Cyber hygiene might be something that you haven’t come across until now. It comprises the steps, methods, and practices that computer users follow to keep their systems healthy and secure. The term is an analogy to personal hygiene: keeping your body healthy by keeping it clean.
It entails keeping your network, computers, storage devices, software, e-mail, and even your employees “clean.”
The Infosec Institute writes that you should protect and maintain every system and device that connects to the Web.
They recommend several processes, including:
- making hardware, IT infrastructure, and software secure
- monitoring your network continuously
- training employees and making them aware of different threats and attack vectors
You need to maintain and protect IT systems and different devices, as well as implement the best practices in cybersecurity.
How do you do this?
- Know what’s connected to your network.
- Set up security settings that can protect your systems.
- Manage and limit users who can access security settings.
- Update operating systems, software, and apps that run on your network.
- Repeat all of the above regularly, because new threats keep appearing and each one has to be eradicated in turn.
Cyber Hygiene: Best Practices
As you can see, carrying out the best practices in cybersecurity is very important in cyber hygiene. But what are the cyber hygiene best practices for small and medium-sized businesses?
1. Take inventory of your applications.
Applications, software, and operating systems all need to be patched and updated for as long as they are in use. Leaving them unpatched exposes you to vulnerabilities that an attacker can exploit.
For example, in September 2017, Equifax reported that sensitive and confidential data from more than 143 million of its customers had been leaked. This included names, financial details, and social security numbers.
This could easily have been prevented if they had patched the Apache Struts software they were using. What’s more, the company had been sitting on the update for four months: it was already aware of the bug but did nothing about it.
Put time for updating your software, applications, and operating systems on your calendar. For the most part, you can simply turn on auto-updates on your computers and other devices.
Outdated software should be patched the moment an update comes out. If you have to apply updates yourself instead of relying on an update service, make it a priority.
Delete software and applications that you no longer use from your devices. This reduces the attack surface that unpatched or outdated software leaves open.
2. Encourage employees and network users to use strong passwords and enable multi-factor authentication.
The first line of defense against cyberattacks is a strong password on your computer. Your security software counts for little if you do not use strong passwords.
But what exactly is a strong password? Should it be a long string of characters that has numbers, symbols, and letters?
Randall Munroe, who used to be with NASA’s Langley Research Center, recommends coming up with a password that is easy for you to remember and hard for computers to guess.
For years, we have been told to use passwords that we probably will not remember the next time we log on to our accounts. For instance, “L3+M31n+33&4” is a scrambling of the words “let me in” padded with some numbers and punctuation, because we were taught that this is what a strong password should look like.
However, most people will have trouble remembering that password. So they write it down, probably on a sticky note stuck to their monitor.
Imagine the security risk that entails.
Munroe suggests using four common random words, such as “rock Buddha chair crystal.” This makes the password harder for brute-force programs to guess while keeping it easy for you to remember.
Munroe further suggests using an image to help you remember your password. In this instance, you will need to remember “a Buddha sitting on a crystal chair listening to rock music.”
However, given enough time and computing resources, even the longest passwords may be guessed by brute force. What’s more, most websites require a mix of special characters, numerals, and letters, which, as we have seen, is no guarantee against cracking.
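Munroe’s scheme as an added illustration, not part of the original article: a word-based passphrase is only as strong as the randomness behind it, so the words must be drawn uniformly by the operating system’s CSPRNG from a large list, and its entropy is the word count times log2 of the list size. The word list here is a constructed stand-in; a real diceware-style list has 7776 words, which is the size the figures assume.

```python
import math
import secrets

# Constructed stand-in list for illustration only; it is far too small for real
# use. A diceware-style list has 7776 (6^5) entries, the size used in the figures.
WORDLIST = ["rock", "buddha", "chair", "crystal", "river", "lantern",
            "pepper", "violin", "marble", "comet", "ladder", "wren"]


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly at random (with replacement)
    from `list_size` distinct words: each word contributes log2(list_size) bits.
    Four words from a 7776-word list give about 51.7 bits."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose entropy reaches `target_bits` for this list size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, word_count: int = 4) -> str:
    """Pick the words with the OS CSPRNG. The entropy figure above only holds when
    the words are chosen this way; words a person 'thinks of' are far from uniform,
    and a list with duplicates silently shrinks the effective list size."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return " ".join(secrets.choice(words) for _ in range(word_count))
```

With the twelve-word stand-in list, four words yield only about 14 bits, which is why the list size matters as much as the word count.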
So, what do you do to make sure that nobody gets into your account even when they guess your password? Enable two-factor or multi-factor authentication.
What is two-factor or multi-factor authentication?
A username and password alone are single-factor authentication: they prove only that you know something the authorized user is supposed to know.
Two-factor authentication, on the other hand, adds a credential that the user possesses. This could be a hardware security token or a software token on your smartphone.
A third kind, the inherence factor, covers biometrics such as iris scans, fingerprint scanning, or voice identification. With a second factor in place, an attacker who gets hold of your login credentials still cannot access your content without your smartphone: when they try to log in, the system sends a code to your phone, and that code is needed to gain access.
With multi-factor authentication, an attacker would need to be physically present, with access to you or your device, to steal your identity.
3. Document your cybersecurity policies.
As with every company-wide policy, you will need to have everything written down. You will need to include an inventory of the network resources you have, such as the hardware, software, applications, and everything that connects to your network.
Some of the things you should also include in your cyber hygiene policy are:
- Required password changes: making use of strong passwords that users will need to change regularly
- Policies regarding the installation of software and hardware updates
- Rules on which users will have admin-level access and which ones will have limited access
- Policies regarding back-up, including disaster recovery plans
- Adopting a cybersecurity framework such as the NIST Cybersecurity Framework
The Small Business Administration has a cybersecurity page that has checklists and information on how to protect yourself. This is a good start for your own organization’s policies.
4. Employee education and training matter – a lot.
“Your cyber hygiene is only as good as the weakest link. And when it comes to security, the weakest link is the human element: your employees and yourself,” says Dan Smith, Co-Founder and CRO of Zeguro. “You can have all the best antivirus and malware detection programs, but without properly training your employees on what kind of threats to expect and how to avoid them, you will still be vulnerable.”
According to the 2019 Insider Threat Survey Report, 73 percent of organizations confirm that insider attacks have become more frequent. Most of the time, in 59 percent of cases, it is users with privileged access that pose the greatest risk.
Insiders need not be malicious, either. The threat can be an absent-minded employee opening an e-mail attachment, or an accident such as leaving a smartphone in a cab.
A good cyber hygiene program will always include employees in the mix. You should teach them what threats to expect, how to detect them, and what to do when they encounter these attacks. They should also know your company’s cybersecurity policies.
5. Restrict data sharing.
Perhaps one of the most important processes in cyber hygiene is limiting data sharing. The less widely your data is spread, the easier it is to keep safe.
For instance, discourage employees from signing up for online services using Facebook, Twitter, or other social media credentials. If you sign up for a service with your Facebook login, anyone who gets into your Facebook account can just as easily get into that service, your online cloud account, and every other service tied to it.
You should also opt out of third-party data sharing. If you download and use an app, grant it only the permissions it needs to do its job.
Who needs cyber hygiene, anyway? YOU DO!
Small business owners think that they are safe from hackers and cybercriminals. They see hacking attacks, data breaches, and other cybersecurity-related stuff on the news, but these usually involve the big guns: Equifax, Google, Yahoo, Facebook, and other multibillion-dollar corporations.
They start thinking, “Who would be interested in a small business like mine?”
What they don’t know is that 43 percent of cyber attacks target small businesses.
What’s worse, only 14 percent say that they have the means to fight attacks and close up vulnerabilities.
Six out of 10 businesses that suffer a cyberattack end up closing within six months. More security lapses are caused by human or system error than by malice; only 48 percent are due to malicious attackers.
As a small business, you don’t have the budget to spend too much on cybersecurity. The good news is that you don’t have to: when you implement cyber hygiene best practices, you are well on your way to fending off these attacks.