Basic Cyber Hygiene: New Definition and Best Practices for the Current World
With the latest changes in regulations and laws, and with cyberattacks becoming more sophisticated, costly and frequent, it’s unavoidable: You must rethink basic cyber hygiene for your organization.
Today, effective cyber hygiene requires you to plan and carry out regular and consistent actions to not only meet current challenges but also to keep pace with a threat landscape that is always evolving. The pivot to remote work, cloud computing and mobile devices created new openings for hackers, as will tomorrow’s developments in IoT and other technologies. What constituted basic cyber hygiene not very long ago no longer applies today.
A call for action: The NIS2 directive
The NIS2 (Network and Information System Security) directive of the EU urges every essential or important company to perform basic cyber hygiene, applying to entities in Europe and any businesses in the first tier of the digital supply chain of essential and important EU companies. EU and US authorities say they will work together on cybersecurity frameworks for critical infrastructure, possibly leading to US adoption of parts of the directive.
In recital 89 of the NIS2, Essential entities are asked to adopt a wide array of basic cyber hygiene practices including zero-trust principles, network segmentation, access management training in cyberthreat awareness. They’re also advised to pursue AI and machine learning technologies to bolster their capabilities.
A few years ago, basic cyber hygiene meant creating and updating complex passwords, patching devices regularly, backing up data and deploying firewalls and endpoint virus scanners. People worked in-office, applications were hosted on-premises or on devices, data stayed in on-premises data centers, and vulnerabilities rarely occurred in operating systems and applications.
Today, with hybrid work, there's a proliferation of devices connecting to applications hosted on-premises and in the cloud. Data is saved in multiple clouds and on-premises. More vulnerabilities are being exploited by more attackers.
Therefore, we must understand current basic cyber hygiene best practices all IT administrators should employ and all users should follow – and the technologies that can be deployed to support them.
Passwords: From complexity to simplicity
Creating and remembering complex passwords can be challenging for users, especially for dozens of accounts. This can create “password fatigue,” a tendency to reuse or write down passwords or use easy to remember (and therefore easy to guess) ones. That opens doors for phishing, brute force and credential-stuffing attacks.
IT personnel should recommend users use password phrases instead. These are long, memorable sentences mixing words, numbers and symbols. "I love to eat pizza on Fridays!" is easy to remember but hard to crack, and more resistant to dictionary attacks employing likely words or combinations.
Password phrases do not need to be regularly changed as often as passwords. Changing passwords too often can reduce security, as users tend to make minor and predictable modifications or reuse them across accounts. Strong password phrases must be changed only if a breach or leak is suspected.
IT teams can also introduce a password manager so users can generate, store and autofill their passwords and alert them if passwords are weak, reused or exposed in a data breach.
Device management: From protect most to protect all
Another cyber hygiene must: Keeping track of all devices connected to your network and ensuring security compliance. This way, administrators are not only protecting traditional devices like laptops, mobile devices, desktops and servers but others that might need access: printers, scanners, cameras, smart TVs or IoT devices.
Device management can be complex due to this increasing diversity of devices and the dynamic nature of networks. Some devices might belong to third parties (contractors, vendors, guests) not following your security practices.
A 24/7 asset discovery and inventory tool can automatically collect data about connected devices to help identify and classifying devices by providing information about their hardware, software, applications, databases and dependencies.
This helps administrators understand the relations among devices, data and applications and the potential network impact of a device failure or compromise. It can also help detect unauthorized, unmanaged or unsecured devices that may pose a risk, so you can take appropriate actions to remediate and manage them; these insights are essential to managing risk.
Patching: From delay to priority
Patching is essential to prevent hackers from exploiting software vulnerabilities, but can be daunting and time-consuming, especially for multiple devices and applications. Patches can cause compatibility issues, performance problems or errors, leading IT personnel to delay or ignore patching.
Prioritize and automate patching by enabling automatic updates for system, applications and antivirus software. A patch management tool can scan, download and install patches and help schedule, monitor and report on patching activities and send alerts on missing or failed patches.
Different patches have different installation priorities: Some should be installed in days or weeks; others can wait. Prioritize patches for critical systems that cannot auto-update immediately, or when more control and less disruption is necessary.
Consider the likelihood of a vulnerability being exploited: Some vulnerabilities might have a high severity rating, but hackers may not use them as they are difficult to exploit or require specific conditions or user interaction. Some might have a lower severity rating but are widely exploited as they are easy to exploit or are used in automated attacks or malware campaigns.
Assess compromise indicators and threat intelligence reports to know exploitation status and vulnerability type and frequency, then prioritize patches accordingly. For zero-day vulnerabilities, apply patches as soon as possible. Patch any vulnerabilities used in common attack vectors like phishing, credential stuffing, ransomware or those that affect critical systems or data.
By focusing on the actuality of a vulnerability, you can reduce your exposure to cyber threats and optimize your patching process and resources.
Multi-factor authentication: From optional to mandatory
Multi-factor authentication (MFA) verifies identity using two or more factors, such as something you know (e.g., password), something you have (e.g., phone), or something you are (e.g., fingerprint). This extra layer of online security prevents hackers from accessing accounts and services with just a password.
However, many users still do not use MFA because they are unaware of its benefits or find it inconvenient. It can also cause MFA fatigue among users who must enter multiple codes, tokens or biometrics at login, leading to dissatisfaction, reduced productivity and increased support costs.
Yet you must make MFA mandatory for all user accounts, especially those with access to sensitive or confidential data. To overcome MFA fatigue, IT administrators can also use a single sign-on (SSO) solution, letting users log in to multiple accounts and services with one username and password, reducing how often they need to enter credentials and MFA factors.
Another way to improve security is bringing MFA to the next level and completely remove the password. By using non-password authentication — biometrics and managed mobile devices only— you can eliminate password management and reduce the risk of phishing, brute force and credential-stuffing attacks.
Privilege: From excessive to minimal
Many users and applications have excessive or unnecessary privileges, increasing the attack surface and potential cyberattack damage. Users often have administrator privileges allowing them to install or remove software and change settings on devices, but these privileges are exploitable by malware, phishing or social engineering attacks. Plus, many applications have too many privileges, allowing hackers to access data and resources.
Follow the principle of least privilege: Users and applications should have the minimum required to perform tasks. A privilege management solution can monitor, control and audit these privileges and help you enforce policies, grant or revoke privileges and detect and respond to suspicious or anomalous activities.
One cyber hygiene best practice: Make everyone a standard user — including administrators – with limited privileges, preventing them from installing, changing or removing software and settings on their devices. This reduces risk of malware, phishing or social engineering attacks while improving device performance.
Your admins should only use administrative accounts to perform certain tasks, such as patching, troubleshooting or configuration. These accounts are task-specific, available for a limited period, and are then automatically revoked or deleted.
Also, use a privilege elevation solution to let standard users temporarily gain higher privileges (after approval or verification) for a specific process or application. This avoids granting permanent or excessive privileges as they only have the ones they need when needed. One of the most popular lets you control and monitor device applications and grant or deny privileges based on policies, rules or context.
Zero trust: From assumption to verification
A zero-trust security model assumes no user, device or end user is trustworthy. Everything and everyone must be verified before getting access, as trust is a vulnerability and traditional security models are no longer effective in the era of cloud computing, mobile devices and remote work.
Many users and organizations still rely on outdated or security models – for example, virtual private networks. VPNs can also create security risks, such as exposing the entire network to a compromised device or allowing unauthorized access to network resources. Moreover, many users and organizations use software-as-a-service applications hosted and accessed online. SaaS applications can also create security risks, such as exposing sensitive data to third-party providers or allowing unauthorized access to application data.
To support a zero-trust approach, you can deploy a zero-trust access solution to enforce policies, authenticate and authorize users and devices, encrypt and isolate data and traffic, and monitor and audit activities.
On managed devices, an application control solution is usually set up to allow only known applications to run in your infrastructure. Unknown applications, like any downloaded by users or launched from USB drives or sticks, are blocked.
Another practice of Zero Trust is restricting the use of external devices, such as USB drives, printers, cameras or other external devices by using a software-based device control. This helps prevent data leakage, malware infections or unauthorized access by auditing outside devices connected to endpoints and servers and either blocking or allowing access and encrypting data being saved on external devices.
Security training: From awareness to action
Many users and organizations still fail to identify or avoid phishing, or report or escalate cyberincidents.
Fortunately, it is easier than ever to address these deficiencies with regular and interactive security training. With security awareness software, IT teams can deliver and measure training programs that can cover the latest cyberthreats, trends and techniques, as well as the best cyber hygiene best practices and policies.
A security awareness solution can help administrators create, customize and deliver engaging and relevant content to all users in the company, such as videos, quizzes, games or simulations, and track and evaluate organizational progress and performance.
Encryption: From optional to standard
Many organizations still should use encryption but are unaware of its benefits or find it complex or costly. Encryption can cause performance issues, compatibility problems or data loss if not correctly implemented or appropriately managed.
By using encryption as a standard practice for your data and communication and by using a good, properly implemented and well-managed encryption solution, you will avoid the issues we’ve just mentioned while being able to choose, apply and manage the best encryption method for data and communication to ensure only authorized parties can access them.
Cyber hygiene is attainable with the right tools
Many of the established practices of cyber hygiene still apply, but we need to embrace new tools to keep pace with evolving challenges.
For instance, virus scanners are still necessary, but AI is enriching their capabilities by quickly assessing data from multiple sources to drive action. We still need to make backups, but they should be saved in secure, non-connected places, immune from modification.
Optimal cyber hygiene is within our grasp as long as we stay apprised of the latest tools and the best practices for using them well.