Cyber hygiene is the cybersecurity equivalent to the concept of personal hygiene in public health literature.
The European Union's Agency for Network and Information Security (ENISA) states that "cyber hygiene should be viewed in the same manner as personal hygiene and, once properly integrated into an organization will be simple daily routines, good behaviors, and occasional checkups to make sure the organization's online health is in optimum condition".
However, the report found there was no consensus on what cyber hygiene meant or even entailed. Various nations have their own recommendations and advisories, such as the NIST Cybersecurity Framework, but there is no single standard or commonly agreed-upon mechanism for an organization to assess, evaluate, or demonstrate cyber hygiene.
At UpGuard, we believe good cyber hygiene practices create a strong security posture, as measured by a security rating. The higher your security rating, the better your security practices, and the better you can prevent data breaches, cyber attacks, phishing, malware, ransomware, exposure of personal data, and other cyber threats.
In short, cyber hygiene encompasses your hardware, software, IT infrastructure, cybersecurity awareness training, and increasingly, your employee's own devices.
Why is cyber hygiene important?
In today's ever-changing threat landscape, it's more important than ever to create a cyber hygiene routine that can prevent cybercriminals from causing security breaches, installing different types of malware, and stealing personal information from you and your customers.
Many organizations rely almost exclusively on cybersecurity professionals to carry out day-to-day tasks designed to protect themselves and their end-users' sensitive data.
This is a mistake. Every employee needs to understand basic cyber hygiene practices and their role in protecting and maintaining your IT systems and devices. This will enable better incident response and provide immediate and effective defenses against cyber attacks.
It doesn't matter whether you have 10 or 10,000 employees, the world is becoming increasingly connected, and the size and impact of data breaches is on the rise. For context, there have been at least 34 data breaches that have exposed more than 55 million people.
And it's not just the large breaches that cost money, according to the 2019 Cost of Data Breach Report from Ponemon Institute and IBM Security, the global average cost of a data breach has grown by 12 percent in the last five years to $3.92 million.
Beyond improving security, cyber hygiene can also help your hardware and software run at peak efficiency. Without maintenance, files can become fragmented and programs can become outdated. Not only does patching reduce the risk of exploitable vulnerabilities, it can also introduce new or improve existing functionality.
What are common cyber hygiene problems?
You likely have multiple attack vectors that are in need of cyber hygiene. All hardware (computers, mobile devices, connected devices, hard drives, and cloud storage), software programs, SaaS applications likely need regular, ongoing maintenance. Each of these systems can become vulnerable over time as new vulnerabilities are listed on CVE. Common cyber hygiene problems include:
- Loss of data: Hard drives, online cloud storage and SaaS apps that store sensitive data that isn't backed up or maintained can be vulnerable to hacking, corruption, data leaks, and data breaches. To learn how to fix this problem, read our guide on data loss prevention.
- Misplaced data: Poor cyber hygiene could mean losing data in other ways, while it may not be corrupted or gone for good, it's increasingly common to misplace data due to the myriad of places it can be stored. This is why robust data classification is important.
- Security breaches: Data breaches are becoming increasingly common, and costly. Spear phishing, whaling attacks, lack of configuration management, and poor network security can all lead to exposure of trade secrets, PII, and PHI. This can result in customer identity theft, industrial espionage, and a loss of market position.
- Outdated software: Software applications must have security patches applied regularly to prevent known vulnerabilities. The success of the WannaCry ransomware computer worm is a great example of why patching operating systems is an important part of good cyber hygiene. To learn more, read our guide on vulnerability management here.
- Old security software: Antivirus software and other security software must be kept up to date to keep pace with the ever-changing threat landscape. Additionally, you may find it helpful to invest in continuous security monitoring.
- Poor or lack of vendor risk management: Gone are the days where you can think solely about your organization's security posture. Chances are a number of your third-party vendors and service providers have access to your Wi-Fi networks or process sensitive data on your behalf. This is why vendor risk management is so important. Additionally, you may have a regulatory requirement to focus on third-party risk management, e.g. FISMA, CPS 234, GLBA, SOX, PCI DSS and HIPAA. Read our guide on vendor risk management here.
What are cyber hygiene best practices?
Cyber hygiene best practices are really just cybersecurity best practices. The Center for Internet Security (CIS) Controls for Effective Defense is a good place to start.
The CIS Controls for Effective Defense can be broken up into three groups:
- Basic CIS Controls
- Foundational CIS Controls
- Organization CIS Controls
What are the basic CIS controls?
There are six controls in the basic CIS controls, namely:
- Inventory and control of hardware assets: This control requires organizations to manage hardware devices on their network to ensure only authorized devices have access to sensitive areas.
- Inventory and control of software assets: This control mitigates this risk by requiring organizations to actively manage all software on the network so only authorized software is installed and can execute.
- Continuous vulnerability management: This control requires organizations to continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate them and minimize the window of opportunity.
- Controlled use of administrative privileges: The principle of least privilege and other access control methods, such as two-factor authentication or multi-factor authentication, are designed to create processes and tools to track, control, prevent and correct the use, assignment, and configuration of administrative privileges.
- Secure configuration of hardware and software on mobile devices, laptops, workstations and servers: Organizations must establish, implement and actively manage the security configuration of mobile devices, laptops, servers and workstations using configuration management and change control processes to prevent attackers from exploiting vulnerable services and settings. This should include the use of complex passwords. To learn how to create strong passwords, read our password security checklist.
- Maintenance, monitoring and analysis of audit logs: Organizations must collect, manage and analyze audit logs of events to help the detection, identification and to recover from attacks.
What are the foundational CIS controls?
There are ten controls in the foundational CIS controls, namely:
- Email and web browser protections: This control can minimize the attack surface and opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems. Read our guide on email security for more information.
- Malware defenses: Organizations must control the installation, spread, and execution of malicious code while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
- Limitation and control of network ports, protocols, and services: This control must manage the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers. To learn more, read our guide on open ports.
- Data recovery capabilities: Organizations must use processes and tools to properly back up critical information with a proven methodology for timely recovery of it.
- Secure configuration of network devices, such as firewalls, routers, and switches: Organizations must establish, implement and actively manage the security configuration of network infrastructure devices by using configuration management and change control processes to prevent attackers from exploiting vulnerable services and settings.
- Boundary defense: Boundary defense controls detect, prevent and correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.
- Data protection: Sensitive data resides in many places. The protection of that data is best achieved through the combination of encryption, integrity protection, and data loss prevention techniques.
- Controlled access based on the need to know: Organizations must have processes and tools to track, control, prevent and correct secure access to critical assets according to access control rights of people, computers, and applications based on a need or right previously classified. Read more about access control and the principle of least privilege here.
- Wireless access control: Wireless access controls are processes and tools to track, control, prevent and correct the secure use of wireless local area networks (WLANs), access points and wireless client systems.
- Account monitoring and control: This control requires active management across the life cycle of system and application accounts - their creation, use, dormancy, and deletion - to minimize opportunities for attackers.
What are the organizational CIS controls?
There are four organizational CIS controls, namely:
- Implement a security awareness, and training program: Organizations must identify the specific knowledge, security skills and abilities needed to support the defense of the organization, develop and execute a plan to assess, identify gaps and remediate through policy, planning, training and awareness programs.
- Application software security: Organizations must manage the security of all in-house and acquired software over its life cycle.
- Incident response and management: Organizations must protect their information and reputation by developing and implementing an incident response infrastructure (e.g. plans, defined roles, training, communications, management oversight) to quickly discover attacks and then contain the damage, eradicate the attacker's access and restore the integrity of the network and systems.
- Penetration tests and red team exercises: Organizations must test their overall defense (technology, processes, and people) by simulating the objectives and actions of an attacker. This may include on-site and off-site penetration testing, network security assessments and testing the implementation of information security policies.
How can I measure my cyber hygiene?
Security ratings are a great, and increasingly common, way to measure the effectiveness of your cyber hygiene.
Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture. They are created by a trusted, independent security rating platform making them valuable as an objective indicator of an organization's cybersecurity performance.
Just as credit ratings aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cybersecurity risk.
The higher your security rating, the better your organization's cyber hygiene practices. Unlike traditional risk assessment techniques like penetration testing, security questionnaires, and on-site visits, security ratings are derived from objective and externally verifiable information.
UpGuard is one of the most popular and trusted security ratings platforms.
With UpGuard, an organization's security rating can range from 0 to 950 and is comprised of a weighted average of the risk rating of all externally facing assets, such as web applications, IP addresses, and marketing sites.
To keep our security ratings up-to-date, we recalculate sores whenever a website is scanned or a security questionnaire is submitted. In general, this means an organization's security rating will be updated multiple times a day, as most websites are scanned daily.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Network security
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
If you are considering other security rating services, like SecurityScoreCard or BitSight Technologies, see our guide on SecurityScorecard security ratings vs BitSight security ratings here.
How to use UpGuard to measure your cyber hygiene in real-time
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
If you'd like to see your organization's security rating, click here to request your free security rating.