The recent barrage of coronavirus advisories from various authorities has one recommendation in common: maintain personal hygiene until a treatment becomes available. This maxim is true for information security as well. While security professionals focus on managing risk that has already been identified, attackers try to find new means of attacking organizations to steal information.
Like many cyberattacks, the coronavirus emerged quickly and its effects were felt immediately. New cybersecurity threats have amplified news of breaches and resulted in calls for more media coverage. It appears that we never have enough controls. To combat this, organizations must be prepared to counter new threats. Just as personal hygiene recommendations can help mitigate the risk of coronavirus, organizations can protect themselves by observing good cyberhygiene practices.
Some may argue that personal hygiene and cyberhygiene are not similar because our bodies have evolved over a period of time and developed defenses that fend off viral attacks. But the same is true for information security within organizations. Enterprises can defend themselves against known threats; it is new or unknown threats that have an adverse impact. Good cyberhygiene helps delay the impact of new threats. A differentiating factor, however, can be that cyberhygiene does not leave any room for error, since computers transmit infection much faster than the human body and do not have the same self-protecting mechanisms. Therefore, cyberhygiene is more essential for cybersecurity.
The question is, how much cyberhygiene is enough? One thing is certain—there is no one-size-fits-all solution. Every organization needs to define its own cyberhygiene requirements, although, like personal hygiene, some practices are universal, such as washing hands. These guidelines may help:
- Adopt global standards and frameworks after ensuring that they meet the requirements for the organization and user environment.
- Do not simply post dos and don’ts; give a rationale as to why the guidance is in place. This will help users understand underlying risk factors so they can adjust their cyberhygiene practices for changing threats.
- Make the first line of defense stronger by teaching operational users to detect abnormal behavior of machines and people.
- Understand users and tailor the cyberhygiene guidance to suit their requirements. Common guidelines may be useful to some extent, but may not work for everyone.
- Try to implement automated controls wherever possible to reduce human error.
Cyberhygiene is a part of awareness training. Good cyberhygiene practices help make awareness training more effective in defending against emerging threats.
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.