
What is Good Cyber Hygiene?–Part 1

Cyber hygiene is a confusing topic.  Google the phrase “Cyber Hygiene”, and you will find various articles discussing a handful of different controls to consider.  For example, this article from Kaspersky gives you 12 different practices to put in place.  An article from Tulane University has 14 different practices to put in place.  An article from Splunk recommends 7 different practices.

Matthew Butkovic said it best in a class of his that I attended. “Cyber hygiene should not be considered the maximum extent of acceptable security.”

I’m not arguing that the above articles on cyber hygiene should be disregarded.  Cyber hygiene is important. However, these articles reflect a simplified take on best practices.  They serve better as a starting point than as a finish line for cyber security best practices.

Good cyber hygiene is really a deeper dive than a general article giving free advice.  Tim McGraw might have said it best: “Free advice is worth the price you paid.”  Although Matt would probably have said, “Wait a minute, ah, somebody said fair warning,” quoting Van Halen.

Because this is a broad topic, I’m breaking the discussion into three parts.


So, what is good cyber hygiene?

Let’s start with a working definition of “cyber hygiene”.  Cyber hygiene is a series of best practices for an effective cyber risk management program.  The more you practice, the better your chances of surviving during, and thriving after, a cyberattack – similar to your doctor recommending during cold and flu season that you wash your hands and get a good night’s sleep to avoid getting sick.

One thing this working definition leaves out: what are those best practices?

The reason specific best practices are not stated in this definition is that they will vary to some extent for each organization and industry.

Depending on what regulatory environments you work within and what frameworks you use, your specific cyber hygiene practices will vary.  For example, if your company accepts credit cards at the highest merchant level defined by the Payment Card Industry Data Security Standard (PCI DSS Level 1), your cyber hygiene will be very different from that of the one-person residential plumber who processes about 200 credit card transactions a year.

If you are a healthcare organization subject to HIPAA and the HITECH Act, your cyber hygiene will be very different from that of a community bank, which is subject to banking regulations like the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

When talking about cyber hygiene, you are ultimately talking about the controls your organization has in place that govern cyber security.  Organizations that take cyber security seriously will have these controls identified in their policies and procedures.


It’s All About Controls

Controls are the name of the game when it comes to cyber security, and there are many different types of controls that we are going to discuss in parts two and three of this series.

In part two we will discuss internal controls classified by function: preventive controls, detective controls, corrective controls, and compensating controls.

In part three we will discuss controls classified by how they are implemented: administrative controls, technical controls, and physical controls.  Part three will also finish with resources for a deeper dive into frameworks, which, in my opinion, are a great source for finding the right controls to help your organization develop and sustain excellent cyber security.


Scott Harrigan

Scott started his career in insurance in 1988 and joined Rue Insurance in 2004 as a Marketing Specialist focusing on creating effective risk financing and risk transfer programs for companies and non-profit organizations. In addition to this he is a member of the Rue Insurance educational team that provides ongoing professional development in critical insurance concepts and programs to Rue employees. About Scott | More Posts by Scott
