Security awareness

Cyberhygiene as a Mandatory Doctrine for all Organizations

Pedro Tavares
August 24, 2018 by
Pedro Tavares

Introduction

The number of cyber threats has spread quickly and furiously, and with them also spread the advent of new security challenges that need to be treated by organizations. New security routines are necessary: ones that not only protect infrastructures from cyberthreats, but also promote training sessions and education of employees towards a new cybersecurity era.

For example: look at phishing, one of the most critical threats since the birth of the Internet. Stopping fraudulent campaigns disseminated via phishing can be a difficult task. Many security firms market software that can minimize these type of problems, but these solutions do not solve them completely; this is because the most sensitive point is the employee, who may not know how to detect phishing.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

For this, it's necessary to guarantee a cyberhygiene routine, a doctrine that needs to be shared by all within an organization. Acquiring a piece of new hardware or software may not be enough.

This article aims to take a different look at this problem and lay out a number of steps that can be implemented by organizations seeking to improve their cybersecurity plan.

Towards Cyberhygiene

Cyberhygiene is often compared to personal hygiene: it should be part of a daily routine.

Cyberhygiene is focused on a principle that establishes the practices and steps users need to maintain a system's health and improve their online security, minimizing the risks from cyberthreats.

Just like children need to learn some basic things to survive, to practice cyberhygiene tasks correctly we need to begin with basic principles and practice. There are three basic principles: (i) using tools that fit our hygiene needs, (ii) performing these hygiene tasks correctly and (iii), establishing a routine.

Thinking in Terms of Cyberhygiene Doctrine

Maintenance and security are two crucial pillars of a resilient cybersecurity culture and having a cyberhygiene doctrine in place is mandatory today.

I have a question for you: Do you cut your nails at least once a week? To do this, you need to set your own routine — using a nail-cutter, learning to use it, and end up making that a routine.

Bringing this scenario to our discussion, I have another question for you: Do you change your password regularly?

Let me guess — probably not. This is the real problem that we'll discuss.

An IT team can set password policies, but employees have to set strong and complex passwords or even passphrases and keep them secret. This is general knowledge, but the bottom line is that people persist in creating basic passwords without any complexity, and crooks continue to steal sensitive data from organizations every day.

Cyberhygiene routines should be implemented to ensure the safety and integrity of employees' identities, and to prevent that information from being stolen and corrupted.

We need to look at this subject and observe the risk associated with an incomplete implementation (or even a non-implementation). Thinking about this problem is a good exercise, and we end up realizing that our failure or non-compliance not only harm us but is also detrimental to our organization and all co-workers. Thus, having good cyberhygiene involves many efforts: for instance, identifying, prioritizing and responding to risks of the organization's key services and products.

With the Bring Your Own Device (BYOD) concept, organizations have several devices connected to the Internet, exposing an enormous quantity of personal and organizational information all the time. That information is typically stored in multiple devices, such as smartphones, tablets, computers (laptops and desktops), servers and all that the Internet of Things (IoE) can provide.

Organizations need to minimize the risks of spreading lots of information. This can be done by including these devices, hardware components, software programs and online applications in a regular maintenance program. The challenges that come with these devices are quite different, and each one has its security vulnerabilities and flaws.

Some threats that reinforce the use of a cyberhygiene doctrine are presented below.

Data Loss Prevention (DLP): All organizations need to ensure DLP as a basic pillar of their business. Hacking or corruption could result in the loss of information and cause a nightmare for the company.

Misplaced Data: Poor cyberhygiene could mean losing data. The information is available on several devices at the same time, and because of this, misplacing files is becoming increasingly commonplace in modern organizations.

Security Breach: Sophisticated threats are emerging every day and organizations must be prepared to fight them.

Out-of-Date Software: One of the worst enemies of IT administrators is the out-of-date software that can be exploited through known vulnerabilities. Software applications must be updated periodically.

Implementing a Cyberhygiene Routine

There is no time to wait: we need to do it now. The creation of a cyberhygiene plan should not be seen as a complicated and impossible task. This security paradigm can help you in your daily tasks, as well as building a better security perimeter and a safer and stronger policy within your organization.

Next, some topics that can help you to implement a cyberhygiene routine.

  1. Identify and prioritize organization services, products and their supporting assets.
  2. Is security the main activity of your organization, or is it some kind of sensitive activity, such personal data, health or money services? If you answered yes to any of those, then you should establish an incident response plan. If there are no human resources to build a team ready and qualified to respond to security incidents, then hire a third-party service.
  3. Monitor your network safely. Cyberhygiene refers to all cyberspace, and you should invest in protection against new threats such as fileless malware and crypto-miners. You should also think about investing in technologies and defensive approaches, such as threat intelligence and threat hunting.
  4. Implementing an Identity and Access Management (IAM) culture. Is John Doe no longer part of the organization? Then create procedures to eliminate all access and thereby prevent potential unauthorized accesses to information.
  5. Document all current equipment that is part of the plan (such as hardware, software, applications and programs).
  6. Maintain a list of the equipment and software updated (this can help you to identify vulnerable and obsolete software).
  7. Create a strong and well-defined cyber-policy inside the organization (e.g., password policy, software updates, hardware updates, manage new installs, limit users and back up all data).
  8. And finally, one of the most important measures to execute: promote cybersecurity education and awareness activities within the organization.

Awareness and Employees Education

This topic refers the last resolution left in the listing above. It appears in the last position, but in my opinion, it's the most important task of this challenge and will impact in the daily tasks of any employee. Today's security challenges are varied. One example is ransomware: VXers spread their malicious machinery via social engineering, generally phishing campaigns that targeting multiple or isolated organizations.

These campaigns are sent via email distributing malicious links that are waiting for a user click. Strategies used by crooks are increasingly sophisticated, and users end up click in the malicious link. The consequences of this act are completely disastrous — devices are compromised and encrypted by ransomware and a lot of information is stolen by crooks. Next, it's sold it on the dark web to be used by another criminal in different illicit contexts.

This is where organizations must act: promoting training plans continually for all employees.

In this context, some good practices may be performed. For example:

  • Simulated phishing campaigns should be executed inside an organization by the security team in order to promote better cyber-education and knowledge for all employees. For instance, a fake email is sent, and all the employees who click on the malicious link are notified about that. Consequently, some preventive measures are also delivered indicating what should be the right approach next time.
  • Workshops and data sharing need to be encouraged. Sharing knowledge is important and should be seen as the first preventive measure.

In conclusion, we need to understand that cybersecurity must be regularly monitored to increase the chances of avoiding an online threat. Just like any habit you wish to keep, it requires routine and repetition. A cyberhygiene routine will become a natural activity that can help to prevent major losses for you and your organization.

Sources

What is Cyber Hygiene? A Definition of Cyber Hygiene, Benefits, Best Practices, and More, Digital Guardian

Cyber Hygiene: 11 Essential Practices, Insider Threat Blog

Good cyber hygiene, Norton

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Cyber Hygiene, European Union Agency for Network and Information Security

Pedro Tavares
Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.