Cyber hygiene – prevention is better than cure
What is cyber hygiene
Cyber hygiene is an ordered routine of specific tools, checks and practices that safeguard the handling of essential data and secure your networks and ‘attack surfaces’ (the areas of your network that are exposed to attack). Cyber hygiene practices are specific to the needs of the organisation and of particular individuals or roles. They include, but are not limited to, the management and assessment of the aforementioned attack surfaces, vulnerability management, and the maintenance and updating of essential software and applications.
Cyber hygiene is analogous to our own personal hygiene routine: the specific steps we take as individuals to keep ourselves clean, healthy and presentable to others are akin to the habitual steps needed to keep our work devices and networks secure. These habits in turn inform the security policy and culture of the workplace.
Our last article looked at the broad approach to cyber security policy and the need to have a plan in place. That plan is hugely important when creating a workplace culture with cyber security at its heart, and cyber hygiene will help you keep your policy and security measures appropriate and up to date.
Cyber hygiene routine
It may seem daunting, but by starting with these simple steps you can create a cyber hygiene routine that is fit for purpose. Follow them at regular intervals and build them into your wider cyber security policy to develop a culture of security in your organisation.
- Make an inventory - The first thing you need to do is take inventory of all your hardware, software, digital equipment, programs and users. Hardware means all your computers, networked devices such as printers and VoIP/video phones, remote access devices, servers, and mobile devices such as smartphones and tablets.
- Software includes all installed programs or network-accessed programs such as antivirus software, editing or office tools.
- Applications include all your online access points such as shared drives, password management systems, social media and web assets.
- Users are all the people with access to any or all of your systems. Keep stock of who has access to what and for how long.
- Analyse your inventory - You need to go through your list methodically and decisively.
- Fewer points of attack means fewer vulnerabilities, so the first thing to do is go through all your hardware and safely dispose of anything you aren’t using. Safely means wiping the data, physically destroying data storage drives and recycling your old devices through a reputable source. You should also remove all redundant hardware, such as disused video conferencing equipment that could be accessed remotely.
- Software vulnerabilities are far greater when your systems aren’t up to date. Consider using software that keeps track of all your drivers and programs and lets you know when it’s time to update; some will do this automatically at the same time as your system updates. Make sure the programs on your devices are appropriate to the staff using them. There’s no reason for your social team to have the accounting software installed on their devices. This seems unlikely, but network-installed systems can often default to giving everyone access unless permissions are defined.
- Applications are often overlooked. Are you using multiple services for backup and mixing where things are organised, for example photos on Dropbox and documents on Google Drive? Sticking to one service and using another only as a backup (or deleting it) is better for security and for maintaining your data, especially in larger organisations. Make sure your applications have dedicated user permissions and never use the master password as a universal login shared between staff. Enable two-factor authentication (2FA) wherever possible.
- Users are a little more difficult to keep inventory of, so it’s important everyone has clear, regular training on the cyber hygiene and cyber security policies you have in place, and that new members of the team are informed from the outset. Strong passwords and the use of email encryption are a must for your office and hybrid workers.
- Build your cyber hygiene review into your cyber security policy. Set a schedule for a full review and make sure that day-to-day checking for updates becomes second nature for you and your organisation.
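The inventory and analysis steps above can be turned into a repeatable check rather than a one-off read-through. The script below is an added example written for this article; it is not code from the original page or from PieSecurity. It runs the analysis over a constructed sample inventory (device last-seen dates, installed versus latest software versions, anti-malware definition dates, application 2FA and shared-login settings, user roles and last logins) and groups the findings by the action each one calls for. The field names, the role-to-software map and the idle-day and definition-age thresholds are assumptions for the example; adjust them to your own organisation.

```python
from datetime import date

# Constructed sample inventory (not real assets): one record per item collected in
# the "make an inventory" step. Dates are ISO strings; all thresholds are assumed.
TODAY = date(2024, 6, 1)

INVENTORY = {
    "hardware": [
        {"name": "reception-printer", "assigned_to": None, "last_seen": "2024-05-30"},
        {"name": "old-vc-unit", "assigned_to": None, "last_seen": "2023-11-02"},  # disused kit
        {"name": "laptop-017", "assigned_to": "alice", "last_seen": "2024-05-31"},
    ],
    "software": [  # definitions_updated only applies to anti-malware products
        {"name": "office-suite", "host": "laptop-017", "installed": "7.1", "latest": "7.1", "definitions_updated": None},
        {"name": "antivirus", "host": "laptop-017", "installed": "12.0", "latest": "12.0", "definitions_updated": "2024-03-15"},
        {"name": "accounting", "host": "laptop-017", "installed": "3.2", "latest": "3.4", "definitions_updated": None},
    ],
    "applications": [
        {"name": "shared-drive", "two_factor": True, "shared_login": False},
        {"name": "social-media", "two_factor": False, "shared_login": True},
    ],
    "users": [
        {"name": "alice", "role": "social", "last_login": "2024-05-31"},
        {"name": "bob", "role": "contractor", "last_login": "2024-01-10"},
    ],
}

# Assumed least-privilege map: software every device gets, plus per-role extras.
BASELINE_SOFTWARE = {"office-suite", "antivirus"}
ROLE_SOFTWARE = {"social": {"social-media"}, "finance": {"accounting"}, "contractor": set()}


def days_since(iso_date, today=TODAY):
    """Whole days between an ISO date string and the review date."""
    return (today - date.fromisoformat(iso_date)).days


def stale_hardware(inv, max_idle_days=90, today=TODAY):
    """Devices not seen on the network recently: candidates to wipe and dispose of."""
    return [h["name"] for h in inv["hardware"] if days_since(h["last_seen"], today) > max_idle_days]


def outdated_software(inv, max_definition_age_days=14, today=TODAY):
    """Programs with an update available, or anti-malware whose definitions are stale."""
    findings = []
    for s in inv["software"]:
        if s["definitions_updated"] and days_since(s["definitions_updated"], today) > max_definition_age_days:
            findings.append((s["host"], s["name"], "definitions stale"))
        if s["installed"] != s["latest"]:
            findings.append((s["host"], s["name"], "update available"))
    return findings


def misplaced_software(inv):
    """Software installed on a device whose owner's role does not need it."""
    owner = {h["name"]: h["assigned_to"] for h in inv["hardware"]}
    role = {u["name"]: u["role"] for u in inv["users"]}
    findings = []
    for s in inv["software"]:
        user = owner.get(s["host"])
        if user is None:
            continue  # unassigned device: no role to compare against
        allowed = BASELINE_SOFTWARE | ROLE_SOFTWARE.get(role[user], set())
        if s["name"] not in allowed:
            findings.append((s["host"], s["name"], user))
    return findings


def application_issues(inv):
    """Online services missing 2FA or relying on a shared master login."""
    findings = []
    for a in inv["applications"]:
        if not a["two_factor"]:
            findings.append((a["name"], "2FA disabled"))
        if a["shared_login"]:
            findings.append((a["name"], "shared master login"))
    return findings


def stale_users(inv, max_idle_days=60, today=TODAY):
    """Accounts that have not logged in recently: review or revoke their access."""
    return [u["name"] for u in inv["users"] if days_since(u["last_login"], today) > max_idle_days]


def review(inv, today=TODAY):
    """Run every check and group the findings by the action they call for."""
    return {
        "dispose": stale_hardware(inv, today=today),
        "update": outdated_software(inv, today=today),
        "uninstall": misplaced_software(inv),
        "fix_application": application_issues(inv),
        "review_access": stale_users(inv, today=today),
    }
```

Running `review(INVENTORY)` on the sample data flags the disused conferencing unit for disposal, the accounting package for an update and for removal from the social team member's laptop, the antivirus for stale definitions, the social media account for missing 2FA and a shared login, and the contractor account for an access review. Feeding the script a real export from your asset register and identity provider at each scheduled review is what turns the list into the habit the article describes.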
Doesn’t my antivirus software and firewall protect me?
You may be thinking: why does my organisation need a cyber hygiene routine at all if I’m already protected by antivirus software, malware protection and a network firewall? These products, from reputable vendors, go a long way towards keeping personal data safe, but the reason for your cyber hygiene routine soon becomes clear.
The problem is the ferocity of cyber-attacks and the rise in their complexity and frequency. The UK government has reported that more than a third of businesses are now experiencing cyber-attacks weekly. This is coupled with the natural deterioration of protections such as anti-malware software whose virus definitions are not kept updated. Essentially, unless properly maintained and updated, just like your own health and hygiene, the wear and tear will start to show and may lead to much more serious systemic issues such as data loss through theft or corruption.
Knowledge is power
Something often missed in the wider context of a cyber hygiene routine is staying in the know. You may not have a large organisation, but it is a good idea to have someone keeping an eye on the wider cyber security landscape. There are some fantastic blogs and reputable sources, such as TechCrunch and Forbes, that regularly post relevant cyber security news. You can also contact PieSecurity for a demo and an expert assessment of your cyber hygiene.
If you want to improve your cyber hygiene, get in touch for a demo of our email and security solutions.
Tools like PieSecurity are designed with GDPR and hybrid remote working in mind. Learn more about our email hygiene and encryption solutions and how they can protect your business.