There has been a lot of hype around cyber hygiene. The Center for Internet Security (CIS) and the Council on Cyber Security (CCS) extol its benefits, defining it as the practice of implementing cyber security best practices and appropriately protecting and maintaining IT systems and devices to keep them “clean.” Sounds good. Of course, these are things you should be doing.
Unfortunately, as you and I know, all these things tend to get messy, fast. As a result, when it comes to cyber hygiene I prefer to “hope for the best, plan for the worst.” I see cyber hygiene as an ideal: something to aspire to and aim for, while also recognizing that it probably isn’t going to happen in full.
You may be asking, why so defeatist? The quick answer is that cyber hygiene relies on people doing everything they are supposed to:
These are all good things to do, but let’s face it, we don’t always do what’s best for us.
How often have you downloaded an app because you knew it would help you get your job done quicker and better? Did you ask IT? Did you submit the necessary paperwork? Probably not. And you’re not alone: it’s estimated that Shadow IT, the services and applications in use within an organization that IT has not approved, may account for as much as 90% of IT spending!
So how can an organization ensure cyber hygiene when it doesn’t even know what’s in its network? It’s estimated that CIOs underestimate the amount of Shadow IT in their environment by a factor of 15 to 22! Those are dangerous blind spots: Gartner predicts that by 2020, a third of successful attacks experienced by enterprises will be on their Shadow IT resources.
Then, of course, we can’t discount the mayhem that ordinary human nature causes. Making mistakes is part of who we are; we even have a saying, “to err is human.” Unfortunately, this endearing part of humankind is not good for cybersecurity: most cybercrimes (84%) are the result of human error! Even with the best of intentions, we can find ourselves in trouble. It’s estimated that one in every 131 emails contains malware; more than 760K “trusted” web sites are infected yearly; and social media posts are increasingly being used to deliver attacks.
Just by doing what we do every day, we can put our organizations at risk. Let’s face it, cyber hygiene, which relies on all of us being our best selves all the time, isn’t going to cut it. We need additional measures in place that can protect us when we slip up, and we will slip up. Those measures have to start from a view of the whole environment:
- Locations – all the places used by the organization to conduct business, such as their campus, remote sites, hotspots, home offices, data centers, and public, private and hybrid clouds.
- Users – anyone who may need access at some point to an organization’s information or systems, including employees, partners, vendors, contractors, customers, etc.
- Systems/devices – all servers, desktops, mobile devices, etc. that may be used to store or access the organization’s information.
- Information flow – understanding, at all layers (Layers 1 through 7 of the OSI model), where data is at rest and how it moves to, from, and between resources.
When the environment as a whole is considered, organizations can develop comprehensive cybersecurity strategies that address vulnerabilities and reduce their attack surface, minimizing their risk profile. Because, while cyber hygiene is good, we need to remember that life (and business) often gets in the way, so we need effective cybersecurity measures in place that can back us up!