Introduction
The world of Cybersecurity is full of buzzwords and techno jargon. One of these
is the term “Cyber Hygiene”. It has become much more prevalent as the COVID-19
pandemic continues and a Remote Workforce has become a long-term reality. This
is the focal point of this article.
What Is Cyber Hygiene?
In a general sense, Cyber Hygiene means that all employees of a business, up to
and including the C-Suite, follow a set of best practices so that all devices
and digital assets are protected from becoming an easy Cyber target.
With the advent of the Internet of Things (IoT) and just about everything being
connected together, the attack surface has greatly expanded. Being proactive is
therefore a must these days, not just something that gets checked off a list at
a later point in time.
The Cyberattacker of today has become extremely stealthy and covert. In fact,
they often find the weaknesses of an unsuspecting victim merely by building up a
profile on them from publicly available information, primarily from Social Media
sites (a reconnaissance technique usually called OSINT, or open source
intelligence). In other words, your business and employees could very well be
profiled without anybody knowing it until it is too late. This is yet another
reason why maintaining a strong level of Cyber Hygiene is more critical than
ever.
How To Maintain A Strong Level of Cyber Hygiene
The following are some tips to help your employees maintain
a proactive mindset when it comes to Cyber Hygiene:
1)
Conduct an inventory of all of your assets:
This includes not only digital assets but physical assets as well, and in a
Remote Workforce it also means the home routers, personal devices, and cloud or
SaaS accounts that now touch company data. Remember, the Cyberattacker is going
to go after the crown jewels that are the most valuable and least protected in
your organization. Therefore, your IT Security team needs to inventory
everything you have and, from there, complete a Risk Assessment that ranks each
asset by its value to the business and its exposure to attack. This will give
you a good idea of which assets are most prone to a security breach and which
are the least likely to be hit. Those that are both valuable and weakly
protected should, of course, receive the strongest controls. An inventory is
only useful if it is kept current, so re-run it whenever new systems or devices
are brought online.
2)
Teach your employees about passwords:
You need to train your employees about how to keep their passwords safe. This
includes not sharing them with coworkers, not reusing a work password on
personal sites, and not using a slight variation of an existing password when
it comes time to reset it (changing Summer2023! to Summer2024! is not a new
password). Most importantly, tell them about the need to create long, complex,
unique passwords by making use of a Password Manager. With this, such passwords
can be generated instantly without your employees having to remember them, and
they can be rotated on whatever schedule your security policy requires. One
caveat: current NIST guidance (SP 800-63B) advises against forcing periodic
resets unless there is evidence of compromise, since forced rotation is what
drives people to those slight variations in the first place. Whatever your
policy says, a Password Manager makes following it painless.
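As an added illustration (not part of the original article), the Python below shows two things a Password Manager or a reset form does behind the scenes: generating a password from the operating system's cryptographic random source, and rejecting a proposed new password that is only a slight variation of the old one (an incremented year, a leetspeak swap, a reversal). The sample passwords, the leetspeak table, and the similarity threshold are constructed for this example.

```python
import difflib
import math
import secrets
import string

# Character set a password manager would draw from when generating secrets.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Common leetspeak substitutions (assumed table for this example), undone before
# two passwords are compared: P@ssw0rd -> password.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from the OS CSPRNG, as a password manager does.

    `secrets` is used rather than `random`; the latter is predictable.
    """
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols over the alphabet."""
    return length * math.log2(alphabet_size)


def normalize(password: str) -> str:
    """Reduce a password to its 'core' so that trivial edits compare equal.

    Strips digits and punctuation from both ends (Summer2023! -> Summer),
    lowercases, and undoes leetspeak (P@ssw0rd -> password).
    """
    core = password.strip(string.digits + string.punctuation)
    if not core:            # e.g. "2023!!": nothing left, compare the raw string
        core = password
    return core.lower().translate(LEET)


def is_trivial_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True if `new` is only a slight variation of `old`.

    Catches incremented suffixes, case or leetspeak changes, reversal, and any
    pair whose normalized forms are at least `threshold` similar (difflib ratio).
    """
    a, b = normalize(old), normalize(new)
    if a == b or a == b[::-1]:
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def check_reset(old: str, new: str, min_length: int = 14) -> list:
    """Return the policy violations for a proposed password change (empty list = OK)."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if new == old:
        problems.append("same as the current password")
    elif is_trivial_variation(old, new):
        problems.append("only a slight variation of the current password")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs: the first three are the variations users reach for.
    for old, new in [("Summer2023!", "Summer2024!"), ("Password1", "P@ssw0rd2"),
                     ("Welcome1", "1emocleW"), ("Summer2023!", generate_password())]:
        print(f"{old!r} -> {new!r}: {check_reset(old, new) or ['ok']}")
    print(f"20 random chars from {len(ALPHABET)} symbols ~ {entropy_bits(20):.0f} bits")
```

Note that a server normally stores only a hash of the current password, so the variation check can only run at the moment the user proves the old password, such as on a change-password form; it cannot be applied retroactively to stored hashes.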
3)
Always update your systems:
This is probably one of the oldest security rules in the books. Despite this,
many organizations fail to heed it until it is too late. Therefore, your IT
Security team needs to make it a routine practice, ideally an automated one, to
check for the latest software updates and patches and deploy them as needed.
One key thing has to be remembered here: as far as possible, test patches and
upgrades first in a staging environment that mirrors production, before they
are released into your IT and Network Infrastructure. This extra step helps
ensure that what is about to be applied will actually work in your environment
and not create a new operational or security nightmare. Keep a record of
installed versions alongside the asset inventory from tip 1, so that when a new
vulnerability is announced you can tell quickly which systems it actually
affects.
4)
Keep an eye on what is assigned:
This simply means adopting the principle of Least Privilege: give your
employees only the bare minimum of rights, privileges, and access that they
need to get their job done. This even includes the members of your IT Security
team. But there is one more thing you need to watch for: a sudden escalation in
the administrative rights granted to an employee. This means that either they
somehow did it themselves (which could be indicative of an Insider Attack that
is about to take place), or a Cyberattacker has gained access to the directory
or identity system where user accounts and group memberships are managed.
Therefore, you need to keep a vigilant eye on privilege changes. Any escalation
should occur only after a review of the request has been done and it is
confirmed that the employee really needs it. Where possible, make the grant
time-limited and record who approved it, so that an unapproved or self-granted
change stands out in the audit trail.
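To make the advice about watching for escalations concrete, here is an added example (not from the original article) of the kind of detection logic an IT Security team can run over group-membership change logs. The log format, the group names, and the sample lines are constructed for this example and are not any particular product's format; a real deployment would feed in Active Directory or identity-provider audit events instead. It flags three things: a person adding themselves to a privileged group, a privileged grant with no change-ticket reference, and several privileged grants to the same account within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership confers administrative rights (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}

# Constructed sample log. The key=value layout is an assumption for this example,
# not the format of any real directory or identity product.
SAMPLE_LOG = """\
2024-03-04T09:12:33Z actor=helpdesk1 action=group_add target=mlee group="Sales" ticket=CHG-1042
2024-03-04T09:15:02Z actor=jsmith action=group_add target=jsmith group="Domain Admins" ticket=-
2024-03-04T09:16:10Z actor=jsmith action=group_add target=jsmith group="Enterprise Admins" ticket=-
2024-03-04T10:01:45Z actor=admin.ops action=group_add target=svc-backup group="Server Operators" ticket=CHG-1050
2024-03-04T22:47:09Z actor=admin.ops action=group_add target=kpatel group="Domain Admins" ticket=-
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+) '
    r'target=(?P<target>\S+) group="(?P<group>[^"]+)" ticket=(?P<ticket>\S+)$'
)


def parse(log_text):
    """Turn log lines into event dicts; a ticket of '-' means no approval reference."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; in production you would count and alert on these
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        event["ticket"] = None if event["ticket"] == "-" else event["ticket"]
        events.append(event)
    return events


def detect(events, burst_window=timedelta(minutes=10), burst_count=2):
    """Return (code, description) findings for suspicious privileged-group grants.

    SELF_GRANT:       the actor added their own account to a privileged group.
    NO_APPROVAL:      a privileged grant carries no change-ticket reference.
    BURST_ESCALATION: `burst_count` or more privileged grants to one account
                      within `burst_window` (a sudden escalation).
    """
    findings = []
    recent = defaultdict(list)  # target account -> timestamps of its recent privileged grants
    for e in events:
        if e["action"] != "group_add" or e["group"] not in PRIVILEGED_GROUPS:
            continue
        where = f'{e["ts"]:%Y-%m-%d %H:%M} {e["target"]} -> {e["group"]} (by {e["actor"]})'
        if e["actor"] == e["target"]:
            findings.append(("SELF_GRANT", where))
        if e["ticket"] is None:
            findings.append(("NO_APPROVAL", where))
        times = recent[e["target"]] + [e["ts"]]
        recent[e["target"]] = [t for t in times if e["ts"] - t <= burst_window]
        if len(recent[e["target"]]) >= burst_count:
            findings.append(("BURST_ESCALATION", where))
    return findings


if __name__ == "__main__":
    for code, where in detect(parse(SAMPLE_LOG)):
        print(f"{code:17} {where}")
```

The approved grant to svc-backup produces no finding, while jsmith's two self-grants without a ticket trip all three rules; that is the contrast a reviewer should see when an escalation bypasses the approval process.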
5)
Get rid of old equipment:
This is technically referred to as “End Of Life” (EOL). It means that the
hardware, or the software running on it, is no longer supported by the vendor,
so there will be no more software upgrades or security patches. Obviously, this
poses a grave Cybersecurity risk to your company, because any vulnerability
found from that point on stays open for good. But don't simply throw these
out-of-date devices into the trashcan. Rather, make use of a data destruction
company that can properly purge any information and data (following a
recognized standard such as NIST SP 800-88 for media sanitization) and dispose
of the devices in a safe and secure fashion, so that they are not vulnerable to
Dumpster Diving attacks. Ask for a certificate of destruction and record it
against the asset in your inventory.
6)
Have Security Awareness Training:
This is also one of those things that you hear about on a daily basis, and
unfortunately many CISOs still disregard its importance. With the bulk of the
American workforce still working from home (WFH), this kind of training is now
more important than ever before. There are many ways you can go about
implementing it, but the key is to make the training engaging and to test the
employees to make sure they are taking it seriously. A good example of this is
Phishing training. After you have explained what Phishing is and how to
recognize a rogue email, conduct a mock Phishing campaign to see which of your
employees still fall for the bait. Those that do should be retrained, with a
much stronger emphasis on the seriousness of it. Just as important, make it
easy and blame-free for employees to report a suspicious email, because a fast
report is often what lets your IT Security team contain a real campaign.
Conclusions
Overall, this article has provided you with some tips on how to maintain a good
level of Cyber Hygiene for both your business and your employees. Obviously,
there are more action items that need to be taken into consideration, but this
list is a good start. In the end, we are all prone to becoming the victim of a
Cyber-attack, but by maintaining a strong level of Cyber Hygiene, that risk can
be greatly reduced.