The complexities of securing an organization go far beyond one simple solution. While there is an abundance of security technologies and processes available to address many different facets of cyber security risks, an underlying focus on cyber hygiene can provide a strong foundation to help organizations protect themselves.
Cyber hygiene is about making sure you have the fundamental security controls operating and that they are consistently applied across your environment.
The purpose of cyber hygiene is primarily to protect an organization's data. However, once in place, many organizations will find that it goes further than just protecting the organization. Those who implement strong cyber hygiene will see that it will also drive improvements and efficiencies across their organization’s entire technology landscape.
The core building blocks of cyber hygiene are knowing your estate and knowing your identities. This is the absolute key, as ultimately it drives the controls you operate and provides a mechanism to understand how effective these controls are within your environment. Once you have an accurate understanding of your estate and identities, you can measure their security posture across your environment, which enables you to drive cyber hygiene and controls adoption and to embed secure practices into daily routines.
Implementing strong cyber hygiene will sharpen standardization throughout your organization and will increase security and efficiency.
Effective approaches to adopting strong cyber hygiene processes include:
Secure Builds: Define secure build standards for the various platforms that your organization uses. This might include Windows, Linux, Network, Storage, Directory Services, and more. These standards should be reviewed regularly and include vulnerability management practices so that as new vulnerabilities are identified, you can effectively understand where you are potentially exposed to risk. Also, as new platforms and software are introduced into the environment, you should ensure they pass through your secure build process. This means you stop potentially vulnerable software and configurations from exposing you to cyber risks before they are deployed.
Secure Endpoints: Any and all corporate devices should be secured with strong endpoint controls, advanced malware protection, encryption, least privilege, and security event logging. For these controls, ensure you are actively monitoring their status for vulnerabilities such as broken agents, devices not running the latest updates, incorrect configurations, or a lack of full visibility into your endpoint environment.
Authentication and Authorization: Standardize authentication and authorization, using strong authentication across the network and applications with multi-factor authentication (MFA). Enforce the use of encrypted protocols to protect data in transit. Ensure that resources across the environment are securely configured and that data is not being inadvertently exposed. Many organizations unknowingly allow open access to shared resources such as network shares, mailboxes and SharePoint, which gives inappropriate individuals access to sensitive data and increases the potential blast radius from risks like ransomware.
Identity and Entitlement: It is important to understand the identities within your environment, who they are associated with and the entitlements they have. Limit how identities can be created and managed within the environment, and standardize the process to ensure that as identities are created or modified you capture the fundamentals about the identity: who owns it and what it is used for.
One significant area where organizations fail despite implementing cyber hygiene standards is the continuous monitoring of controls and establishing measures to understand the effectiveness of controls. These controls need to be constantly reviewed to understand if they are operating correctly, if they have full coverage, and if they are properly addressing your risks.
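One way to measure whether an endpoint control has full coverage and is operating correctly, as an added example that is not part of the original article: it joins an asset inventory against an endpoint agent report and flags hosts with no agent, a stale check-in, or no encryption. The field names, hostnames, dates and the 7-day staleness threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: hostnames and field names are assumptions.
INVENTORY = ["lap-001", "lap-002", "srv-010", "srv-011", "lap-003"]
AGENT_REPORT = [
    {"host": "lap-001", "last_seen": "2024-05-10", "encrypted": True},
    {"host": "lap-002", "last_seen": "2024-04-01", "encrypted": True},
    {"host": "srv-010", "last_seen": "2024-05-09", "encrypted": False},
    {"host": "kiosk-77", "last_seen": "2024-05-10", "encrypted": True},
]

def coverage_gaps(inventory, report, today, max_age_days=7):
    """Classify each inventoried host by how the endpoint control fails on it."""
    known = {h.lower() for h in inventory}
    seen = {r["host"].lower(): r for r in report}
    cutoff = today - timedelta(days=max_age_days)
    gaps = {"no_agent": [], "stale_agent": [], "not_encrypted": []}
    for host in sorted(known):
        rec = seen.get(host)
        if rec is None:
            # In the estate but never reported: the control has no coverage here.
            gaps["no_agent"].append(host)
            continue
        if datetime.strptime(rec["last_seen"], "%Y-%m-%d") < cutoff:
            # Agent installed but silent: likely broken or the device is offline.
            gaps["stale_agent"].append(host)
        if not rec["encrypted"]:
            gaps["not_encrypted"].append(host)
    # Reporting agents that the inventory does not know about are an estate gap.
    gaps["unknown_to_inventory"] = sorted(set(seen) - known)
    failing = set(gaps["no_agent"]) | set(gaps["stale_agent"]) | set(gaps["not_encrypted"])
    healthy_pct = round(100 * (len(known) - len(failing)) / len(known), 1) if known else 0.0
    return gaps, healthy_pct

if __name__ == "__main__":
    gaps, pct = coverage_gaps(INVENTORY, AGENT_REPORT, datetime(2024, 5, 10))
    for reason, hosts in gaps.items():
        print(f"{reason}: {hosts}")
    print(f"hosts with the control fully healthy: {pct}%")
```

Tracking the healthy percentage and each gap list over time gives a simple measure of control effectiveness, and the `unknown_to_inventory` list shows where the inventory itself is incomplete.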
Cyber hygiene practices don’t start and stop with the security team. They need to be embedded throughout the organization to better protect your organization, your colleagues and your customers.