In the cyber security sphere, the term “cyber hygiene” enjoys considerable currency.
It was coined a decade or more ago to describe two things: the practices users should follow when they're online, to reduce the likelihood of systems being compromised or corrupted by hackers and cyber criminals, and of accidental data breaches; and the regular security processes enterprises should implement to keep their ICT infrastructure secure. Cyber hygiene can be compared to the behaviours you practise to stay physically healthy: taking vitamins, washing your hands, and avoiding junk food.
Both are key to achieving a robust cyber security posture.
It’s an accessible way to think about what, in the digital era, is a critically important issue.
Growing recognition of the costs
In the ultra-connected digital age, a malware infiltration or major data breach can be far more than a nuisance. Such an incident can cause operational and economic damage and disruption that are difficult to recover from.
Listed Australian property valuation firm Landmark White (now Acumentis) serves as a cautionary tale. As a result of falling victim to two cyber crime incidents in 2019, which saw around 140,000 records and documents posted on the dark web, trading in the company’s shares was suspended, its earnings plunged and it posted a $15.1 million loss for the financial year.
Research suggests enterprises are cognisant of the risk they face, at least at decision-maker level. PwC's 2018 Global Economic Crime and Fraud Survey: Australian Report revealed that the nation's business leaders now view cyber crime as both the most disruptive economic crime of the day and the greatest threat to growth prospects.
Make cyber hygiene practical
One challenge is to get employees thinking the same way, and upping their personal commitment to safer cyber practices accordingly. As part of the awareness-raising process it can be helpful to spell out exactly what rigorous cyber hygiene consists of, rather than merely handing employees a list of dos and don'ts.
For most organisations, the SAFET-Y acronym is a simple way to categorise the vulnerabilities they face. Its letters stand for key areas, including:
Storage and device hygiene
Authentication and prevention hygiene
Facebook and social media hygiene
Email and messaging hygiene
At the same time, give employees examples in each of these areas that relate to their actual work situations and the systems they use. That makes it far more likely they'll follow the rules and build good cyber hygiene into their everyday modus operandi.
Testing employees' awareness, knowledge and technical capabilities, and how far they currently apply those capabilities, can help enterprises determine where resources would be best focused in order to drive down the collective risk.
Meanwhile, for IT security teams, good network hygiene is also about staying on top of the basics. That means eliminating weak cipher suites and expired or self-signed certificates, and putting patching processes in place so that known vulnerabilities are remediated promptly, not weeks or months after they're detected.
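The two "basics" named above, weak cipher suites and expired or self-signed certificates, are things a security team can check mechanically rather than by eye. The following script is an added example written for this article; it is not ExtraHop code or anything from the original page. It uses only the Python standard library: the cipher audit inspects an `ssl.SSLContext` (the weak-algorithm list and the forward-secrecy rule are this example's own policy choices), and the certificate audit works on the dictionary shape returned by `SSLSocket.getpeercert()`, fed here with a constructed sample certificate so it runs offline.

```python
"""Audit TLS configuration basics: weak cipher suites and bad certificates.

Added example, not from the original article. Standard library only.
"""
import re
import ssl
import time

# Policy (this example's own choice): algorithms that should not be enabled anywhere.
WEAK_ALGORITHM = re.compile(r"(RC4|DES|NULL|EXP|MD5|ADH|AECDH)")
# TLS 1.2 suites with ECDHE/DHE key exchange and all TLS 1.3 suites (TLS_*) give forward secrecy.
FORWARD_SECRECY_PREFIXES = ("ECDHE", "DHE", "TLS_")


def audit_cipher_names(names):
    """Return [(suite_name, reason)] for every suite that fails the policy."""
    findings = []
    for name in names:
        if WEAK_ALGORITHM.search(name):
            findings.append((name, "weak algorithm"))
        elif not name.startswith(FORWARD_SECRECY_PREFIXES):
            findings.append((name, "no forward secrecy"))
    return findings


def enabled_weak_ciphers(ctx):
    """Audit the suites an SSLContext will actually negotiate."""
    return audit_cipher_names(c["name"] for c in ctx.get_ciphers())


def legacy_context():
    """A context with the broadest suite list OpenSSL will allow (the weak setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_context():
    """The corrected setting: TLS 1.2+ only, AEAD suites with forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_cert(cert, now):
    """Flag expiry and self-signing on a getpeercert()-style dict.

    `now` is seconds since the epoch; passed in so the check is reproducible.
    """
    issues = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        issues.append("not yet valid")
    if now > not_after:
        issues.append("expired")
    # A certificate whose issuer equals its subject was signed with its own key.
    if cert["issuer"] == cert["subject"]:
        issues.append("self-signed")
    return issues


# Constructed sample: an internal self-signed certificate that lapsed in 2021.
# Same nested-tuple layout that SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "intranet.example.internal"),),),
    "issuer": ((("commonName", "intranet.example.internal"),),),
    "notBefore": "Jan  1 00:00:00 2019 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}
# Fixed "current time" so the sample audit gives the same answer every run.
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")


if __name__ == "__main__":
    print("legacy context findings:")
    for name, reason in enabled_weak_ciphers(legacy_context()):
        print(f"  {name}: {reason}")
    print("hardened context findings:", enabled_weak_ciphers(hardened_context()))
    print("sample certificate:", audit_cert(SAMPLE_CERT, NOW))
    # In production, replace NOW with time.time() and SAMPLE_CERT with sock.getpeercert().
    print("audit run at", time.strftime("%Y-%m-%d", time.gmtime(NOW)))
```

The legacy context is there to show what "ALL" drags in on the local OpenSSL build; the exact list varies by platform, which is itself the point of auditing rather than assuming. For a live server the same `audit_cert` call takes the dict from `getpeercert()` on a verified connection, and `enabled_weak_ciphers` can be pointed at whatever context the application really constructs.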
Getting employees thinking harder about cyber risks
How easy a practice is to follow, and how much it is seen to matter, are the two factors that determine whether cyber hygiene practices are taken up. That's why the focus must be on winning user buy-in, not just user compliance. Enterprises stand the best chance of achieving it if they make it their mission to teach their workforce not only the cyber security behaviours that will protect the organisation but also why they matter, and the implications for themselves and the business if they're not rigorously adhered to.
Organisations that neglect this awareness-raising step can find themselves in the position of the café owner who orders employees to wear gloves without explaining the hygiene rationale, and later observes those employees blithely moving from food prep to bin duty and back again, all the while wearing the same pair of latex gloves.
Protecting the enterprise by empowering employees
While cyber hygiene is an accessible term for users, it’s not necessarily a helpful one unless employers can explain why it’s important and get employees to take ownership of their behaviour when handling sensitive data, applications, and other resources.
Raising employees' awareness of cyber threats, and of the cascade of consequences that could follow an incident, helps them understand why the security measures are necessary and increases their willingness to work together to reduce the risk to the enterprise.
Glen Maloney, ANZ regional sales manager, ExtraHop