How to make progress in achieving squeaky-clean cyber hygiene
Good security, or cyber hygiene, is a crucial skill to be taught and should help users to form habits that lead to a more secure system or network.
Just like with anything else, habits are what drive users. For example, if one brushes their teeth every morning and evening as a child, they form a habit and that hygiene becomes a given rather than something they “need to remember to do.” This same approach should be used to ensure good cybersecurity hygiene is practiced at your organization and by your employees, even when they are not at work.
For starters, there are several important tasks that an organization should perform regularly in order to maintain a baseline level of security. Applying the top 10 CIS Controls is a perfect place to start. When you look at this list, and even at the lists from past decades, you will note that the top two items have consistently been inventories of hardware and software. Even in the most progressive and secure organizations, there tends to be a concerning number of unknown systems and software lurking on the network. One simply cannot protect what is not known.
Now that you have a handle on what is actually on the network, you can begin to reduce the risk those systems and software pose. This is accomplished by establishing and consistently executing a solid patching program. Such a program is typically fed by monitoring systems with a vulnerability scanning tool such as Qualys, Nessus or OpenVAS.
On a regular basis, at least monthly, all known systems should be scanned for missing patches, known vulnerabilities and default configurations. Then, using the results of those scans, remediation plans should be made to address any issues found within a reasonable amount of time. Generally, it should be much faster (within seven to 14 days) for the critical and high rated findings while moving out to slightly longer timelines with less severe findings.
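The two steps above, reconciling scan results against the asset inventory and turning findings into a remediation plan with severity-based deadlines, can be put into a small script. The following is an added example and is not part of the article; the host names, finding titles and scan data are constructed, and while the seven-day and 14-day windows for critical and high findings follow the article, the 30-day and 90-day windows for medium and low findings are assumed for illustration.

```python
from datetime import date, timedelta

# Constructed example inventory: the hosts the organization knows it owns (hypothetical names).
KNOWN_ASSETS = {"srv-web-01", "srv-db-01", "ws-finance-07"}

# Constructed scan findings, shaped loosely like a scanner's CSV/JSON export (hypothetical data).
SCAN_FINDINGS = [
    {"host": "srv-web-01",    "severity": "critical", "title": "Missing OS security update",       "first_seen": "2024-03-01"},
    {"host": "srv-db-01",     "severity": "high",     "title": "Service running with default config", "first_seen": "2024-03-05"},
    {"host": "ws-finance-07", "severity": "medium",   "title": "Outdated browser plugin",            "first_seen": "2024-02-20"},
    {"host": "ws-unknown-42", "severity": "high",     "title": "Unsupported TLS configuration",      "first_seen": "2024-03-10"},
    {"host": "srv-web-01",    "severity": "low",      "title": "Verbose server banner",              "first_seen": "2024-01-15"},
]

# Remediation windows in days. Critical (7) and high (14) follow the article's
# seven-to-14-day guidance; medium and low windows are assumed for illustration.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def unknown_hosts(findings, known_assets):
    """Hosts that showed up in a scan but are missing from the inventory.

    These are the 'unknown systems lurking on the network' that the
    inventory controls exist to surface.
    """
    return sorted({f["host"] for f in findings} - set(known_assets))


def remediation_plan(findings, today, known_assets=KNOWN_ASSETS):
    """Assign each finding a due date from its severity and first-seen date.

    Returns the findings sorted by severity, then by due date, with an
    overdue flag so the report reads as a work queue.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    plan = []
    for f in findings:
        sev = f["severity"].lower()
        # An unrecognised severity is treated as critical so that a scanner's new
        # label never silently gets the longest remediation window.
        window = SLA_DAYS.get(sev, SLA_DAYS["critical"])
        first_seen = date.fromisoformat(f["first_seen"])
        due = first_seen + timedelta(days=window)
        plan.append({
            "host": f["host"],
            "severity": sev,
            "title": f["title"],
            "due": due,
            "days_left": (due - today).days,
            "overdue": due < today,
            "in_inventory": f["host"] in known_assets,
        })
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    plan.sort(key=lambda e: (rank.get(e["severity"], 0), e["due"]))
    return plan


def overdue(plan):
    """Findings whose remediation window has already closed."""
    return [e for e in plan if e["overdue"]]


if __name__ == "__main__":
    today = date(2024, 3, 20)  # constructed "today" so the output is reproducible
    for host in unknown_hosts(SCAN_FINDINGS, KNOWN_ASSETS):
        print(f"NOT IN INVENTORY: {host}")
    for e in remediation_plan(SCAN_FINDINGS, today):
        status = "OVERDUE" if e["overdue"] else f"{e['days_left']}d left"
        print(f"{e['severity']:<8} {e['host']:<14} due {e['due']}  {status:<8} {e['title']}")
```

Run against a real export, the inventory check should be the first thing reviewed each cycle: a host that is not in the inventory has no owner, so its findings have nobody to remediate them until it is adopted into the asset list.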
When it comes to users, the story changes. Users, even the most loyal employee, are less concerned about the safety and security of the corporate assets than they are about their own. By “their own,” most people will be more concerned about things that have the potential to affect their loved ones, personal finances or even their own well-being.
This is not a dig at any employee or at anyone’s loyalty; it is just the simple truth. No one is ever going to care as much about your corporate security as they do about their own security. But that doesn’t mean this bias can’t be used to help keep the organization, and by extension its employees and customers or patients, safe.
With this bit of reality in mind, take a look at your annual compliance training, the acceptable use policies, and other things you expect your users to do, follow or comply with. Is it all corporate jargon? Does it explain the importance of keeping corporate data secure and stop there?
We will never get rid of the corporate jargon or the direct mentions of how crucial it is to keep corporate data secure; an organization’s lawyers will make sure of that. But that doesn’t mean we can’t personalize the training and teach users how these security hygiene habits (like choosing strong passwords and thinking twice before clicking a link in an email) can help them. Sure, a strong password helps keep the corporate network safer from attack, but why can’t it be explained to them in a different light?
For example, while a strong password keeps the data safe for the organization, it also keeps the user’s personal email and social media private. Additionally, people constantly receive phishing emails in their personal email accounts, as do their friends and loved ones, so understanding how to avoid a phishing scam at work also helps the user in their non-work life. If we give our users the training they need to protect the network while at work, they will likely form the right cyber hygiene habits and take them home with them. As a result, your organization is more secure and employees are more secure in their personal lives.
One final thought: there is no one-size-fits-all solution. Training can’t be bought and presented in its stock form. Two organizations in the same town, with the same number of employees, and even the same technical security controls, are still vastly different in culture and risk tolerance.
This goes further: the training that will truly reach the executives would be quite a bit different from that designed to reach maintenance staff or providers, because what they care about is vastly different. For example, executives are more concerned about numbers and hard facts, while providers tend to be more focused on their ability to provide the best possible patient care. Having good cyber hygiene practices is not unlike preventative medicine; it gives us the tools we need to maintain good security hygiene and will help all of us improve our cyber health both at home and at work.