There has been a lot of hype around cyber hygiene. The Center for Internet Security (CIS) and the Council on Cyber Security (CCS) extol its benefits, defining it as the practice of implementing cyber security best practices and appropriately protecting and maintaining IT systems and devices to keep them “clean.” Sounds good. Of course, these are things you should be doing.

Unfortunately, as you and I know, all these things tend to get messy, fast. As a result, when it comes to cyber hygiene I prefer to “hope for the best, plan for the worst.” I see cyber hygiene as an ideal – something to aspire to and aim for, while recognizing that it probably isn’t going to happen.

Cyber hygiene depends on everyone doing everything they are supposed to do.

You may be asking: why so defeatist? The quick answer is that cyber hygiene relies on people doing everything they are supposed to do:

  • IT admins must inventory and manage everything that goes into the network; back up everything; ensure only best-practice implementations and configurations are in place; immediately apply all patches so everything is up to date; and regularly upgrade or retire equipment that is getting old.
  • Users should never download anything that hasn’t been approved by IT; always use strong passwords and change them frequently; resist the urge to click on links that aren’t completely trusted; stop visiting sites that could be compromised; and avoid interacting with anyone they don’t know.

These are all good things to do, but let’s face it: we don’t always do what’s best for us.

It’s impossible for IT to know everything that’s being downloaded.

How often have you downloaded an app because you knew it would help you get your job done quicker or better? Did you ask IT? Did you submit the necessary paperwork? Probably not. And you’re not alone – Shadow IT, the services and applications in use within an organization that haven’t been approved by IT, is estimated to account for as much as 90% of IT spending!

So how can an organization ensure cyber hygiene when it doesn’t even know what’s in its network? It’s estimated that CIOs underestimate the amount of Shadow IT in their environment by a factor of 15 to 22! Those are dangerous blind spots – Gartner predicts that by 2020, a third of successful attacks experienced by enterprises will be on their Shadow IT resources.

“To err is human.” True, but not good for cyber security.

Then, of course, we can’t discount the mayhem that general human nature poses. Making mistakes is part of who we are – we even have a saying, “to err is human.” Unfortunately, this endearing part of humankind is not good for cybersecurity – most cybercrimes (84%) are the result of human error! Even when we have only the best of intentions, we can find ourselves in trouble. It’s estimated that one in every 131 emails contains malware, more than 760K “trusted” web sites are infected yearly, and social media posts are increasingly being used to deliver attacks.

Just by doing what we do daily, we can be putting our organizations at risk. Let’s face it: cyber hygiene, which relies on us all being our best selves all the time, isn’t going to cut it. We need additional measures in place that can protect us when we slip up – and we will slip up.

What organizations need is a comprehensive security strategy that provides:

  • Visibility into everything that’s going on in the network – though it should be noted that visibility for visibility’s sake may not provide the value we need. We need context to help us see what different data points mean and understand how they fit together, so we can take appropriate action to stop, curb, or allow the activity.
  • Controls to eliminate (or at least greatly reduce) threats in and targeting the environment. We need to implement security strategies that address the many different attack vectors that can threaten the integrity and privacy of all our organization’s operations and resources. This includes looking at the organization’s:
    • Locations – all the places used by the organization to conduct business, such as the campus, remote sites, hotspots, home offices, data centers, and public, private and hybrid clouds.
    • Users – anyone who may need access at some point to the organization’s information or systems, including employees, partners, vendors, contractors, customers, etc.
    • Systems/devices – all servers, desktops, mobile devices, etc. that may be used to store or access the organization’s information.
    • Information flow – understanding, at all layers (Layers 1-7), where data is at rest and how it is transferred to, from and between resources.

Comprehensive cybersecurity strategies minimize risk better than cyber hygiene alone.

When the environment as a whole is considered, organizations can develop comprehensive cybersecurity strategies that address vulnerabilities and reduce their attack surface, minimizing their risk profile. Because, while cyber hygiene is good, we need to remember that life (and business) often gets in the way, so we need effective cybersecurity measures in place that can back us up!