“What happened?”
If you’ve never uttered those words, this blog isn’t for you. For those of us in cybersecurity, this pint-sized phrase triggers memories of unforeseen security incidents and long email threads with the CISO. What happened to those security patches? Why didn’t we prevent that intrusion?
Organizations tend to lean towards protecting their borders and less towards understanding the importance of overall security hygiene. Like a love-hate relationship with pineapple on pizza, some of us secretly wish our security teams would accept the fact that a boots-on-the-ground security hygiene program is just as important as big-thinking, big-budget cybersecurity infrastructure.
According to the latest IBM Cost of Data Breach Report, breach costs rose from USD 3.86 million to USD 4.24 million, the highest average total cost in the 17-year history of the report.
How can we all work together to prevent this? Security Information and Event Management (SIEM) platforms and vulnerability scanning tools are one thing but bringing down these costs requires more.
As our expert panel discussed in this webinar, the relationship between cybersecurity strategy and security hygiene takes a commitment from everyone to level up their own games to lift the overall organization’s security posture.
It’s time to bring some security relationship counselling to your organization.
WHAT IS SECURITY HYGIENE?
Like in all healthy relationships, it’s best to start with the fundamentals:
- Cybersecurity is the practice of protecting systems and data from digital attacks. It encompasses a variety of techniques, tools, and processes designed to prevent unauthorized access or exposure of sensitive information and identify threat actors when a breach occurs. Examples include systems monitoring (like SIEM), network traffic analysis, and API management platforms.
- Security hygiene is the day-to-day practice of maintaining the basic health and security of software and hardware assets. Examples include making sure that only the right ports are open to perform tasks, ensuring proper software patch levels, and cybersecurity awareness training.
Security hygiene focuses more on a boots on the ground approach. Password policies, asset inventories, file encryption schemes — these are the frontline tools that make a hygiene program successful. Unlike big cybersecurity platforms and policies, good security hygiene enables the protection of everyday, common activities that lead to potential gaps in your security posture.
In other words, a security hygiene program is the proactive doctor that identifies and prevents data breaches from happening, while traditional cybersecurity is the police officer that patrols the digital pathways and reacts to attackers after something has happened.
The goal is to protect sensitive data from attack by educating users, adopting tools, and managing processes to ensure a strong security posture for your organization.
COMMON GAPS IN SECURITY HYGIENE
Developing practices and maintaining routines around security hygiene protects your organization by enabling everyone to be actively involved in the protection of assets — whether they know it or not.
An organization typically must cover multiple elements under its security umbrella, each with its own set of potential vulnerabilities. From employees and customers to computers and mobile phones, there are many opportunities for malicious actors to exploit:
- Old software versions are more vulnerable to attack, especially when it comes to security patch levels.
- Weak passwords and authentication methodsare ripe for exploitation, as evidenced by the infamous SolarWinds hack last year. While there is no official confirmation, former SolarWinds CEO Kevin Thompson said it may have been performed by a hacker using a password of “solarwinds123”.
- Lost or misplaced data is increasingly common as there are more places for employees to copy, transfer, and store between their computers, mobile phones, and company servers.
- Unsafe email and web browsing habits by employees can lead to ransomware attacks, with phishing being the leading cause according to Statista.
WHY ORGANIZATIONS STRUGGLE WITH SECURITY HYGIENE
Many IT teams focus on cybersecurity first and leave hygiene practices and policies by the wayside. Ultimately, this weakens both sides of the relationship as there’s a strong interdependence between the two.
“The truth is that the vast majority of data breaches can be prevented with basic actions, such as vulnerability assessments, patching and proper configurations. An Online Trust Alliance study estimated that 93 percent of reported incidents could have been avoided with basic security hygiene best practices.”
– “Your Security Strategy Is Only as Strong as Your Cyber Hygiene”, IBM SecurityIntelligence
The reason companies struggle with this critical relationship is that employees feel that security hygiene measures are obstacles to resist, overcome, or ignore. We all have stories of users that reuse the same password and use insecure sites to transfer files. Why? Usually, it’s due to cumbersome organizational processes or the perceived need to do things fast.
“Our business doesn’t make money by being more secure.”
– Someone you know, probably
Fundamentally it comes down to a culture that treats security as a handcuff rather than an essential business need.
Another reason for the struggle is that there’s no consensus on what security hygiene means or what it entails. Unlike the many cybersecurity standards and recommendations available (think ISO/IEC 27001, OWASP, and NIST) there’s very little out there to support organizations in their assessment and execution of a security hygiene plan.
YOUR SECURITY HYGIENE ACTION PLAN
Based simply on the alarming number of industry statistics, and a desire to protect your own house from financial and reputational risk, there’s a massive need to strengthen the relationship between cybersecurity and security hygiene. Building a culture of security within the organization requires a combination of processes, tools, and training that helps everyone become better cyber hygienists.
Here are some considerations for bridging the gap between cybersecurity and security hygiene:
- Understand what your various business units do and what their goals are, to tailor security tactics that are more effective and more likely to be adopted. This could be done through surveys, user sessions, or by establishing a security committee.
- Bake security into everything from people, processes, and tools, to shift the thinking from “security as a destination” to security as an ongoing discipline.
- Perform a cybersecurity audit and inventory, to verify software versions, antivirus protection, password policies, awareness training, and more.
- Create a part-time or full-time role of a “security business partner,” acting as the teacher, supporter, and champion of all things security between departments.
- Have a clear bring your own device (BYOD) policy that protects company data while giving employees flexibility in how they access it.
- Use tools that collect and provide visibility into user activities that may indicate phishing or ransomware attempts.
This is further illustrated by explaining how the gaps in security hygiene mentioned earlier could be addressed:
- Old software versions – Maintaining an inventory of software assets and ensuring the latest patches are applied to all OS, web browser, and application software ensures that all known vulnerabilities are mitigated. This blog explains how we do this for operational technology (OT) assets.
- Weak passwords and authentication methods– Enforcing a policy of strong, unique, and complex passwords makes an attacker’s job that much harder, including the deployment of multi-factor authentication (MFA) where possible.
- Lost or misplaced data – Backups, up-to-date antivirus software, and user training are the most common methods to prevent the loss of data.
- Unsafe email and web browsing habits – To avoid the harvesting of compromisable data, train users on the proper use of email and web browsers, including onboarding sessions, refresher courses, and phishing simulations.
WE MUST ALL PLAY THE ROLE OF CYBER HYGIENISTS
We’re all familiar with fire code, fire drills, and seeing fire extinguishers by every stairwell. Proactive cybersecurity requires the same level of familiarity. Improving your security posture requires a constant evaluation and training of current risks, strategies, and tactics — with constant cooperation between leadership, IT, and all other employees. Like any relationship, this means instilling an understanding and personal responsibility towards the value of cybersecurity that works for all parties.
Security teams shouldn’t be thought of as the bad guys, rather they’re the business enabler that keeps the organization safe and healthy.
For more on building an effective relationship between cybersecurity strategy and security hygiene, watch this panel webinar:
