team
Implementing a solid cyber hygiene plan is not a "set it and forget it" proposition. There are a number of moving parts to analyze and update on a regular basis. Once this becomes a regular company practice, it will be much easier to redirect or even stop a cybersecurity attack altogether.
Photo Credit: Rawpixel.com/Shutterstock
Dr. Manfred Mueller is COO and GM Identity, Identiv. As a result of the diverse roles he has held at Identiv -- including sales, marketing, product management, business development, and investor relations -- he has a deep understanding of the company’s technology, markets, customers, stakeholders, and operations. Dr. Mueller joined Identiv in 2000. Before joining Identiv, Dr. Mueller was responsible for strategic investments, product development, and M&A activities for BetaResearch GmbH, the digital TV division of the German Kirch Group.