Saturday, October 28, 2023

6 Golden Aspects Of A Good Cyber Hygiene Plan

Introduction

The world of Cybersecurity is bandied about with a bunch of big buzzwords and techno jargon.  One of these is the term “Cyber Hygiene”.  It has become much more prevalent as the COVID19 pandemic continues, and the Remote Workforce is now a guaranteed happening for the long term.  This is the focal point of this article.

What Is Cyber Hygiene?

In a general sense, Cyber Hygiene means that all employees of a business, even up to and including the C-Suite, must follow a set of best practices in order to make sure that all devices and digital assets are protected from being a Cyber target. 

With the advent of the Internet of Things (IoT) and just about everything being connected together, the attack surface has greatly expanded.  Thus, the need to be proactive is a must these days, and not just something that gets checked off a list at a later point in time.

The Cyberattacker of today has now become extremely stealthy and covert – in fact, they find the weaknesses of an unsuspecting victim merely by building up a profile on them with information that is publicly available, primarily from Social Media sites.

In other words, your business and employees could very well be watched without anybody knowing it until it is too late.  This is yet another reason why maintaining a strong level of Cyber Hygiene is more critical than ever.

How To Maintain A Strong Level of Cyber Hygiene

The following are some tips to help your employees maintain a proactive mindset when it comes to Cyber Hygiene:

1)     Conduct an inventory of all of your assets:

This not only includes digital assets, but physical assets as well.  Remember, the Cyberattacker is going to go after those crown jewels that are the most vulnerable and least protected in your organization.  Therefore, your IT Security team needs to conduct an inventory of everything you have, and from there, complete a Risk Assessment and rank the assets on a categorization scale.  This will then give you a good idea of which assets are most prone to a security breach and which are the least likely to be hit.  Those that are deemed to be the weakest should of course have the strongest controls associated with them.

2)     Teach your employees about passwords:

You need to train your employees about how to keep their passwords safe.  This includes not sharing them with other coworkers, and not using a slight variation on an existing password when it comes time to reset it.  But most importantly, tell them about the dire need now to create long, complex passwords by making use of a Password Manager.  With this, these kinds of passwords can be created instantaneously, without your employees having to remember them.  Also, they can be reset on a prescribed time schedule, which is based upon your security policies.

3)     Always update your systems:

This is probably one of the oldest security rules to be found in the books.  But despite this, many organizations fail to heed it until it is too late.  Therefore, your IT Security team needs to make it an almost daily practice to keep checking for the latest software updates and patches, and deploy them as needed.  But one key thing has to be remembered here:  As far as possible, always test these patches and upgrades in a sandboxed environment first, before they are released into your IT and Network Infrastructure.  This extra practice helps ensure that what is about to be applied will actually work in your environment, and not create more of a security nightmare.

4)     Keep an eye over what is assigned:

This simply means adopting the principle of Least Privilege:  Give your employees only the bare minimum of rights, privileges, and access that they need to get their job done.  This even includes the members of your IT Security team.  But there is one thing that you also need to keep your eye on – a sudden escalation in the administrative rights that have been given to an employee.  This means that either they somehow did this themselves (which could also be indicative of an Insider Attack that is about to take place), or a Cyberattacker has gained access to the database where all of the user profiles are stored.  Therefore, you need to keep a vigilant eye out for this.  Any escalation in privileges should occur only after a review of the request has been done, and only if the employee really needs it.
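The review check described above can be automated in a simple form: compare every grant of a privileged group against a register of reviewed and approved requests, and flag grants that are self-applied or have no matching approval. The script below is an added example and is not part of the original article; the audit-event format, the group names and the approval register are constructed assumptions, and a real directory or SIEM feed would need its own parser.

```python
"""Flag privilege escalations that were not backed by an approved review.

Added example, not from the original article. The 'key=value' audit-line
format, the privileged group names and the approval register are all
constructed assumptions for illustration.
"""
import re

# Constructed sample audit events: who granted which group to whom, and when.
SAMPLE_EVENTS = [
    "2023-10-27T08:15:00 actor=helpdesk1 target=alice action=group_add group=Domain Admins",
    "2023-10-27T09:02:11 actor=bob target=bob action=group_add group=Domain Admins",
    "2023-10-27T09:40:45 actor=svc_backup target=carol action=group_add group=Server Operators",
    "2023-10-27T10:05:00 actor=helpdesk1 target=dave action=group_add group=Sales",
]

# Constructed approval register: (user, privileged group) pairs that went
# through a review and were approved. Anything else is unreviewed.
APPROVED_GRANTS = {("alice", "Domain Admins")}

# Groups whose membership counts as administrative privilege (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Enterprise Admins"}

# Lazy value match that stops at the next ' key=' boundary or end of line,
# so a value containing spaces such as 'Domain Admins' survives intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse one audit line into a dict of fields plus its timestamp."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def find_unreviewed_escalations(lines, approved=APPROVED_GRANTS,
                                privileged=PRIVILEGED_GROUPS):
    """Return findings for privileged-group grants that lack a reviewed approval.

    A grant is flagged when the actor granted the privilege to themselves, or
    when no (target, group) pair exists in the approval register. Both reasons
    can apply to the same event.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("action") != "group_add" or ev.get("group") not in privileged:
            continue  # not a privilege change; ordinary group membership is fine
        reasons = []
        if ev["actor"] == ev["target"]:
            reasons.append("self-granted")
        if (ev["target"], ev["group"]) not in approved:
            reasons.append("no approved request")
        if reasons:
            findings.append({
                "timestamp": ev["timestamp"],
                "actor": ev["actor"],
                "target": ev["target"],
                "group": ev["group"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_unreviewed_escalations(SAMPLE_EVENTS):
        print(f"{f['timestamp']} {f['target']} -> {f['group']} "
              f"(by {f['actor']}): {', '.join(f['reasons'])}")
```

Run against the constructed events, the grant to alice passes because it is in the approval register, bob's self-grant is flagged on both counts, carol's grant is flagged as unreviewed, and dave's non-privileged group change is ignored. In practice the approval register would be fed from your change-request system and the events from your directory's audit log.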

5)     Get rid of old equipment:

This is also technically referred to as “End Of Life”.  This means that the hardware or software used in the device is no longer supported.  In other words, there will no longer be any software upgrades or patches available for it.  Obviously, this can pose a grave Cybersecurity risk to your company.  But don’t just get rid of these out-of-date devices by simply throwing them into the trashcan.  Rather, make use of a data destruction company that can properly purge any information and data, and dispose of them in a safe and secure fashion, so that they are not vulnerable to Dumpster Diving attacks.
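Tips 1 and 5 fit together: the same inventory that drives the Risk Assessment can also flag assets that have passed their End Of Life, so that the unpatchable ones rise to the top of the ranking and get queued for secure disposal. The script below is an added example, not part of the original article; the asset records, the scoring weights, the category thresholds and the reference date are constructed assumptions, and a real program would pull these from your asset register and vendor support schedules.

```python
"""Rank inventoried assets on a risk scale and flag End Of Life ones.

Added example, not from the original article. The inventory, the scoring
model, the category thresholds and TODAY are constructed assumptions.
"""
from datetime import date

# Constructed inventory covering digital and physical assets. Scores are 1-5:
# criticality = business impact if breached, exposure = how reachable it is
# (internet-facing = 5), controls = strength of protections already in place.
# eol = vendor end-of-support date, or None while the asset is still supported.
INVENTORY = [
    {"name": "customer-db",   "type": "server",   "criticality": 5, "exposure": 2, "controls": 4, "eol": None},
    {"name": "web-portal",    "type": "server",   "criticality": 4, "exposure": 5, "controls": 3, "eol": None},
    {"name": "lobby-printer", "type": "device",   "criticality": 1, "exposure": 3, "controls": 1, "eol": date(2022, 6, 30)},
    {"name": "legacy-hr-app", "type": "software", "criticality": 4, "exposure": 3, "controls": 2, "eol": date(2023, 1, 31)},
    {"name": "badge-reader",  "type": "physical", "criticality": 3, "exposure": 1, "controls": 2, "eol": None},
]

TODAY = date(2023, 10, 28)  # constructed reference date for the assessment

# Unsupported assets get this added to their likelihood: no patch will ever
# close a newly discovered hole, so exposure is effectively higher.
EOL_PENALTY = 2


def is_end_of_life(asset, today=TODAY):
    """True when the vendor support date has already passed."""
    return asset["eol"] is not None and asset["eol"] <= today


def risk_score(asset, today=TODAY):
    """Impact times likelihood; likelihood never drops below 1."""
    likelihood = asset["exposure"] - asset["controls"]
    if is_end_of_life(asset, today):
        likelihood += EOL_PENALTY
    return asset["criticality"] * max(1, likelihood)


def categorize(score):
    """Map a numeric score onto the three-step scale used for reporting."""
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rank_assets(inventory, today=TODAY):
    """Return assets ordered from highest to lowest risk with their category."""
    ranked = []
    for asset in inventory:
        score = risk_score(asset, today)
        ranked.append({
            "name": asset["name"],
            "score": score,
            "category": categorize(score),
            "end_of_life": is_end_of_life(asset, today),
        })
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def end_of_life_assets(inventory, today=TODAY):
    """Names of assets that should be queued for secure data destruction."""
    return [a["name"] for a in inventory if is_end_of_life(a, today)]


if __name__ == "__main__":
    for row in rank_assets(INVENTORY):
        flag = " [END OF LIFE - schedule secure disposal]" if row["end_of_life"] else ""
        print(f"{row['score']:>3} {row['category']:<6} {row['name']}{flag}")
```

On the constructed inventory the unsupported HR application ranks highest even though it is less critical than the customer database, because its controls are weak and it can no longer be patched; the well-controlled database lands in the middle. That is the point of scoring rather than guessing: the weakest assets, not the most important ones, get the strongest controls and the earliest attention.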

6)     Have Security Awareness Training:

This is also one of those things that you hear about on a daily basis, and unfortunately, most CISOs still disregard the importance of it.  With the bulk of the American workforce still working from home (WFH), this kind of training is now even more important than ever before.  There are many ways that you can go about implementing this, but the key here is to make the training engaging and to test the employees to make sure that they are taking it seriously.  A good example of this is Phishing training.  After you have explained what it is and how to recognize a rogue email, conduct a mock Phishing campaign to see which of your employees still fall for the bait.  Those that do should be retrained, with a much stronger emphasis on the seriousness of it.

Conclusions

Overall, this article has provided you with some tips as to how you can maintain a good level of Cyber Hygiene for both your business and employees.  Obviously, there are more action items that need to be taken into consideration, but this list is a good start.  In the end, we all are prone to becoming a victim of a Cyber-attack, but by having a strong level of Cyber Hygiene, that risk should be greatly mitigated.
