What exactly is basic cyber hygiene?
Basic cyber hygiene is a concept developed by cybersecurity professionals years ago to help businesses understand the fundamental best practices that keep a business safe.
What you need to know:
- What are you trying to protect?
- How are you protecting it?
- Who are you protecting it from?
Each of the cybersecurity frameworks has a slightly different take on it, but the basic concepts are the same, so I’ve broken it down into 12 steps that you should know:
You need to identify and prioritize all your key company assets: hardware, software, and services.
You can’t protect what you don’t know you have, so the first thing is an accurate inventory. Then prioritize it: decide which assets are key and which are lower-value or untrusted public assets.
Identify and prioritize threats and risks to key company assets, products & services.
To identify and prioritize threats, do a risk assessment. Make sure you understand all the threats tied to your business risks, whether they are online threats or human ones such as someone deleting files. Capture every one of them and be as thorough as possible so nothing is missed. Once that is done, the next step is a strong network security posture.
Establish good network security and monitoring.
Don’t treat all of your network segments the same. Know where what they call your crown jewels sit, the most important bits of information you need to protect, and fortify there. That is also where you want to focus your monitoring.
Use least access privileges everywhere.
Next, apply least privilege everywhere to limit your exposure wherever possible, including exposure to human error. Don’t give people access to things they don’t need, and keep a close eye on elevated user accounts.
Use standardized secure configurations.
Next, have a standardized secure configuration that is always in place, so everything you deploy starts from a security baseline: every laptop, desktop, mobile phone, router, firewall, printer, and IoT device. Every device that connects to your network should meet that baseline, and you can improve from there.
Patch, patch, patch…keep all software up to date.
I can’t express enough how important patching is. Software vulnerabilities have always been a hacker’s heyday: they want to get in, whether through a vulnerability in your printer software, more likely your end devices, or your macOS or Windows operating systems. They look for the holes, and vulnerabilities are well published on the internet as they get exposed.
Use modern endpoint and malware security.
The old antivirus just doesn’t cut it anymore. Look for a solution with EDR (endpoint detection and response) that incorporates AI and machine learning so it can detect modern attacks. Hackers are getting very clever at getting around detection methods, so you have to go deeper.
Use two-factor authentication.
Two-factor authentication isn’t foolproof or a perfectly safe way to control access, but it’s far better than a password alone. I also use a password vault, because in today’s world you need better protection than just expecting people to follow password best practices and not reuse passwords.
Get a password vault. It’ll help you maintain that integrity across all of your passwords across your enterprise.
Have a good data backup strategy and test it often.
You need to know that when something goes wrong, whether somebody deletes something or a hacker gets in and encrypts your files, you have a good backup and a way back to a normal state. So keep your backups in good order and have a solid strategy around them.
Plan for the inevitable.
The way things are going nowadays, hackers get in; it just happens. People make mistakes, and all kinds of things can go wrong, so have a solid incident response plan and a business continuity plan. These are not things you can make up on the fly while the incident is happening. You need to have Your CyberPlan prepared and tested well in advance.
Make sure you conduct cyber awareness training.
The talk nowadays is about the human firewall: making sure all of your end users know they’re the weakest link in any security program. Make sure they understand what they need to do and how to behave: how to detect common phishing attacks and other modern attacks, and who to talk to. Do a good job of building a cyber-aware culture within your organization.
Hold your partners to your standards.
Lastly, one thing that gets overlooked a lot: hold your partners to your standards. Only you have an expectation of the security and integrity needed to protect your business. A lot of people are moving to SaaS (cloud-based) applications, which is great, but they don’t verify that the SaaS provider they use has all the pieces in place that they would have themselves. So do a third-party risk assessment for every vendor, especially those doing data processing or anything else that involves your data, because ultimately you’re responsible.
I hope you found this information informative. Schedule a consultation if you have questions about cybersecurity in your organization and how to keep your data safe.